I made a WireGuard package for pfSense
@RumMonkey69 created a gateway and set the VPN alias to use that. But it's still sending all traffic out the VPN, not just the IPs in the alias.
I now have the split traffic going the way I want.
It required changing the Default LAN to any rule to specifically use the "real" Gateway. Seems wireguard becomes the pfsense "default" so the built in LAN to any rule stops functioning...
@burntoc You are right, the packages and the gui are installed, but it doesn't work correctly.
The problem is that the repositories for FreeBSD11 no longer work and I can't find the correct packages.
Could anyone help us find the packages for 2.4.5_p1 or FreeBSD11?
Hello and I hope that you are well and safe. I wrote a tutorial walk through for this whole process and posted it here below :
The bottom line is that you should use this FreeBSD repo mirror located in South Africa :
for pfSense 2.4.5_p1 and for
pfsense 2.5.0 this repo below :
Again the tutorial pretty much explains all - once again look at :
Peace and Be and Stay Well
Hey Ascrod, thanks for your great work!!! would you be able to make that work for a clustered environment (pfSense High Availability)? and a second idea: would it be complicated to make your WEB-GUI working for more than one interface?
thanks again! Cheers, Sven.
Nice work ;)
I have A Netgate SG-3100 running 2.4.5-RELEASE-p1 (arm) built on Tue Jun 02 17:45:24 EDT 2020 FreeBSD 11.3-STABLE
Is there A install for that?
I'm now running this error.
pkg: wrong architecture: FreeBSD:11:amd64 instead of FreeBSD:11:armv6
Thanks in advance.
Hi all - A question on routing with Wireguard
I have Wireguard setup pfSense acting as a VPN concentrator (Road Warrier) and also as a Site to Site connection.
From my local pfSense I want to be able to use the site-2-site connection , reach the remote Wireguard server and then break out to internet from there. I have successfully configured this.
To get this to work I use 0.0.0.0/0 in the allowed-IP of peer-config in the pfSense.
As you you would imagine this also adds a default route to the pf routing table (with a higher pref than the local route ) and all LAN traffic then starts flowing over the site-to-site tunnel. What I want to get to is use this site-2-site tunnel for only certain LAN devices and not all. So for instance my appleTV behind pfSense could use this and break out to the internet from the remote Wireguard server.
What have I have explored
- Tried to change the gateway of the other devices to the WAN_DHCP - this breaks a few things for me
- Tried adding Table = off in the peer config to prevent this route from getting added. Does not work
- Adding specific IP's to the peer config instead of default will not work as administrative headache of maintaining those is too high.
Address = 10.100.100.1/24
ListenPort = 51820
DNS = 192.168.11.5
PrivateKey = xxxx
PublicKey = yyyy
AllowedIPs = 0.0.0.0/0
@ab5g the config is different for pfsense and the peer. By specifying 0.0.0.0/0 on pfsense you are telling that it can send all traffic down the tunnel. That's not what you want, you only need traffic destined for your client/peer to go down the tunnel.
On pfsense the AllowedIPs should be the one IP address the client/peer is using. Mine looks like this:
The client/peer config on the other hand would look something like this;
Address = 192.168.xx.yy/32 #make sure this matches the IP in the pfsense config
DNS = 192.168.xx.1 #you can make this an interface on the pfsense (even the tunnel interface, just make sure the resolver is listening on the interface
PrivateKey = obfuscated
Endpoint = [pfsense public ip]:[pfsense wiregaurd port]
PublicKey = obfuscated
AllowedIPs = 0.0.0.0/0
Thank you for replying. The reason I have a 0.0.0.0/0 on the pfSense WireGuard Peer is because I want certain LAN devices (like AppleTV) to use the Wireguard tunnel and exit to the internet from the remote site.
Remote IP is 10.100.100.50
Remote LAN is 192.168.29.0/24
So if I specify allow only the 2 IP above in my peer config on pfSense- I will only be able to reach the remote LAN, but not break out to the internet from remote Wireguard server.
Unfortunately with a 0.0.0.0/0 as the WireGuard Peer, it creates a more specific route in the routing table, forcing all LAN traffic to flow to the remote site instead of certain LAN devices
I see. I don't have experience on an outbound "VPN" like this with wg. But I note others in this thread have had the same problem. I'm not sure if a resolution was found.
You can goto System>Routing and Add a new Gateway pointing it to the new WireGuard interface. You can then use it like a a normal gateway. The gateway will not appear automatically.
After you create a gateway, I ran into some routing issues related to my setup that I have explained in a post above.
Solved it. Added the following configuration to the tunwg0.conf file ( can be done through the command line or the GUI).
PostUp = route delete 0.0.0.0/1
This deletes the route from the routing table, allowing pfSense to route based on source IP's.
@burntoc I'm in the same boat.
[2.4.5-RELEASE][admin@my-pfsense]/root: pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-go-0.0.20201118.txz Fetching wireguard-go-0.0.20201118.txz: 0% Fetching wireguard-go-0.0.20201118.txz: 100% 890 KiB 911.1kB/s 00:01 Installing wireguard-go-0.0.20201118... Newer FreeBSD version for package wireguard-go: To ignore this error set IGNORE_OSVERSION=yes - package: 1104001 - running kernel: 1103507 Ignore the mismatch and continue? [y/N]:
I'm on an SG-5100 running 2.4.5-RELEASE-p1 which is supposed to be the most up to date (as of this post). Anybody this out? I'm assuming I shouldn't mismatch.
LEASE-p1 which is supposed to
Your error is different fro the burntoc's. Your error is simply implying that the kernel we are running is 11.03 while the package is for 11.04 (latest). You can go ahead and ignore the mismatch to continue (if you wish to - I did the same).
Looks like the kernel package has just been merged into mainline for 2.5.0. Hope we see it functional out of the box by next release! https://redmine.pfsense.org/issues/8786
Updated by Renato Botelho about 3 hours ago
Project changed from pfSense Packages to pfSense
Category changed from New Package Request to VPN (Multiple Types)
Status changed from New to Feedback
Assignee set to Renato Botelho
Priority changed from Very Low to Normal
Target version set to 2.5.0
Initial kernel version wireguard support is now in place
Anybody know how to completely remove this prior to updating to 2.5? By simply removing the packages, does it also remove the settings from the configuration or are there remnants? And if there are, do they cause a conflict or any errors?
I'd be curious to hear form someone who was running this (awesome, btw) homebrew package and who upgraded to 2.5. Did it work out? Did you have to manually delete things from the config and restore?
Things like that. I'm trying to figure out if I can just upgrade or if I will need to start from scratch (don't want to do that...).
I did that - I ended up removing the package and upgrading to 2.5. Unfortunately it did not work out very smoothly for me. I had some issues with packets 'disappearing'. I don't know if it was related but I ended up doing a clean reinstall. You can read more about the packet disappearing in my post in the Wireguard subsection. YMMV.
@ab5g Thanks for chiming in (even though it's not the reply I was hoping for) ;-)
Now that WG has been disabled in 2.5, is this package still available for use in 2.5? Can it still be used in v2.5?
Would appreciate experiences before i take the plunge.