Connect pfSense wireguard to VPS

Hey everyone, I’m trying to connect pfSense to a VPN I have set up in a VPS, but I’m running into an issue I can’t seem to figure out. pfSense tells me that there’s a handshake between the VPS and pfSense, but when I try to ping pfSense from the VPS, it hangs.

I watched this video, Tutorial: pfsense Wireguard For Remote Access - YouTube and followed this guide from netgate pfSense® software Configuration Recipes — WireGuard VPN Client Configuration Example | pfSense Documentation, but no luck.

Here’s my config on pfSense:

Tunnel Configuration tun_wg0

  • enabled
  • some description
  • listen port 51820
  • interface keys filled out, public key copied

Peers

  • enabled
  • tunnel tun_wg0
  • some description
  • dynamic endpoint unchecked
  • endpoint set to VPS
  • keep alive 15
  • public key copied from VPS’s public key
  • allowed IPs: I’ve tried 10.8.0.1/32, 10.8.0.1/24 (the address in my VPS’s config) and 0.0.0.0/0

Interfaces WG0 (tun_wg0)

  • enabled
  • some description
  • ipv4 configuration static ipv4
  • ipv4 address set to 10.8.0.2/32

Firewall Rules

  • WireGuard has PASS ANY
  • WG0 has PASS ANY

Outbound NAT

  • not configured, I want to do a split tunnel

For my VPS, I configured wireguard according to the “building your own wireguard vpn server” docs, but used 10.8.0.1 as the address for the VPS and 10.8.0.2 for pfSense.

I’ve tried everything I can think of. The netgate docs suggest changing the gateway, but when I create a group to prefer wireguard, all my traffic goes through the VPS, which I don’t want.

I’m new to pfSense and VPNs, so any help would be good! Thanks!

The IP address of the wg0 interface on the pfSense shouldn’t be set to a /32 prefix. After all, /32 networks only have a single host (the router itself), so the VPS cannot be reached via that network. Try setting that to /24.

What is the goal you wish to achieve in the end? Do you only want connectivity between the pfSense and the VPS (one host to one host)? Or do you eventually want to route traffic from a LAN through the VPN? In that case you will have to configure static routes and/or NAT.
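The layout the answer above describes, carried through as an added example (it is not from the thread, from Netgate or from the VPS guide the asker used) to the goal stated further down: reaching a VM behind pfSense from a phone via the VPS. It assumes values the posts do not give: the phone's tunnel address 10.8.0.3, the VM's VLAN 192.168.10.0/24, and placeholder keys in angle brackets. Because the VM's default route already points at pfSense, no outbound NAT is needed; the VPS only has to forward between its two peers.

```shell
#!/bin/sh
# Added example, not from the original thread: the VPS side of the tunnel,
# using the /24 prefix the answer recommends, plus the peer entries for a
# phone that reaches a VLAN behind pfSense through the VPS.
# Assumed (not in the posts): phone = 10.8.0.3, VLAN = 192.168.10.0/24.
set -eu

VPS_ADDR="10.8.0.1/24"        # /24: every peer sits on one shared tunnel subnet
PFSENSE_IP="10.8.0.2"         # pfSense WG0 interface address is 10.8.0.2/24 in the GUI
PHONE_IP="10.8.0.3"           # assumed: the phone peer added later
LAN_BEHIND_PFSENSE="192.168.10.0/24"   # assumed: the VLAN holding the Docker VM

# Reject a /32 on an interface that must reach other hosts: a /32 has no room
# for a second address, which is why the tunnel failed with 10.8.0.2/32.
prefix_ok() {
    case "$1" in
        */32) return 1 ;;
        */[0-9] | */[12][0-9] | */3[01]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print /etc/wireguard/wg0.conf for the VPS. The pfSense equivalents are in
# the comments; they are entered through the GUI, not a file.
render_vps_conf() {
    prefix_ok "$VPS_ADDR" || { echo "refusing /32 interface address" >&2; return 1; }
    cat <<EOF
[Interface]
Address = $VPS_ADDR
ListenPort = 51820
PrivateKey = <vps-private-key>
# Needed only when the phone should reach $LAN_BEHIND_PFSENSE through pfSense:
# the VPS forwards between its two peers. Enable with
#   sysctl -w net.ipv4.ip_forward=1   (and persist it in /etc/sysctl.conf)

[Peer]
# pfSense. The matching peer on pfSense has Endpoint = <vps-ip>:51820 and
# AllowedIPs = 10.8.0.0/24, so replies to the phone go back into the tunnel;
# the WG0 interface address is 10.8.0.2/24.
PublicKey = <pfsense-public-key>
AllowedIPs = $PFSENSE_IP/32, $LAN_BEHIND_PFSENSE
PersistentKeepalive = 15

[Peer]
# Phone. Its own config uses AllowedIPs = 10.8.0.0/24, $LAN_BEHIND_PFSENSE
# (split tunnel: only those networks go through the VPS).
PublicKey = <phone-public-key>
AllowedIPs = $PHONE_IP/32
EOF
}

# Print the checks to run once both ends are up.
render_checks() {
    cat <<EOF
# On the VPS:
wg show wg0                   # latest handshake and transfer counters per peer
ping -c 3 $PFSENSE_IP         # pfSense over the tunnel
# From the phone, tunnel up:
curl -m 5 http://<vm-ip>/     # only port 80 is allowed by the pfSense WireGuard rule
EOF
}

render_vps_conf
render_checks
```

Run the script on the VPS and redirect the first part of its output to /etc/wireguard/wg0.conf; the AllowedIPs entries are what makes this a split tunnel at both ends, so no gateway group is needed on pfSense for this use.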

Ahh that might be it! I’ll check it later, thanks!

I want to be able to access one of my VMs that is running some docker containers from outside my network. I was planning on adding my phone as a peer after this worked, and then letting it access the VM through pfSense.

My other choice was to install WireGuard on the VM itself, but I wanted to try pfSense first to have more control over how the traffic is routed.

That was it! It works now thanks!

One final quick question :slight_smile:

I’d like to narrow down my firewall rules to limit what can be accessed through the VPN. The VM I’m planning on exposing is on its own VLAN, so it’s isolated, but I have some ports open so that I can access things locally. That all works fine, but for the WireGuard part, is this doing what I think it is? lol

Under Firewall/Rules/WireGuard I have this rule

Protocol       Source   Port   Destination   Port
IPv4 TCP/UDP   *        *      1.2.3.4       80 (HTTP)

Where 1.2.3.4 is my VM’s address.

On my VPS, I can’t ping 1.2.3.4, but curl 1.2.3.4 returns the page that’s being served.

It looks like it works as I want, only port 80 is accessible through the VPN, but I just want to be safe!

As long as there are no further rules, this is the way to go. But I personally don’t create any rules for the WireGuard interface group, I prefer rules for the individual interfaces.

Great! Thanks so much for the help.

One final question :slightly_smiling_face:

Do I have to worry about securing anything else? My VPS has all the standard SSH security (key login only, no root, complex passwords, etc.), but if someone got into it, I want to make sure I’m protected in my network as much as possible. I also have a rule for WireGuard to deny access to 80/443 on pfSense, and SSH is disabled.

Hm. That’s a rather broad question. You already restricted access from the VPS to only a specific port on a specific IP address. Not really much more you can do that I can think of. Specific deny rules are superfluous as pfSense blocks everything by default.

Hello Everyone,

I have a RackNerd VPS that I set up on Debian as a WireGuard server, and it works well to connect to it with WireGuard directly. What I would like to do is connect to the VPS the way I connect to Mullvad. Would the video apply to me? There are benefits to connecting from pfSense; for one, it will produce the best speeds since it is handled through the server.

Not sure why everyone just has pfsense on the home end and some linux on the VPS end. This setup is so much easier when pfsense is also used for the VPS. Just saying…

Do you know how the setup goes the way I currently have it? Any ideas?

If I were to install pfSense on a VPS without a LAN, is there a way to enable the GUI without a LAN?

Ensure you have sshd running on the VPS pfSense and deploy your public key there. Verify that you can log in via SSH with the public key.

Then you can expose the UI only for localhost, i.e. remove any filter rule that allows UI access and disable the anti-lockout rule. The UI is always usable from localhost.

From then on you log in via SSH with the public key to the VPS WAN SSH port, forward the UI port through SSH to your local machine, and then connect to the forwarded port on the local machine with your browser.

Put this in your local machine’s .ssh/config:

host vps-pfsense
  Hostname <my-vps-ip>
  User root
  LocalForward 2000 127.0.0.1:443

Use ssh vps-pfsense on your local machine to log in to the VPS, and then connect in the local machine’s browser to https://localhost:2000. This will display the VPS pfSense UI.

Thanks for that. I do have a question, as I have never disabled it from the config file and I’m not sure what it looks like.

It said to do the following:

  1. Edit the /tmp/rules.debug file to remove or modify the anti-lockout rule. The rule typically allows traffic from any source inside the network to firewall administration protocols like TCP ports 443 (WebGUI), 80 (GUI redirect), and 22 (SSH if enabled).

Do you know what the line or lines look like?

No. Why don’t you do this from the UI? It is just a checkbox.

The image is loaded on RackNerd, which does not offer LAN access, so I cannot enable it through the GUI as I do not have access to the GUI.

Are you sure and have you tried it? I did not have this problem.
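For the situation the last few posts describe (pfSense on a VPS, no LAN, GUI unreachable), here is an added example of turning off the anti-lockout rule from the SSH session instead of from /tmp/rules.debug. It is not from the thread or from Netgate. The point of doing this: when pfSense has no LAN interface, the anti-lockout rule is placed on WAN, which is exactly the exposure that should go away once the UI is only reached through the SSH forward. The script assumes (check on your version) that the running config is /conf/config.xml with a cache in /tmp/config.cache, that the flag is an empty <noantilockout></noantilockout> element under <system><webgui> with <webgui> on its own line, and that /etc/rc.filter_configure regenerates /tmp/rules.debug and reloads pf; that regeneration is also why an edit to /tmp/rules.debug does not survive the next filter reload.

```shell
#!/bin/sh
# Added example, not from the original thread: disable the pfSense anti-lockout
# rule by editing config.xml over SSH, for a VPS install with no LAN.
# Assumptions (not stated in the posts): /conf/config.xml, /tmp/config.cache,
# <noantilockout></noantilockout> under <system><webgui> with <webgui> on its
# own line, and /etc/rc.filter_configure to rebuild and reload the ruleset.
set -eu

# Add <noantilockout></noantilockout> inside <webgui> of $1, writing to $2.
# Idempotent: an existing flag is left untouched.
disable_antilockout() {
    in="$1"; out="$2"
    if grep -q '<noantilockout' "$in"; then
        cp "$in" "$out"
        return 0
    fi
    awk '
        { print }
        /<webgui>/ && !done { print "\t\t\t<noantilockout></noantilockout>"; done = 1 }
    ' "$in" > "$out"
    grep -q '<noantilockout' "$out"   # fail loudly if no <webgui> line was found
}

# Constructed, minimal config.xml for a dry run (a real file is far larger).
sample_config() {
    cat <<'EOF'
<?xml version="1.0"?>
<pfsense>
    <system>
        <hostname>vps-pfsense</hostname>
        <webgui>
            <protocol>https</protocol>
            <port></port>
        </webgui>
        <enablesshd>enabled</enablesshd>
    </system>
</pfsense>
EOF
}

# Dry run on the sample: prints the resulting <webgui> block.
dry_run() {
    tmp=$(mktemp -d)
    sample_config > "$tmp/config.xml"
    disable_antilockout "$tmp/config.xml" "$tmp/config.xml.new"
    sed -n '/<webgui>/,/<\/webgui>/p' "$tmp/config.xml.new"
    rm -rf "$tmp"
}

# The real change, run in the pfSense shell on the VPS. Do this only after an
# explicit WAN pass rule for your SSH port exists: the anti-lockout rule is what
# has been admitting 22 and 443 on WAN, and removing it without that rule cuts
# off SSH too.
apply_on_pfsense() {
    cp /conf/config.xml /conf/config.xml.bak
    disable_antilockout /conf/config.xml.bak /conf/config.xml.new
    mv /conf/config.xml.new /conf/config.xml
    rm -f /tmp/config.cache        # make pfSense re-read config.xml
    /etc/rc.filter_configure       # rebuild /tmp/rules.debug and reload pf
    # The generated rule carries label "anti-lockout rule"; expect 0 here.
    pfctl -sr | grep -c 'anti-lockout' || true
}

dry_run
```

Running the script as-is only performs the dry run; call apply_on_pfsense by hand once you have confirmed the WAN SSH rule and verified, from your workstation, that the forwarded https://localhost:2000 still answers.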