WireGuard Settings
WireGuard Package Settings
The WireGuard package contains the following configurable options:
- Enable:
Controls whether or not the WireGuard service itself is enabled or disabled.
Note
The WireGuard service cannot be disabled when one or more tunnels is assigned to an interface via Interface Configuration.
- Keep Configuration:
Controls whether or not the tunnel/peer configurations and package settings will persist when the package is removed.
- Endpoint Hostname Resolve Interval:
Controls how often peer endpoint hostnames are resolved and updated by the WireGuard service. By default this is 300 seconds (5 minutes).
- Track System Resolve Interval:
This option overrides the Endpoint Hostname Resolve Interval setting and configures the WireGuard service to track and use the system Aliases Hostnames Resolve Interval.
- Interface Group Membership:
Controls which WireGuard tunnels are implicit members of the WireGuard interface group. By default this is All Tunnels.
Tip
See Rule Methodology for more on Interface Groups and Rule Processing Order.
- Hide Secrets:
Controls whether or not secrets (private and pre-shared keys) are hidden in the user interface.
Warning
Hide Secrets only hides secrets in the user interface. It does not obfuscate secrets for storage in the pfSense® software configuration file, config.xml. For more information on password storage and protecting configuration file backups see Password Storage Security Policies.
WireGuard Tunnel Settings
When creating or editing a WireGuard tunnel, the following options are available:
- Enable:
Controls whether or not this WireGuard tunnel is enabled or disabled.
Note
A WireGuard tunnel cannot be disabled while assigned as an interface.
- Description:
A short text description of this WireGuard tunnel.
- Listen Port:
The local port upon which this WireGuard tunnel will listen for incoming traffic from peers, and the port from which it will source outgoing packets. The default port is 51820; additional tunnels must use a different port.
Note
The GUI will automatically suggest the next highest available port.
- Interface Keys:
The private and public key pair for this WireGuard tunnel. The public key is derived from the private key and does not need to be entered separately. The GUI will display the public key automatically when possible. When entering a new private key manually, the public key will be available after saving the tunnel.
The private key stays only on this firewall; the public key is copied to peers.
A new set of keys can be generated with the Generate button.
Tip
Click Copy under the public key to copy it to the clipboard.
- Interface Addresses:
A list of IPv4 and/or IPv6 addresses which will be assigned to this WireGuard tunnel.
Note
Interface addresses are configured here only for WireGuard tunnels that are not assigned to an interface via Interface Configuration.
WireGuard Peer Settings
When creating or editing a WireGuard peer, the following options are available:
- Enable:
Controls whether or not this WireGuard peer is enabled or disabled.
- Tunnel:
Controls which WireGuard tunnel to associate with this peer. The default is Unassigned.
Tip
Peers can easily be staged or moved between tunnels using this option.
- Description:
A short text description of this peer.
- Dynamic Endpoint:
This option controls whether a WireGuard peer should be considered dynamic. Uncheck this option for a peer that has a fixed, static endpoint address or hostname.
- Endpoint:
The IP address or hostname of the remote WireGuard peer, from which the peer will connect to this firewall, and to which this WireGuard instance will send traffic destined for this peer.
This can be left empty if the peer endpoint is unknown, such as for dynamic remote access clients. When empty, the tunnel will track the endpoint dynamically based on the key used by the peer. Additionally, when empty, this firewall cannot initiate traffic on the tunnel to the peer until the remote peer sends traffic.
- Endpoint Port:
The port used by the peer for WireGuard traffic. The default port is 51820 if left empty.
Note
If the Endpoint is empty, this value is ignored.
- Keep Alive:
An interval, in seconds, at which an empty packet is sent to the peer to keep the session active. This can improve handling through stateful firewalls. Disabled by default.
- Public Key:
The public key of this peer.
- Pre-Shared Key:
An optional pre-shared key which provides an additional layer of symmetric-key cryptography on top of the public key cryptography for post-quantum resistance.
A new pre-shared key can be generated with the Generate button.
Tip
Click Copy under the public key to copy it to the clipboard.
- Allowed IPs:
List of networks on the peer side which the firewall can reach through this peer. For example, on a site-to-site VPN this would be the tunnel address of the peer and any LAN segments reachable via this peer.
When a tunnel has multiple peers this list allows WireGuard to determine which peer will receive traffic for destinations routed through the WireGuard interface.
The networks listed here are transformed into proper subnet start boundaries prior to validating and saving.
Warning
These networks cannot be duplicated between multiple peers on the same tunnel; they must be unique. Otherwise, only the last peer in the list will be configured properly.
Note
All traffic may be associated with a peer by using 0.0.0.0/0 for IPv4 or ::/0 for IPv6, but this won't work for a tunnel with multiple peers. Only the last peer in the list will be configured properly.
Note
Routes are not automatically created in the system routing table. Routes for networks other than the tunnel network itself must be configured separately using static or dynamic routes.
Tip
For those familiar with OpenVPN, the internal routing used by WireGuard is similar to iroute statements which associate remote networks with specific clients.
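The Allowed IPs rules above (start-boundary normalization, no duplicate networks across peers on one tunnel, no catch-all on a multi-peer tunnel) as an added example, not pfSense's own validation code: a small checker run over a constructed set of peers. Peer names and addresses are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed peers for one tunnel (names and addresses are made up for this
# example): peer description -> Allowed IPs exactly as typed into the GUI.
SAMPLE_PEERS = {
    "siteA": ["10.6.210.2", "192.168.50.9/24"],
    "siteB": ["10.6.210.3/32", "192.168.50.0/24"],
    "roadwarrior": ["0.0.0.0/0"],
}
CATCH_ALL = {"0.0.0.0/0", "::/0"}


def normalize_allowed_ips(entries):
    """Rewrite each entry to its subnet start boundary, as the GUI does before
    validating: 192.168.50.9/24 -> 192.168.50.0/24; a bare host gets /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False).with_prefixlen for e in entries]


def validate_tunnel_peers(peers):
    """Return the problems the page warns about for the peers of a single tunnel."""
    problems = []
    normalized = {name: normalize_allowed_ips(ips) for name, ips in peers.items()}
    owners = defaultdict(list)
    for name, nets in normalized.items():
        for net in nets:
            owners[net].append(name)
    # The same network on several peers: only the last peer would be configured.
    for net, names in owners.items():
        if len(names) > 1:
            problems.append(f"{net} is listed on multiple peers: {', '.join(names)}")
    # A catch-all on a tunnel with several peers has the same effect.
    if len(peers) > 1:
        for name, nets in normalized.items():
            for net in nets:
                if net in CATCH_ALL:
                    problems.append(f"{name} uses {net} on a tunnel with {len(peers)} peers")
    return problems


if __name__ == "__main__":
    for name, ips in SAMPLE_PEERS.items():
        print(name, normalize_allowed_ips(ips))
    for problem in validate_tunnel_peers(SAMPLE_PEERS):
        print("WARNING:", problem)
```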