In this post I will explain how to setup WireGuard on your pfsense router. Your pfsense router will be the WireGuard server and I’ll show a couple example client configurations at the end.

Installing WireGuard on pfsense

  • pfsense version 2.5.2
  • WireGuard version 0.1.5

Navigate to System > Package Manager > Available Packages

Search for WireGuard and Install.

Configuring WireGuard Server

Create Tunnel

Navigate to VPN > WireGuard

Create a tunnel by clicking Add Tunnel

  • Disable Tunnel
  • Add a Description
  • Change the listen port or leave at default of 51820
  • Generate New Keys
  • Copy Public Key, you’ll need it later when configuring a client

Click Save Tunnel

Configure Interface and Enable Tunnel

Navigate to Interfaces > Assignments

On the Available Network Ports row, select the tun_wg0 interface and click add.

  • Enable Interface
  • Add a Description
  • Static IPv4
  • IPv6: None (unless preferred)
  • IPv4 Address: Choose an IPv4 Address and Subnet Mask

Click Save

Navigate to VPN > WireGuard

Click Edit on your new tunnel and enable the tunnel

Configure Firewall

Navigate to Firewall > Rules

Create a new WAN Rule

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: UDP
  • Source: any
  • Destination: WAN Address
  • Destination Port Range: 51820
  • Log Packets, if preferred
  • Add a description
  • Tag: vpn (if desired, not used but could be in other rules)

Click Save

Create a new VPN Rule (VPN is the name of the interface)

  • Action: Pass
  • Interface: VPN
  • Address Family: IPv4
  • Protocol: Any
  • Source: any
  • Destination: LAN net

Click Save

Repeat the VPN rules to allow all desired access

Configuring a Client

I will use a CentOS Stream system for this example but any client can be used the configuration is the same, installations will differ though.

Install WireGuard

WireGuard Installation

For CentOS I followed Method 2

sudo yum install elrepo-release epel-release
sudo yum install kmod-wireguard wireguard-tools

Key Generation

Once installed you can follow these instructions to generate a key Key Generation

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Your private key is stored in a file ‘privatekey’, use this in the next step Your public key is stored in a file ‘publickey’, use this when adding the peer in pfsense later

Interface Config File

vim /etc/wireguard/wg0.conf
PrivateKey = YLzz2QbAowMXx913RyXsr33FVlcNZ+wx96vVKtdL9nk= (privatekey generated in previous step)
Address = IP Address assigned to this client in VPN Subnet

PublicKey = iQSIKmjCbWR57bu0kk774Sg03t80dRyV64UXIv2ADFY= (public key generated during tunnel creation)
AllowedIPs = (Any Subnets you want this client to route through the VPN Tunnel, can use if you want all traffic routed through VPN)
EndPoint = (PFsense Router WAN IP Address or DNS Name and Wirguard Port configured on tunnel)

Adding a Peer

Descriptions on the configurations below can be found here

Navigate to VPN > WireGuard > Peers

Add Peer

  • Enable Peer
  • Select the tunnel we created
  • Add a description of the peer
  • Public Key generated on client during configuring a client
  • Allowed IPs should be the Interface Address from the client.

The Allowed IPs is what was a source of confusion for me when setting up the WireGuard Server. I couldn’t have more than one peer and it was due to setting the allowed IPs to for both peers. Remember the Allowed IPs are what traffic is routed through the tunnel, you can’t have 2 default routes in this case.

Click Save Peer

Testing Client

On your client run the following command

wg-quick up wg0

You should see some routes created

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add dev wg0

You should now be able to test connectivity by pinging your WireGuard tunnel interface IP Address This was set when the interface was assigned and you chose your WireGuard subnet Configure Interface

To ensure the interface is configured at startup after any reboots use the following command

systemctl enable wg-quick@wg0