    WireGuard lives!

    90 Posts 17 Posters 28.6k Views
      gabacho4 Rebel Alliance @gabacho4

      @gabacho4 just manually removed the older package versions and manually reinstalled and all is well. Not as convenient as having a package to select in the package manager, but easy enough still and nice to be on current.

        brians @gabacho4

        @gabacho4 Thanks, I will just wait until official release. Was just curious because of the different version numbers with pfSense+ and CE.
        Having said that, I wonder if it will support the ARM devices, e.g. SG3100.

          vajonam Rebel Alliance @brians

          @brians Yup, it should support ARM devices, assuming NG will build the WireGuard kmods for all architectures. The WG pfSense package (UI) really has no dependency on architecture.

            brians @vajonam

            Wow, I upgraded SG5100 to 21.05 last night, this morning I manually installed WireGuard 0.1.2.
            Took me a few minutes of fiddling with my iPhone, and memories of how I set it up before. There are a few differences in assigning interface etc. but it is very simple and I had no problems except forgetting to add firewall rule on the interface which is probably very common LOL.

            Later I will set up a 2nd SG5100 and do a site-to-site test.

            Let's hope this gets updated into official packages in GUI because it's still at 0.0.8. I did notice package no longer shows up as available in GUI on my pfSense if I have installed manually, which is a good thing I suppose!

              cmcdonald Netgate Developer @brians

              @brians said in WireGuard lives!:

              except forgetting to add firewall rule on the interface which is probably very common LOL.

              This might be a good argument for adding associated pass rule creation as a feature when creating a tunnel, similar to what is done for port forwarding.

              Need help fast? https://www.netgate.com/support

                tquade @cmcdonald

                @theonemcdonald I ran into a similar issue and strongly support your thoughts. In my view a good model to follow is that set out for IPsec and OpenVPN, particularly with regard to outbound NAT rules when setting up a server.

                Ted Quade

                  brians @cmcdonald

                  @theonemcdonald

                  But is it possible to even make a rule before the interface is assigned? Don't you still have to go and select/assign it after making the tunnel?

                    brians

                    What is the purpose of Interface addresses?
                    When I assign to an interface I assign the IP address to the interface and the values entered here previously disappear and are not used. If I un-assign they re-appear.

                    [image]

                      cmcdonald Netgate Developer @brians

                      @brians said in WireGuard lives!:

                      What is the purpose of Interface addresses?
                      When I assign to an interface I assign the IP address to the interface and the values entered here previously disappear and are not used. If I un-assign they re-appear.

                      This is for configuring WireGuard tunnels that are not assigned to a pfSense interface. Yeah, that is a bit confusing. But basically you can have two different types of WireGuard tunnels, which sort of depend on what you intend to do with them. It is possible to build WireGuard tunnels that aren't associated with a specific pfSense interface. These WireGuard tunnels are filtered using the "WireGuard" interface group. The addresses for unassigned tunnels are configured through the WireGuard UI. However, once you assign a WireGuard tunnel to a pfSense interface, pfSense takes over the address assignment, so the WireGuard UI changes to reflect that... and instead you're left with a link to the native pfSense UI for configuring addresses:

                      We do this because we don't want to step on pfSense's toes when it comes to things that it should be handling.

                      [three images]

                        brians @cmcdonald

                        @theonemcdonald ok thanks, can you give me an example of your first tunnel named Remote Access?

                        I have my iPhone set up with an actual interface, is there a way to make it simpler without assigning an interface like this?

                          cmcdonald Netgate Developer @brians

                          @brians

                          [five images]

                            brians @cmcdonald

                            @theonemcdonald
                            Thanks, I thought I would try myself and got it working and then came back to update but you already responded :)

                            I didn't realize I could do it without an interface so this is much nicer...

                            [image]

                              cmcdonald Netgate Developer @brians

                              @brians oh no worries! Glad it is working!

                              Assigning as an interface is useful if you intend to route traffic over the WireGuard tunnel. For instance, you'll notice in my example Remote Access is unassigned but my Mullvad tunnel is assigned (because I need to be able to do policy routing over the mullvad tunnel).

                              Generally speaking, if you're doing Road Warrior, you don't need to assign the interface...but if you're doing Site-to-Site, you'll probably need to assign it.

                                brians

                                Tried latest v0.1.2_3 with no issues.

                                Also noticed that on my work SG-5100 the GUI package manager has 0.1.1 now.

                                I see v0.1.2_3 is a release candidate so we will probably see that version soon for general availability.

                                  cmcdonald Netgate Developer @brians

                                  @brians Yep, working hard on this! Soon

                                    JeGr LAYER 8 Moderator @cmcdonald

                                    @theonemcdonald said in WireGuard lives!:

                                    @brians Yep, working hard on this! Soon

                                    Is it currently planned to include the wireguard package in the list for 2.5.2-release or only for 2.6(-dev)? At least having it with a -dev/-experimental or /-beta/-alpha label in 2.5.2 would be nice, but currently 2.5.2-betas don't have it listed. I think it would really help bringing additional helpers and eyes to your package and we can help work out the kinks :)

                                    Cheers
                                    \jens

                                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                      martywd

                                      I've been using wireguard on '2.5.1-RELEASE (amd64)' since v0.0.8 was released, upgrading every time a new release was added. Updated yesterday from v0.1.2_6 to v0.1.3. This is where I stand at the moment:

                                      • pfSense-pkg-WireGuard 0.1.3
                                        wireguard-kmod 0.0.20210606
                                        wireguard-tools-lite 1.0.20210424

                                      One issue I've noticed since doing yesterday's update is shown as follows (public key removed from the image, all else is as it appears, sans the red ellipse ... of course!). This is from 2.5.1's menu: 'Status|Wireguard|Tunnels' and clicking on the 'Show Peers' button. Possibly this is because I'm using 2.5.1? idk?

                                      tunnels-missing_peer_info.png

                                      This seems cosmetic since my wireguard connection in pfSense continues to work without issues.

                                      In the 'Status' window the 'Peers' show as expected (again, keys and endpoint:ports removed by me from this image).

                                      v0.1.3_status.png

                                        vjizzle

                                        Hi! I am running wireguard on 2.5.2 rc. I have no tunnels configured because this system is running in a virtual machine on my homelab.

                                        After upgrading to the latest version of wireguard I still see these errors:

                                        Crash report begins. Anonymous machine information:

                                        amd64
                                        12.2-STABLE
                                        FreeBSD 12.2-STABLE RELENG_2_5_2-n226661-b1c18988dca pfSense

                                        Crash report details:

                                        PHP Errors:
                                        [24-Jun-2021 11:28:59 Europe/Amsterdam] PHP Warning: flock() expects parameter 1 to be resource, null given in /usr/local/pkg/wireguard/wg_service.inc on line 324
                                        [24-Jun-2021 11:28:59 Europe/Amsterdam] PHP Warning: fclose() expects parameter 1 to be resource, null given in /usr/local/pkg/wireguard/wg_service.inc on line 327
                                        [24-Jun-2021 11:29:19 Europe/Amsterdam] PHP Warning: flock() expects parameter 1 to be resource, null given in /usr/local/pkg/wireguard/wg_service.inc on line 324
                                        [24-Jun-2021 11:29:19 Europe/Amsterdam] PHP Warning: fclose() expects parameter 1 to be resource, null given in /usr/local/pkg/wireguard/wg_service.inc on line 327

                                        No FreeBSD crash data found.

                                        I hope this is all cosmetic but please let me know if I can help troubleshoot this.

                                          cmcdonald Netgate Developer @vjizzle

                                          @vjizzle Fix for this is included in the latest release which was accepted yesterday. It should be available very soon

                                            dersch @cmcdonald

                                            @theonemcdonald I'm missing the routing overview inside the status view with 0.1.3

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.