WireGuard Server Behind Home Router

flynace

Hello,
Is it be possible to use a Netgate Appliance (i.e. SG-1100) as a 'WireGuard Server' (if that is the correct term) behind a home network ISP router and be able to tunnel in remotely using a second SG-1100 ('WireGuard Peer'?) carried to various sites such as summer/winter homes abroad, also behind an ISP router?

Will there be a relatively easy guide for setting up something like this (if it's possible)?

Or is this something a total novice like myself with no pfSense experience should not even attempt?

But I would really like to learn what WireGuard can do as it is being implemented in pfSense.

Thank you for any feedback and advice

stephenw10

Yes, you could do that. You would need to port forward the WG listening port to it in the ISP router or use DMZ mode etc.

Steve

Griffo

@flynace said in WireGuard Server Behind Home Router:

Hello,
Is it be possible to use a Netgate Appliance (i.e. SG-1100) as a 'WireGuard Server' (if that is the correct term) behind a home network ISP router and be able to tunnel in remotely using a second SG-1100 ('WireGuard Peer'?) carried to various sites such as summer/winter homes abroad, also behind an ISP router?

Will there be a relatively easy guide for setting up something like this (if it's possible)?

Or is this something a total novice like myself with no pfSense experience should not even attempt?

But I would really like to learn what WireGuard can do as it is being implemented in pfSense.

Thank you for any feedback and advice

I can confirm it works, you just need a NAT port forward on your external router with the UDP port you are using.

flynace

Thank you @stephenw10 & @Griffo

I have ordered two SG-1100's to work on this project.
I have zero experience with pfSense, so I hope it is okay to ask some very newbie questions...

For the 'Home' location I should sign up for a dynamic DNS service correct?

Then on the Home ISP router, I will give the the Home SG-1100 a reserved IP address and forward port 51820?

Does it matter which Ethernet port the Home SG-1100 uses to connect to the main ISP router since I am just using this as a VPN tunnel?

If the SG-1100 is sitting behind the ISP router, can it still determine the location's dynamic public IP address and update the dynamic DNS service when it changes?

Or would that information be hidden from the SG-1100 and I need to find an alternative way to keep the public IP address updated when it changes?

(If there is a guide for doing things like that please let me know. I was hoping to keep everything contained on the Netgate appliance so I could set it up here, then ship it back home and have someone just plug it in.)

And if I get that far then I could start down the path of enabling the WireGuard configuration for the Home endpoint?

Thanks again

stephenw10

For the 'Home' location I should sign up for a dynamic DNS service correct?

Yes, if you don't have a static IP.

Then on the Home ISP router, I will give the the Home SG-1100 a reserved IP address and forward port 51820?

Yes. Or use DMZ mode to that IP where all traffic is forwarded to it.

Does it matter which Ethernet port the Home SG-1100 uses to connect to the main ISP router since I am just using this as a VPN tunnel?

They are just ports you can configure any of them. But you would use WAN by default there as that's the default route the SG-1100 uses.

If the SG-1100 is sitting behind the ISP router, can it still determine the location's dynamic public IP address and update the dynamic DNS service when it changes?

Yes it will check against an external IP checker. It cannot see the actual WAN go down though so updates if that happens will be slower.

Or would that information be hidden from the SG-1100 and I need to find an alternative way to keep the public IP address updated when it changes?

You could do either. Or both!

(If there is a guide for doing things like that please let me know. I was hoping to keep everything contained on the Netgate appliance so I could set it up here, then ship it back home and have someone just plug it in.)

And if I get that far then I could start down the path of enabling the WireGuard configuration for the Home endpoint?

Yes, though you will need the port forward in the ISP router. Someone on site will have to do that.

Steve

flynace

Thank you @stephenw10, really looking forward to trying this out

For someone who has no experience with pfSense yet, would recommend waiting for the CE 2.5 release or the pfSense Plus 21-02 release before diving into Wireguard?

Or go ahead and start with the CE 2.5.0 development snapshots once my appliances arrive?

stephenw10

You may not have long to wait for a 2.5/21.02 release.

If you run a 2.4-dev snaphot there's a possibility you might have to reinstall if you get ahead of the eventual release version. Re-installing is not that hard though and it's good to know how it's done anyway.

Steve

flsnowbird

@stephenw10 Any idea when 2.5 will be release for SG-3100? I upgraded to DEVEL 2.5.X looking for WG, and it only pulls the 2.5.0.a.20201127.0650 snapshot release, which doesn't include wireguard.

stephenw10

'Real soon now!'

But yeah, it is close. We had to disable the public snapshots while we got all the changes in order and there are still a few things the need to be resolved.

Steve