Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    I made a WireGuard package for pfSense

    Scheduled Pinned Locked Moved pfSense Packages
    178 Posts 40 Posters 135.1k Views 42 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      alirz @Ascrod
      last edited by

      @Ascrod if i restart the wireguard interface, i lose internet again at home. its like there is some conflict of routing between WAN/LAN/TUNWG0 or something.
      Do i need to some ip forwarding/NAT rules between WAN/TUNWG0/LOCALHOST etc ?

      I have wireguard server successfully running on an ubuntu machine on my LAN.However i would prefer to run that on my pfsense box also. on ubuntu I had to enable ip4 forwarding and add some NAT iptable rules etc to get the traffic flowing as per all the intrucions out there in almost all tutorials.... Does the same need to be done on pfsense? I cant find any info on this. Thank you.

      A 1 Reply Last reply Reply Quote 0
      • A Offline
        Ascrod @alirz
        last edited by Ascrod

        @alirz I didn't have to set up anything special on my actual setup or my test VM, other than port forwarding inbound traffic to the VPN interface and actually enabling the interface, so I would ensure that you have done both of those. You shouldn't have to set up any other special forwarding on pfSense like you would on Ubuntu, because pfSense is designed to be a router (this post goes into some detail about that). Also, iptables rules definitely won't work on pfSense because it uses pf rather than iptables.

        I'm not entirely sure what's going on here, but I would double-check your WG config against some working examples (again, ignoring the PostUp/PostDown commands that most people use for routing in Ubuntu) as well as your logs. Make sure your interface address is a range if necessary (I use /24 on mine) and that your client is routing properly. (One time I ran into an issue where I had set the allowed IPs on one of my "client" peers to 0.0.0.0 rather than 0.0.0.0 /0. That caused a few hours of headache.)

        A 2 Replies Last reply Reply Quote 0
        • A Offline
          alirz @Ascrod
          last edited by

          @Ascrod ok so I didn't add any inbound route to the VPN interface(tunwg0) yet.
          So am I to a FW RULE for udp traffic from any port, Where source is ANY or WAN? and destination is the particular VPN interface?

          1 Reply Last reply Reply Quote 0
          • A Offline
            alirz @Ascrod
            last edited by alirz

            @Ascrod It looks like I'm almost there. But missing some routing.
            Here is my setup.

            Pfsense WG config: I've hidden real keys. But still showing which keys are used where

            [Interface]
            # Generated by pfSense
            Address = 10.100.100.1/24
            ListenPort = 51830
            DNS = 10.0.0.1                             <----- Pfsense local LAN IP
            PrivateKey = xxxxxxxxxxxxxxxx
            
            [Peer]
            # phone
            PublicKey = cccccccccccccccccc
            AllowedIPs = 10.100.100.2/32
            
            [Peer]
            # IPAD
            PublicKey = vvvvvvvvvvvvvvvvv
            AllowedIPs = 10.100.100.3/32
            

            Client config of Android Phone

            [Interface]
            Address = 10.100.100.2/32
            DNS = 10.100.100.1
            PrivateKey = dddddddddddddd
            
            [Peer]
            AllowedIPs = 0.0.0.0/0
            Endpoint = my_ddns.com:51830
            PersistentKeepalive = 21
            PublicKey = cccccccccccccccccc
            
            

            Now im not sure which and where i need to add the rule for the vpn interface. Is it under NAT and port forward from WAN to OPT4 Address? OR is it under NAT> Outbound?
            Note my above config works fine if i move that to my ubuntu wireguard server and simply forward UDP port 51830 from pfsense to my ubuntu machine IP.. NOTE: For testing purpose im using the same private and public keys on my ubuntu wireguard server and this one im trying to setup on the PF box. I believe that should not be an issue? Thanks for your help

            TunWG0 interface

            I tried the following rule but i dont think thats correct
            NAT Rule

            If i tcpdump on my pfsense internet side(WAN) interface, i see constant incoming connection attempts from phone and then the pfsense reponding back to the phone from the WAN interface.
            But if I trace on the TUNWG0 interface i only 1 request from 10.100.100.2(Phones vpn ip) to the pf sense WAN inteface.
            This is the furthest ive been able to get now. From the pfsense and from my LAN devices, i can ping the phone's vpn ip(10.100.100.2) but thats it. I cannot ping LAN IPs, lan DNS, 8.8.8.8 etc from the phone.

            A 1 Reply Last reply Reply Quote 0
            • M Offline
              murzik
              last edited by

              Please help me to install on 2.5...

              A 1 Reply Last reply Reply Quote 0
              • A Offline
                alirz @murzik
                last edited by

                @murzik 2.5 or you mean 2.4.5?

                1 Reply Last reply Reply Quote 0
                • M Offline
                  murzik
                  last edited by murzik

                  2.5.0
                  file in repository built for FreeBSD 11, so I am getting an error trying to install on Pfsense 2.5.0

                  A 1 Reply Last reply Reply Quote 0
                  • A Offline
                    Ascrod @alirz
                    last edited by

                    @alirz Your configs look all right. I can't see your NAT rule, but if you already have one set up for your server then the only modification you would need to make to it (or a copy of it) is to have it redirect to the VPN interface address instead of the server address and making sure the associated firewall rule updates accordingly.

                    A 1 Reply Last reply Reply Quote 0
                    • A Offline
                      Ascrod @murzik
                      last edited by

                      @murzik As stated above, you need wireguard packages for the version of FreeBSD that corresponds to your pfSense version. 2.5.0 is based on FreeBSD 12.

                      1 Reply Last reply Reply Quote 0
                      • A Offline
                        alirz @Ascrod
                        last edited by alirz

                        @Ascrod I did attach the links to google photos for a screenshot of my interface page and one showing the port forward tule in my post above.
                        By the way, I’m using the packages listed above on my 2.4.5 pfsense. That should be ok right? I didn’t rebuild them or anything.i simply installed the ones listed above. Even though they are for 2.4.4. But seems as one poster mentioned, they work on 2.4.5 also?

                        A 1 Reply Last reply Reply Quote 0
                        • A Offline
                          alirz @alirz
                          last edited by alirz

                          ok. i got it to work. Had to add two rules.
                          One on the WAN rule to allow inbound on the WG port

                          States	Protocol	Source	Port	Destination	Port	Gateway	Queue	Schedule	Description	Actions
                           
                          0 /2.67 MiB IPv4 UDP	*	*	WAN address	51830	*	none	 
                          

                          Second FW rule for my WG interface(OPT4) in my case

                          Firewall >Rules >OPT4
                          
                          States	     Protocol	Source	Port	Destination	Port	Gateway	Queue	Schedule	Description	Actions
                          15 /9.99 MiB  IPv4      *	  *	          *       *      *	  *      none            Wireguard vpn	    
                          
                          

                          Based on DNS leak checks, looks like all traffic from my phone is now going through the home internet as it should. I can also access my Lan network devices etc.

                          A 1 Reply Last reply Reply Quote 1
                          • A Offline
                            alirz @alirz
                            last edited by

                            @alirz Well After my brief success, something is not right again. DNS is not working. I can ping everything over the vpn via IPs but not my hostname.
                            perhaps at some point something was working and active sessions probably led me believe that everything was working. But eventually when either those states/sessions expired or when i rebooted the FW just to be sure, at some point DNS stopped working.
                            I really wish routing for this was simple.

                            A 1 Reply Last reply Reply Quote 0
                            • A Offline
                              Ascrod @alirz
                              last edited by

                              @alirz I've had some issues with DNS occasionally not working after a reboot. Try restarting the DNS service; I believe that's what I've had to do the last few times.

                              A L 2 Replies Last reply Reply Quote 0
                              • A Offline
                                alirz @Ascrod
                                last edited by

                                @Ascrod OK that fixed it..thats strange though. Ive done several reboots and it didnt do anything. So is there some sort of race condition going on here that the DNS service on pfsense needs to restarted once more after a reboot? Sucks as this kind of makes it a bit unreliable!!
                                i am also running openvpn server on the pfsense...Does that show affect this?
                                Any fix for this DNS issue? perhaps add a startup script to restart DNS shortly after a reboot is done?

                                A 1 Reply Last reply Reply Quote 0
                                • A Offline
                                  alirz @alirz
                                  last edited by alirz

                                  ok so i used the "shellcmd" package that can launch commands during/after boot.
                                  I added the following command in there to run after reboot.

                                  sleep 30 && pfSsh.php playback svc restart unbound
                                  

                                  Had to put a sleep because restarting dns right after reboot doesnt fix the issue.
                                  Wish this get resolved eventually when this whole thing makes it into PFsense officially. I dont like these patchy fixes that i lived with for years when i was suing dd-wrt/openwrt years ago.

                                  A 1 Reply Last reply Reply Quote 0
                                  • A Offline
                                    alirz @alirz
                                    last edited by

                                    Do we know of the dns issue is related to the unbind DNS server or to the wireguard models? If later, is there a newer build of wireguard available?

                                    1 Reply Last reply Reply Quote 0
                                    • L Offline
                                      lucas_nz @Ascrod
                                      last edited by

                                      Thanks for your work on this @Ascrod !! I've just set it up and working nicely. I also had the DNS issue after reboot. I suspect it is because the wireguard interface IP address is not set when the DNS resolver is started. pfSense's Unbound defaults to only responding to internal subnets. See this setting;
                                      ab4ff5d7-4a41-4cf5-a650-0f37383210a8-image.png
                                      I suspect adding the wiregaurd subnet on the Access list tab of the DNS resolver will work as a acceptable workaround (haven't tried this yet).

                                      A 1 Reply Last reply Reply Quote 0
                                      • L Offline
                                        lucas_nz @Ascrod
                                        last edited by

                                        @Ascrod echoing what @S762 said, suggest you add "pkg install bash" and reorder the above (wireguard-go needs to go before the wireguard package). Otherwise, these steps worked well for me to set up.
                                        I wonder if we could auto-detect an unused (RFC1918) subnet, select a random port and generate server keys on first install. This would make the initial set up much easier :)

                                        1 Reply Last reply Reply Quote 0
                                        • A Offline
                                          alirz @lucas_nz
                                          last edited by

                                          @lucas_nz said in I made a WireGuard package for pfSense:

                                          Thanks for your work on this @Ascrod !! I've just set it up and working nicely. I also had the DNS issue after reboot. I suspect it is because the wireguard interface IP address is not set when the DNS resolver is started. pfSense's Unbound defaults to only responding to internal subnets. See this setting;
                                          ab4ff5d7-4a41-4cf5-a650-0f37383210a8-image.png
                                          I suspect adding the wiregaurd subnet on the Access list tab of the DNS resolver will work as a acceptable workaround (haven't tried this yet).

                                          Hi,
                                          I tired your suggestion of adding the wireguard subnet in the dnsresolver access list. RebootEd, but still had no dns until I restarted the service.
                                          I also thought and tried of assigning a static Ip to the wireguard interface under the interface assignment page to see if that made any difference. Nope.

                                          L 2 Replies Last reply Reply Quote 0
                                          • L Offline
                                            lucas_nz @alirz
                                            last edited by

                                            thanks @alirz. Good to know. Hmm - I wonder what the issue is then??

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.