directnupe
Posted June 6, 2020

Dear TorGuard pfSense WireGuard Users,

Please Read The Entire Guide / Tutorial Before You Begin - It Will Save You Potential Setup Issues and Detail All Setup Options

First, you all know the drill by now - "The Intro" - to pay homage to an all time oft forgotten Stax Great who speaks my mind right about now:

lyrics: https://genius.com/Otis-redding-respect-lyrics
video: https://www.youtube.com/watch?v=7BDw-H_hUzw

and Nina Simone to boot:

lyrics: https://genius.com/Nina-simone-mississippi-goddam-lyrics
video: https://www.youtube.com/watch?v=LJ25-U3jNWM

Hello and I hope all are safe and well. Ascrod has been kind enough to make available a package for WireGuard on pfSense. I have tested the package and would like to recommend this to all of those who might be interested.

The package thread and discussion are found here: https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense
and here on GitHub: https://github.com/Ascrod/pfSense-pkg-wireguard
Here are Ascrod's assets in releases on GitHub: https://github.com/Ascrod/pfSense-pkg-wireguard/releases

There is a webgui for WireGuard and it works well. The package works very well on pfSense 2.4.5. I was finally able to build my own Lucasnz pfSense 2.5.0 package successfully - and it worked as intended. Read the update for pfSense 2.5.0 pfSense-pkg-wireguard below.

There also is a fork of this pfSense package developed by Ashus / pfSense-pkg-wireguard, found here: https://github.com/Ashus/pfSense-pkg-wireguard

For Lucasnz, see here for the homepage: https://github.com/lucasnz/pfSense-pkg-wireguard (lucasnz/pfSense-pkg-wireguard, forked from Ascrod/pfSense-pkg-wireguard)
Here are Lucasnz's assets in releases on GitHub: https://github.com/lucasnz/pfSense-pkg-wireguard/releases/tag/v1.0.1

Please Note He Has Only One Package, Which Is For pfSense 2.4.5.
If you want Lucasnz for pfSense 2.5.0 then you may either use the pre-compiled package I offer up here or build your own by following the tutorial provided below.

For those interested - I have one link to a tutorial and another which points you to an already compiled Lucasnz package for pfSense 2.5.0 - which is based on FreeBSD 12. The tutorial illustrates and instructs you how to build your own Lucasnz pfSense-pkg-wireguard-1.0.1.txz package. The reason that I chose Lucasnz is because "it just works". Lucasnz WireGuard for pfSense survives reboots, upgrades - and has no issues with DNS or any such other related problems. The links are here below for all those interested:

tutorial link: https://drive.google.com/file/d/1b8coPZvqmhisHpoFBfOBV9BYaH917yaC/view?usp=sharing
package download: https://drive.google.com/file/d/1SaggDk6-1BOwcSa4-498jQfGZICqqvsb/view?usp=sharing

These really work well IMHO - so I hope this helps and a word to the wise should be sufficient. I am going to try to get Ashus / pfSense-pkg-wireguard to work on pfSense 2.5.0 and I will report my findings.

UPDATE BELOW:

Well, I got in touch with Ashus - and he was kind enough to build and compile a "proper and official" pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz (this is the package needed for pfSense 2.5.0).

Here are Ashus' assets in releases on GitHub: https://github.com/Ashus/pfSense-pkg-wireguard/releases

By using Ashus' packages you can either install pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz (for pfSense 2.4.5 / based on FreeBSD 11) or use his new pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz (for pfSense 2.5.0-devel / based on FreeBSD 12).

Always check https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ or https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ for the latest packages in the FreeBSD repo depending on your architecture - especially as the bash, wireguard-go, and wireguard packages are updated periodically.
I have found as of late that if you try to access the main FreeBSD repo by entering the "https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/" url - you will get the "403 Forbidden - nginx" error. This precludes you from viewing the current FreeBSD package list. I searched around and found a FreeBSD package repo that seems to be up and stable - it is "http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/" or http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/ which is located in South Africa. Virtually all of the FreeBSD package repos are inaccessible as well. Oddly enough, you are still able to download the FreeBSD packages from the main repo - it is just that you cannot see the repo packages (to check package latest versions by entering the url).

With that being said - let's proceed. The complete needed software installation is outlined below.

Use PuTTY or KiTTY to enter an SSH session on your pfSense router in order to proceed.

Or Use FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/

These packages indicated below are correct and updated as of 10/19/2020 / always remember to check the FreeBSD package repo for the latest dependency packages.

The procedure detailed below is for pfSense 2.5.0 / FreeBSD 12:

Best To Use FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/

1. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-5.0.18_3.txz
2. (opt.) pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-completion-2.11,2.txz
3. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-go-0.0.20200320.txz
4. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-1.0.20200827.txz
5. pkg add https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz

This procedure detailed below is for pfSense 2.4.5 / FreeBSD 11:

Best To Use FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/

1. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/bash-5.0.18_3.txz
2. (opt.) pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/bash-completion-2.11,2.txz
3. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-go-0.0.20200320.txz
4. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-1.0.20200827.txz
5. pkg add https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz

Please Note and Understand: I strongly recommend using the Lucasnz pfSense-pkg-wireguard-1.0.1.txz package for the reasons detailed above.

For pfSense 2.4.5 (based on FreeBSD 11), in step # 5 substitute the line below:

5. pkg add https://github.com/lucasnz/pfSense-pkg-wireguard/releases/download/v1.0.1/pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz

For Lucasnz for pfSense 2.5.0 (based on FreeBSD 12):

1 - Download the already compiled Lucasnz pfSense-pkg-wireguard-1.0.1.txz package above (or build your own from the tutorial above) to a usb drive or desktop folder where you can find it later.

2 - Next fire up your pfSense 2.5.0 router. WinSCP (scp protocol) into your 2.5.0 router and transfer (drag and drop) the Lucasnz pfSense-pkg-wireguard-1.0.1.txz from the local directory you exported it to earlier (in this case on my Windows 10 machine) into the /root directory of your pfSense 2.5.0 router.

3 - Finally, for pfSense 2.5.0, in step # 5 substitute the line below:

5. pkg add pfSense-pkg-wireguard-1.0.1.txz (use / substitute your WinSCP transferred package here)

You can also try Ascrod's WireGuard package but this is described in detail in the first link above.
Ashus has more features - you can read the documentation for each and make your decision. These are Ashus' WireGuard setup directions below:

Configuration

Configure an interface and any number of peers. Then go to the Assign Interfaces screen and create a new interface for tunwg0. Name it, enable it, and don't touch any other settings. Once the interface is up, you can create firewall rules for it, forward ports to it, and generally treat it the same as a physical interface. It should also persist across reboots.

If there is a need for more interfaces, add tunwg1.conf or more files with an incremental interface number to /usr/local/etc/wireguard/. Unfortunately those cannot currently be edited via the GUI, and every time you add more, you need to reinstall this package or the wireguard service. Each time the service is reinstalled, all tunnels are detected from files again, so they could persist across reboots and could be reloaded from the GUI all at once.

For help with configuring WireGuard, please read the official documentation. The unofficial documentation and examples may also be helpful.

1 - You must fill in your TorGuard WireGuard information in the WireGuard webgui - under VPN > WireGuard > Interface and VPN > WireGuard > Peers - and Save Both entries.

See this tutorial here for directions as to how to generate your TorGuard WireGuard Configuration Files: https://forums.torguard.net/index.php?/topic/1698-pfsense-wireguard-client-working-with-catch-22/
Read Step 2 on that page for a detailed explanation.

2 - Create the WireGuard Interface with this command:

# wg-quick up tunwg0

Then go to Interfaces > Assign Interfaces. Add tunwg0 (opt 1, 2 etc. depending on your setup). Name it, enable it, and don't touch any other settings.

3 - Then set up firewall rules for tunwg0 - there are many firewall setup options to be found here: https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense
Just read through the thread.
If you want a simple firewall rule setup see below:

4 - Now head to the pfSense WEBGUI in order to configure the WireGuard Interface (created earlier) and Firewall Rule. First, go to Interfaces > Assignments - you will see the tunwg0 interface - click the (+) add button / symbol. Once the tunwg0 interface is listed as (OPT 1 - 2 depending on your setup) - click underneath it - enter a check in "Enable interface" - and enter a description - I call mine "WIRE" - DO NOTHING ELSE HERE! Save and Apply - Done with this phase.

5 - Next - Firewall Rule - go to Firewall > NAT > Outbound. Once on this Landing Page put a dot in the radio button "Hybrid outbound NAT rule generation" - click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - instead click on the Add square with the Up Arrow (underneath Mappings). On the page which opens, change Interface from WAN in the drop down menu to your WireGuard (tunwg0) Interface which you created and labeled previously - in this example "WIRE". Next - change Source Address to "ANY" from the drop down menu. Leave / set Translation/target to Interface address. Enter a Description - e.g. "Made For Wire" - now click "Save" at the bottom of the page. You will be taken back to the Firewall: NAT: Outbound Landing Page - click on "Apply Changes" in the right upper hand corner - Done with Firewall Rule. This rule is the only one you need.

Now that your TorGuard WireGuard Client is installed and ready - you may enter the command

# /usr/local/etc/rc.d/wireguard.sh restart

in order to start it up. You may also reboot your pfSense router.

Hope this helps someone - See screenshots below for illustrative purposes - enjoy !!!

Naturally substitute your own TorGuard WireGuard connection information.

Peace,
directnupe
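The `pkg add` steps in the post above fetch packages over plain HTTP from a mirror and from GitHub and Google Drive links, so the sketch below downloads each file first and installs it only if its SHA-256 matches a value obtained separately. It is an added example, not part of the original post or of any package it names; `file_sha256`, `verify_pkg` and `install_verified` are hypothetical helper names, and the expected digest is a placeholder that must come from a source you trust.

```shell
#!/bin/sh
# Added example: check a package file's SHA-256 before `pkg add` installs it.

# Print the SHA-256 of a file: FreeBSD `sha256 -q`, else GNU `sha256sum`.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Return 0 on match, 1 on mismatch, 2 on a missing file or malformed digest.
verify_pkg() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "digest is not hex: $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 chars" >&2; return 2; }
    actual=$(file_sha256 "$file")
    [ "$actual" = "$expected" ] && return 0
    echo "MISMATCH $file: got $actual" >&2
    return 1
}

# Download to /root, verify, and install only from the verified local copy.
# Assumes FreeBSD's fetch(1) and pkg(8), as on the pfSense shell.
install_verified() {
    url=$1
    file=/root/$(basename "$url")
    fetch -o "$file" "$url" || return 2
    if ! verify_pkg "$file" "$2"; then
        rm -f "$file"    # do not leave an unverified package lying around
        return 1
    fi
    pkg add "$file"
}

# Usage (the digest is a placeholder, not a real value):
#   install_verified \
#     "http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-1.0.20200827.txz" \
#     "<sha256-from-a-trusted-source>"
```

For a package copied over with WinSCP, as in the Lucasnz 2.5.0 steps, call `verify_pkg /root/pfSense-pkg-wireguard-1.0.1.txz <digest>` before running `pkg add` on it.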