Setting Up WireGuard VPN on pfSense: A Comprehensive Guide
This guide provides step-by-step instructions for configuring WireGuard VPN on a pfSense router, including detailed explanations of each configuration step.
Created 6/4/25 by Andrae
Prerequisites
- pfSense version 2.5.2 or newer
- Administrative access to the pfSense web interface
- Basic understanding of networking concepts
Step 1: Install the WireGuard Package
- Log in to the pfSense web interface.
- Navigate to System > Package Manager > Available Packages.
- Search for WireGuard and click Install.
- Wait for the installation to complete.
Step 2: Create a WireGuard Tunnel
- Go to VPN > WireGuard.
- Click Add Tunnel.
- Configure the tunnel:
- Enable: Checked
- Description: e.g., WireGuard VPN
- Listen Port: 51820 (default)
- Interface Keys: Click Generate to create a key pair. The public key shown here is what every client pastes into its [Peer] section; the private key stays on pfSense and is never given to clients.
- Tunnel Address: e.g., 10.0.0.1/24
- Click Save.
Note: The Tunnel Address defines the internal IP range for the VPN tunnel and is used by WireGuard to route traffic between peers.
Step 3: Enable the WireGuard Service
- In the WireGuard section, click on the Settings tab.
- Check Enable WireGuard.
- Click Save and then Apply Changes.
Step 4: Assign the WireGuard Interface
- Navigate to Interfaces > Assignments.
- Find the newly created WireGuard interface (e.g., tun_wg0) and click Add.
- Click on the new interface (e.g., OPT1) to configure it:
- Enable: Checked
- Description: e.g., WG_VPN
- IPv4 Configuration Type: Static IPv4
- IPv4 Address: e.g., 10.0.0.1/24 (the same address used as the Tunnel Address in Step 2)
- MTU: 1420 (recommended)
- Click Save and then Apply Changes.
Clarification: Assigning a static IP ensures consistent routing and firewall rule application, which are crucial for stable VPN operation. WireGuard does not support DHCP for its virtual interfaces.
Step 5: Configure Firewall Rules
Allow WireGuard Traffic on WAN
- Navigate to Firewall > Rules > WAN.
- Click Add to create a new rule:
- Action: Pass
- Protocol: UDP
- Destination: WAN address
- Destination Port Range: 51820 (the Listen Port from Step 2)
- Description: e.g., Allow WireGuard
- Click Save and then Apply Changes.
Allow Traffic from WireGuard Clients
- Navigate to Firewall > Rules > [WireGuard Interface] (e.g., WG_VPN).
- Click Add to create a new rule:
- Action: Pass
- Protocol: Any
- Source: 10.0.0.0/24
- Destination: Any
- Description: e.g., Allow WireGuard Clients
- Click Save and then Apply Changes.
Clarification: The Source refers to the IP addresses assigned to VPN clients within the tunnel network. For instance, if your tunnel network is 10.0.0.0/24 and you have assigned 10.0.0.2/32 to a client, you would set the source as 10.0.0.0/24 to encompass all potential client IPs. Be aware that Destination: Any combined with Protocol: Any lets VPN clients reach every network pfSense is attached to, including the WAN (for full-tunnel clients) and any other internal segments. For remote-access users who only need a few internal services, restrict Destination to LAN net or to the specific hosts and ports instead; rules on this interface are evaluated top-down and the first match wins, so put the most specific pass rules first.
Step 6: Add WireGuard Peers (Clients)
For each client device:
- Navigate to VPN > WireGuard.
- Click Edit on your tunnel.
- Scroll to the Peers section and click Add Peer.
- Configure the peer:
- Enable: Checked
- Description: e.g., Client Device
- Public Key: The client's public key (copied from the client; the client's private key should never be entered here)
- Pre-shared Key: optional; if you generate one, the same value must be placed in the client's [Peer] section as PresharedKey
- Allowed IPs: e.g., 10.0.0.2/32
- Persistent Keepalive: 25 (optional, helps with NAT traversal)
- Click Save and then Apply Changes.
Clarification: The Allowed IPs setting in WireGuard serves dual purposes:
- Routing: Determines which destination IP addresses are sent to this peer through the tunnel (longest matching prefix wins when several peers overlap).
- Access Control: Specifies which source IP addresses this peer is allowed to use; a decrypted packet whose inner source address is outside the peer's Allowed IPs is dropped.
It’s crucial to assign unique IPs to each peer to prevent routing conflicts: if two peers are given the same Allowed IPs entry, only one of them will actually receive traffic for that address.
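To make the two roles of Allowed IPs concrete, here is an added Python example (not code from this guide or from pfSense) that models a tunnel's peer table as WireGuard's cryptokey routing table: it reports Allowed IPs entries that overlap between peers, answers which peer a destination address is routed to, and checks whether a packet from a given peer is accepted based on its source address. It also shows the full-tunnel versus split-tunnel difference that the client's own AllowedIPs setting produces. The peer names, the 10.0.0.x addresses, the hypothetical branch peer with 192.168.50.0/24 behind it, and the client-side split-tunnel ranges are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data (not from the guide): the peer list on the pfSense
# tunnel after Step 6, keyed by peer Description. Each list is that peer's
# Allowed IPs (its cryptokey-routing entries); public keys are omitted.
PFSENSE_PEERS: Dict[str, List[str]] = {
    "laptop": ["10.0.0.2/32"],
    "phone": ["10.0.0.3/32"],
    # hypothetical site-to-site peer that also fronts a remote LAN
    "branch": ["10.0.0.10/32", "192.168.50.0/24"],
}

# The same table as seen from a client, whose only peer is pfSense.
CLIENT_FULL_TUNNEL = {"pfsense": ["0.0.0.0/0"]}
CLIENT_SPLIT_TUNNEL = {"pfsense": ["10.0.0.0/24", "192.168.1.0/24"]}


def _as_networks(peers: Dict[str, List[str]]):
    return {name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in peers.items()}


def check_conflicts(peers: Dict[str, List[str]]) -> List[str]:
    """Return every Allowed IPs prefix that overlaps a prefix on another peer.

    WireGuard resolves an overlap by longest prefix, and an exact duplicate
    is reassigned to whichever peer was configured last, so a client can
    silently lose its route. Treat any overlap as a configuration error.
    """
    table = _as_networks(peers)
    names = list(table)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in table[a]:
                for nb in table[b]:
                    if na.overlaps(nb):
                        problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def route_to_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound (routing) use of Allowed IPs: which peer receives a packet
    for dst? Longest-prefix match across all peers. None means no peer may
    receive that destination, so WireGuard drops it; on a client this is
    exactly the traffic that stays outside the tunnel in a split-tunnel setup."""
    addr = ipaddress.ip_address(dst)
    best_name, best_net = None, None
    for name, nets in _as_networks(peers).items():
        for net in nets:
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_name, best_net = name, net
    return best_name


def accept_from_peer(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound (access-control) use of Allowed IPs: a decrypted packet that
    authenticated as `peer` is delivered only if its inner source address is
    inside that peer's Allowed IPs. This is what stops one client from
    spoofing another client's tunnel address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _as_networks(peers)[peer])


if __name__ == "__main__":
    print("conflicts:", check_conflicts(PFSENSE_PEERS))
    print("192.168.50.7 ->", route_to_peer(PFSENSE_PEERS, "192.168.50.7"))
    print("laptop claiming 10.0.0.3 accepted:",
          accept_from_peer(PFSENSE_PEERS, "laptop", "10.0.0.3"))
    print("8.8.8.8 via split tunnel ->", route_to_peer(CLIENT_SPLIT_TUNNEL, "8.8.8.8"))
```

Run `check_conflicts` over your own peer list whenever you add a peer; it is the check pfSense's GUI does not do for you, and it catches the case where a copied peer entry reuses an existing 10.0.0.x/32.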
Step 7: Configure Outbound NAT (if necessary)
If you want WireGuard clients with a full-tunnel configuration (AllowedIPs = 0.0.0.0/0) to reach the internet through the VPN, their traffic must be translated to the WAN address. Because the WireGuard interface was assigned a static address in Step 4, Automatic outbound NAT normally already generates a rule for 10.0.0.0/24; check Firewall > NAT > Outbound first and add a rule only if it is missing:
- Navigate to Firewall > NAT > Outbound.
- Select Hybrid Outbound NAT rule generation (keeps the automatic rules and lets you add your own) and click Save.
- Click Add to create a new rule:
- Interface: WAN
- Source: 10.0.0.0/24
- Translation Address: Interface Address
- Click Save and then Apply Changes.
Step 8: Configure DNS (optional)
To let VPN clients resolve names through the pfSense DNS Resolver (Unbound):
- Navigate to Services > DNS Resolver.
- Under Network Interfaces, make sure the WireGuard interface (e.g., WG_VPN) is selected, or leave the default of All, so the resolver listens on 10.0.0.1.
- Click Save and then Apply Changes.
- Confirm that the firewall rule on the WireGuard interface (Step 5) permits UDP and TCP port 53 from the tunnel network to the resolver address; the Allow WireGuard Clients rule above already does.
- In each client configuration, set DNS to the tunnel address (10.0.0.1) or to the LAN address of pfSense (e.g., 192.168.1.1).
Note: The DNS servers listed under System > General Setup are the upstream servers pfSense itself forwards to; they are not what VPN clients query, so do not point that list at 10.0.0.1.
Step 9: Configure WireGuard Client (macOS Example)
- Download and install the official WireGuard app from the Mac App Store.
- Open the WireGuard app on your Mac.
- Click the “+” button and select “Add Empty Tunnel”.
- The app will generate a new private key and public key.
- Assign a unique IP address to your Mac within the VPN tunnel’s subnet (e.g., 10.0.0.2/24). This must be the address you entered as Allowed IPs for this peer on pfSense in Step 6.
- Set the DNS server to your pfSense router’s LAN IP (e.g., 192.168.1.1) or another preferred DNS server.
Your configuration should look like:
```ini
[Interface]
PrivateKey = <Your Mac's Private Key>
Address = 10.0.0.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = <pfSense WireGuard Public Key>
Endpoint = <Your pfSense Public IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
- Replace <Your Mac's Private Key> with the private key generated by the app.
- Replace <pfSense WireGuard Public Key> with the public key from your pfSense WireGuard tunnel configuration (Step 2, Interface Keys).
- Replace <Your pfSense Public IP> with your pfSense router’s public IP address or dynamic DNS hostname.
Clarification: Each client device should have its own unique peer configuration with distinct keys and IP addresses. Sharing a peer configuration among multiple devices can lead to connection instability and security risks.
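As an added example (not the guide's or the WireGuard project's code), the following Python script does on a workstation what Step 9 and the clarification above prescribe by hand: it generates a separate X25519 key pair for every device, hands each device a unique tunnel address, writes that device's [Interface]/[Peer] file, and emits the matching pfSense peer entry (public key plus /32 Allowed IPs) from Step 6, so the private key only ever appears in its own device's file. The X25519 routine is a plain-Python transcription of RFC 7748 included only so the script runs without extra packages; it is not constant-time, so generate real keys with `wg genkey` or the app. The device names, the vpn.example.net endpoint, the 192.168.1.0/24 LAN used for the split-tunnel variant, and the pfSense public key (generated here instead of read from Step 2) are assumptions.

```python
import base64
import ipaddress
import secrets
from typing import Dict, List, Optional, Tuple

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 Montgomery ladder exactly as written in RFC 7748 section 5.

    Pure-Python reference so the example has no dependencies. Not
    constant-time: use `wg genkey` or the WireGuard app for real keys."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (private, public) in the base64 form WireGuard configs use."""
    priv = priv or secrets.token_bytes(32)
    return (base64.b64encode(priv).decode(),
            base64.b64encode(x25519(priv, BASEPOINT)).decode())


def public_from_private(priv_b64: str) -> str:
    """What the app does when it shows the public key to paste into pfSense."""
    return keypair(base64.b64decode(priv_b64))[1]


def build_configs(devices: List[str], server_pub: str, endpoint: str,
                  tunnel: str = "10.0.0.0/24", dns: str = "192.168.1.1",
                  lan: str = "192.168.1.0/24", full_tunnel: bool = True
                  ) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """One peer per device: a fresh key pair and a unique tunnel address each.

    Returns (client_config_text_by_device, pfsense_peer_entries). The pfSense
    entries carry only the public key and a /32 Allowed IPs, as in Step 6."""
    net = ipaddress.ip_network(tunnel)
    hosts = net.hosts()
    next(hosts)  # the first host (10.0.0.1) is pfSense's own tunnel address
    allowed = "0.0.0.0/0" if full_tunnel else f"{net}, {lan}"  # full vs split
    clients, peers = {}, []
    for name in devices:
        priv, pub = keypair()
        addr = next(hosts)
        clients[name] = "\n".join([
            "[Interface]",
            f"PrivateKey = {priv}",
            f"Address = {addr}/{net.prefixlen}",
            f"DNS = {dns}",
            "",
            "[Peer]",
            f"PublicKey = {server_pub}",
            f"Endpoint = {endpoint}",
            f"AllowedIPs = {allowed}",
            "PersistentKeepalive = 25",
            "",
        ])
        peers.append({"description": name, "public_key": pub,
                      "allowed_ips": f"{addr}/32"})
    return clients, peers


if __name__ == "__main__":
    # pfSense's own pair comes from "Interface Keys: Generate" in Step 2;
    # it is generated here only so the example is self-contained.
    _, pfsense_pub = keypair()
    configs, peers = build_configs(["laptop", "phone"], pfsense_pub,
                                   "vpn.example.net:51820")
    print(configs["laptop"])
    for entry in peers:
        print(entry)
```

Each printed peer entry maps directly onto the Step 6 form (Description, Public Key, Allowed IPs), and each client file is what the macOS app expects when you choose Add Empty Tunnel and paste; passing `full_tunnel=False` produces the split-tunnel AllowedIPs line described in the notes below.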
Step 10: Test the VPN Connection
- Activate the VPN Connection on Your Client Device: Open the WireGuard application on your client device and toggle the switch to activate the VPN tunnel.
- Verify the Connection:
- Check the Status: In the WireGuard app, ensure that the connection status indicates an active tunnel.
- Ping the pfSense Router: Open a terminal or command prompt on your client device and run:
```shell
ping 10.0.0.1
```
This tests connectivity to the pfSense router’s WireGuard interface.
- Check the Handshake on pfSense: Navigate to Status > WireGuard. The peer should show a recent Latest Handshake and increasing transfer counters. If no handshake ever appears, the problem lies before routing: the WAN rule, the Endpoint, or a mismatched key.
- Access Internal Resources: Attempt to access internal network resources, such as shared folders or internal websites, to confirm proper routing.
- Check Public IP Address: Visit https://whatismyipaddress.com to verify that your public IP address matches your home network’s IP, confirming that internet traffic is routed through the VPN.
Additional Notes and Clarifications
- One Peer per Client Device: It’s recommended to create a unique peer configuration for each client device. Sharing a peer among multiple devices can lead to connection instability and security concerns.
- Static IP Assignment: WireGuard operates at Layer 3 and doesn’t support DHCP. Assigning static IP addresses ensures consistent routing and firewall rule application.
- Allowed IPs Configuration: In the client configuration, setting AllowedIPs = 0.0.0.0/0 routes all traffic through the VPN (full tunnel). To route only specific traffic (split tunnel), specify the desired IP ranges instead (e.g., 10.0.0.0/24, 192.168.1.0/24); anything outside those ranges then leaves the client unencrypted over its normal connection.
- MTU Settings: The recommended MTU for WireGuard interfaces is 1420 bytes. This leaves room for the outer IP, UDP, and WireGuard headers inside a standard 1500-byte path, avoids fragmentation, and ensures optimal performance.
- DNS Resolution: Ensure that the DNS server specified in the client configuration is accessible through the VPN tunnel. This allows for proper domain name resolution when connected.
Troubleshooting Tips
- No Internet Access: Verify that outbound NAT rules are correctly configured to allow VPN clients to access the internet.
- Cannot Access Internal Resources: Ensure that firewall rules on the WireGuard interface permit traffic to the internal network.
- Connection Drops: Setting PersistentKeepalive = 25 in the client configuration can help maintain the connection, especially when the client is behind NAT.
- No Handshake: If Status > WireGuard on pfSense never shows a Latest Handshake for the peer, check that the WAN rule allows UDP 51820, that the client’s Endpoint is the correct public address or hostname, and that the public key entered for the peer on pfSense is the client’s (not the pfSense) public key.
- DNS Issues: Confirm that the DNS server specified is reachable and correctly configured to handle queries from VPN clients.
For more detailed information and advanced configurations, refer to the official pfSense documentation: WireGuard on pfSense