Pfsense WireGuard Client Working ( With Catch 22 )


Dear Community,

First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVOLVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=SmrZRcfYWvA Bonus JB : https://www.youtube.com/watch?v=1pvIarW3xHg

This tutorial guide details dead simple GUARANTEED process to get WIREGUARD Client up and running on pfSense Firewall. Some of you may remember my work with GETDNS and STUBBY. This installation is for commercial WireGuard Clients ONLY ! - where creation of keys and how to exchange them is not needed. The keys are generated and managed by your WireGuard VPN service provider - in my case - TorGuard.

1 - This is what I did and it worked out great. First go to https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ as pfSense is based on FreeBSD 11 - the current WireGuard release is version - July 2019 wireguard 0.0.20190702 . To get started install bash # pkg install bash ( as it is needed by WireGuard-GO ). Scroll down page on FreeBSD package website ( find wireguard and wireguard-go ) Then issue these commands: # pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-go-0.0.20190517.txz and # pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-0.0.20190702.txz - As I said, this will install latest versions of these packages. We are now ready to get this going and up and running. Just follow these steps below:

2 - To begin you need to get your WIREGUARD configuration files from the TORGUARD website. To do so log in to your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area. You will see this message along the top : Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect. Currently, TORGUARD offers WIREGUARD Servers in USA - New York ( quite actually situated in Clifton, New Jersey ), Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD. This will result in a green box below the now grayed out box - which states now Disable WIREGUARD - naturally leave your server enabled as you want to connect to the now enabled server. Next, Download Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following :

Location VPN Server Keys Manage
USA - New York 1 159.xx.xxx.xx:xxx Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
Your Address: 10.xx.x.xxx/24

3 - Now I used this guide as the template for my manual installation of WIREGUARD on OPNsense see here : https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/  I will make this simple for you step by step. You may sing and / or hum along as we proceed.
A- First - configure WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. I use TorGuard here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial- Use your real WireGuard configuration file here: Create file by command line - # nano /usr/local/etc/wireguard/wg0.conf - and enter the configuration file below ( copy and paste ) - substitute your real one. Save and Close. Done with this file.

# TorGuard WireGuard Config
[Interface]
PrivateKey = foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
ListenPort = 51820
Address = 10.xx.x.xxx/24

[Peer]
PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
AllowedIPs =
Endpoint = 159.xx.xx.xxx:xxx
PersistentKeepalive = 25

B - Secondly, run command via SSH # wg-quick up wg0 ( wireguard-go is in package and  this action creates wireguard interface ) You may also run # wireguard-go wg0 to create wg0  - however,  I prefer to use the first method mentioned here.

4 - Configure WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel. In order to achieve this there’s already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package. You need to issue this command :  # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh then enter the file - # nano /usr/local/etc/rc.d/wireguard.sh Then go to bottom of file - lines 46 and 47 - change : ${wireguard_enable="NO"} to : ${wireguard_enable="YES"} and then add wg0 on line 47 : ${wireguard_interfaces=""} to : ${wireguard_interfaces="wg0"} ( wgZero ) - Save and Close - Make it executable, I run two commands - it works for me: # chmod a+x /usr/local/etc/rc.d/wireguard.sh # chmod 744 /usr/local/etc/rc.d/wireguard.sh - Done with this file.

5 - Now head to pfSense WEBGUI in order to configure Wireguard Interface ( created earlier ) and FireWall Rule. First, go to Interfaces > Assignments -you will see wg0 interface - click (+) add button /symbol. Once the wg0 interface is listed as OPT ( 1 - 2 depending on your setup ) - Click underneath it - - enter check in " Enable interface " - and enter description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.
Second - Firewall Rule - go to Firewall > NAT > Outbound > Once on this Landing Page put a Dot in radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on Add Square with Up Arrow (underneath Mappings ) on the page which opens change Interface from WAN in drop down menu to your Wireguard ( wg0 ) Interface which you created and labeled previously - in this example  " WIRE " . Next - Change Source Address to " LAN NET " . You must manually enter your LAN NET . For example if your LAN Address is - then enter 24 .  Finally, set ( leave )  Translation/target to Interface address. Enter " Description -e.g. " Made For Wire "  now Click " Save " at bottom of page. You will be taken back to Firewall:Nat:Outbound Landing Page - Click on " Apply Changes " in right upper hand corner - Done with Firewall Rule for LAN. Repeat this Firewall Rule Operation for all of your other LAN Interface Subnets if you choose to do so.

6 - Your WireGuard Client is now installed and ready - you must enter command # /usr/local/etc/rc.d/wireguard.sh restart in order to start it up. Lastly, issue command  # wg show which prints out your WireGuard Connection statistics and configuration.  Sample output for wg show below:

interface: wg0
  public key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  private key: (hidden)
  listening port: 51820

peer: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  endpoint: 159.x.xxx.xxx:xxx
  allowed ips:
  latest handshake: 1 minute, 46 seconds ago
  transfer: 3.35 MiB received, 859.23 KiB sent
  persistent keepalive: every 25 seconds

7 - The Catch 22: Good and Bad News. When you reboot your pfSense FireWall, the WireGuard interface will be removed. Further you will be asked and required to " Assign Interfaces " again. You will see this message : Network interface mismatch - Running interface assignment option -  In order to get your WireGuard VPN up and running again simply follow these steps after reassigning your vlans ( if you have any ), WAN, and LAN interfaces. All your network configurations will have been preserved including your firewall rules, addresses and so on.
A - Remember your WireGuard interface ( wg 0 ) was removed on reboot. So, simply repeat this step to add it again: In the pfSense WEBGUI go to Interfaces > Assignments - you will see wg0 interface - click (+) add button /symbol. Once the wg0 interface is listed as OPT ( 1 - 2 depending on your setup ) - Click underneath it - - enter check in " Enable interface " - and enter description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.
B - In order to get WireGuard up and running again - simply  issue this command once again  -  # /usr/local/etc/rc.d/wireguard.sh restart
You do not have to recreate any of your Firewall Rules as they are all still there.  Your WireGuard VPN connection is now reestablished.

Last Notes and Thoughts: I realize that this implementation is not perfect albeit it works. I run OpenVPN on pfSense as well. You must disable OpenVPN client before and when running WireGuard. I will write up a tutorial to switch between OpenVPN and WireGuard on pfSense. Currently, I am running WireGuard on pfSense 2.5.0 Development SnapShot VmWare Machine. pfSense 2.5.0 is based on FreeBSD 12 - so you must modify url's thusly and get the packages from : https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/  If anyone can provide me with a solution that will allow WireGuard interface ( wg0 ) the ability to survive a reboot; I will be most appreciative and edit this tutorial to include that solution.

Peace and Grace Be Unto All God's Creation
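
An added example, not part of the original post: the wg0.conf from step 3 A holds your private key, so only root should be able to read it, and the fields the post's config uses should be present and non-empty before you run wg-quick. The script below checks both without ever printing key values. The function names `check_wg_conf` and `write_sample` are hypothetical, and the sample config (placeholder keys, documentation-range addresses) is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wg-quick config file.
# check_wg_conf FILE prints one line per finding and returns the finding count.
# Key values are never printed.
check_wg_conf() {
    conf=$1
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }
    [ -f "$conf" ] || { echo "FINDING: $conf not found"; return 1; }

    # The file holds PrivateKey: group and other must have no access at all.
    mode=$(ls -ln "$conf" | cut -c5-10)
    [ "$mode" = "------" ] || note "group/other mode '$mode', expected chmod 600"

    # Track the current [Section]; emit Section.Key for keys with a value.
    seen=$(awk -F= '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { gsub(/[^A-Za-z]/, ""); sec = $0; next }
        NF >= 2     { k = $1; gsub(/[ \t]/, "", k)
                      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                      if (v != "") print sec "." k }' "$conf")
    for want in Interface.PrivateKey Peer.PublicKey Peer.Endpoint Peer.AllowedIPs
    do
        echo "$seen" | grep -Fqx "$want" || note "$want missing or empty"
    done
    return "$findings"
}

# Constructed sample shaped like the post's wg0.conf: placeholder keys,
# documentation-range addresses, and AllowedIPs left empty.
write_sample() {
    printf '%s\n' '[Interface]' 'PrivateKey = CONSTRUCTED-PLACEHOLDER-KEY=' \
        'ListenPort = 51820' 'Address = 10.0.0.2/24' '' '[Peer]' \
        'PublicKey = CONSTRUCTED-PLACEHOLDER-PEER=' 'AllowedIPs =' \
        'Endpoint = 192.0.2.10:51820' 'PersistentKeepalive = 25' > "$1"
}

if [ "$#" -gt 0 ]; then
    check_wg_conf "$1"
else
    tmp=$(mktemp -d)
    write_sample "$tmp/wg0.conf"
    chmod 644 "$tmp/wg0.conf"
    check_wg_conf "$tmp/wg0.conf"
    echo "findings: $?"
    rm -rf "$tmp"
fi
```

Run it with the path to your own file as the only argument, for example /usr/local/etc/wireguard/wg0.conf; with no argument it audits the constructed sample.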
