Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

WireGuard Settings

WireGuard Tunnel Settings

When creating or editing a WireGuard tunnel, the following options are available:

Enabled

Controls whether or not this WireGuard instance is enabled or disabled.

Note

A WireGuard instance cannot be disabled while assigned as an interface.

Description

A short text description of this WireGuard instance.

Address

A comma-separated list of IPv4 and/or IPv6 addresses which will be assigned to this WireGuard interface.

Note

Use a subnet mask of sufficient size to contain all peers.

Listen Port

The local port upon which this WireGuard instance will listen for incoming traffic from peers, and the port from which it will source outgoing packets. The default port is 51820; each additional tunnel must use a different port. The GUI will automatically suggest the next highest available port.

Interface Keys

The private and public key pair for this WireGuard instance. The public key is derived from the private key and does not need to be entered separately. The GUI will display the public key automatically when possible. When entering a new private key manually, the public key will be available after saving the tunnel.

The private key stays only on this firewall; the public key is what gets copied to peers.

A new set of keys can be generated by clicking the Generate button.

Tip

Click Copy under the public key to copy it to the clipboard.

WireGuard Peer Settings

WireGuard peers are defined inside a tunnel entry. They control which remote hosts are allowed to connect to the VPN and how the firewall communicates with these peers.

When creating or editing a WireGuard peer, the following options are available:

Description

A short text description of this peer.

Endpoint

The IP address or hostname of the remote WireGuard peer, from which the peer will connect to this firewall, and to which this WireGuard instance will send traffic destined for this peer.

This can be left empty if the peer endpoint is unknown, such as for dynamic remote access clients. When empty, the tunnel will track the endpoint dynamically based on the key used by the peer. Additionally, when empty, this firewall cannot initiate traffic on the tunnel to the peer until the remote peer sends traffic.

Endpoint Port

The port used by the peer for WireGuard traffic. The default port is 51820 if left empty.

Note

If the Endpoint is empty, this value is ignored.

Keep Alive

An interval, in seconds, at which an empty packet is sent to the peer to keep the session active. This can improve handling through stateful firewalls. Disabled by default.

Public Key

The public key of this peer.

Allowed IPs

List of networks on the peer side which the firewall can reach through this peer. For example, on a site-to-site VPN this would be the tunnel address of the peer and the peer LAN subnet.

When a tunnel has multiple peers, this list allows WireGuard to determine which peer will receive traffic for destinations routed through the WireGuard interface.

The networks listed here are also set up for routing at the operating system level.

Warning

These networks cannot be duplicated between multiple peers; each network must be unique to one peer.

Note

All traffic may be associated with a peer by using 0.0.0.0/0 for IPv4 or ::/0 for IPv6, but this won’t work for a tunnel with multiple peers. Automatic operating system routes are not added for these default route style targets.

Tip

For those familiar with OpenVPN, the internal routing used by WireGuard is similar to iroute statements which associate remote networks with specific clients.
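The tunnel and peer settings above (Address mask covering all peers, unique Allowed IPs, default-route targets only on single-peer tunnels, the default Endpoint Port, and per-destination peer selection) can be checked mechanically. The following is an added example, not pfSense's own code or WireGuard's implementation: it parses a small wg-quick style configuration whose addresses and keys are constructed placeholders, applies those checks, and resolves which peer would receive a given destination by longest-prefix match over Allowed IPs. The overlap check it performs is slightly stricter than the warning above, since it flags any overlapping networks between peers, not only exact duplicates.

```python
"""Added example: consistency checks for a WireGuard tunnel definition.
Not pfSense code; the configuration below is constructed for illustration."""
import ipaddress

# Constructed sample in wg-quick style. Keys are placeholders, not real keys.
SAMPLE_CONF = """
[Interface]
Address = 10.6.210.1/24
ListenPort = 51820
PrivateKey = <FIREWALL-PRIVATE-KEY-PLACEHOLDER>

[Peer]
# Site B: static endpoint, tunnel address plus its LAN behind it
PublicKey = <SITE-B-PUBLIC-KEY-PLACEHOLDER>
Endpoint = 198.51.100.10:51820
AllowedIPs = 10.6.210.2/32, 192.168.20.0/24
PersistentKeepalive = 25

[Peer]
# Roaming client: endpoint unknown until it connects
PublicKey = <CLIENT-PUBLIC-KEY-PLACEHOLDER>
AllowedIPs = 10.6.210.3/32
"""


def parse_conf(text):
    """Minimal INI-style parser: one [Interface] section, zero or more [Peer]s."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return {"interface": interface, "peers": peers}


def _networks(field):
    """Turn a comma-separated address list into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in field.split(",") if s.strip()]


def check_conf(conf):
    """Return a list of problems; an empty list means the tunnel looks consistent."""
    problems = []
    iface_nets = _networks(conf["interface"].get("Address", ""))
    peers = conf["peers"]
    seen = []  # (peer index, network) already claimed by an earlier peer
    for i, peer in enumerate(peers):
        for net in _networks(peer.get("AllowedIPs", "")):
            is_host = net.prefixlen == net.max_prefixlen
            # Heuristic for "mask of sufficient size to contain all peers":
            # a host-sized Allowed IP is treated as the peer's tunnel address.
            if is_host and not any(net.subnet_of(n) for n in iface_nets
                                   if n.version == net.version):
                problems.append(f"peer {i}: tunnel address {net} is outside "
                                f"the interface Address network(s)")
            if net.prefixlen == 0 and len(peers) > 1:
                problems.append(f"peer {i}: {net} as Allowed IPs only works "
                                f"on a single-peer tunnel")
            for j, other in seen:
                if other.version == net.version and other.overlaps(net):
                    problems.append(f"peer {i}: {net} overlaps {other} on "
                                    f"peer {j}; Allowed IPs must be unique")
            seen.append((i, net))
    return problems


def endpoint_for(peer, default_port=51820):
    """Resolve (host, port) for a peer; None when the endpoint is dynamic."""
    ep = peer.get("Endpoint")
    if not ep:
        return None  # firewall must wait for the peer to send first
    if ep.startswith("["):  # [IPv6]:port form
        host, _, port = ep[1:].partition("]")
        port = port.lstrip(":")
    elif ep.count(":") == 1:
        host, _, port = ep.partition(":")
    else:
        host, port = ep, ""
    return host, (int(port) if port else default_port)


def route_to_peer(conf, destination):
    """Longest-prefix match over all peers' Allowed IPs (cryptokey routing)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for peer in conf["peers"]:
        for net in _networks(peer.get("AllowedIPs", "")):
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, peer.get("PublicKey"))
    return best[1] if best else None


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("problems:", check_conf(conf) or "none")
    print("192.168.20.5 ->", route_to_peer(conf, "192.168.20.5"))
```

Running the script on the sample reports no problems and routes 192.168.20.5 to the Site B peer; editing the client peer's Allowed IPs to also include 192.168.20.0/24 reproduces the duplicate-network situation the warning above describes.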

Peer WireGuard Address

If present, this may be used by functionality which requires knowledge of the WireGuard tunnel address of the peer. For example, when assigning a WireGuard tunnel as an interface (Assign a WireGuard Interface), this value can be selected for use as the automatic interface gateway.

Note

This does not affect the underlying WireGuard peer configuration.

This is necessary since the Allowed IPs list may not necessarily contain the specific remote peer address, and features such as automatic gateways and configuration export may need to know this address.

Pre-Shared Key

An optional pre-shared key which provides an additional layer of symmetric-key cryptography on top of the public key cryptography, for post-quantum resistance.