I made a WireGuard package for pfSense
-
@Ascrod So I found this yesterday and I tried it for the first time just now. I'm on 2.4.5 and I used the links from your post just a few hours ago. I got no errors, but if I go into Assign Interfaces I don't see it. I see the WireGuard package status in my dash and it is stopped, but when I try to start it then it tries for a bit and then fails. The system log shows these entries every time I go through that process:
Apr 12 12:29:22 kernel tunwg0: link state changed to DOWN
Apr 12 12:29:22 kernel tun0: changing name to 'tunwg0'
Apr 12 12:29:22 kernel tun0: link state changed to UP
Apr 12 12:28:26 kernel tunwg0: link state changed to DOWN
Apr 12 12:28:26 kernel tun0: changing name to 'tunwg0'
Apr 12 12:28:26 kernel tun0: link state changed to UP
Apr 12 12:27:41 kernel tunwg0: link state changed to DOWN
Apr 12 12:27:41 kernel tun0: changing name to 'tunwg0'
Apr 12 12:27:41 kernel tun0: link state changed to UP
Apr 12 12:27:34 kernel igb3: promiscuous mode enabled
Any ideas what it could be tripping up on?
-
As a follow-up, it does show in VPN and I can configure things like the IP range and have it generate private and public keys. It seems the key will be being able to get that interface up and running, and then I'll be in business. Thanks for any suggestions you can provide.
UPDATE - Once I'd input the items above, I could get the service to start. Once the service was started, I was able to assign the interface. Looks like I am in pretty good shape now. This is great work - I really hope they can get something like this into pfSense ASAP so we'll have support for upgrades and backups and such.
-
@burntoc You have to configure the VPN before you can use it... was that your issue?
If you need to troubleshoot further, running WireGuard from the command line might help. I haven't figured out how to pipe all of WG's output to the log yet, so some errors may not be easy to troubleshoot from the web interface alone.
-
Hi and thanks for your effort.
It would be great if you could make a step-by-step howto on how to set this up as a server, and with peers (road warrior) from a fresh install (and with client configs).
I have installed, restarted services, assigned the interface, created outbound NAT etc. in every different order, without any luck.
I cannot make a connection that routes traffic correctly. I can make a connection to the server, but the traffic does not pass.
Br
-
@Ascrod Thank you! It took several attempts before it installed. Again, I'm not a CLI person, but I received an error about “bash”, so after an hour or so I figured bash needed to be installed. Once I installed it with
pkg install bash
I was able to execute your commands in PuTTY. I removed bash with pkg remove bash
and it removed WG; not sure why that happened, but I reinstalled bash and re-ran your commands and all is good again.
Understood on the advice to use at your own risk; right now I have it on a test box and will continue with the test box before trying on the main system. As far as the client and peer settings, I have the keys from a Raspberry Pi WG install from a few weeks ago, so I should just be able to plug those values in. I had the Pi working somewhat. The client would say active but I couldn't see my LAN from the WG client, so hoping to have better luck here with pfSense.
Thanks again for doing this and the detailed explanation. Going to enter the Interface and Peer info tomorrow and see how it goes.
-
Well, fortunately, most of the existing guides out there for WireGuard will still be helpful here. This package doesn't do anything particularly special; it just provides a graphical interface for bringing the interface down or up, and for configuring the VPN. For the most part, WireGuard functionality and troubleshooting on pfSense/FreeBSD should be close to how it works on Ubuntu.
Maybe you'd find the unofficial WireGuard docs useful? They have a number of examples posted that can probably get you started. The configuration interface should match pretty closely with the parameters used in the config file, and the start/restart button simply calls the wg-quick up and down commands.
I have been having some issues with getting DNS requests to route through the VPN. If you set your DNS setting to something other than the VPN server, does traffic route properly?
-
It might be straightforward for people used to the WireGuard config interface/peers; for me it's not, even though I consider myself pretty advanced in config and troubleshooting.
My last config broke my servers, resulting in some strange routing or whatever, so my internet went down. Everything started working once I stopped the wireguard service.
I don't think it's about DNS, as I cannot even ping the LAN IP of the pfSense server, or the WireGuard interface IP of the server.
I know my client works, because I already have a WireGuard Streisand server on another host behind my firewall (pfSense). Connecting to that server works great!
I have even tried to compare the configs provided by the Streisand server, the output of wg show / wg showconf on both servers, without any luck in setting the parameters on the server and client config.
-
@cappiz I didn’t write down the steps, but here is the rough take on what worked for me earlier today.
- Run the pkg get commands from today’s earlier post. I did have to swap the first and second commands because it told me wireguard-go was a dependency for wireguard. I also had to pkg install bash.
- Rebooted the server. I did this b/c I couldn’t find the wireguard interface in the Assign Interfaces area as I understood from the comments in this thread. The service also wouldn’t start.
- After reboot, Wireguard showed up under my VPN lists, IIRC. I configured a network and had it autogen keys.
- Went into Services and saw Wireguard there, and I started it there.
- Went into Assign Interfaces and it was there, so I enabled the interface.
HTH. YMMV.
-
I did not use apt-get (ubuntu/debian based?) as I used pkg (and yes, I also had to swap the commands, and first install bash).
I have/had the interface (assigned) up and running (needed to create interface and peer first).
In the peer config - what is preshared key? I can't find any references to it in the documentations.
-
While I do believe at some point this will get added to pfSense, until it is "officially" supported, be it added to the official package system or just natively in the pfSense distro, I would not suggest anyone play with this unless you're ready to break your config, or be concerned with its security.
When either someone takes the time to vet this through the pfSense developers to the point they add it to the package system, or the official pfSense developers incorporate it into the code, it's not something anyone should be messing with who is not fully aware of all the possible consequences.
If you want to deploy this now, before it's officially supported, I suggest you run this on some other box in your network and do it that way before you go dicking with anything to do with the pfSense install.
If someone wants to help the community in deploying this, they should be putting together guides on how to run this on a different box in their network, vs. suggesting anyone mess with the base pfSense deployment.
-
@cappiz My apologies, I misspoke there. You're right, it was pkg get; corrected.
-
So here's another question for the crew. I realized that I'm actually going to run WireGuard on another device in my IoT zone, and the message from @johnpoz reminded me that if I don't have to have it here I probably shouldn't install it this way.
How do you remove it? I used pkg delete to remove wireguard, wireguard-go, and bash, and I rolled back my config as well and rebooted, and I'm STILL seeing WireGuard as a service and in the VPN menu and defined interfaces.
-
@cappiz As I said in my first post, using WireGuard here is very much at your own risk; if you're having this much difficulty, please consider @johnpoz's advice in setting WG up on a separate device instead. Also, please do NOT post any private keys publicly, they are private for a reason! I suggest changing your private and public key immediately.
@burntoc It sounds like you also need to remove pfSense-pkg-wireguard. I'm not sure why pkg wouldn't have caught it when you removed wireguard and wireguard-go, but that might be your issue.
-
@Ascrod Thank you for the message. As best I can tell, there may be some package reinstallation tasks that try to put things back in order. I saved the config I'd restored to and removed the wireguard entries then reloaded it and everything looks good so far. If it acts up, I guess it will be my excuse to kick the tires on 2.5, LOL.
-
It is working! Thanks for the package. How can I see WireGuard logs?
-
@baran WireGuard doesn't provide much in the way of log files. You can check the status of the interface and peers on the status page, though (Status > WireGuard VPN).
-
Hi All,
Would like some input. I'm testing this on a pfSense install running in a VM. I seem to have all the port forwarding from my real/physical pfSense box to my VM pfSense machine running the WireGuard server.
I'm testing a connection from my Android phone over a cellular data connection. It seems to be able to connect to the WireGuard VPN server. When I run the command "wg" it shows my cellphone's public IP as an endpoint. If I run a tcpdump on the VPN port I see a lot of UDP activity between the VPN server and my cell phone's public IP.
However, I cannot ping any internal IPs or internet IPs, e.g. 8.8.8.8. It's like no traffic is passing through the tunnel.
On the client side I do have AllowedIPs set to 0.0.0.0.
From the VPN server I can ping the phone on the VPN IP address, but I cannot ping the VPN server's interface IP from the phone!
-
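The two questions above (how to see what WireGuard is doing, and a peer that handshakes but passes no traffic) can both be answered from `wg show <iface> dump`, the tab-separated form of the status the package shows under Status > WireGuard VPN. Below is an added triage script for that output; it is not part of the package or of any post in this thread. The interface name tunwg0 is taken from the kernel log earlier in the thread; the thresholds, hint texts, sample keys and counters are constructed for this example.

```shell
#!/bin/sh
# Added example: triage `wg show <iface> dump` output (wg(8) format).
# Per-peer columns, tab-separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (epoch seconds, 0 = never), transfer-rx,
# transfer-tx, persistent-keepalive. Line 1 is the interface itself.
# On the box:  wg show tunwg0 dump | wg_triage "$(date +%s)"
wg_triage() {
    awk -F'\t' -v now="$1" '
        BEGIN {
            # Thresholds and hints are assumptions chosen for this example.
            hint["NO_HANDSHAKE"]    = "no handshake ever: check endpoint, port forward, keys and listen port"
            hint["STALE_HANDSHAKE"] = "last handshake over 180s ago: peer gone or keepalive missing"
            hint["RX_ONLY"]         = "encrypted data arrives but nothing returns: check firewall rules on the WG interface, routes for the tunnel subnet, outbound NAT"
            hint["TX_ONLY"]         = "we send but receive nothing: peer side is not routing into the tunnel (client AllowedIPs?)"
            hint["NO_PAYLOAD"]      = "handshake only: neither side has routed traffic into the tunnel yet"
            hint["OK"]              = "traffic flowing both ways"
        }
        NR == 1 { next }
        {
            hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            if      (hs == 0)           v = "NO_HANDSHAKE"
            else if (now - hs > 180)    v = "STALE_HANDSHAKE"
            else if (rx > 0 && tx == 0) v = "RX_ONLY"
            else if (rx == 0 && tx > 0) v = "TX_ONLY"
            else if (rx == 0)           v = "NO_PAYLOAD"
            else                        v = "OK"
            printf "%s peer=%s... allowed=%s endpoint=%s rx=%d tx=%d\n  -> %s\n", v, substr($1, 1, 8), $4, $3, rx, tx, hint[v]
        }'
}

# Constructed sample in the same layout (placeholder keys, not from a real box):
# a phone peer that handshook 2s before "now" and sent 18444 bytes that got
# no reply, and a laptop peer that has never handshaken.
sample_dump() {
    printf 'SERVERPRIVKEY\tSERVERPUBKEY\t51820\toff\n'
    printf 'PHONEPUBKEYAAAA\t(none)\t203.0.113.10:41000\t10.0.9.2/32\t%s\t18444\t0\t25\n' 1699999988
    printf 'LAPTOPPUBKEYBBB\t(none)\t(none)\t10.0.9.3/32\t0\t0\t0\toff\n'
}

# Demo run against the sample at a fixed "now"; use the live pipeline above on a router.
sample_dump | wg_triage 1699999990
```

RX_ONLY on a freshly assigned interface usually means the tunnel is up but pfSense has no pass rule on the new interface yet, so replies never leave the box.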
How can I add a new interface and configure it separately from this package?