WireGuard VPN is a new, robust and very fast protocol for creating virtual private networks; we have already seen how it can double and even triple the speed of OpenVPN or IPsec.
This new VPN protocol is ideal for configuring remote access for mobile clients, whether smartphones, tablets or laptops, because it consumes very few resources and the connection is really fast.
How to Configure a WireGuard VPN Server in pfSense
The pfSense operating system has officially integrated this new VPN in version 2.5.0, alongside IPsec, L2TP and OpenVPN. Today we will show you how to configure WireGuard VPN from scratch in pfSense 2.5.0 for remote connections.
WireGuard VPN features
WireGuard VPN is very lightweight software that lets us configure a VPN tunnel quickly and easily. It uses up-to-date cryptography without making us choose between different symmetric, asymmetric or hash algorithms: unlike other VPN protocols, it is secure by default.
WireGuard aims to become the best VPN for home and business users, and it is succeeding because it has already been integrated into the Linux kernel to provide the best possible performance.
As for the cryptography used, we have ChaCha20 for symmetric encryption, authenticated with Poly1305, so we have AEAD. It also uses Curve25519 for ECDH, BLAKE2 for hashing, SipHash24 for hashtable keys and HKDF for key derivation.
As you can see, the most modern cryptographic algorithms are used by default, and at present we cannot swap them for others: they are mandatory.
With this new VPN we do not have to manage connections or perform complicated configurations. It only works in tunnel mode, because it is an L3 VPN, and it uses UDP as the transport; it does not allow you to choose TCP.
Of course, the WireGuard server can be behind NAT without any problem; only a port forward is needed. Other interesting features include fast, seamless roaming between networks, so it is always possible to connect from any WiFi or 4G/LTE network without interrupting the connection. In addition, we can also enable a Kill-Switch to prevent data leaks if the VPN goes down.
Finally, this new VPN is compatible with multiple operating systems such as Windows, Linux, macOS, FreeBSD, Android and also iOS.
The pfSense 2.5.0 development team has now integrated WireGuard into the system by default; we could have installed it before, but without official support.
WireGuard VPN server configuration
Before the release of pfSense 2.5.0, if we wanted WireGuard on this firewall we had to install it manually by downloading some FreeBSD-compatible packages.
Thanks to the pfSense development team, it has been integrated into the graphical user interface by default since version 2.5.0.
The first thing we need to do is go to VPN / WireGuard to enter the configuration for this new VPN protocol. Once in the menu, click on «Add tunnel».
In the tunnel configuration, we must enable the tunnel, give it a description, and fill in the following:
- Address: the IPv4 or IPv6 address of the VPN server on the tunnel interface.
- Port: by default it is 51820 UDP, but we can change it to any UDP port.
pfSense includes a public/private key generator for the WireGuard VPN server. Our recommendation is to generate a key pair for the VPN client first, then click “Generate” again, so that the second pair generated becomes the VPN server keys.
For example, the following keys are the ones we will use later in the VPN client. Keep them in Notepad or Notepad++ while you build the configuration.
To make it easier to configure WireGuard with public and private keys, you can also use the wireguardconfig tool, which generates both the server and client configurations automatically; you can then customize them in pfSense.
The second pair generated is the WireGuard VPN server's own keys.
Once we have the keys, click “Save” and the VPN server is created with the previous configuration:
Once we have it, we now need to register “peers”, i.e. the VPN clients. Go back to the WireGuard server configuration and click on the green “Add Peer” button. Here we will have to fill in some settings, but not all of them are required.
We will now explain what each of the options is for:
- Description: a description for this client, such as its name.
- Endpoint: the public IP address of the VPN client.
- Endpoint port: the port of the VPN client.
If you are going to configure a VPN client whose public IP address and port change, you must leave “Endpoint” and “Endpoint Port” blank. These options must be filled in if you are configuring a Site-to-Site VPN, but they are not needed for remote access (road warrior).
- Keep alive: a value in seconds; every that many seconds a packet is sent to check whether the tunnel is still active. It is disabled by default.
Now come the most important settings:
- Public key: the public key of the VPN client. You have already seen how it is generated for the client; we paste that public key here.
- Allowed IPs: if we want Internet traffic redirected and access to all networks, we enter 0.0.0.0/0. Most commonly, remote-access VPN clients reach the Internet through the VPN itself, but here we can also grant access to specific networks only.
- Peer WireGuard Address: the IP address of the registered peer.
- Pre-shared key: optional; you can add a pre-shared key to further increase security.
In our case we did not enter a pre-shared key, but if you do, it must be exactly the same in pfSense and in the VPN client, and it must be generated with the blue button in pfSense. For example, we cannot use the pre-shared key “12345678”; we need to use the pfSense generator.
Once we have correctly configured the WireGuard VPN server in pfSense 2.5.0, we will configure the firewall, because by default it blocks everything.
Firewall configuration in WAN and WireGuard
Before connecting the first VPN client, go to “Firewall / Rules” and add a new rule on the WAN (Internet) interface with the following information:
- Action: Pass
- Interface: WAN
- Address family: IPv4, IPv6, or both
- Protocol: UDP
- Source: any (if you plan to set up a Site-to-Site tunnel with WireGuard, you can enter the remote public IP address here as the source to improve security).
- Destination: WAN address on port 51820
After configuring it, click «Save» to save the rule and apply the changes, as always when adding a new firewall rule.
Once this is done, go to the «WireGuard» interface that was created automatically in the «Firewall / Rules» section. Here we can allow all communication once a client is connected, or only what we want, just as with OpenVPN or IPsec.
In the following configuration you can see that we have a rule with these settings:
- Action: Pass
- Interface: WireGuard
- Address family: IPv4, IPv6, or both
- Protocol: any
- Source: any
- Destination: any
Click “Save” and apply the changes as usual. At this point we are ready to configure VPN clients with WireGuard.
Configure WireGuard VPN clients and connect to pfSense
The configuration of WireGuard VPN clients is the same on all platforms; we need exactly the same information. In our case we used an Android smartphone; the official WireGuard application is available for Android and iOS:
It is also available for other operating systems, such as Windows, directly from the official website of this VPN protocol. Once installed, we can easily configure the client.
As we said, our recommendation is to copy the keys, both public and private, to Notepad when generating them in pfSense. You must also copy the server's public key. Once you have done that, open WireGuard and add a new VPN tunnel; we have three options:
- Import the whole configuration from a file: if you are going to configure several clients (Windows, Linux, etc.), it is normal to have a template with the different configurations.
- Scan from a QR code: if we use the WireGuardConfig tool, we can do it this way easily.
- Create from scratch: this is the option we have chosen.
When adding a new VPN we need to fill in all, or almost all, of the information it asks for. This is the VPN client side:
- Name: a description of the VPN tunnel, a descriptive name in case we have several.
- Private key: paste the private key we previously copied to Notepad.
- Public key: generated automatically when the private key is entered.
- Addresses: the client's IPv4 or IPv6 address; in this case we previously configured 10.9.0.2/32, so we enter that.
- Port: leave blank.
- DNS servers: we can enter a specific DNS server or resolve directly through the tunnel.
- MTU: leave blank.
Now click on “Add peer” and more settings appear; these are the VPN server settings.
- Public key: the public key of the VPN server.
- Pre-shared key: if we did not configure one, leave it blank; if we did, copy it exactly.
- Persistent keepalive: we recommend leaving it blank.
- Endpoint: the syntax is “IP:port”, so we can enter “vpn.redeszone.net:51820”.
- Allowed IPs: to route everything, enter 0.0.0.0/0. There is also a button to exclude private IP addresses.
Once we have done this, click save and we will see all the settings we have made.
After adding and verifying that everything is correct, we connect and see that data is being transferred and the VPN works perfectly.
If we do not receive packets, something is wrong and the WireGuard VPN tunnel was not established correctly. If this happens to you, check all the configuration you have done and look at the pfSense logs to see what is going on.
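The "no packets received" check above can be automated on the server side. The following added example (not from the article, pfSense or WireGuard) parses the status printed by the `wg show` command from wireguard-tools and reports, per peer, whether a handshake ever happened and whether traffic flowed in both directions. The sample status text is constructed in that format for the demo; the peer keys are placeholders and the endpoint address is from the documentation range, not a real client.

```python
import re

# Constructed sample in the layout of `wg show` (not captured from a real system).
# wg only prints "endpoint", "latest handshake" and "transfer" once they are non-empty,
# so a peer that has never connected shows only its allowed ips, like PEER_B here.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 51820

peer: PEER_A_PUBLIC_KEY_PLACEHOLDER
  endpoint: 203.0.113.10:44123
  allowed ips: 10.9.0.2/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 12.34 KiB received, 56.78 KiB sent
  persistent keepalive: every 25 seconds

peer: PEER_B_PUBLIC_KEY_PLACEHOLDER
  allowed ips: 10.9.0.3/32
"""

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024**2, "GiB": 1024**3, "TiB": 1024**4}


def _to_bytes(amount: str) -> float:
    """Convert a size such as '12.34 KiB' (as printed by wg show) into a byte count."""
    value, unit = amount.split()
    return float(value) * _UNITS[unit]


def parse_wg_show(text: str) -> dict:
    """Return {peer_public_key: {endpoint, allowed_ips, handshake, rx_bytes, tx_bytes}}."""
    peers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("peer: "):
            current = {"endpoint": None, "allowed_ips": None, "handshake": None,
                       "rx_bytes": 0.0, "tx_bytes": 0.0}
            peers[line[len("peer: "):]] = current
        elif current is None or ": " not in line:
            continue  # interface header and blank lines carry nothing per peer
        else:
            key, value = line.split(": ", 1)
            if key == "endpoint":
                current["endpoint"] = value
            elif key == "allowed ips":
                current["allowed_ips"] = value
            elif key == "latest handshake":
                current["handshake"] = value
            elif key == "transfer":
                m = re.fullmatch(r"(.+) received, (.+) sent", value)
                if m:
                    current["rx_bytes"] = _to_bytes(m.group(1))
                    current["tx_bytes"] = _to_bytes(m.group(2))
    return peers


def diagnose(peers: dict) -> dict:
    """Map each peer to 'ok' or a short hint about which part of the setup to re-check."""
    status = {}
    for key, p in peers.items():
        if p["handshake"] is None:
            status[key] = ("no handshake: the client never reached the server; re-check the WAN "
                           "rule for UDP/51820, the Endpoint in the client and that the public "
                           "keys were pasted correctly")
        elif p["rx_bytes"] > 0 and p["tx_bytes"] > 0:
            status[key] = "ok"
        else:
            status[key] = ("handshake but no traffic: re-check AllowedIPs on both sides and the "
                           "rule on the WireGuard interface")
    return status


if __name__ == "__main__":
    for peer, result in diagnose(parse_wg_show(SAMPLE_WG_SHOW)).items():
        print(f"{peer}: {result}")
```

A missing handshake means the server never accepted a packet from that client, which points at the WAN rule, the endpoint or the keys; a handshake with zero traffic points instead at AllowedIPs or the WireGuard interface rule. That split saves going through the whole configuration when only one half of it is wrong.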
We hope this tutorial has helped you configure the WireGuard VPN server on your spectacular pfSense 2.5.0.