WireGuard

• WireGuard Settings
• Design Considerations
• WireGuard Limitations
• Configure a WireGuard Tunnel
• Assign a WireGuard Interface
• WireGuard and Rules / NAT
• WireGuard Routing

See also

• WireGuard Remote Access VPN Configuration Example

• WireGuard Site-to-Site VPN Configuration Example

• WireGuard VPN Client Configuration Example

WireGuard Overview

WireGuard is a new VPN Layer 3 protocol designed for speed and simplicity. It performs nearly as fast as hardware-accelerated IPsec and has only a small number of options in its configuration.

Due to this simplicity, WireGuard lacks many of the conveniences of more complicated VPN types which can help automate large deployments. Thus, while its performance scales well, the management can become cumbersome for large numbers of peers.

WireGuard behaves unlike other traditional VPN types in several ways:

• It operates completely in the kernel

• Configuration is placed directly on the interfaces

• It has no concept of connections or sessions

• It has no facilities for user authentication

• There is minimal logging from the kernel

• It does not bind to a specific interface or address on the firewall, it accepts traffic to any address on the firewall on its specified port

WireGuard instances consist of a tunnel and one or more peer definitions which contain of the necessary keys and other configuration data.

WireGuard interfaces carry Layer 3 information and above.

To use WireGuard, upgrade to the latest version of pfSense Plus or pfSense CE software then install the WireGuard package from the Package Manager.