WireGuard VPN providers that support pfsense
-
I've been using IVPN for several years and have been happy with them. They do support Wireguard and I have transitioned my pfSense to use Wireguard exclusively with them. I've posted screenshots of how I got it configured in this post https://forum.netgate.com/topic/160378/wg-not-routing-or-sending-traffic
-
@hypnosis4u2nv said in WireGuard VPN providers that support pfsense:
I have Torguard up and running.
Any chance you could share how you got this running? I've been trying to get this in place but the peer won't connect.
-
@ertnec Go to the config generator, select tunnel type - WireGuard, choose your server location and enter your VPN login details.
Go to pfSense VPN->WireGuard->Add Tunnel. Check Enable interface, add a description, and go down and Generate New Keys.
Go back and enter those keys in the Torguard config generator and hit the Generate Config button. You should have a config printed out in the box. Copy the address under Interface and plug that into Address in the pfSense WireGuard tunnel. Listen port should be listed as 51820, so enter that in the tunnel. Click Add Peer at the bottom of the WireGuard setup.
The peer configuration is copied from the config that was generated and plugged into all applicable fields in the tunnel peer settings. Leave everything else blank.
Create and enable your WireGuard interface. Create a firewall rule under the WireGuard interface to allow any.
Add your NAT rule for WAN.
Then add any policy-based rules to the firewall.
Done.
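The steps above amount to copying values from the provider's generated config into the pfSense tunnel and peer forms by hand. The following is an added example (not from this post, and not TorGuard's or pfSense's code) that parses a constructed wg-quick style config, checks that the private key coming back from the generator is the one generated in pfSense, validates key format, and lays the values out under assumed pfSense field names (Address, Listen Port, Public Key, Endpoint, Endpoint Port, Allowed IPs, Keep Alive). The keys in the sample are placeholders built from fixed bytes, not real key material.

```python
"""Map a provider-generated WireGuard config onto the pfSense tunnel/peer form.

Added example (not the forum post's code, not TorGuard's or pfSense's). The
pfSense field names used below are assumptions about the tunnel/peer form.
"""
import base64
from typing import Dict, List, Optional

Section = Dict[str, List[str]]

# Constructed placeholder keys: valid 32-byte base64, not real key material.
PFSENSE_PRIVATE_KEY = base64.b64encode(bytes(32)).decode()           # "generated in pfSense"
PROVIDER_PUBLIC_KEY = base64.b64encode(bytes([0x11]) * 32).decode()  # the server's key

# Constructed sample in the wg-quick format a provider's config generator prints.
SAMPLE_CONFIG = f"""\
[Interface]
PrivateKey = {PFSENSE_PRIVATE_KEY}
Address = 10.13.128.2/24
DNS = 10.8.0.1
ListenPort = 51820

[Peer]
PublicKey = {PROVIDER_PUBLIC_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wg.example.invalid:1443
PersistentKeepalive = 25
"""


def parse_wg_config(text: str) -> Dict[str, List[Section]]:
    """Parse wg-quick INI text. Values are lists: AllowedIPs may repeat or be comma-separated."""
    sections: Dict[str, List[Section]] = {"Interface": [], "Peer": []}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name not in sections:
                raise ValueError(f"unknown section [{name}]")
            current = {}
            sections[name].append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # split on the first '=' only: keys end in '='
        current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
    if len(sections["Interface"]) != 1:
        raise ValueError("config needs exactly one [Interface] section")
    return sections


def is_wg_key(value: str) -> bool:
    """WireGuard keys are 32 bytes, base64-encoded: 44 characters ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def _one(section: Section, key: str, required: bool = True) -> Optional[str]:
    values = section.get(key, [])
    if len(values) > 1:
        raise ValueError(f"{key} may appear only once")
    if required and not values:
        raise ValueError(f"missing {key}")
    return values[0] if values else None


def to_pfsense_fields(config_text: str, pfsense_private_key: str) -> dict:
    """Return the values to type into the pfSense tunnel and peer forms (assumed field names)."""
    cfg = parse_wg_config(config_text)
    iface = cfg["Interface"][0]
    if len(cfg["Peer"]) != 1:
        raise ValueError("a provider config should carry exactly one [Peer]")
    peer = cfg["Peer"][0]

    private_key = _one(iface, "PrivateKey")
    public_key = _one(peer, "PublicKey")
    for name, key in (("PrivateKey", private_key), ("PublicKey", public_key)):
        if not is_wg_key(key):
            raise ValueError(f"{name} is not a valid WireGuard key")
    # The post generates the key pair in pfSense and pastes it into the provider's
    # generator, so the config must hand the same private key back; a different one
    # would silently replace the key pfSense already holds.
    if private_key != pfsense_private_key:
        raise ValueError("config PrivateKey does not match the key generated in pfSense")

    host, _, port = _one(peer, "Endpoint").rpartition(":")
    keepalive = _one(peer, "PersistentKeepalive", required=False)
    return {
        "tunnel": {
            "Address": _one(iface, "Address"),
            "Listen Port": int(_one(iface, "ListenPort", required=False) or 51820),
            "Private Key": private_key,
        },
        "peer": {
            "Public Key": public_key,
            "Endpoint": host.strip("[]"),  # strip brackets from an IPv6 literal
            "Endpoint Port": int(port),
            "Allowed IPs": peer.get("AllowedIPs", []),
            "Keep Alive": int(keepalive) if keepalive else None,
            "Pre-shared Key": _one(peer, "PresharedKey", required=False),
        },
        # DNS has no field on the tunnel form; it is configured elsewhere in pfSense.
        "unmapped": {"DNS": iface.get("DNS", [])},
    }


if __name__ == "__main__":
    for form, values in to_pfsense_fields(SAMPLE_CONFIG, PFSENSE_PRIVATE_KEY).items():
        print(form, values)
```

The private-key comparison is the check worth keeping: if the generator hands back a different key than the one pasted in, the tunnel will come up with a key the provider never registered and the peer will never handshake.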
-
@hypnosis4u2nv said in WireGuard VPN providers that support pfsense:
@ertnec Go to the config generator, select tunnel type - wireguard, choose your server location and enter your VPN log in details.
Go to pfsense VPN->Wireguard->Add Tunnel. Check Enable interface, add description, and go down and Generate New Keys.
Go back and enter those keys in the Torguard config generator and hit generate config button. You should have a config printed out in the box. Copy the address under interface and plug that into address in pfsense wireguard tunnel. Listen port should be listed as 51820 so enter that in the tunnel. Click add peer on the bottom in the wireguard setup.
The peer configuration is being copied from the config that was generated and plugged into all applicable fields in the tunnel peer settings. Leave everything else blank.
Create and enable your Wireguard interface. Create a firewall rule under the wireguard interface to allow any.
Add your NAT rule for WAN.
Then add any policy based rules to the firewall.
Done.
You know what, I'm an idiot... It was working fine, I'd just not interpreted the output of wg correctly. Once I'd properly set it to the VLAN which uses it (so just swapping over ovpnc1 for wg0 on the gateway interface), everything was spot on. Although what wasn't clear was that in order to get port forwarding working correctly, you need to first request/configure the range within TG itself, then generate a new config. I'd generated the config then requested the port forwards. Compared to OpenVPN, peak speeds seem far more consistent (holding steady now at around 55 Mbps, which is the upper limit of my current connection, compared to ranging from 45-55), although CPU load has increased from an average of 40% to around 55%.
-
@ertnec Glad you got it working. The only bugs I am seeing is that the traffic graph doesn't display any data and the RTT latency data is ridiculously low so probably wrong. Could be an issue if you're running a gateway group and it's choosing gateways based on latency.
-
@hypnosis4u2nv the latency is low because the gateway is set to ping itself. You'll want to go to System -> Routing, then edit the gateway and set it to ping an alternate IP like 8.8.8.8 or whatever. Then you'll get a real gauge of your latency.
-
Windscribe also has WireGuard support.
-
@hypnosis4u2nv said in WireGuard VPN providers that support pfsense:
@ertnec Glad you got it working. The only bugs I am seeing is that the traffic graph doesn't display any data and the RTT latency data is ridiculously low so probably wrong. Could be an issue if you're running a gateway group and it's choosing gateways based on latency.
Ahhh I never noticed the traffic graph reporting incorrectly for the interface where the tunnel is paired! Interesting
-
@gabacho4 Thanks! Just added it and it displays correctly! Duh!
-
@n8rfe iVPN.net fully supports it and even has a guide for pfSense they uploaded a few days ago.
-
@xxgbhxx How's the performance? Already paying for 2 VPN providers, do I need a third... ha
-
@beachbum2021 said in WireGuard VPN providers that support pfsense:
@xxgbhxx How's the performance? Already paying for 2 VPN providers, do I need a third... ha
I also use IVPN. It's been very stable for me. I have 1000/1000 FIOS and running a speedtest via command line through WAN directly to Verizon servers about 60 miles away typically results in down/up in the 800-900 Mbps range with latency in the 9-10 ms range.
With Wireguard to servers that are about 200 miles away down/up in the 700-800 range and latency in 16-17 ms range.
With OpenVpn to the servers that are about 200 miles away down/up in the 350-500 range and latency in 14-15 ms range.
Wireguard speeds are more consistent than the OpenVpn speeds.
IVPN allows 7 concurrent connections per account. As a fail-safe, I use 3 of the connections as 3 different WireGuard connections in pfSense to servers in 3 different geographical locations. I then bind all of the interfaces as a Gateway Group so pfSense routes through the 3 different connections. In 5 years or so of using their service I've never been unable to route traffic through their servers.
I've never felt the need to have a second provider as it would be an extremely unlikely event that would cause 3 different servers, in geographically different places, hosted by different data centers (Leaseweb, Quadranet and M247) go offline at the same time. Honestly, the only way I can imagine that happening would be some major internet disruption, like Verizon going down. In that case, I wouldn't be able to reach a 2nd provider even if I had one set up.
-
@beachbum2021 said in WireGuard VPN providers that support pfsense:
@xxgbhxx How's the performance? Already paying for 2 VPN providers, do I need a third... ha
@dma_pf said in WireGuard VPN providers that support pfsense:
@beachbum2021 said in WireGuard VPN providers that support pfsense:
@xxgbhxx How's the performance? Already paying for 2 VPN providers, do I need a third... ha
I also use IVPN. It's been very stable for me. I have 1000/1000 FIOS and running a speedtest via command line through WAN directly to Verizon servers about 60 miles away typically results in down/up in the 800-900 Mbps range with latency in the 9-10 ms range.
With Wireguard to servers that are about 200 miles away down/up in the 700-800 range and latency in 16-17 ms range.
With OpenVpn to the servers that are about 200 miles away down/up in the 350-500 range and latency in 14-15 ms range.
Wireguard speeds are more consistent than the OpenVpn speeds.
IVPN allows 7 concurrent connections per account. As a fail-safe, I use 3 of the connections as 3 different WireGuard connections in pfSense to servers in 3 different geographical locations. I then bind all of the interfaces as a Gateway Group so pfSense routes through the 3 different connections. In 5 years or so of using their service I've never been unable to route traffic through their servers.
I've never felt the need to have a second provider as it would be an extremely unlikely event that would cause 3 different servers, in geographically different places, hosted by different data centers (Leaseweb, Quadranet and M247) go offline at the same time. Honestly, the only way I can imagine that happening would be some major internet disruption, like Verizon going down. In that case, I wouldn't be able to reach a 2nd provider even if I had one set up.
I have been using iVPN for 9 years now. For those 9 years I've used OpenVPN. I must be incompetent though clearly. I've never managed to get the connection stable or able to failover.
When I reboot, the OpenVPN tunnel comes up but doesn't route traffic. If I re-connect the tunnel it works perfectly.
The tunnel randomly drops its connection. Sometimes it's stable for a few weeks and I forget about it. Over the last week it's dropped about 10 times a day and is worse under heavy load. It NEVER automatically reconnects. It tries but it always hangs. I then have to either wait a few mins or (as I now do) I hop to a different server and it re-connects instantly.
I have tried creating additional tunnels and grouping them, and while it worked I had packet loss and slowdown. The second ISP connection is a connection resiliency thing, not an ISP thing. I work from home and I am 100% reliant on my connection, so it's there as a backup and as a clean (non-VPN) feed for all the scummy media companies that now ban VPNs.
G
-
@gabacho4 said in WireGuard VPN providers that support pfsense:
@hypnosis4u2nv the latency is low because the gateway is set to ping itself. You'll want to go to System -> Routing, then edit the gateway and set it to ping an alternate IP like 8.8.8.8 or whatever. Then you'll get a real gauge of your latency.
For what it's worth, I set the monitoring IP the same as the "Peer WireGuard Address", which is the other end of the tunnel. I thought I read somewhere in Redmine that this would be done automatically if Peer WireGuard Address is configured, but it didn't seem to work for me.
EDIT: here is the issue https://redmine.pfsense.org/issues/11300
-
I posted a quick how-to on NordVPN
https://www.reddit.com/r/PFSENSE/comments/m0989o/nordvpn_wireguard_setup_works/
It's really just how to get the keys and IP, not a full setup guide. It seems you can only have a single WG tunnel at this stage.
-
@griffo Nice
-
StrongVPN provides WireGuard service, although only the San Francisco node supports it for IPv6. All other nodes support IPv4.
They don't have pfSense specific configuration instructions, but you can get keys.
Not that I've gotten it to work ...
-
I have a pfSense solution for PIA. It's not quite ready to share, but I'm getting close. I'm running it myself now and have been for a while, but I need to clean up a few things before I'd say give it a go. Basically it's a Docker container you run somewhere on your LAN and it talks to pfSense over SSH and manages the WireGuard config for you. It also supports PIA's port forwarding if you need that, too.
It's based on a previous solution that I ran on vanilla Linux before pfSense had wg support. I've converted it to something that can manage wg interfaces directly on pfSense. I use it to manage multiple tunnels with PIA, allowing me to policy route traffic based on various conditions as needed.
-
@slugger said in WireGuard VPN providers that support pfsense:
I have a pfSense solution for PIA. It's not quite ready to share, but I'm getting close. I'm running it myself now and have been for a while, but I need to clean up a few things before I'd say give it a go. Basically it's a Docker container you run somewhere on your LAN and it talks to pfSense over SSH and manages the WireGuard config for you. It also supports PIA's port forwarding if you need that, too.
It's based on a previous solution that I ran on vanilla Linux before pfSense had wg support. I've converted it to something that can manage wg interfaces directly on pfSense. I use it to manage multiple tunnels with PIA, allowing me to policy route traffic based on various conditions as needed.
I like WireGuard because of its simplicity and ease of use, aside from the technical and performance value it has over OpenVPN for my use case. I think it's cool that you came up with something to make it work with PIA, but I wouldn't complicate my setup just to use PIA. I use Mullvad instead and it takes 5 minutes to create a new account and set a WireGuard key up.
-
@xparanoik Valid points. PIA is like 1/4 of the cost of Mullvad and I already had a paid PIA sub not expiring anytime soon, so I didn't want to pay out for another VPN provider. That was my motivation to make it work in pfSense. :)