Separating VPN server from pfSense
-
I am trying to visualise how this will work but having trouble.
I currently have pfSense running WireGuard with multiple connections and I am thinking of moving WG to a separate server.
Would the WG server live on the LAN and does this mean that WG connections via WAN would still go through pfSense and then be forwarded to the WG server on the LAN?
If the WG user was connecting to a VLAN then the traffic would then go from the WG server back to pfSense.
Am I making this more complex than it needs to be?
-
@McMurphy
"I currently have pfSense running WireGuard with multiple connections and I am thinking of moving WG to a separate server."
Why?
Ted
-
@McMurphy said in Separating VPN server from pfSense:
Am I making this more complex than it needs to be?
IMHO... yes.
I had ten OpenVPN connections to my Watchguard box running pfSense for a few years. I have several still connected and have moved over to Wireguard myself. If I was worried about the performance of adding more I would personally just run a more powerful router.. my 2 pennies anyways.
-
I cannot script WG setups in pfSense but I can if I use a Linux WG server.
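Since the stated reason for moving WireGuard off pfSense is scriptability, here is an added example of what that scripting looks like for a Linux WG server sitting on the pfSense LAN. It is not this poster's setup or Netgate's code: every subnet, hostname and key below is a constructed placeholder (real keys come from `wg genkey` / `wg pubkey` on the server), and the interface name, tunnel subnet and VLAN list are assumptions. It renders the server's `wg0.conf` with the forwarding rules the server needs to hand decrypted VLAN traffic back to pfSense, plus one split-tunnel client config per peer.

```python
"""Added example (not from the thread): render WireGuard configs for a Linux WG
server that lives on the pfSense LAN. All values below are constructed placeholders."""
import ipaddress

# Constructed sample values; real keys come from `wg genkey` / `wg pubkey` on the server.
TUNNEL_NET = "10.99.0.0/24"                  # WireGuard tunnel subnet (assumed)
VLAN_NETS = ["192.168.20.0/24"]              # VLAN(s) behind pfSense the clients should reach (assumed)
ENDPOINT = "vpn.example.com:51820"           # pfSense WAN name + the UDP port forwarded to the server (assumed)
SERVER_KEYS = ("SERVER_PRIVATE_KEY_PLACEHOLDER=", "SERVER_PUBLIC_KEY_PLACEHOLDER=")
PEER_KEYS = {                                # name -> (private, public); placeholder strings
    "laptop": ("LAPTOP_PRIVATE_KEY_PLACEHOLDER=", "LAPTOP_PUBLIC_KEY_PLACEHOLDER="),
    "phone": ("PHONE_PRIVATE_KEY_PLACEHOLDER=", "PHONE_PUBLIC_KEY_PLACEHOLDER="),
}


def allocate_addresses(tunnel_net, peer_names):
    """Give the server the first usable tunnel address and each peer the next one, in order."""
    hosts = ipaddress.ip_network(tunnel_net).hosts()
    server_ip = str(next(hosts))
    return server_ip, {name: str(next(hosts)) for name in peer_names}


def render_server_config(server_private_key, tunnel_net, server_ip, peers,
                         listen_port=51820, lan_iface="eth0", masquerade=True):
    """wg0.conf for the Linux server.

    `peers` maps name -> (public_key, tunnel_ip). Decrypted client packets bound for a
    VLAN leave the server via its default gateway (pfSense), which routes them onward.
    With masquerade=True pfSense sees the server's LAN address as the source and needs
    no extra route; with masquerade=False pfSense needs a static route for the tunnel
    subnet pointing at the server's LAN address (and will emit ICMP redirects on the LAN).
    """
    prefixlen = ipaddress.ip_network(tunnel_net).prefixlen
    up = ["sysctl -w net.ipv4.ip_forward=1", "iptables -A FORWARD -i %i -j ACCEPT"]
    down = ["iptables -D FORWARD -i %i -j ACCEPT"]
    if masquerade:
        up.append(f"iptables -t nat -A POSTROUTING -o {lan_iface} -j MASQUERADE")
        down.append(f"iptables -t nat -D POSTROUTING -o {lan_iface} -j MASQUERADE")
    lines = [
        "[Interface]",
        f"Address = {server_ip}/{prefixlen}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {server_private_key}",
        "PostUp = " + "; ".join(up),
        "PostDown = " + "; ".join(down),
    ]
    for name, (public_key, tunnel_ip) in peers.items():
        # One /32 per peer: the server only accepts packets from that peer with that source address.
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {public_key}", f"AllowedIPs = {tunnel_ip}/32"]
    return "\n".join(lines) + "\n"


def render_client_config(client_private_key, client_ip, server_public_key, endpoint, routed_nets):
    """Client config. AllowedIPs here doubles as the client's routing table for the tunnel:
    list only the tunnel and VLAN subnets for split tunnel, or 0.0.0.0/0 for full tunnel."""
    lines = [
        "[Interface]",
        f"Address = {client_ip}/32",
        f"PrivateKey = {client_private_key}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(routed_nets)}",
        "PersistentKeepalive = 25",  # keeps the pfSense port-forward/NAT state alive for roaming clients
    ]
    return "\n".join(lines) + "\n"


def build_deployment(server_keys, peer_keys, tunnel_net=TUNNEL_NET, vlan_nets=VLAN_NETS, endpoint=ENDPOINT):
    """Render the server config plus one client config per peer: {'server': str, 'clients': {name: str}}."""
    server_ip, peer_ips = allocate_addresses(tunnel_net, peer_keys)
    peers = {name: (pub, peer_ips[name]) for name, (_priv, pub) in peer_keys.items()}
    server_cfg = render_server_config(server_keys[0], tunnel_net, server_ip, peers)
    clients = {
        name: render_client_config(priv, peer_ips[name], server_keys[1], endpoint, [tunnel_net, *vlan_nets])
        for name, (priv, _pub) in peer_keys.items()
    }
    return {"server": server_cfg, "clients": clients}


if __name__ == "__main__":
    out = build_deployment(SERVER_KEYS, PEER_KEYS)
    print(out["server"])
    for name, cfg in out["clients"].items():
        print(f"--- {name} ---\n{cfg}")
```

The `masquerade` switch is the part that matters for the routing question raised later in the thread: with NAT on the server's LAN interface, pfSense only ever sees the server's own LAN address and needs nothing beyond the WAN port forward and firewall rule; without it, pfSense must carry a static route for the tunnel subnet via the server, and LAN hosts on the same segment will start receiving ICMP redirects.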
-
@McMurphy
Got it and thanks.
Ted
-
@McMurphy said in Separating VPN server from pfSense:
I am trying to visualise how this will work but having trouble.
You will have to provide the route for clients to reach the other end of the VPN. Normally, they'd use the default route and pfSense would sort things out. Since you're not using pfSense for the VPN, that no longer works.
-
Yes if these are remote access style users then you would need to forward the encrypted WG traffic to the server behind pfSense or have the server use a public IP directly and route that to it.
-
You'd have to provide a public address, no matter which way he goes, so not much difference there. The issue will be getting packets out. Since the default route can no longer be used, the route for the remote end has to be provided to LAN clients somehow. DHCP alone won't do it. Typically, you'd have to issue commands to add the route. That can be done in Linux or Windows, for those that know how to do it, but the average user wouldn't. I don't even know if it's possible for things like smartphones & tablets. An alternative would be for pfSense to route to the other server. That might work, but would certainly add to the "fun"! It would also cause pfSense to issue ICMP redirects, to tell the devices to use the other route, as it's reachable on the same LAN.
All in all, it's a bad idea.
-
I have a VM running a WG server. It did not require any pfSense work other than the allow rule for the inbound traffic. From there the WG clients can go anywhere, including out to the internet.
For your question about VLAN routing, the packet will leave the client, pass through pfSense to WG. WG will decode the packet and if needed send it back to pfSense to be routed.
My WG install has the ability (Hint Netgate) to generate a QR code to configure the WG client. Super nice. I just send the QR code and the client is configured in seconds.