Justinaquino: Created page with "NOTOC
'''Training Lab 7: WireGuard Site-to-Site VPN''' — pfSense Plus Fundamentals and Practical Application
== Overview == This lab goes through an example configuration of WireGuard for site-to-site VPNs. WireGuard has no concept of sessions or connections. The protocol uses public and private keys to authenticate and route traffic. WireGuard instances consist of..."

2026-04-23T07:09:24Z

Created page with "__NOTOC__ <div style="background:#e7f3ff;border:1px solid #a3c6ff;padding:10px;margin-bottom:15px;"> '''Training Lab 7: WireGuard Site-to-Site VPN''' — pfSense Plus Fundamentals and Practical Application </div> == Overview == This lab goes through an example configuration of WireGuard for site-to-site VPNs. WireGuard has no concept of sessions or connections. The protocol uses public and private keys to authenticate and route traffic. WireGuard instances consist of..."

New page

__NOTOC__

<div style="background:#e7f3ff;border:1px solid #a3c6ff;padding:10px;margin-bottom:15px;">
'''Training Lab 7: WireGuard Site-to-Site VPN''' — pfSense Plus Fundamentals and Practical Application
</div>

== Overview ==

This lab goes through an example configuration of WireGuard for site-to-site VPNs.

WireGuard has no concept of sessions or connections. The protocol uses public and private keys to authenticate and route traffic. WireGuard instances consist of a tunnel and one or more peer definitions which contain the necessary keys and other configuration data that allows the two sides to communicate.

== Step 1: Delete OpenVPN ==

First, since we have an OpenVPN configured here already, we need to delete it so it doesn’t interfere with our WireGuard setup. On both fw1-HQ and fw1-branch, browse to '''VPN → OpenVPN''' and delete all client and server instances.

== Step 2: Configure WireGuard Settings ==

Browse to '''VPN → WireGuard → Settings''' on both firewalls and:

* Click the '''Enable''' checkbox
* For Interface Group Membership, choose '''Only Unassigned Tunnels'''
* Uncheck '''Hide Secrets''' and '''Hide Peers'''
* Scroll down and click '''Save'''

== Step 3: Add a New Tunnel on Both Firewalls ==

On FW1-HQ and Branch-FW, navigate to '''VPN → WireGuard → Tunnels''' and click the green '''+Add Tunnel''' button.

{| class="wikitable"
|-
! Setting !! Value
|-
| Enabled || checked
|-
| Description || Site-to-Site VPN
|-
| Listen Port || 51820
|-
| Interface Keys || Press the blue Generate button
|}

Make a note of the public key on '''BOTH''' firewalls, as this will be required later. Then click '''Save'''.

== Step 4: Configure a Peer on FW1-HQ ==

Edit the tunnel on FW1-HQ and click '''+Add Peer'''.

{| class="wikitable"
|-
! Setting !! Value
|-
| Enable || checked
|-
| Description || Branch Office Peer
|-
| Dynamic Endpoint || unchecked
|-
| Endpoint || 203.0.113.10
|-
| Endpoint Port || 51820
|-
| Public Key || (paste public key from Branch-FW)
|-
| Pre-shared Key || (blank)
|-
| Allowed IPs || 10.6.210.0/30 (Tunnel Network), 172.18.1.0/24 (Branch LAN)
|}

Scroll down and click '''Save Peer'''.

== Step 5: Configure a Peer on Branch-FW ==

Edit the tunnel on Branch-FW and click '''+Add Peer'''.

{| class="wikitable"
|-
! Setting !! Value
|-
| Enable || checked
|-
| Description || HQ Peer
|-
| Dynamic Endpoint || unchecked
|-
| Endpoint || 192.0.2.2
|-
| Endpoint Port || 51820
|-
| Public Key || (paste public key from FW1-HQ)
|-
| Pre-shared Key || (blank)
|-
| Allowed IPs || 10.6.210.0/30 (Tunnel Network), 172.17.1.0/24 (HQ LAN)
|}

Scroll down and click '''Save Peer'''.

== Step 6: Assign Interfaces ==

=== Select Default Gateways ===

On both firewalls, navigate to '''System → Routing''' and set Default Gateway IPv4 to a specific gateway, such as WANGW. Click '''Save''' and '''Apply'''.

=== Assign WireGuard Interface on FW1-HQ ===

Navigate to '''Interfaces → Assignments''', choose the tun_gw0 interface, and click '''+Add''' (creates OPT4). Configure OPT4:

{| class="wikitable"
|-
! Setting !! Value
|-
| Enable || checked
|-
| Description || BRANCH_VPN
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 10.6.210.1/30
|-
| Gateway Name || VPN_BRANCHGW
|-
| Gateway IPv4 || 10.6.210.2
|}

=== Assign WireGuard Interface on Branch-FW ===

Navigate to '''Interfaces → Assignments''', choose the tun_gw0 interface, and click '''+Add''' (creates OPT1). Configure OPT1:

{| class="wikitable"
|-
! Setting !! Value
|-
| Enable || checked
|-
| Description || HQ_VPN
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 10.6.210.2/30
|-
| Gateway Name || VPN_HQGW
|-
| Gateway IPv4 || 10.6.210.1
|}

== Step 7: Create Firewall Rules on WAN ==

On both firewalls, navigate to '''Firewall → Rules → WAN''' and add a rule to the top:

{| class="wikitable"
|-
! Setting !! Value
|-
| Action || Pass
|-
| Protocol || UDP
|-
| Source || Any
|-
| Destination || WAN Address
|-
| Destination Port || 51820
|-
| Description || Pass traffic to WireGuard
|}

Click '''Save''' and '''Apply Changes'''.

== Step 8: Add Routing Between Sites ==

=== HQ-FW1 Static Route ===

Navigate to '''System → Routing → Static Routes''' and click '''+Add''':
* Destination Network: 172.18.1.0/24
* Gateway: VPN_BRANCHGW

=== Branch-FW Static Route ===

Navigate to '''System → Routing → Static Routes''' and click '''+Add''':
* Destination Network: 172.17.1.0/24
* Gateway: VPN_HQGW

== Step 9: Allow Tunnel Traffic ==

=== HQ-FW1 Tunnel Rule ===

On HQ-FW1, navigate to '''Firewall → Rules → BRANCH_VPN''' and add:

{| class="wikitable"
|-
! Setting !! Value
|-
| Action || Pass
|-
| Interface || BRANCH_VPN
|-
| Protocol || Any
|-
| Source || Any
|-
| Destination || Any
|-
| Description || Allow WireGuard VPN Traffic
|}

=== Branch-FW Tunnel Rule ===

On Branch-FW, navigate to '''Firewall → Rules → HQ_VPN''' and add the same rule (Interface: HQ_VPN).

== Step 10: Testing ==

WireGuard doesn’t have much status information. In most cases it either works if you configured it properly, or it does not. One place to look is for the existence of a recent “handshake.”

=== Check Status ===

On each firewall, navigate to '''VPN → WireGuard → Status'''. One of the only indicators that the VPN is up is the presence of the peer’s handshake.

=== Try to Ping Across ===

From the HQ-Client, try to ping the Branch-FW LAN interface at '''172.18.1.1'''. If the tunnel is up, your pings should be successful.

If the pings failed, you have a configuration issue and need to check your configuration.

== Troubleshooting ==

Due to its stateless nature, WireGuard doesn’t have status screens, and there is very little logging to be consulted. If your tunnel fails:

* Check the peer settings on both sides, paying particular attention to the public keys of the far-end peers
* Check for an active WireGuard state by navigating to '''Diagnostics → States''' and searching for a state that matches port 51820

The existence of this state can indicate that the VPN is connected. This state may age out, so you may need to try your ping again to bring it back up.

Once you are satisfied that WireGuard is working, you may delete it in order to simplify the next labs.

== Next Module ==
* [[Training: WireGuard|← Back to Training: WireGuard]]

----
<small>'''Source:''' Netgate pfSense Training — FUND001-LIVE-Lab7-WireGuard.pdf (© 2015-2021 Electric Sheep Fencing LLC)</small>

Training Lab 7: WireGuard - Revision history