WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.
If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel
WireGuard Package Settings¶
The WireGuard package contains the following configurable options:
Controls whether or not the WireGuard service itself is enabled or disabled.
The WireGuard service cannot be disabled when one or more tunnels is assigned to an interface via Interface Configuration.
- Keep Configuration
Controls whether or not the tunnel/peer configurations and package settings will persist when the package is removed.
- Endpoint Hostname Resolve Interval
Controls how often peer endpoint hostnames are resolved and updated by the WireGuard service. By default this is
300seconds (5 minutes).
- Track System Resolve Interval
This option overrides the Endpoint Hostname Resolve Interval setting and configures the WireGuard service to track and use the system Aliases Hostnames Resolve Interval.
- Interface Group Membership
Controls which WireGuard tunnels are implicit members of the WireGuard interface group. By default this is
See Rule Methodology for more on Interface Groups and Rule Processing Order.
- Hide Secrets
Controls whether or not secrets (private and pre-shared keys) are hidden in the user interface.
Hide Secrets only hides secrets in the user interface. It does not obfuscate secrets for storage in the pfSense® software configuration file,
config.xml. For more information on password storage and protecting configuration file backups see Password Storage Security Policies
WireGuard Tunnel Settings¶
When creating or editing a WireGuard tunnel, the following options are available:
Controls whether or not this WireGuard tunnel is enabled or disabled.
A WireGuard tunnel cannot be disabled while assigned as an interface.
A short text description of this WireGuard tunnel.
- Listen Port
The local port upon which this WireGuard tunnel will listen for incoming traffic from peers, and the port from which it will source outgoing packets. The default port is
51820, additional tunnels must use a different port.
The GUI will automatically suggest the next highest available port.
- Interface Keys
The private and public key pair for this WireGuard tunnel. The public key is derived from the private key and does not need to be entered separately. The GUI will display the public key automatically when possible. When entering a new private key manually, the public key will be available after saving the tunnel.
The private key will stay only on this firewall, the public key will be copied to peers.
A new set of keys can be generated by the Generate button.
Click Copy under the public key to copy it to the clipboard.
- Interface Addresses
A list of IPv4 and/or IPv6 addresses which will be assigned to this WireGuard tunnel.
Interface addresses are configured here only for WireGuard tunnels that are not assigned to an interface via Interface Configuration.
WireGuard Peer Settings¶
When creating or editing a WireGuard peer, the following options are available:
Controls whether or not this WireGuard peer is enabled or disabled.
Controls which WireGuard tunnel to associate with this peer. The default is Unassigned.
A short text description of this peer.
- Dynamic Endpoint
This option controls whether a WireGuard peer should be considered dynamic. Uncheck this option for a peer that has a fixed, static endpoint address or hostname.
The IP address or hostname of the remote WireGuard peer, from which the peer will connect to this firewall, and to which this WireGuard instance will send traffic destined for this peer.
This can be left empty if the peer endpoint is unknown, such as for dynamic remote access clients. When empty, the tunnel will track the endpoint dynamically based on the key used by the peer. Additionally, when empty, this firewall cannot initiate traffic on the tunnel to the peer until the remote peer sends traffic.
- Endpoint Port
The port used by the peer for WireGuard traffic. The default port is
51820if left empty.
If the Endpoint is empty, this value is ignored.
- Keep Alive
An interval, in seconds, at which an empty packet is sent to the peer to keep the session active. This can improve handling through stateful firewalls. Disabled by default.
- Public Key
The public key of this peer.
- Pre-Shared Key
An optional pre-shared key which provides an additional layer of symmetric-key cryptography on top of the public key cryptography for post-quantum resistance.
A new pre-shared key can be generated by the Generate button.
Click Copy under the public key to copy it to the clipboard.
- Allowed IPs
List of networks on the peer side which the firewall can reach through this peer. For example, on a site-to-site VPN this would be the tunnel address of the peer and any LAN segments reachable via this peer.
When a tunnel has multiple peers this list allows WireGuard to determine which peer will receive traffic for destinations routed through the WireGuard interface.
The networks listed here are transformed into proper subnet start boundaries prior to validating and saving.
These networks cannot be duplicated between multiple peers on the same tunnel, they must be unique. Otherwise, only the last peer in the list will be configured properly.
All traffic may be associated with a peer by using
0.0.0.0/0for IPv4 or
::/0for IPv6, but this won’t work for a tunnel with multiple peers. Only the last peer in the list will be configured properly.
For those familiar with OpenVPN, the internal routing used by WireGuard is similar to
iroutestatements which associate remote networks with specific clients.