Connect pfSense wireguard to VPS

Hey everyone, I’m trying to connect pfSense to a VPN I have set up in a VPS, but I’m running into an issue I can’t seem to figure out. pfSense tells me that there’s a handshake between the VPS and pfSense, but when I try to ping pfSense from the VPS, it hangs.

I watched this video, Tutorial: pfsense Wireguard For Remote Access - YouTube and followed this guide from netgate pfSense® software Configuration Recipes — WireGuard VPN Client Configuration Example | pfSense Documentation, but no luck.

Here’s my config on pfSense:

Tunnel Configuration tun_wg0

  • enabled
  • some description
  • listen port 51820
  • interface keys filled out, public key copied

Peers

  • enabled
  • tunnel tun_wg0
  • some description
  • dynamic endpoint unchecked
  • endpoint set to VPS
  • keep alive 15
  • public key copied from VPS’s public key
  • allowed IPs: I’ve tried 10.8.0.1/32, 10.8.0.1/24 (the address in my VPS’s config), and 0.0.0.0/0

Interfaces WG0 (tun_wg0)

  • enabled
  • some description
  • ipv4 configuration static ipv4
  • ipv4 address set to 10.8.0.2/32

Firewall Rules

  • WireGuard has PASS ANY
  • WG0 has PASS ANY

Outbound NAT

  • not configured, I want to do a split tunnel

For my VPS, I configured wireguard according to the “building your own wireguard vpn server” docs, but used 10.8.0.1 as the address for the VPS and 10.8.0.2 for pfSense.

I’ve tried everything I can think of. The netgate docs suggest changing the gateway, but when I create a group to prefer wireguard, all my traffic goes through the VPS, which I don’t want.

I’m new to pfSense and VPNs, so any help would be good! Thanks!

The IP address of the wg0 interface on the pfSense shouldn’t be set to a /32 prefix. After all, /32 networks only have a single host (the router itself), so the VPS cannot be reached via that network. Try setting that to /24.

What is the goal you wish to achieve in the end? Do you only want connectivity between the pfSense and the VPS (one host to one host)? Or do you eventually want to route traffic from a LAN through the VPN? In that case you will have to configure static routes and/or NAT.

Ahh that might be it! I’ll check it later, thanks!

I want to be able to access one of my VMs that is running some docker containers from outside my network. I was planning on adding my phone as a peer after this worked, and then letting it access the VM through pfSense.

My other choice was to install WireGuard on the VM itself, but I wanted to try pfSense first to have more control over how the traffic is routed.
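The /24 advice above and the plan to add a phone as a second peer on the VPS both come down to two rules of the WireGuard data plane: the tunnel interface's own prefix decides whether the peer is on-link at all, and each peer's AllowedIPs acts both as the outbound selector (longest-prefix match picks which peer a packet is encrypted to) and as an inbound source ACL (a decrypted packet whose source is not in that peer's AllowedIPs is silently dropped). The following Python model is an added example, not code from the thread or from pfSense; the addresses mirror the post (VPS 10.8.0.1, pfSense 10.8.0.2), while the phone address 10.8.0.3 and the VM VLAN 192.0.2.0/24 are assumptions, and it assumes the VPS forwards the phone's packets to pfSense without NAT. Note that on pfSense routes are not derived from AllowedIPs (the assigned interface, its gateway and static routes handle that, which is what the Netgate recipe's gateway steps are about), but the cryptokey checks modelled here still apply.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed example addresses, not configuration from the post: VPS and pfSense tunnel
# addresses mirror the thread; the phone peer and the VM VLAN are assumptions, and 192.0.2.0/24
# stands in for the VLAN holding the VM the poster calls 1.2.3.4.
VPS_IP, PFSENSE_IP, PHONE_IP = "10.8.0.1", "10.8.0.2", "10.8.0.3"
VM_VLAN = "192.0.2.0/24"

# AllowedIPs tables (peer name -> list of CIDRs) for each side of the tunnel.
PFSENSE_PEERS_BEFORE: Dict[str, List[str]] = {"vps": ["10.8.0.1/32"]}   # only the VPS itself
PFSENSE_PEERS_AFTER: Dict[str, List[str]] = {"vps": ["10.8.0.0/24"]}    # whole tunnel subnet, phone included
VPS_PEERS: Dict[str, List[str]] = {
    # The VM VLAN has to be in pfSense's AllowedIPs on the VPS, or a curl to the VM never enters the tunnel.
    "pfsense": [f"{PFSENSE_IP}/32", VM_VLAN],
    "phone": [f"{PHONE_IP}/32"],
}


def _net(cidr: str):
    # strict=False so "10.8.0.1/24" (as typed in the post) is read as the network 10.8.0.0/24.
    return ipaddress.ip_network(cidr, strict=False)


def on_link(iface_cidr: str, peer_ip: str) -> bool:
    """Whether peer_ip lies inside the tunnel interface's own subnet.
    With a /32 that subnet contains only the router itself, so there is no connected route to the peer."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_interface(iface_cidr).network


def select_peer(peers: Dict[str, List[str]], dst_ip: str) -> Optional[str]:
    """Outbound cryptokey routing: longest-prefix match over every peer's AllowedIPs.
    None means no peer claims the destination, i.e. it stays out of the tunnel (split tunnel)."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = _net(cidr)
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: Dict[str, List[str]], from_peer: str, src_ip: str) -> bool:
    """Inbound cryptokey routing: a packet decrypted from from_peer is dropped unless its source
    address is covered by that peer's AllowedIPs. This is what makes AllowedIPs an ingress ACL."""
    src = ipaddress.ip_address(src_ip)
    return any(src in _net(c) for c in peers[from_peer])


if __name__ == "__main__":
    print("VPS on-link with pfSense at /32:", on_link(f"{PFSENSE_IP}/32", VPS_IP))
    print("VPS on-link with pfSense at /24:", on_link(f"{PFSENSE_IP}/24", VPS_IP))
    print("VPS encrypts 192.0.2.10 towards:", select_peer(VPS_PEERS, "192.0.2.10"))
    print("VPS encrypts 203.0.113.5 towards:", select_peer(VPS_PEERS, "203.0.113.5"))
    print("pfSense accepts phone via VPS (before):", accept_inbound(PFSENSE_PEERS_BEFORE, "vps", PHONE_IP))
    print("pfSense accepts phone via VPS (after): ", accept_inbound(PFSENSE_PEERS_AFTER, "vps", PHONE_IP))
```

The two results worth keeping in mind: with the interface at 10.8.0.2/32 the VPS is not on-link, which is the original "ping hangs" symptom, and with the VPS peer's AllowedIPs left at 10.8.0.1/32 on pfSense, packets the VPS forwards from a phone peer are dropped before any firewall rule sees them, while 0.0.0.0/0 as AllowedIPs makes every destination eligible for the tunnel.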

That was it! It works now thanks!

One final quick question :slight_smile:

I’d like to narrow down my firewall rules to limit what can be accessed through the VPN. The VM I’m planning on exposing is on its own VLAN, so it’s isolated, but I have some ports open so that I can access things locally. That all works fine, but for the WireGuard part, is this doing what I think it is? lol

Under Firewall/Rules/WireGuard I have this rule

Protocol       Source   Port   Destination   Port
IPv4 TCP/UDP   *        *      1.2.3.4       80 (HTTP)

Where 1.2.3.4 is my VM’s address.

On my VPS, I can’t ping 1.2.3.4, but curl 1.2.3.4 returns the page that’s being served.

It looks like it works as I want, only port 80 is accessible through the VPN, but I just want to be safe!

As long as there are no further rules, this is the way to go. But I personally don’t create any rules for the WireGuard interface group, I prefer rules for the individual interfaces.

Great! Thanks so much for the help.

One final question :slightly_smiling_face:

Do I have to worry about securing anything else? My VPS has all the standard SSH security (key login only, no root, complex passwords, etc.), but if someone got into it, I want to make sure I’m protected in my network as much as possible. I also have a rule for WireGuard to deny accessing 80/443 for pfSense, and SSH is disabled.

Hm. That’s a rather broad question. You already restricted access from the VPS to only a specific port on a specific IP address. Not really much more you can do that I can think of. Specific deny rules are superfluous as pfSense blocks everything by default.
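To make the two claims in the exchange above concrete, namely that the single pass rule leaves only TCP/UDP port 80 on the VM reachable (so ping fails while curl works) and that an explicit deny for 80/443 to pfSense changes nothing because unmatched traffic is already blocked, here is an added Python model of how rules on a pfSense interface tab are evaluated: top to bottom, first match wins, implicit block at the end. It is not pfSense code and not from the thread; 192.0.2.10 stands in for the VM the poster calls 1.2.3.4, 10.8.0.2 for pfSense's tunnel address, and the probe packets are constructed. It deliberately ignores floating rules, the group-tab versus interface-tab ordering, and source matching, since the rule in the post has source and source port set to any.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    protos: FrozenSet[str]    # e.g. {"tcp", "udp"}; {"any"} matches every protocol
    dst: str                  # destination host or network in CIDR form
    dport: Optional[int]      # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports (ICMP)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Interface-tab semantics: rules are checked in order, the first match decides,
    and a packet that matches nothing is blocked (pfSense's implicit default deny)."""
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if "any" not in r.protos and pkt.proto not in r.protos:
            continue
        if dst not in ipaddress.ip_network(r.dst, strict=False):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block"


# Constructed ruleset mirroring the post: pass TCP/UDP to the VM on port 80 only.
VM, PFSENSE = "192.0.2.10", "10.8.0.2"
WG_RULES = [Rule("pass", frozenset({"tcp", "udp"}), f"{VM}/32", 80)]

# The same ruleset with the explicit "deny 80/443 to pfSense" rules from the last question on top.
WG_RULES_WITH_DENY = [
    Rule("block", frozenset({"tcp"}), f"{PFSENSE}/32", 80),
    Rule("block", frozenset({"tcp"}), f"{PFSENSE}/32", 443),
] + WG_RULES

# Constructed probes: what a compromised VPS (10.8.0.1) might try through the tunnel.
PROBES = [
    Packet("tcp", "10.8.0.1", VM, 80),              # the curl that worked
    Packet("icmp", "10.8.0.1", VM),                 # the ping that did not
    Packet("tcp", "10.8.0.1", VM, 22),              # SSH to the VM
    Packet("tcp", "10.8.0.1", PFSENSE, 443),        # pfSense web GUI
    Packet("tcp", "10.8.0.1", "192.0.2.20", 80),    # a different host on the same VLAN
]


def decisions(rules: List[Rule]) -> List[str]:
    """Verdict for every probe under the given ruleset, in PROBES order."""
    return [evaluate(rules, p) for p in PROBES]


def explicit_deny_is_redundant() -> bool:
    """True when the added deny rules change no verdict, i.e. default deny already covered them."""
    return decisions(WG_RULES) == decisions(WG_RULES_WITH_DENY)


if __name__ == "__main__":
    for p, verdict in zip(PROBES, decisions(WG_RULES)):
        port = "" if p.dport is None else f":{p.dport}"
        print(f"{p.proto:4} {p.src} -> {p.dst}{port}  {verdict}")
    print("explicit deny rules redundant:", explicit_deny_is_redundant())
```

Only the first probe passes; everything else, including the ping, SSH to the VM, the pfSense GUI and a neighbouring host on the VLAN, falls through to the implicit block, and prepending the deny rules produces the identical list of verdicts.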