Tutorial: pfsense Wireguard For Remote Access [YouTube Release]

Additional Resources:

Our pfsense tutorials

Getting Started Building Your Own Wireguard VPN Server

pfsense manual
https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

Christian McDonald
pfSense Software + WireGuard Package - Project Report 011

Connecting With Us

Lawrence Systems Shirts and Swag

►👕 https://teespring.com/stores/lawrence-technology-services

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
:shopping_cart: https://www.amazon.com/shop/lawrencesystemspcpickup

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: Affiliates We Love - Lawrence Technology Services

Gear we use on Kit
:shopping_cart: Kit

Try ITProTV free of charge and get 30% off!
:shopping_cart: Learn technology and pass IT certifications with ITProTV

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: https://www.techsupplydirect.com/

Digital Ocean Offer Code
:shopping_cart: https://m.do.co/c/85de8d181725

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - UniFi cloud hosting

Protect you privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access

Patreon
:moneybag: lawrencesystems is creating Tech Tutorials & Reviews | Patreon

:stopwatch: Timestamps :stopwatch:
00:00 pfsense Wireguard remote access
02:30 pfsense Wireguard Documentation
03:00 Lab Setup
05:31 Install Wiregaurd Package
06:05 Wireguard Firewall Rules
07:02 Creating Wireguard Tunnel
08:46 WAN Wireguard Rule
09:22 Wireguard Outbound NAT Rule
11:03 Adding Peers
11:44 Configuring Linux Peer
16:00 Configuring Windows Peer
19:52 Split VS Full Tunnel
22:19 Wireguard Troubleshooting

#Wireguard #pfsense #VPN

I have watched Tom’s video and am having trouble completing a successful handshake.

I am using pfSense as my home firewall and attempting to setup my iPhone (on cellular) as a peer.

I see in my pfSense system logs that the incoming packet is blocked by the default deny rule, however I believe I have created the WAN firewall rule correctly.

Here is the system log filtered for WG traffic:

Here are my WAN rules:

Also have an allow all traffic for wireguard:

I am using pfBlocker but I don’t think pfBlocker is causing the issue as the system log shows it’s being blocked by the default rule, not any pfBlocker rules. This implies to me that I have not setup my WG WAN rule correctly, but I believe I have followed Tom’s video to the T.

Any ideas from the community? Thank you

This is absolutely a great tutorial (!!!), but when I tried to set up WireGuard this way I realized things are somewhat more complicated than what Tom describes using his internal test network. The issue is the ADSL modem provided by my (your) internet provider (AT&T in my case). My modem is configured for “pass though” mode, which means that the internet-facing address of the modem is not the same IP address as the NATed WAN address provided to pfSense, since the modem provides the DHCP address that pfSense uses on the WAN. So for WireGuard I still need to specify the outward facing internet address of the modem to configure clients but need tp specify a different incoming client IP because of NAT. I’m trying to work this all out now.

Follow-up to my own post: my issue getting Wireguard to work had nothing to do with the NATed WAN address. Rather it was because the AT&T BGW210-700 modem still does packet filtering even when in pass through mode. I needed to create a rule to pass through UDP port 51420 traffic. On the BGW210 navigate to Firewall → NAT/Gaming → Custom Services and create a service named “Wireguard” with the “global port range” of the Wireguard port you have chosen and protocol UDP. Then click on Add followed by Return to NAT/Gaming and confirm that your new entry is listed in a table under Hosted Applications. After doing that Wireguard connected just fine for me. Of course it took a while to figure all this out. Running tcpdump on the pfSense command line helped a bunch in determining that packets from the remote Wireguard client were not reaching my pfSense firewall and that I needed to look further upstream for the problem.