PfSense:Wireguard into VLAN 60?

I’ve viewed Tom’s and Christian McDonald’s YouTube videos on setting up ‘roadwarrior’ (not LAN to LAN) connections to remote networks and found it great for remote support.

However, the demonstrated connections bring the user into the network on VLAN 1. At a site that I support, I need staff to be able to log in, using Wireguard, to view security cameras. These cameras are on VLAN 60. How do I set up Wireguard to do this? (I’m using ‘full tunnel’ remote access.)

I don’t know the videos you’re referencing, but I can make some general comments.

When you connect from a remote peer with a Wireguard peer running on pfSense, your remote peer is not automatically part of (or bridged to) any existing network the pfSense is connected to. Wireguard is purely a layer 3 VPN. Every connection between the virtual Wireguard network and any other (physical) network happens through routing/forwarding, not through switching. Therefore, in order to access any network, regardless of which VLAN tag (if any) pfSense happens to use for that network, you simply have to create the respective Allow rules on the firewall, i.e. set the destination according to the network you want to allow access to.

Do you mean in /Firewall/Rules/Wireguard (edit the rule or add a rule?)

Wireguard is using 192.168.2.0/24 and VLAN 60 uses 10.6.0.0/16.

Wouldn’t this be a routing issue rather than a firewall issue?

pfSense does routing, forwarding and firewall. Routing is the process of discovering or establishing routes to networks and building a routing table. Forwarding is taking packets that come in on one interface and sending them out another interface based on the routing table. To regulate the forwarding process, you create firewall rules that determine which packets are allowed to be forwarded and which aren’t.

So, yes, you would create a firewall rule on the appropriate interface with 10.6.0.0/16 as the destination.

Under Firewall → Rules, “Wireguard” is not an interface, but an interface group. Which interfaces are part of that group can be set via VPN → Wireguard → Settings → Interface Group Membership. If you created a dedicated interface for that tunnel, your rules should go there, otherwise in the “Wireguard” group.

I am struggling with what I would think was quite simple.
I attach a couple of screen prints. I have followed Christian McDonald’s (wrote the Wireguard program for pfSense) video https://www.youtube.com/watch?v=bCNnP8FDSNA to set up my present system, which works well connecting on VLAN 1.

In the Firewall screen I thought that I would just put the destination address in and I would be connected on that network/VLAN. I can’t see where it is channelling me into VLAN 1 so that I can change it.

I understand that as I followed Christian’s instructions, there is no dedicated interface for my Wireguard tunnel.

You mention, “…you would create a firewall rule on the appropriate interface …” but then say that “Wireguard” is not an interface but a group. How can I set the interface for that group? As my attached pic shows, there are only three options and none of them allow specification of an interface.

Regarding where to put the firewall rule, that wasn’t entirely unambiguous on my part. pfSense allows you to assign rules to either interfaces or interface groups. On the Firewall → Rules page, each interface or group has its own tab. On the edit page, both are called “Interface” in the dropdown label. When you create a tunnel, an implicit interface is created on the system, but it’s not visible to and configurable by you until you assign it under Interfaces → Assignments. However, depending on what you set under VPN → Wireguard → Settings → Interface Group Membership, this interface will be part of the Wireguard interface group. So if you don’t explicitly assign the interface, your rules have to go in the “Wireguard” tab on the rules page. But I prefer to assign the interface and put the rules directly in the corresponding tab.

So to confirm: If you set Interface Group Membership to “All Tunnels”, the rule you show in the screenshot will allow tunnel peers access to any destination. This is OK for testing and should be narrowed down for production. For the road warrior scenario you described in your initial post, this is all you need on the pfSense side since the traffic will have a source in the 192.168.2.0/24 range.

You need to assign the user an IP address within the VLAN 60 arena. I was able to do this by using FreeRADIUS and creating users.

In the wireguard client conf file,

Make sure under interface - Address is 192.168.2.0/24
Under Peer - make sure allowed IPs is 10.6.0.0/16

The VPN tunnel should have interface of 192.168.2.1/24

Make sure each peer has a different allowed ip address subnet /24 i.e. 192.168.2.2/24, 192.168.2.3/24

All the tunnel private keys and public keys have to match in the wireguard config and on the wireguard settings

If you are unsure, delete the WireGuard settings and go to WireGuard Tools - Configuration Generator (wireguardconfig.com)

CIDR setting would be 192.168.2.0/24
Client IP 10.6.0.0/16
Enter your WAN details in Endpoint
If using internal DNS, add this
Blank out Post-up and Post-down rules

Click on Generate Config

Click on Zip; this will have the client WireGuard config files and the server config

The details on the screen you cut and paste into the pfSense WireGuard settings

Make sure you have added the firewall rule to your internet connection i.e.
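The addressing points raised in the two replies above (a rule or AllowedIPs entry that actually covers 10.6.0.0/16, a host address per peer inside the 192.168.2.0/24 tunnel network, and distinct Allowed IPs per peer on the pfSense side) can be checked mechanically before anyone connects. The script below is an added example written for this thread; it is not code from pfSense, the WireGuard project or any poster. It assumes the thread’s addressing (tunnel 192.168.2.0/24, VLAN 60 on 10.6.0.0/16) and wg-quick style config files; every key value, the endpoint name and the peer labels are constructed placeholders.

```python
"""Sanity checks for the road-warrior WireGuard setup discussed in this thread.

Added example, not code from pfSense or the WireGuard project. Assumes, as in the
thread, a 192.168.2.0/24 tunnel network and a 10.6.0.0/16 camera VLAN (VLAN 60).
"""
import ipaddress
from typing import Dict, List, Tuple

TUNNEL_NET = ipaddress.ip_network("192.168.2.0/24")  # tunnel addresses (from the thread)
CAMERA_NET = ipaddress.ip_network("10.6.0.0/16")     # VLAN 60, what staff need to reach

Section = Tuple[str, Dict[str, str]]


def parse_wg_conf(text: str) -> List[Section]:
    """Minimal WireGuard config parser that keeps repeated [Peer] sections
    (configparser would reject the second [Peer] of a server-side config)."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def _allowed_ips(peer: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(a.strip(), strict=False) for a in peer["AllowedIPs"].split(",")]


def tunnel_mode(client_conf: str) -> str:
    """'full' if the client routes everything (0.0.0.0/0) into the tunnel, else 'split'."""
    peer = dict(parse_wg_conf(client_conf))["Peer"]
    return "full" if any(n.prefixlen == 0 for n in _allowed_ips(peer)) else "split"


def check_client(client_conf: str) -> List[str]:
    """Findings for a client config; an empty list means VLAN 60 is reachable through it."""
    findings: List[str] = []
    sections = dict(parse_wg_conf(client_conf))  # one [Interface], one [Peer]
    addr = ipaddress.ip_interface(sections["Interface"]["Address"])
    if addr.network != TUNNEL_NET:
        findings.append(f"Address {addr} is not inside the tunnel network {TUNNEL_NET}")
    elif addr.ip in (TUNNEL_NET.network_address, TUNNEL_NET.broadcast_address):
        findings.append(f"Address {addr} is the network/broadcast address, not a host address")
    # VLAN 60 only enters the tunnel if some AllowedIPs entry covers it:
    # 0.0.0.0/0 (full tunnel) or 10.6.0.0/16 itself (split tunnel).
    if not any(CAMERA_NET.subnet_of(n) for n in _allowed_ips(sections["Peer"])):
        findings.append(f"AllowedIPs never covers {CAMERA_NET}, so VLAN 60 traffic bypasses the tunnel")
    return findings


def check_server_peers(server_conf: str) -> List[str]:
    """Findings for the pfSense-side peer list. WireGuard maps each allowed range to
    exactly one peer, so overlapping ranges mean one peer silently loses its route."""
    findings: List[str] = []
    claimed: List[Tuple[str, ipaddress.IPv4Network]] = []
    for name, kv in parse_wg_conf(server_conf):
        if name != "Peer":
            continue
        label = kv.get("PublicKey", "?")[:8]
        for net in _allowed_ips(kv):
            if not net.subnet_of(TUNNEL_NET):
                findings.append(f"peer {label}: {net} is outside the tunnel network")
            elif net.num_addresses != 1:
                findings.append(f"peer {label}: {net} is not a single /32 host address")
            for other, onet in claimed:
                if net.overlaps(onet):
                    findings.append(f"peer {label}: {net} overlaps {onet} already claimed by {other}")
            claimed.append((label, net))
    return findings


# Constructed configs; every key is a placeholder string, not real key material.
GOOD_CLIENT = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.2.2/24
[Peer]
PublicKey = PFSENSE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""
# Network address instead of a host, and AllowedIPs that never reaches VLAN 60.
BAD_CLIENT = GOOD_CLIENT.replace("192.168.2.2/24", "192.168.2.0/24").replace("0.0.0.0/0", "192.168.2.0/24")
PEERS = """
[Interface]
PrivateKey = PFSENSE_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.2.1/24
ListenPort = 51820
[Peer]
PublicKey = LAPTOP_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.2/32
[Peer]
PublicKey = LAPTOP_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.3/32
"""
OVERLAPPING_PEERS = PEERS.replace("/32", "/24")  # both peers end up claiming 192.168.2.0/24

if __name__ == "__main__":
    for title, conf in (("good client", GOOD_CLIENT), ("bad client", BAD_CLIENT)):
        print(title, tunnel_mode(conf), check_client(conf) or "OK")
    print("server peers", check_server_peers(PEERS) or "OK")
    print("overlapping peers", check_server_peers(OVERLAPPING_PEERS))
```

The client check only tells you the peer will send VLAN 60 traffic into the tunnel; pfSense still has to forward it, which is the Allow rule with destination 10.6.0.0/16 on the Wireguard tab (or on the assigned tunnel interface) described earlier in the thread.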