Training Lab 7: WireGuard Site-to-Site VPN — pfSense Plus Fundamentals and Practical Application
Overview
This lab goes through an example configuration of WireGuard for site-to-site VPNs.
From the administrator's point of view, WireGuard has no sessions or connections to bring up or tear down. Each side authenticates the other by its public key, and each peer's Allowed IPs list decides both which destinations are sent to that peer and which inner source addresses are accepted from it (WireGuard calls this cryptokey routing). A WireGuard instance consists of a tunnel (the local private key and listen port) and one or more peer definitions holding the far end's public key, endpoint and Allowed IPs, which together allow the two sides to communicate.
Step 1: Delete OpenVPN
First, because an OpenVPN tunnel is already configured in this lab, delete it so it does not interfere with the WireGuard setup. On both FW1-HQ and Branch-FW, browse to VPN → OpenVPN and delete all client and server instances.
Step 2: Configure WireGuard Settings
Browse to VPN → WireGuard → Settings on both firewalls and:
- Click the Enable checkbox
- For Interface Group Membership, choose Only Unassigned Tunnels
- Uncheck Hide Secrets and Hide Peers (unchecking Hide Secrets displays private keys in the GUI; that is convenient for the lab, but leave it checked on a production firewall)
- Scroll down and click Save
Step 3: Add a New Tunnel on Both Firewalls
On FW1-HQ and Branch-FW, navigate to VPN → WireGuard → Tunnels and click the green +Add Tunnel button.
| Setting | Value |
|---|---|
| Enabled | checked |
| Description | Site-to-Site VPN |
| Listen Port | 51820 |
| Interface Keys | Press the blue Generate button |
Make a note of the public key on BOTH firewalls; each one will be pasted into the peer definition on the opposite firewall. The private key stays on the firewall that generated it and is never copied anywhere. Then click Save.
Step 4: Configure a Peer on FW1-HQ
Edit the tunnel on FW1-HQ and click +Add Peer.
| Setting | Value |
|---|---|
| Enable | checked |
| Description | Branch Office Peer |
| Dynamic Endpoint | unchecked |
| Endpoint | 203.0.113.10 |
| Endpoint Port | 51820 |
| Public Key | (paste public key from Branch-FW) |
| Pre-shared Key | (blank) |
| Allowed IPs | 10.6.210.0/30 (Tunnel Network), 172.18.1.0/24 (Branch LAN) |
Scroll down and click Save Peer. The Pre-shared Key is left blank in this lab; if you do set one, the same value must be entered in the peer definition on both firewalls, otherwise the handshake fails.
Step 5: Configure a Peer on Branch-FW
Edit the tunnel on Branch-FW and click +Add Peer.
| Setting | Value |
|---|---|
| Enable | checked |
| Description | HQ Peer |
| Dynamic Endpoint | unchecked |
| Endpoint | 192.0.2.2 |
| Endpoint Port | 51820 |
| Public Key | (paste public key from FW1-HQ) |
| Pre-shared Key | (blank) |
| Allowed IPs | 10.6.210.0/30 (Tunnel Network), 172.17.1.0/24 (HQ LAN) |
Scroll down and click Save Peer.
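The following is an added Python example, not pfSense or WireGuard code, that models how WireGuard's cryptokey routing uses the two Allowed IPs lists from Steps 4 and 5. The peer tables mirror the lab's values; the public keys are placeholder strings, not real keys. On pfSense the static route from Step 8 delivers a packet to the tunnel interface first; the lookup modelled here is what WireGuard then does with it. The round-trip check shows why each side must list both the tunnel network and the far-end LAN: a packet whose destination matches no peer is dropped, and a decrypted packet whose inner source lies outside the sending peer's Allowed IPs is dropped too, so leaving the HQ LAN off the Branch-FW peer would silently break the replies to the ping in Step 10.

```python
from ipaddress import ip_address, ip_network

# Placeholder public keys (real ones are 44-character base64 strings).
HQ_KEY = "HQ_PUBKEY_PLACEHOLDER"
BRANCH_KEY = "BRANCH_PUBKEY_PLACEHOLDER"

# Peer tables as configured in Steps 4 and 5: far-end public key -> Allowed IPs.
HQ_PEERS = {BRANCH_KEY: ["10.6.210.0/30", "172.18.1.0/24"]}
BRANCH_PEERS = {HQ_KEY: ["10.6.210.0/30", "172.17.1.0/24"]}


def select_peer(peers, dst):
    """Egress lookup: return the key of the peer whose Allowed IPs contain dst.

    Longest prefix wins when several peers match. None means no peer
    matches; WireGuard drops such a packet rather than sending it anywhere.
    """
    dst = ip_address(dst)
    best_key, best_len = None, -1
    for key, nets in peers.items():
        for net in map(ip_network, nets):
            if dst in net and net.prefixlen > best_len:
                best_key, best_len = key, net.prefixlen
    return best_key


def accept_inbound(peers, key, src):
    """Ingress check: a packet decrypted under `key` is accepted only if its
    inner source address lies inside that peer's Allowed IPs. An unknown key
    or a source outside the list is dropped, so Allowed IPs is also an
    anti-spoofing filter, not just a route."""
    src = ip_address(src)
    return any(src in ip_network(n) for n in peers.get(key, []))


def round_trip(a_peers, a_key, b_peers, b_key, src, dst):
    """Simulate an echo request from src (behind firewall A) to dst (behind
    firewall B) and the echo reply, returning the first failing check or
    "ok". Each leg needs an egress match on the sender and an ingress match
    on the receiver, so four checks must pass for the ping to succeed."""
    if select_peer(a_peers, dst) != b_key:
        return "A: no peer whose Allowed IPs contain the destination"
    if not accept_inbound(b_peers, a_key, src):
        return "B: source not in A's Allowed IPs, request dropped"
    if select_peer(b_peers, src) != a_key:
        return "B: no peer whose Allowed IPs contain the reply destination"
    if not accept_inbound(a_peers, b_key, dst):
        return "A: reply source not in B's Allowed IPs, reply dropped"
    return "ok"


if __name__ == "__main__":
    # The Step 10 ping: HQ-Client 172.17.1.10 -> Branch-FW LAN 172.18.1.1.
    print(round_trip(HQ_PEERS, HQ_KEY, BRANCH_PEERS, BRANCH_KEY,
                     "172.17.1.10", "172.18.1.1"))
    # Same ping with the HQ LAN left off the Branch-FW peer definition.
    broken = {HQ_KEY: ["10.6.210.0/30"]}
    print(round_trip(HQ_PEERS, HQ_KEY, broken, BRANCH_KEY,
                     "172.17.1.10", "172.18.1.1"))
```

The longest-prefix rule matters once a tunnel has more than one peer: a peer with 0.0.0.0/0 in its Allowed IPs would receive everything that no more specific peer claims, which is how a default-route peer coexists with a site-to-site peer on the same tunnel.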
Step 6: Assign Interfaces
Select Default Gateways
On both firewalls, navigate to System → Routing and set Default Gateway IPv4 to a specific gateway, such as WANGW, rather than Automatic. Assigning the WireGuard interface in the next section adds a new gateway, and with automatic selection pfSense could choose that gateway as the default and send Internet-bound traffic into the tunnel. Click Save and Apply.
Assign WireGuard Interface on FW1-HQ
Navigate to Interfaces → Assignments, choose the tun_wg0 interface from the Available network ports list, and click +Add (creates OPT4). Configure OPT4:
| Setting | Value |
|---|---|
| Enable | checked |
| Description | BRANCH_VPN |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 10.6.210.1/30 |
| Gateway Name | VPN_BRANCHGW |
| Gateway IPv4 | 10.6.210.2 |
Assign WireGuard Interface on Branch-FW
Navigate to Interfaces → Assignments, choose the tun_wg0 interface from the Available network ports list, and click +Add (creates OPT1). Configure OPT1:
| Setting | Value |
|---|---|
| Enable | checked |
| Description | HQ_VPN |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 10.6.210.2/30 |
| Gateway Name | VPN_HQGW |
| Gateway IPv4 | 10.6.210.1 |
Step 7: Create Firewall Rules on WAN
On both firewalls, navigate to Firewall → Rules → WAN and add a rule to the top:
| Setting | Value |
|---|---|
| Action | Pass |
| Protocol | UDP |
| Source | Any |
| Destination | WAN Address |
| Destination Port | 51820 |
| Description | Pass traffic to WireGuard |
Click Save and Apply Changes. WireGuard silently discards any packet that does not authenticate under a known public key, so a rule open to any source is acceptable; because both endpoints in this lab have fixed addresses, the Source could also be restricted to the far-end WAN address (203.0.113.10 on FW1-HQ, 192.0.2.2 on Branch-FW).
Step 8: Add Routing Between Sites
FW1-HQ Static Route
Navigate to System → Routing → Static Routes and click +Add:
- Destination Network: 172.18.1.0/24
- Gateway: VPN_BRANCHGW
Branch-FW Static Route
Navigate to System → Routing → Static Routes and click +Add:
- Destination Network: 172.17.1.0/24
- Gateway: VPN_HQGW
Step 9: Allow Tunnel Traffic
FW1-HQ Tunnel Rule
On FW1-HQ, navigate to Firewall → Rules → BRANCH_VPN and add:
| Setting | Value |
|---|---|
| Action | Pass |
| Interface | BRANCH_VPN |
| Protocol | Any |
| Source | Any |
| Destination | Any |
| Description | Allow WireGuard VPN Traffic |
Branch-FW Tunnel Rule
On Branch-FW, navigate to Firewall → Rules → HQ_VPN and add the same rule (Interface: HQ_VPN). A pass-any rule is fine for the lab; on a production site-to-site link, restrict these rules to the protocols and hosts the remote site actually needs.
Step 10: Testing
WireGuard exposes little status information. In most cases it either works if you configured it properly, or it does not. The main indicator to look for is a recent handshake with the peer.
Check Status
On each firewall, navigate to VPN → WireGuard → Status. One of the few indicators that the VPN is up is the presence of a recent handshake with the peer.
Try to Ping Across
From the HQ-Client, ping the Branch-FW LAN interface at 172.18.1.1. If the tunnel is up, the pings succeed.
If they fail, revisit the configuration: the usual culprits are a public key pasted on the wrong firewall, an Allowed IPs list that omits the far-end tunnel network or LAN, a missing static route, or a missing WAN or tunnel-interface rule.
Troubleshooting
WireGuard keeps no connection state that it can report, so beyond the handshake time and transfer counters on the Status page there is very little to consult, and almost no logging. If your tunnel fails:
- Check the peer settings on both sides, paying particular attention to the public keys of the far-end peers and to the Allowed IPs
- Check for a firewall state on the WireGuard UDP port by navigating to Diagnostics → States and filtering on port 51820
A state on port 51820 shows that encrypted packets are being exchanged with the far end, but not that the handshake succeeded; the Status page is the authority for that. UDP states also age out on an idle tunnel, so you may need to send your ping again to re-create the state and trigger a fresh handshake.
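As an added example (not part of the original lab and not pfSense code), the check below reads the output of `wg show tun_wg0 dump` and reports the handshake age per peer. It assumes the wg(8) utility that the pfSense WireGuard package installs is available from Diagnostics → Command Prompt or an SSH shell, and that the tunnel interface is tun_wg0; the dump text embedded in the script is constructed sample output with placeholder keys. A handshake timestamp of 0 means the peers have never authenticated, which points at the keys, endpoint or WAN rules; a timestamp older than WireGuard's 180-second session limit means the session has expired and a new handshake is attempted as soon as traffic is sent, which is what the ping in Step 10 does.

```python
import subprocess

REJECT_AFTER_TIME = 180  # seconds; WireGuard will not use a session older than this

# Constructed sample of `wg show tun_wg0 dump` on FW1-HQ, with placeholder keys.
# First line: private-key, public-key, listen-port, fwmark. Each further line:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch
# seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
SAMPLE_DUMP = (
    "HQ_PRIVATE_KEY_PLACEHOLDER\tHQ_PUBKEY_PLACEHOLDER\t51820\toff\n"
    "BRANCH_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.10:51820\t"
    "10.6.210.0/30,172.18.1.0/24\t1700000000\t4521\t3988\toff\n"
)


def parse_dump(text):
    """Parse `wg show <if> dump` into a list of peer dicts. The first line,
    which describes the local interface and contains the private key, is
    deliberately not returned."""
    peers = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [] if f[3] == "(none)" else f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def handshake_status(peer, now):
    """Classify a peer's most recent handshake relative to the time `now`."""
    hs = peer["latest_handshake"]
    if hs == 0:
        return "never"
    return "current" if now - hs <= REJECT_AFTER_TIME else "stale"


def check_peers(dump_text, now):
    """Return {public_key: status} for every peer in the dump."""
    return {p["public_key"]: handshake_status(p, now) for p in parse_dump(dump_text)}


ADVICE = {
    "never": "no handshake yet: check the far-end public key, endpoint and the WAN rule on both sides",
    "stale": "session expired (idle tunnel): send traffic, e.g. the Step 10 ping, to trigger a new handshake",
    "current": "peer authenticated; if pings still fail, look at static routes and tunnel-interface rules",
}


def live_dump(interface="tun_wg0"):
    """Run wg(8) on the firewall; raises if wg is absent or the interface does not exist."""
    return subprocess.run(["wg", "show", interface, "dump"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Uses the constructed sample so the script runs anywhere; on the
    # firewall itself, replace SAMPLE_DUMP with live_dump().
    now = 1700000000 + 45
    for key, status in check_peers(SAMPLE_DUMP, now).items():
        print(f"{key}: {status} - {ADVICE[status]}")
```

The parser drops the first dump line on purpose: it carries the interface private key, and a troubleshooting script should not echo that into logs or a ticket. The GUI Status page shows the same per-peer fields, so the classification above is equally usable when reading it by eye.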
Once you are satisfied that WireGuard is working, you may delete it in order to simplify the next labs.
Source: Netgate pfSense Training — FUND001-LIVE-Lab7-WireGuard.pdf (© 2015-2021 Electric Sheep Fencing LLC)