WireGuard

Warning

WireGuard has been removed from releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard Overview

WireGuard is a new VPN Layer 3 protocol designed for speed and simplicity. It performs nearly as fast as hardware-accelerated IPsec and has only a small number of options in its configuration.

Due to this simplicity, WireGuard lacks many of the conveniences of more complicated VPN types which can help automate large deployments. Thus, while its performance scales well, the management can become cumbersome for large numbers of peers.

WireGuard behaves unlike other traditional VPN types in several ways:

  • It operates completely in the kernel

  • Configuration is placed directly on the interfaces

  • It has no concept of connections or sessions

  • There is no “status” of the VPN (e.g. it isn’t considered up or down, it has no visible timers, etc.)

  • It has no facilities for user authentication

  • There is no service daemon to stop or start

  • There is minimal logging from the kernel

  • It does not bind to a specific interface or address on the firewall, it accepts traffic to any address on the firewall on its specified port

That said, due to the simplicity of the configuration, there is little to go wrong and thus little need for logging or status.

WireGuard instances consist of a tunnel and one or more peer definitions which contain of the necessary keys and other configuration data.

WireGuard interfaces carry Layer 3 information and above.