VPN WireGuard on pfSense

There are times we need to access our cluster but we are not on site. The only safe way is to use a VPN of some sort; I use WireGuard and #Cloudflare #Tunnels. This is how to set up #WireGuard on #pfSense. #vpn #roadwarrior


Initial stage

You need a working pfSense box or VM (see the separate post on setting up a virtual pfSense).

Update pfSense, then install the WireGuard package from System > Package Manager.

Configuration of the Server

In the VPN menu on pfSense, open the WireGuard tab and create a new Tunnel. Write a description so a future you knows what it is, pick a Listen Port (51820 is the WireGuard default, but any free UDP port works) and click Generate to create the tunnel's Key Pair; the tunnel's public key is what every peer will need later. You can have many Tunnels, and a Tunnel can have many Peers.

Save the tunnel and go back to the WireGuard tunnel list; the new tunnel now shows its interface name (tun_wg0 for the first tunnel). We will return to set up the Peers.

Firewall Rules for WireGuard on pfSense

We need to set up rules for WireGuard traffic. First go to Interfaces > Interface Assignments and add your tunnel; it gets the next free OPT name (OPT10 in my case). Open the new interface, enable it, set IPv4 Configuration Type to Static IPv4 and give it the pfSense end of the VPN network (for example 192.0.2.1/24 if the tunnel network is 192.0.2.0/24), and set the MTU to 1420 (WireGuard's default, which leaves room for the 60 to 80 byte WireGuard/UDP overhead inside a 1500 byte WAN MTU; 1440 also works when the outer path is IPv4 only).

Now that the WireGuard tunnel and its interface exist, we need two firewall rules: one on the WG interface (what VPN clients may reach) and one on WAN (to let the WireGuard handshake in on UDP port 51820, or whatever port you chose).

Rule - WG Interface

Add a new rule on the WG interface: leave Address Family as IPv4, set Protocol to Any, Source to the WG interface network and Destination to the networks the VPN clients actually need. Write a description.
Save and Apply the new firewall rule.

Do not use Destination any: it is better to name MGMT-network or SRV-network than to make a wide-open rule that lets any dialed-in device reach every network behind pfSense, including the internet through your WAN.

Rule - WAN Interface

Leave the Address Family as IPv4, set Protocol to UDP, Source to any, Destination to WAN address and the destination port range from 51820 to 51820 (or your chosen port). Save and Apply the new firewall rule. Without this rule the handshake packets are dropped at the WAN and the client simply never connects.

WireGuard Peer Configuration

You need to install the WireGuard app on every device you want to be able to dial in to your HomeLab, and to create a Peer entry for each of them on the WireGuard server.

Your Device(s) the Peers

For the WireGuard Peer setup you need the Public Key of the peer you are setting up. The Peer can be almost anything: a Mac, a Linux workstation, a Windows PC, or even an iOS or Android device. The process is the same: set up the interface (and generate the key pair) on that device first, then create the Peer on pfSense.
Allowed IPs is set according to your network: for a road-warrior device use only that peer's tunnel address as a /32, e.g. 192.0.2.10/32. A whole network such as 192.0.2.0/24 is only right when the peer is a gateway for that network behind it; WireGuard routes to a peer by its Allowed IPs, so a /24 on one peer claims the addresses of every other peer. Add any other networks that peer routes for, and a description for each.

Remember to click Generate for a new Pre-shared Key, and copy the same key into the peer's configuration: the PSK must be identical on both ends or the handshake fails.

iOS: install the WireGuard app from the App Store and add a Tunnel from the +. You can scan a QR code, import a file, or do it the hard way by hand. A QR code is better than a file, and typing keys by hand is not my cup of tea.

Give it a name and create the Key Pair, then copy the public key into the peer entry in WG on pfSense. Set the IP address (the tunnel address you gave this peer in Allowed IPs) and, if you like, the DNS server.

After testing, generate a Pre-shared Key for extra security (it mixes a symmetric secret into the handshake) and enter the same key in both the pfSense peer entry and the device's configuration.
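The same peer setup for a Linux or Mac road warrior, as an added example that is not part of the original post: it generates the device's key pair and PSK with wg(8), writes a split-tunnel wg0.conf whose AllowedIPs match the restricted WG-interface rule, prints the values that go into the pfSense peer entry, and checks the handshake afterwards. Everything but the port and the 192.0.2.x tunnel range is an assumption for illustration: the WAN name vpn.example.com, the MGMT and SRV networks 10.0.10.0/24 and 10.0.20.0/24, the resolver 10.0.10.53, and the placeholder for the pfSense tunnel public key.

```shell
#!/bin/sh
# Added example, not from the original post. Onboards one road-warrior peer
# for a pfSense WireGuard tunnel and verifies the handshake.
# Assumptions (not from the page): vpn.example.com, the 10.0.10.0/24 (MGMT)
# and 10.0.20.0/24 (SRV) networks, the resolver 10.0.10.53, the placeholder
# pfSense public key. Requires wg(8); qrencode is optional.
set -eu

WG_PORT=51820                                            # tunnel Listen Port on pfSense
WG_ENDPOINT="vpn.example.com"                            # assumption: WAN name of pfSense
WG_PFSENSE_PUB="REPLACE_WITH_PFSENSE_TUNNEL_PUBLIC_KEY"  # from VPN > WireGuard > Tunnels
PEER_ADDR="192.0.2.10/32"                                # this peer's tunnel address
PEER_DNS="10.0.10.53"                                    # assumption: internal resolver
# Split tunnel: only MGMT, SRV and the tunnel network itself go through the VPN.
# This mirrors the WG-interface rule, which should name those networks, not "any".
ALLOWED_NETS="10.0.10.0/24, 10.0.20.0/24, 192.0.2.0/24"

# Render the client-side wg-quick config as text. $1 = private key, $2 = PSK.
render_client_conf() {
    priv="$1"; psk="$2"
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$priv"
    printf 'Address = %s\n' "$PEER_ADDR"
    printf 'DNS = %s\n' "$PEER_DNS"
    printf '\n[Peer]\n'
    printf 'PublicKey = %s\n' "$WG_PFSENSE_PUB"
    printf 'PresharedKey = %s\n' "$psk"        # must be the same key entered on pfSense
    printf 'Endpoint = %s:%s\n' "$WG_ENDPOINT" "$WG_PORT"
    printf 'AllowedIPs = %s\n' "$ALLOWED_NETS"
    printf 'PersistentKeepalive = 25\n'        # keeps the NAT mapping open behind home routers
}

# Generate keys with wg, write the config and print the pfSense peer values.
make_peer() {
    out="${1:-wg0.conf}"
    umask 077                                  # the file contains a private key
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    psk=$(wg genpsk)
    render_client_conf "$priv" "$psk" > "$out"
    printf 'Wrote %s\n' "$out"
    printf 'pfSense peer > Public Key:     %s\n' "$pub"
    printf 'pfSense peer > Pre-shared Key: %s\n' "$psk"
    printf 'pfSense peer > Allowed IPs:    %s   (this device only, /32)\n' "$PEER_ADDR"
    if command -v qrencode >/dev/null 2>&1; then
        qrencode -t ansiutf8 < "$out"          # phones scan this instead of typing keys
    fi
}

# After `wg-quick up wg0`, feed `wg show wg0 latest-handshakes` (lines of
# "<pubkey><tab><epoch>", 0 = never) on stdin with the current epoch as $1.
# Succeeds only if every peer handshook within 180 s. A 0 or stale value
# means the WAN rule is missing or the keys/PSK do not match both ends.
handshakes_fresh() {
    now="$1"; ok=1
    while read -r peer ts; do
        [ -n "$peer" ] || continue
        ts="${ts:-0}"
        if [ "$ts" -eq 0 ] || [ $((now - ts)) -gt 180 ]; then
            printf 'peer %s: no recent handshake (last=%s)\n' "$peer" "$ts" >&2
            ok=0
        fi
    done
    [ "$ok" -eq 1 ]
}

# Usage: ./wg-peer.sh --make [wg0.conf]
#        wg show wg0 latest-handshakes | ./wg-peer.sh --check
case "${1:-}" in
    --make)  make_peer "${2:-wg0.conf}" ;;
    --check) handshakes_fresh "$(date +%s)" && echo "tunnel up" ;;
esac
```

On the pfSense side the matching peer entry uses the printed public key, the same PSK and Allowed IPs 192.0.2.10/32. If `--check` reports no recent handshake, test the WAN rule first (a UDP packet to port 51820 must reach pfSense), then compare the keys; WireGuard gives no error message for a mismatch, it just stays silent.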