pfSense with Wireguard. Difficulties getting setup.
-
I've followed this guide as closely as I could (he seems to have a different IP range on his network):
How to Set Up WireGuard on pfSense
My home network includes three VLANs: 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 & 10.1.1.0/24. The last one listed is the default where all "unknown traffic" goes to die -- none of my devices actually use it. My laptop is in the 10.1.10.0/24 network. My cell phone is in the 10.1.20.0/24 network. Once I get this set up, I want my remote devices to be able to access devices on the 10.1.20.0/24 network. I have Home Assistant (and all my IoT devices on that network). Soon I'll be adding a NextCloud server to the mix as well -- I'm leaning toward putting it in its own VLAN to keep all the sensitive data away from any hackers that might potentially make it in via one of the IoT devices, and if I do that, it will be on 10.1.40.0/24. If I do that, the remote devices will need to access that VLAN as well.
I currently have 2 devices that I want to be able to connect remotely: my laptop (rarely used outside the home) & my cell phone. I plan to set up a second Raspberry Pi at my Mom's house to act as a NextCloud client and store a copy of all the data from the NC server (off-site redundant backup). All three will need to access the VPN as described above. I have a DuckDNS domain along with a Let's Encrypt certificate.
- During the process of setting up the peers, there is an optional pre-shared key specifically for that device -- it seems like this would make it a little more secure. But when I tell it to generate the pre-shared key and then copy it to the clipboard, the key is the SAME as the private key. Here's a screenshot of what I see when I try to generate a pre-shared key. This was done using a temporary peer that I deleted after trying to generate the key, so don't be concerned about the fact that I've published it here.
- On the Windows client software, under the [Interface] section, I'm supposed to put an IP address. He used 10.200.0.5/24. But I have no idea where that address came from, so I don't know what I should use here. EDIT: I think this is intended to be the IP address of the client on the VPN.
- I also watched his YT video about this (that's actually how I got to this blog entry). In the video, he talked about the fact that he's using split tunnel. If you want to use the VPN for ALL internet traffic that the peer has, you should use 0.0.0.0/0 as the "Allowed IPs". I'm currently undecided if I want split tunnel or full VPN. Assuming that I decide I want full VPN, how do I decide what IP address(es) to put here? EDIT: I THINK that if I want to use a split VPN, I'd put in the Allowed IPs section (within pfSense) 10.1.20.0/24 to give access to the IoT devices and 10.1.40.0/24 to give access to the NC server as noted above. Is that correct?
-
I've had that happen where it's the same key, I just disabled Hide Secret Key and manually copied the key (was different than what I was C+P)
-
The IP is the IP address that you'd like to assign, I did 100.20.0.X/24 instead of what was done on the video 10.200.0.X/24 (I know which video you are referring to)
-
I wanted ALL my traffic on my devices (iPhones, Laptops, etc) to go through the VPN so I added 0.0.0.0/0. I didn't want to split tunnel as I don't want anything 'leaked' (if it did).
-
@rtorres said in pfSense with Wireguard. Difficulties getting setup.:
- I've had that happen where it's the same key, I just disabled Hide Secret Key and manually copied the key (was different than what I was C+P).
I'll try that
- The IP is the IP address that you'd like to assign, I did 100.20.0.X/24 instead of what was done on the video 10.200.0.X/24 (I know which video you are referring to)
Since I want the VPN traffic to use the 10.1.90.0/24 network, I'll set the phone to 10.1.90.101 and the laptop to 10.1.90.100. Would I do that in the client configuration app on the client itself, in the peer configuration within pfSense, or both? After posting this last night, I did set the clients to use the IP addresses as I described. The phone indicates that it connected. But when I look at the VPN status in pfSense, it shows that neither client has ever performed a handshake -- and the phone doesn't have access to any of the network resources. I made a separate post about that.
- I wanted ALL my traffic on my devices (iPhones, Laptops, etc) to go through the VPN so I added 0.0.0.0/0. I didn't want to split tunnel as I don't want anything 'leaked' (if it did).
Thanks. It sounds like I was on the right track there -- just having confirmation of that is helpful.
-
@rtorres
Thanks for the assistance. I was able to get it working. Now I need to figure out how to limit what the VPN traffic can access. I'm wanting to do a split tunnel. The VPN uses the 10.1.90.0/24 range. My phone has an IP address of 10.1.90.101. The only resources VPN devices should be able to access are on the 10.1.20.0/24 network.
Screenshot 1 shows the peer portion of the WireGuard Android client. Screenshot 2 shows the peer portion as shown in pfSense. When I did this, the phone would not connect. But if I left it as 0.0.0.0/0 (in the Android app) it worked -- even with the peer set this way in pfSense -- so I think I need to leave pfSense set the way it is.
EDIT: Correction -- Screenshot 1 shows what the Android app looks like when IT WORKS. If I change the 0.0.0.0/0 entry to 10.1.90.0/24,10.1.20.0/24, it fails.
-
This is what the Android client looks like when I try to enable the split tunnel configuration. It refuses to connect.
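The two questions running through this thread (full tunnel vs. split tunnel in the original post, and the split-tunnel attempt in the last posts) both come down to what WireGuard's AllowedIPs means on each side of the link. The script below is an added example and is not code from the thread, from pfSense or from the WireGuard project. It embeds constructed sample configs using the addresses mentioned above (tunnel 10.1.90.0/24, phone at 10.1.90.101, IoT VLAN 10.1.20.0/24); every key and the endpoint hostname are placeholders, and the port 51820 is just WireGuard's conventional default. It parses the AllowedIPs lines and applies the two rules of WireGuard's cryptokey routing: on the client, AllowedIPs decides which destinations are sent into the tunnel; on pfSense, a peer's AllowedIPs is the set of source addresses accepted from (and routed back to) that peer, which for a single phone is its tunnel address as a /32.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample configurations for the setup discussed in the thread.
# Keys and the endpoint hostname are placeholders, not real values.

# Phone side, split tunnel: only the tunnel network and the IoT VLAN are sent
# into the tunnel; everything else (including 10.1.10.0/24 and the internet)
# leaves through the phone's normal connection.
CLIENT_SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <phone-private-key-placeholder>
Address = 10.1.90.101/24

[Peer]
PublicKey = <pfsense-tunnel-public-key-placeholder>
PresharedKey = <optional-psk-placeholder>
AllowedIPs = 10.1.90.0/24, 10.1.20.0/24
Endpoint = <your-duckdns-hostname>:51820
PersistentKeepalive = 25
"""

# Same phone, full tunnel: 0.0.0.0/0 routes all IPv4 traffic through the VPN.
CLIENT_FULL_TUNNEL = CLIENT_SPLIT_TUNNEL.replace(
    "AllowedIPs = 10.1.90.0/24, 10.1.20.0/24", "AllowedIPs = 0.0.0.0/0"
)

# pfSense side, the peer entry for the phone. Here AllowedIPs is the source
# address pfSense will accept from this peer and route back to it: the phone's
# tunnel address as a /32, not the LAN networks the phone wants to reach.
PFSENSE_PEER_PHONE = """\
[Peer]
PublicKey = <phone-public-key-placeholder>
PresharedKey = <optional-psk-placeholder>
AllowedIPs = 10.1.90.101/32
"""


def parse_allowed_ips(conf: str) -> List[Network]:
    """Collect every network listed under AllowedIPs in a wg-quick style config."""
    nets: List[Network] = []
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            for item in value.split(","):
                item = item.strip()
                if item:
                    nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def routes_via_tunnel(client_conf: str, dst: str) -> bool:
    """Client side: a destination goes into the tunnel only if an AllowedIPs
    entry on the peer covers it (the client installs routes from this list)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_allowed_ips(client_conf))


def server_accepts(peer_conf: str, src: str) -> bool:
    """Server side (cryptokey routing): a decrypted packet from a peer is
    dropped unless its source address lies inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in parse_allowed_ips(peer_conf))


if __name__ == "__main__":
    for dst in ("10.1.20.50", "10.1.10.5", "8.8.8.8"):
        print(f"split tunnel -> {dst}: via VPN = {routes_via_tunnel(CLIENT_SPLIT_TUNNEL, dst)}")
        print(f"full tunnel  -> {dst}: via VPN = {routes_via_tunnel(CLIENT_FULL_TUNNEL, dst)}")
    for src in ("10.1.90.101", "10.1.20.7"):
        print(f"pfSense accepts packet from phone with source {src}: "
              f"{server_accepts(PFSENSE_PEER_PHONE, src)}")
```

Two consequences follow from the rules the script encodes. A split-tunnel client that lists 10.1.90.0/24 and 10.1.20.0/24 never sends 10.1.10.0/24 or internet traffic into the VPN, so that traffic is not "leaked" through the tunnel but it is also not protected by it. And the client's AllowedIPs is routing on the client, which the phone's owner controls, not an access control: limiting what VPN devices may reach on 10.1.20.0/24 is done with firewall rules on the WireGuard tunnel interface in pfSense, not by shrinking the peer's AllowedIPs on the pfSense side below the peer's own /32.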