pfSense® software Configuration Recipes — WireGuard Site-to-Site VPN Configuration Example (2024)

This recipe explains how to set up a VPN tunnel between two firewalls using WireGuard.

This example is a minimal configuration; more complicated scenarios are possible, see WireGuard for details.

Figure: WireGuard Example Site-to-Site Network

Required Information

General Values

  Item            Value
  Design          Site-to-Site, one peer per tunnel
  Tunnel Subnet   10.6.210.0/31

HQ:

  Item            Value
  WAN IP Address  198.51.100.15
  Tunnel Address  10.6.210.0/31
  Listen Port     51820
  LAN Subnet      10.15.0.0/24

Satellite Office:

  Item            Value
  WAN IP Address  198.51.100.23
  Tunnel Address  10.6.210.1/31
  Listen Port     51820
  LAN Subnet      10.23.0.0/24

WireGuard Configuration

  • Navigate to VPN > WireGuard > Settings

  • Fill in the following options:

    Enable: Checked
    Interface Group Membership: Only Unassigned Tunnels

  • Click Save

Tip

When allowing inbound connections from arbitrary remote networks, place the rules only on assigned WireGuard interface tabs to ensure proper return routing.

Note

Rules on assigned WireGuard interface tabs get reply-to, which ensures that traffic entering a specific assigned WireGuard interface exits back out the same interface. Without that, return traffic will follow the default gateway.

Tunnel Configuration

First create the WireGuard tunnel on both sites:

  • Navigate to VPN > WireGuard > Tunnels

  • Click Add Tunnel

  • Fill in the options using the information determined earlier, with variations noted for each site:

    Enabled: Checked

    HQ Settings
      Description: Satellite Office VPN

    Satellite Office Settings
      Description: HQ VPN

    Listen Port: 51820

    Interface Keys: Click Generate to create a new set of keys.

  • Copy the public key from each firewall and note which is which

  • Click Save

Peer Configuration

The peer entry for the remote firewall can be added when editing the tunnel. Follow these steps on both sites, with the differences in settings noted inline.

Edit the tunnel:

  • Navigate to VPN > WireGuard > Tunnels

  • Locate the WireGuard tunnel for this VPN

  • Click the edit icon at the end of the row for the tunnel

From the tunnel editing page, add a peer:

  • Click Add Peer

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings
      Description: Satellite Office Peer
      Endpoint: 198.51.100.23 (the WAN IP address of the Satellite Office)
      Endpoint Port: 51820
      Public Key: The public key from the Satellite Office firewall
      Allowed IPs: 10.6.210.0/31 and 10.23.0.0/24 (Tunnel network and Satellite Office LAN)

    Satellite Office Settings
      Description: HQ VPN Peer
      Endpoint: 198.51.100.15 (the WAN IP address of HQ)
      Endpoint Port: 51820
      Public Key: The public key from the HQ firewall
      Allowed IPs: 10.6.210.0/31 and 10.15.0.0/24 (Tunnel network and HQ LAN)

  • Click Save Peer

Assign Interface

These steps should be done on both sites.

First, fix the default gateway so WireGuard isn’t automatically selected before it’s ready:

  • Navigate to System > Routing

  • Set Default Gateway IPv4 to a specific gateway (e.g. WANGW) or group

  • Set Default Gateway IPv6 in a similar manner if this VPN will also carry IPv6 traffic

  • Click Save

  • Click Apply Changes

Next, assign the interface (Assign a WireGuard Interface):

  • Navigate to Interfaces > Assignments

  • Select the appropriate tun_wg<number> interface in the Available network ports list

  • Click Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. VPN_HQ or VPN_SATELLITE)

  • Fill in the options for the HQ endpoint using the information determined earlier:

    IPv4 Configuration Type: Static IPv4
    IPv4 Address: 10.6.210.0/31
    IPv4 Upstream Gateway:
      • Click Add a new gateway
      • Fill in the options:
          Gateway Name: WG_VPN_SAT_V4
          Gateway IPv4: 10.6.210.1
      • Click Add

  • Fill in the options for the Satellite Office endpoint using the information determined earlier:

    IPv4 Configuration Type: Static IPv4
    IPv4 Address: 10.6.210.1/31
    IPv4 Upstream Gateway:
      • Click Add a new gateway
      • Fill in the options:
          Gateway Name: WG_VPN_HQ_V4
          Gateway IPv4: 10.6.210.0
      • Click Add

  • Click Save

  • Click Apply Changes

Firewall Rules

First, add a rule to the WAN on both firewalls to allow traffic to reach WireGuard:

  • Navigate to Firewall > Rules, WAN tab

  • Click Add to create a new firewall rule at the top of the list so that it matches before other rules

  • Configure the firewall rule as follows:

    Action: Pass
    Protocol: UDP
    Source: This can typically be left at Any, but it is more secure to fill in the IP address of the opposing firewall.
    Destination: WAN Address
    Destination Port Range: (other), 51820
    Description: Pass traffic to WireGuard

  • Click Save

  • Click Apply Changes

Next, add a rule to pass traffic inside the WireGuard tunnel on both firewalls:

  • Navigate to Firewall > Rules

  • Click the tab for the assigned WireGuard interface (e.g. VPN_SATELLITE or VPN_HQ)

  • Click Add to add a new rule to the top of the list

  • Use the following settings:

    Action: Pass
    Protocol: Any
    Source: any
    Destination: any
    Description: Pass VPN traffic from WireGuard peers

    Note

    This rule allows all traffic between sites, which is easy but not a secure practice. Traffic between the sites can be restricted as needed with less permissive rules.

  • Click Save

  • Click Apply Changes

Routing

Specific networks can be routed across the VPN by adding a static route for the network(s) under System > Routing on the Static Routes tab.

These steps should be done on both sites.

  • Navigate to System > Routing > Static Routes

  • Click Add

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings
      Destination Network: 10.23.0.0/24 (e.g. Satellite office LAN segment)
      Gateway: WG_VPN_SAT_V4

    Satellite Office Settings
      Destination Network: 10.15.0.0/24 (e.g. HQ LAN segment)
      Gateway: WG_VPN_HQ_V4

  • Click Save

  • Click Apply Changes
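The Allowed IPs entered in Peer Configuration and the static routes added in this Routing section have to agree: WireGuard's cryptokey routing only passes a packet whose far-side address falls inside the peer's Allowed IPs, and it also uses Allowed IPs as the inbound source filter. The following Python script is an added example and is not part of this recipe or of pfSense software. It writes both sites' tunnel and peer settings from the tables above as WireGuard-style configuration text (the public keys are placeholders), parses them, and cross-checks tunnel addresses, endpoints, Allowed IPs and static route destinations for each site against the other. The site dictionaries, `parse_conf` and `check_site` are names chosen for this example.

```python
import ipaddress
import re

# Constructed WireGuard-style configuration text mirroring the recipe's values.
# Public keys are placeholders, not real keys; each firewall generates its own.
HQ_CONF = """
[Interface]
Address = 10.6.210.0/31
ListenPort = 51820

[Peer]
# Satellite Office Peer
PublicKey = SATELLITE_PUBLIC_KEY_PLACEHOLDER
Endpoint = 198.51.100.23:51820
AllowedIPs = 10.6.210.0/31, 10.23.0.0/24
"""

SAT_CONF = """
[Interface]
Address = 10.6.210.1/31
ListenPort = 51820

[Peer]
# HQ VPN Peer
PublicKey = HQ_PUBLIC_KEY_PLACEHOLDER
Endpoint = 198.51.100.15:51820
AllowedIPs = 10.6.210.0/31, 10.15.0.0/24
"""

# Each site: tunnel config, WAN address, LAN subnet, and the static route
# destinations it sends through the tunnel gateway (values from the recipe).
HQ = {"name": "HQ", "conf": HQ_CONF, "wan": "198.51.100.15",
      "lan": "10.15.0.0/24", "routes": ["10.23.0.0/24"]}
SATELLITE = {"name": "Satellite Office", "conf": SAT_CONF, "wan": "198.51.100.23",
             "lan": "10.23.0.0/24", "routes": ["10.15.0.0/24"]}


def parse_conf(text):
    """Parse INI-style WireGuard config into {"Interface": {...}, "Peer": {...}}.
    Comments are dropped; one peer per tunnel, matching the recipe's design."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_site(local, remote):
    """Return a list of problems with `local`'s tunnel settings relative to
    `remote`; an empty list means the two sides are consistent."""
    lconf, rconf = parse_conf(local["conf"]), parse_conf(remote["conf"])
    local_addr = ipaddress.ip_interface(lconf["Interface"]["Address"])
    remote_addr = ipaddress.ip_interface(rconf["Interface"]["Address"])
    peer = lconf["Peer"]
    allowed = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    local_lan = ipaddress.ip_network(local["lan"])
    problems = []

    def covered(net):
        # True when every address of `net` lies inside some AllowedIPs entry.
        return any(net.subnet_of(a) for a in allowed)

    # Tunnel addresses: the two hosts of one /31, and not the same host.
    if local_addr.network.prefixlen != 31 or local_addr.network != remote_addr.network:
        problems.append("tunnel addresses are not both inside the same /31")
    elif local_addr.ip == remote_addr.ip:
        problems.append("both sites use the same tunnel address")

    # Endpoint must be the other site's WAN address and its ListenPort.
    host, _, port = peer["Endpoint"].rpartition(":")
    if host != remote["wan"] or port != rconf["Interface"]["ListenPort"]:
        problems.append(f"endpoint {peer['Endpoint']} is not {remote['name']} WAN:ListenPort")

    # Cryptokey routing: the remote tunnel address and remote LAN must be
    # listed, or traffic to them is dropped before encryption ...
    if not covered(ipaddress.ip_network(str(remote_addr.ip))):
        problems.append(f"AllowedIPs omits {remote['name']} tunnel address {remote_addr.ip}")
    if not covered(ipaddress.ip_network(remote["lan"])):
        problems.append(f"AllowedIPs omits {remote['name']} LAN {remote['lan']}")
    # ... and the local LAN must not be listed: AllowedIPs is also the inbound
    # source filter, so listing it would accept tunnel packets claiming local addresses.
    if any(a.overlaps(local_lan) for a in allowed):
        problems.append(f"AllowedIPs overlaps local LAN {local_lan}")

    # Every static route sent via the tunnel gateway must be inside AllowedIPs.
    for dest in local["routes"]:
        if not covered(ipaddress.ip_network(dest)):
            problems.append(f"static route {dest} is not covered by AllowedIPs")
    return problems


if __name__ == "__main__":
    for local, remote in ((HQ, SATELLITE), (SATELLITE, HQ)):
        issues = check_site(local, remote)
        print(f"{local['name']}: {'OK' if not issues else '; '.join(issues)}")
```

Run as-is it reports OK for both sites; adding a route destination outside the peer's Allowed IPs, or swapping the two configs, makes the corresponding check report the mismatch before it has to be found by a failed ping across the tunnel.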

See also

As an alternative to static routing in this way, dynamic routing protocols can also work with WireGuard. See WireGuard Routing for more information.

Tip

These gateways can also be used for policy routing if needed.

Finish Up

The configuration is now complete! The two sites should now have full LAN-to-LAN connectivity.

See also

  • WireGuard

  • Routing

  • WireGuard Remote Access VPN Configuration Example

  • WireGuard Site-to-Multisite VPN Configuration Example

  • WireGuard VPN Client Configuration Example
