Remote access to your network using WireGuard on pfSense

NC

In this article you will learn how to set up remote access to your network with WireGuard on pfSense.

Install the WireGuard package

Log in to pfSense: http://192.168.1.1

Go to "System" > "Package Manager"

Download WireGuard for Windows: https://www.wireguard.com/install/

Switch to "Available Packages" tab, search "wireguard", then click the "Install" button on the right.

After the package has been installed, you will receive a prompt :

pfSense-pkg-WireGuard installation successfully completed.

There will be a new sub menu "WireGuard" in the VPN menu.

In the top menu, go to "VPN", select "WireGuard", and then select "Settings".

Under "VPN" > "WireGuard" > "Settings", enable the WireGuard service, then click the "Save" button to save your settings.

Switch to the "Tunnels" tab, and "Add Tunnel".

Listen Port: 51820, click "Generate".

Interface Keys: to establish a connection, you will need to generate a keypair. 

Note down the interface public key, as it will be needed later.

Address: this will be the address of your tunnel interface. For example, let's use 10.0.1.1/24

Make sure the range you pick does not overlap with others you already defined.

We now need to configure the interface itself and the firewall so that the traffic is allowed in the first place.

Go to "Interfaces > Assignments" and "Add" your WireGuard interface.

Set the IP address for this interface.

Next, we need to open up the "Listen Port" picked above on our WAN interface.

Go to "Firewall > Rules" and select your WAN interface.

Note that the destination port will be 51820.

Now, we need to add a rule on our VPN interface. This is to allow the traffic from the WireGuard network to reach what is needed. Both "WireGuard" and "VPN" are set like this.

We now need to configure the device that will connect to our WireGuard tunnel as a peer.

For example, a Windows PC. Open the WireGuard GUI and click on Add Tunnel -> Add empty tunnel...

The software automatically creates the public and private key pair and displays it on the screen. Copy the public key; it is needed to set up the peer on pfSense.

We then add a "Peer": go to "VPN" > "WireGuard" > "Peers".

Select the tunnel you created in the previous step from the dropdown menu.

PublicKey: Public key of the Windows client.

Allowed IPs: To route all traffic to the WireGuard tunnel when active, set this to 0.0.0.0/0

On the Windows side you need to insert the following configuration:

  • Listen port = 51820

  • Address: IP address of this client. It must be unique among all clients.

  • PublicKey: Public key of the pfSense.

  • AllowedIPs: Specifies what IP addresses should be routed over the VPN. 0.0.0.0/0 is a catch-all configuration and routes everything over the VPN.

  • Endpoint: External IP address of the server and listening port. ListenPort is 51820.
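
The Windows tunnel configuration described by the list above, written out as a WireGuard configuration file. This is an added example, not taken from the original article: the client address 10.0.1.2/24 is an assumed free address in the 10.0.1.1/24 tunnel network chosen earlier, and the keys and the WAN address are placeholders.

```ini
[Interface]
# Generated automatically by the WireGuard GUI ("Add empty tunnel..."); stays on this PC
PrivateKey = <client-private-key>
# Assumed client address: must be unique among all clients and sit inside
# the tunnel network configured on pfSense (10.0.1.1/24 in this article)
Address = 10.0.1.2/24
ListenPort = 51820

[Peer]
# Interface public key noted down when the pfSense tunnel was created
PublicKey = <pfSense-tunnel-public-key>
# Catch-all: routes everything over the VPN while the tunnel is active
AllowedIPs = 0.0.0.0/0
# External (WAN) IP address of pfSense and the Listen Port opened in the WAN rule
Endpoint = <pfSense-WAN-IP>:51820
```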

You should now be able to activate the VPN connection. Click "Activate". You should now be connected to the WireGuard tunnel and able to access all of your network from afar.

Tags: pfSense WireGuard