Connect pfSense wireguard to VPS

Hey everyone, I’m trying to connect pfSense to a VPN I have setup in a VPS, but I’m running into an issue I can’t seem to figure out. pfSense tells me that there’s a handshake between the VPS and pfSense, but when I try to ping pfSense from the VPS, it hangs.

I watched this video, Tutorial: pfsense Wireguard For Remote Access - YouTube and followed this guide from netgate pfSense® software Configuration Recipes — WireGuard VPN Client Configuration Example | pfSense Documentation, but no luck.

Here’s my config on pfSense:

Tunnel Configuration tun_wg0

  • enabled
  • some description
  • listen port 51820
  • interface keys filled out, public key copied


  • enabled
  • tunnel tun_wg0
  • some description
  • dynamic endpoint unchecked
  • endpoint set to VPS
  • keep alive 15
  • public key copied from VPS’s public key
  • allowed ips i’ve tried, (the address in my VPS’s config) and

Interfaces WG0 (tun_wg0)

  • enabled
  • some description
  • ipv4 configuration static ipv4
  • ipv4 address set to

Firewall Rules

  • WireGuard has PASS ANY
  • WG0 has PASS ANY

Outbound NAT

  • not configured, I want to do a split tunnel

For my VPS, I configured wireguard according to the “building your own wireguard vpn server” docs, but used as the address for the VPS and for pfSense.

I’ve tried everything I can think of. The netgate docs suggest changing the gateway, but when I create a group to prefer wireguard, all my traffic goes through the VPS, which I don’t want.

I’m new to pfSense and VPNs, so any help would be good! Thanks!

The IP address of the wg0 interface on the pfSense shouldn’t be set to a /32 prefix. After all, /32 networks only have a single host (the router itself), so the VPS cannot be reached via that network. Try setting that to /24.

What is the goal you wish to achieve in the end? Do you only want connectivity between the pfSense and the VPS (one host to one host)? Or do you eventually want to route traffic from a LAN through the VPN? In that case you will have to configure static routes and/or NAT.

Ahh that might be it! I’ll check it later, thanks!

I want to be able to access one of my VMs that is running some docker containers from outside my network. I was planning on adding my phone as a peer after this worked, and then letting it access the VM through pfSense.

My other choice was to install WireGuard on the VM itself, but I wanted to try pfSense first to have more control over how the traffic is routed.

That was it! It works now thanks!

One final quick question :slight_smile:

I’d like to narrow down my firewall rules to limit what can be accessed through the VPN. The VM I’m planning on exposing is on it’s on VLAN, so it’s isolated, but I have some ports open so that I can access things locally. That all works fine, but for the wireguard part, is this doing what I think it is lol

Under Firewall/Rules/WireGuard I have this rule

Protocol Source Port Destination Port
IPv4 TCP/UDP * * 80 (HTTP)

Where is my VM’s address.

On my VPS, I can’t ping, but curl returns the page that’s being served.

It looks like it works as I want, only port 80 is accessible through the VPN, but I just want to be safe!

As long as there are no further rules, this is the way to go. But I presonally don’t create any rules for the Wireguard interface group, I prefer rules for the individual interfaces.

Great! Thanks so much for the help.

One final question :slightly_smiling_face:

Do I have to worry about securing anything else? My VPS has all the standard SSH security (key login only, no root, complex passwords, etc), but if someone got in it, I want to make sure I’m protected in my network as much as possible. I also have a rule for WireGuard to deny accessing 80/443 for pfSense and SSH is disable.

Hm. That’s a rather broad question. You already restricted access from the VPS to only a specific port on a specific IP address. Not really much more you can do that I can think of. Specific deny rules are superfluous as pfSense blocks everything by default.