Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note

The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel.

WireGuard Settings

WireGuard Package Settings

The WireGuard package contains the following configurable options:

Enable

Controls whether or not the WireGuard service itself is enabled or disabled.

Note

The WireGuard service cannot be disabled when one or more tunnels is assigned to an interface via Interface Configuration.

Keep Configuration

Controls whether or not the tunnel/peer configurations and package settings will persist when the package is removed.

Endpoint Hostname Resolve Interval

Controls how often peer endpoint hostnames are resolved and updated by the WireGuard service. By default this is 300 seconds (5 minutes).

Track System Resolve Interval

This option overrides the Endpoint Hostname Resolve Interval setting and configures the WireGuard service to track and use the system Aliases Hostnames Resolve Interval.

Interface Group Membership

Controls which WireGuard tunnels are implicit members of the WireGuard interface group. By default this is All Tunnels.

Tip

See Rule Methodology for more on Interface Groups and Rule Processing Order.

Hide Secrets

Controls whether or not secrets (private and pre-shared keys) are hidden in the user interface.

Warning

Hide Secrets only hides secrets in the user interface. It does not obfuscate secrets for storage in the pfSense® software configuration file, config.xml. For more information on password storage and protecting configuration file backups, see Password Storage Security Policies.

WireGuard Tunnel Settings

When creating or editing a WireGuard tunnel, the following options are available:

Enable

Controls whether or not this WireGuard tunnel is enabled or disabled.

Note

A WireGuard tunnel cannot be disabled while assigned as an interface.

Description

A short text description of this WireGuard tunnel.

Listen Port

The local port upon which this WireGuard tunnel will listen for incoming traffic from peers, and the port from which it will source outgoing packets. The default port is 51820; additional tunnels must each use a different port.

Note

The GUI will automatically suggest the next highest available port.

Interface Keys

The private and public key pair for this WireGuard tunnel. The public key is derived from the private key and does not need to be entered separately. The GUI will display the public key automatically when possible. When entering a new private key manually, the public key will be available after saving the tunnel.

The private key will stay only on this firewall; the public key will be copied to peers.

A new set of keys can be generated by the Generate button.

Tip

Click Copy under the public key to copy it to the clipboard.
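What "derived from the private key" means in practice: WireGuard keys are Curve25519 keys, and the public key is X25519 applied to the clamped private scalar and the curve's base point (u = 9). The following pure-Python implementation of RFC 7748 X25519 is an added example, not pfSense or WireGuard project code; it lets an administrator confirm offline that the public key shown in the GUI matches a given base64 private key.

```python
"""Derive a WireGuard public key from its private key with X25519 (RFC 7748)."""
import base64

P = 2**255 - 19   # field prime for Curve25519
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant
BASE_POINT_U = 9  # u-coordinate of the generator used for public keys


def clamp_scalar(private: bytes) -> int:
    """decodeScalar25519: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of scalar * point(u), per RFC 7748 s.5."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (scalar >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3, z_3 = pow(da + cb, 2, P), x_1 * pow(da - cb, 2, P) % P
        x_2, z_2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * pow(z_2, P - 2, P) % P  # x_2 / z_2 via Fermat inversion


def derive_public_key(private: bytes) -> bytes:
    """Public key = X25519(clamp(private), 9), 32 bytes little-endian."""
    if len(private) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    return x25519(clamp_scalar(private), BASE_POINT_U).to_bytes(32, "little")


def public_key_b64(private_b64: str) -> str:
    """Base64 in, base64 out, the format used by wg(8) and the pfSense GUI."""
    return base64.b64encode(derive_public_key(base64.b64decode(private_b64))).decode()
```

The RFC 7748 section 6.1 test vectors (Alice's and Bob's keys) exercise the ladder end to end; any 32-byte private key, including one pasted from the GUI, works the same way.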

Interface Addresses

A list of IPv4 and/or IPv6 addresses which will be assigned to this WireGuard tunnel.

Note

Interface addresses are configured here only for WireGuard tunnels that are not assigned to an interface via Interface Configuration.

WireGuard Peer Settings

When creating or editing a WireGuard peer, the following options are available:

Enable

Controls whether or not this WireGuard peer is enabled or disabled.

Tunnel

Controls which WireGuard tunnel to associate with this peer. The default is Unassigned.

Description

A short text description of this peer.

Dynamic Endpoint

This option controls whether a WireGuard peer should be considered dynamic. Uncheck this option for a peer that has a fixed, static endpoint address or hostname.

Endpoint

The IP address or hostname of the remote WireGuard peer, from which the peer will connect to this firewall, and to which this WireGuard instance will send traffic destined for this peer.

This can be left empty if the peer endpoint is unknown, such as for dynamic remote access clients. When empty, the tunnel will track the endpoint dynamically based on the key used by the peer. Additionally, when empty, this firewall cannot initiate traffic on the tunnel to the peer until the remote peer sends traffic.

Endpoint Port

The port used by the peer for WireGuard traffic. The default port is 51820 if left empty.

Note

If the Endpoint is empty, this value is ignored.

Keep Alive

An interval, in seconds, at which an empty packet is sent to the peer to keep the session active. This can improve handling through stateful firewalls. Disabled by default.

Public Key

The public key of this peer.

Pre-Shared Key

An optional pre-shared key which provides an additional layer of symmetric-key cryptography on top of the public key cryptography for post-quantum resistance.

A new pre-shared key can be generated by the Generate button.

Tip

Click Copy under the public key to copy it to the clipboard.

Allowed IPs

List of networks on the peer side which the firewall can reach through this peer. For example, on a site-to-site VPN this would be the tunnel address of the peer and any LAN segments reachable via this peer.

When a tunnel has multiple peers this list allows WireGuard to determine which peer will receive traffic for destinations routed through the WireGuard interface.

The networks listed here are transformed into proper subnet start boundaries prior to validating and saving.

Warning

These networks cannot be duplicated between multiple peers on the same tunnel; they must be unique. Otherwise, only the last peer in the list will be configured properly.

Note

All traffic may be associated with a peer by using 0.0.0.0/0 for IPv4 or ::/0 for IPv6, but this won’t work for a tunnel with multiple peers. Only the last peer in the list will be configured properly.

Note

Routes are not automatically created in the system routing table. Routes for networks other than the tunnel network itself must be configured separately using static or dynamic routes.

Tip

For those familiar with OpenVPN, the internal routing used by WireGuard is similar to iroute statements which associate remote networks with specific clients.
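The Allowed IPs behaviour described above (boundary normalization, peer selection for a destination, and the last-peer-wins effect of duplicated networks) modelled in Python as an added example; this is not pfSense or WireGuard code, and the peer names and networks are constructed for illustration.

```python
"""Model of WireGuard Allowed IPs handling as described for the pfSense package."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize_allowed_ips(entries: List[str]) -> List[Network]:
    """Snap each entry to its subnet start boundary before validation,
    e.g. 192.168.10.7/24 becomes 192.168.10.0/24."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_duplicate_networks(peers: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (network, earlier_peer, later_peer) for each Allowed IPs
    network listed on more than one peer of the same tunnel."""
    seen: Dict[Network, str] = {}
    duplicates = []
    for peer, entries in peers.items():  # dict order == peer list order
        for net in normalize_allowed_ips(entries):
            if net in seen:
                duplicates.append((str(net), seen[net], peer))
            seen[net] = peer
    return duplicates


def build_cryptokey_table(peers: Dict[str, List[str]]) -> Dict[Network, str]:
    """Map each network to its owning peer. A duplicated network ends up on
    the last peer in the list, which is why duplicates must be avoided."""
    table: Dict[Network, str] = {}
    for peer, entries in peers.items():
        for net in normalize_allowed_ips(entries):
            table[net] = peer
    return table


def select_peer(table: Dict[Network, str], destination: str) -> Optional[str]:
    """Longest-prefix match: the peer whose Allowed IPs most specifically
    covers the destination, or None if no peer claims it (traffic is dropped)."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[Network, str]] = None
    for net, peer in table.items():
        if dst.version == net.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, peer)
    return best[1] if best else None


# Constructed two-peer site-to-site tunnel; 192.168.10.7/24 is deliberately
# off-boundary to show normalization, and tunnel addresses are /32 host routes.
SITE_PEERS = {
    "site-a": ["10.100.0.2/32", "192.168.10.7/24"],
    "site-b": ["10.100.0.3/32", "192.168.20.0/24"],
}
```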