Netgate Discussion Forum

WireGuard Server Behind Home Router

9 Posts 4 Posters 3.5k Views 5 Watching
  • F Offline
    flynace
    last edited by Jan 23, 2021, 3:09 PM

    Hello,
    Is it possible to use a Netgate Appliance (i.e. SG-1100) as a 'WireGuard Server' (if that is the correct term) behind a home network ISP router and be able to tunnel in remotely using a second SG-1100 ('WireGuard Peer'?) carried to various sites such as summer/winter homes abroad, also behind an ISP router?

    Will there be a relatively easy guide for setting up something like this (if it's possible)?

    Or is this something a total novice like myself with no pfSense experience should not even attempt?

    But I would really like to learn what WireGuard can do as it is being implemented in pfSense.

    Thank you for any feedback and advice

    • S Offline
      stephenw10 Netgate Administrator
      last edited by Jan 24, 2021, 12:59 AM

      Yes, you could do that. You would need to port forward the WG listening port to it in the ISP router or use DMZ mode etc.

      Steve

      • G Offline
        Griffo @flynace
        last edited by Jan 24, 2021, 5:04 AM

        @flynace said in WireGuard Server Behind Home Router:

        Hello,
        Is it possible to use a Netgate Appliance (i.e. SG-1100) as a 'WireGuard Server' (if that is the correct term) behind a home network ISP router and be able to tunnel in remotely using a second SG-1100 ('WireGuard Peer'?) carried to various sites such as summer/winter homes abroad, also behind an ISP router?

        Will there be a relatively easy guide for setting up something like this (if it's possible)?

        Or is this something a total novice like myself with no pfSense experience should not even attempt?

        But I would really like to learn what WireGuard can do as it is being implemented in pfSense.

        Thank you for any feedback and advice

        I can confirm it works, you just need a NAT port forward on your external router with the UDP port you are using.

        • F Offline
          flynace
          last edited by Jan 24, 2021, 8:23 AM

          Thank you @stephenw10 & @Griffo

          I have ordered two SG-1100's to work on this project.
          I have zero experience with pfSense, so I hope it is okay to ask some very newbie questions...

          For the 'Home' location I should sign up for a dynamic DNS service, correct?

          Then on the Home ISP router, I will give the Home SG-1100 a reserved IP address and forward port 51820?

          Does it matter which Ethernet port the Home SG-1100 uses to connect to the main ISP router since I am just using this as a VPN tunnel?

          If the SG-1100 is sitting behind the ISP router, can it still determine the location's dynamic public IP address and update the dynamic DNS service when it changes?

          Or would that information be hidden from the SG-1100 and I need to find an alternative way to keep the public IP address updated when it changes?

          (If there is a guide for doing things like that please let me know. I was hoping to keep everything contained on the Netgate appliance so I could set it up here, then ship it back home and have someone just plug it in.)

          And if I get that far then I could start down the path of enabling the WireGuard configuration for the Home endpoint?

          Thanks again

          • S Offline
            stephenw10 Netgate Administrator @flynace
            last edited by Jan 24, 2021, 3:01 PM

            For the 'Home' location I should sign up for a dynamic DNS service, correct?

            Yes, if you don't have a static IP.

            Then on the Home ISP router, I will give the Home SG-1100 a reserved IP address and forward port 51820?

            Yes. Or use DMZ mode to that IP where all traffic is forwarded to it.

            Does it matter which Ethernet port the Home SG-1100 uses to connect to the main ISP router since I am just using this as a VPN tunnel?

            They are just ports; you can configure any of them. But you would use WAN by default there as that's the default route the SG-1100 uses.

            If the SG-1100 is sitting behind the ISP router, can it still determine the location's dynamic public IP address and update the dynamic DNS service when it changes?

            Yes, it will check against an external IP checker. It cannot see the actual WAN go down though, so updates if that happens will be slower.

            Or would that information be hidden from the SG-1100 and I need to find an alternative way to keep the public IP address updated when it changes?

            You could do either. Or both!

            (If there is a guide for doing things like that please let me know. I was hoping to keep everything contained on the Netgate appliance so I could set it up here, then ship it back home and have someone just plug it in.)

            And if I get that far then I could start down the path of enabling the WireGuard configuration for the Home endpoint?

            Yes, though you will need the port forward in the ISP router. Someone on site will have to do that.

            Steve

            F 1 Reply Last reply Jan 26, 2021, 12:28 PM Reply Quote 0
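
The topology worked out in the replies above, written as plain WireGuard configuration for both ends. This is an added example, not part of the thread and not pfSense's own configuration format (on pfSense these values are entered in the GUI). The hostname `home.example.net`, the tunnel subnet `10.6.0.0/24`, the home LAN `192.168.10.0/24` and the key placeholders are assumptions; only UDP port 51820 comes from the thread.

```ini
# ===== File 1: Home SG-1100, behind the home ISP router =====
# On the ISP router: reserve a LAN address for this box and
# forward UDP 51820 to that address.
[Interface]
# Placeholder; generate with `wg genkey`.
PrivateKey = <home-private-key>
# Assumed tunnel address for the home end.
Address = 10.6.0.1/24
# Must match the UDP port forwarded on the ISP router.
ListenPort = 51820

[Peer]
# The travelling SG-1100. No Endpoint line: its public address changes
# with every site, so the home end learns it from the peer's first
# authenticated packet.
PublicKey = <travel-public-key>
# Accept only this peer's tunnel address as a source.
AllowedIPs = 10.6.0.2/32

# ===== File 2: Travelling SG-1100, behind any other ISP router =====
# No port forward is needed at this site because this end always
# initiates the connection.
[Interface]
PrivateKey = <travel-private-key>
Address = 10.6.0.2/24

[Peer]
PublicKey = <home-public-key>
# Assumed dynamic DNS name that tracks the home public address.
Endpoint = home.example.net:51820
# Route the tunnel subnet and the assumed home LAN through the tunnel.
AllowedIPs = 10.6.0.0/24, 192.168.10.0/24
# Keeps the NAT mapping on the remote ISP router open so replies from
# home continue to reach this end while the link is idle.
PersistentKeepalive = 25
```

With a single forwarded UDP port, the only service reachable from the internet is the WireGuard listener, which stays silent to packets that fail authentication. In DMZ mode every inbound connection is handed to the SG-1100, so its WAN firewall rules become the only filter in front of it.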
            • F Offline
              flynace @stephenw10
              last edited by Jan 26, 2021, 12:28 PM

              Thank you @stephenw10, really looking forward to trying this out

              For someone who has no experience with pfSense yet, would you recommend waiting for the CE 2.5 release or the pfSense Plus 21-02 release before diving into WireGuard?

              Or go ahead and start with the CE 2.5.0 development snapshots once my appliances arrive?

              • S Offline
                stephenw10 Netgate Administrator
                last edited by Jan 26, 2021, 2:17 PM

                You may not have long to wait for a 2.5/21.02 release.

                If you run a 2.4-dev snapshot there's a possibility you might have to reinstall if you get ahead of the eventual release version. Re-installing is not that hard though and it's good to know how it's done anyway.

                Steve

                • F Offline
                  flsnowbird @stephenw10
                  last edited by Jan 26, 2021, 11:12 PM

                  @stephenw10 Any idea when 2.5 will be released for SG-3100? I upgraded to DEVEL 2.5.X looking for WG, and it only pulls the 2.5.0.a.20201127.0650 snapshot release, which doesn't include WireGuard.

                  • S Offline
                    stephenw10 Netgate Administrator
                    last edited by Jan 26, 2021, 11:40 PM

                    'Real soon now!'

                    But yeah, it is close. We had to disable the public snapshots while we got all the changes in order and there are still a few things that need to be resolved.

                    Steve
