pfSense 2.5.2 - New Fresh Guaranteed WIREGUARD
-
Dear Community,
First you all know the drill by now - " The Intro " - a true legend Jackie to all - https://www.youtube.com/watch?v=sBa81YSyshk and the lyrics as always - https://genius.com/Jackie-wilson-baby-workout-lyrics - just for fun - https://www.youtube.com/watch?v=iNLXxDMxe18 - https://genius.com/Chris-montez-lets-dance-lyrics / Surprise Bonus : https://www.youtube.com/watch?v=sIH6s1thcWQNow with that out of the way. Let's get down to business. I am one of the many who have tried to get WireGuard up and running on pfSense 2.5.2 . Well, I am very pleased to announce that you have come to the right place if you want rock solid WireGuard on pfSense ( finally ). Forget about anything else you may have heard about how to achieve this goal - this is the most simple, direct and effective method you will find. I know - pfsense has WireGuard built in as a package - and there is pfSense-pkg-WireGuard maintained by theonemcdonald. Personally I do not find any of these solutions to be as efficient as the one I will detail here. So - here we go.
OK - Here go - let's get down to the business at hand. The first thing we must do is install all the necessary packages for this to work properly. Now you need to know that when you try to view the packages on the FreeBSD servers by way of their url - for example , https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/ - you will get the 403 Forbidden message. There is a remedy / workaround that will allow you to check out exactly what are the most recent package versions for you to install. Go to https://pkgs.org/ - once there - you will see a search box in the upper right hand corner. Just enter the package you wish to find there - then go down to FreeBSD 12 ( the distributions are listed alphabetically - next click on FreeBSD amd64 ( the distro pfSense 2.5.2 is based on ) - finally, go down to the Download section and copy your download url found next to the Binary Package section.
1 - All of the packages that you will need to install are found in the FreeBSD repository.
Just install these packages in the order as listed below:A - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-kmod-0.0.20210606_1.txz
B - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/bash-5.1.8.txz
C - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/bash-completion-2.11,2.txz
D - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-tools-1.0.20210914.txz
E - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-go-0.0.20210424,1.txz
F - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-2,1.txz2 - To begin you need to get your WIREGUARD configuration files from the TORGUARD website. To do so login your
TORGUARD account then go to Tools ( along the top of Login Page ). Then select " Config Generator " from the drop down
menu. From the top line " VPN Tunnel type: " select WireGuard. Go to the next line - " VPN Server Hostname/IP: "
choose your desired location. Enter your TorGuard Username and Password. You also have the option to enter your own
Local Private-Key and Local Public-Key if you elect to do so. When all of the fields are complete - click on the " Generate Config "
box. Download the file to your desired location. Open the numbered config file with a text editor.Your Config file will be like this - see below : ## all the information below is invalid and fictitious
for obvious reasons - use your actual file and valid entries to ensure connection.# TorGuard WireGuard Config [Interface] PrivateKey = 0LyqOOa31kblp0mViH+TfwmBT8PIfWXuT9OUa7cvVmo= ListenPort = 51820 DNS = 1.1.1.1 Address = 100.96.0.141/24 [Peer] PublicKey = fmmIzVG3JL1tjDjTIBpE+C5WQbLGCHsdIqQVodQ7yPM= AllowedIPs = 0.0.0.0/0 Endpoint = 23.10.187.115:1443 PersistentKeepalive = 25
3 - 4 - Now I used this guide as the template for my manual installation of WIREGUARD on pfSense see here : https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ I will make this simple for you step by step. You may sing and / or hum along as we proceed.
A- First - configure WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. I use TorGuard here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial- Use your real WireGuard configuration file here: Create file by SSH and issue the commands below-A - # touch /usr/local/etc/wireguard/tunwg0.conf
B - # nano /usr/local/etc/wireguard/tunwg0.conf - then enter the contents of your previously downloaded TorGuard WireGuard Config
as detailed above. Save and Close. Done with this file.4 - B - Run command via SSH
A - # wg-quick up tunwg0 ( wireguard-go is in package and this action creates wireguard interface )
" tunwg0 " ( tunwgZero ) must be the name of the WireGuard interface otherwise you will have issuesYou may also run # wireguard-go tunwg0 to create tunwg0 but I prefer the first method mentioned here.
5 - Configure WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel.
In order to achieve this there’s already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package.
You need to issue this command :
A - # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh / then enter the file -
B - # nano /usr/local/etc/rc.d/wireguard.sh
Then go to bottom of file - lines 46 and 47 -
change : ${wireguard_enable="NO"} to : ${wireguard_enable="YES"} and then add tunwg0 on line 47
: ${wireguard_interfaces=""} to : ${wireguard_interfaces="tunwg0"} ( tunwgZero ) -
Save and Close - Make it executable, I run this command - it works for me:
C - # chmod 755 /usr/local/etc/rc.d/wireguard.sh - Done with this file.6- In order to have pfSense use default start up script ( /usr/local/etc/rc.d/wireguard.sh ) at boot time
it helps to create a boot time start up script for it in /etc/rc.conf.d/.
Not to prolong this - do the following :
A - # nano /etc/rc.conf.d/wireguard - in the new file enter the following two lines:wireguard_enable="YES"
wireguard_bootup_run="/usr/local/etc/rc.d/wireguard.sh"Save and Close - Make it executable (tunwg0)
B - # chmod 755 /etc/rc.conf.d/wireguard / Done with this file.
7 -
A - Now head to pfSense WEBGUI in order to configure Wireguard Interface ( created earlier ) and FireWall Rule.
First, go along top menu - go to Interfaces > Assignments -choose tunwg0 interface from drop down menu. Click on
the + Add Button. The selection will be listed as opt1, opt2 are some similar name depending on the number of your
pre-configured lan interfaces. Click underneath opt2 ( in my case ) - then when the page opens up - Enable the new interface.
Name the new interface - in my case " WIRE " . DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.B - Second - Firewall Rule - go to Firewall > NAT > Outbound > Once on this Landing Page put a Dot in radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on Add Square with Up Arrow (underneath Mappings ). On the page which opens change Interface from WAN in drop down menu to your Wireguard ( tunwg0 ) Interface which you created and labeled previously - in this example " WIRE " . Next - Change
" Address Family " to IPV4 - " Protocol " to " Any " - " Source " to " Any " - " Destination " to " Any " " Translation Address " to " Interface Address " - Lastly enter "Description "
in my case " Made For Wire " now Click " Save " at bottom of page. Finally click " Save and Apply " at the top of the page.Your WireGuard Client is now installed and ready - you must enter command # /usr/local/etc/rc.d/wireguard.sh restart
in order to start it up. Lastly, issue command# wg show
which prints out your WireGuard Connection statistics and configuration.
Sample output for wg show below:interface: tunwg0
public key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
private key: (hidden)
listening port: 51820peer: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
endpoint: 159.x.xxx.xxx:xxx
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 46 seconds ago
transfer: 3.35 MiB received, 859.23 KiB sent
persistent keepalive: every 25 secondsThis solution is guaranteed to ensure that WireGuard interface ( tunwg0 ) the ability to survive a reboot
When you reboot or reestablish connection - go to Status > Filter Reload - then press Reload Filter Radio Button
to get yourself up and running once again.