Ascrod & Ashus / pfSense-pkg-wireguard Tutorial / Guide
Dear TorGuard Pfsense WireGuard Users,

Please Read The Entire Guide / Tutorial Before You Begin -
It Will Save You Potential Setup Issues and Detail All Setup Options

First you all know the drill by now - " The Intro " to pay homage to an all time oft forgotten Stax Great who speaks my mind right about now / lyrics - https://genius.com/Otis-redding-respect-lyrics and video : https://www.youtube.com/watch?v=7BDw-H_hUzw - and Nina Simone to boot : lyrics : https://genius.com/Nina-simone-mississippi-goddam-lyrics and video : https://www.youtube.com/watch?v=LJ25-U3jNWM

Hello and I hope all are safe and well. Ascrod has been kind enough to make available a package for WireGuard on pfSense. I have tested the package and would like to recommend this to all of those who might be interested. The package thread and discussion are found here : https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense and here on GitHub : https://github.com/Ascrod/pfSense-pkg-wireguard . Ascrod's release assets are on GitHub here : https://github.com/Ascrod/pfSense-pkg-wireguard/releases

There is a webgui for WireGuard and it works well. The package works very well on pfSense 2.4.5. I was finally able to build my own Lucasnz pfSense 2.5.0 package successfully, and it worked as intended. Read the update for the pfSense 2.5.0 pfSense-pkg-wireguard below. There is also a fork of this pfSense package developed by Ashus ( Ashus / pfSense-pkg-wireguard ), found here : https://github.com/Ashus/pfSense-pkg-wireguard

Lucasnz homepage : https://github.com/lucasnz/pfSense-pkg-wireguard ( forked from Ascrod/pfSense-pkg-wireguard ). Lucasnz release assets are on GitHub here : https://github.com/lucasnz/pfSense-pkg-wireguard/releases/tag/v1.0.1

Please note that he has only one package, which is for pfSense 2.4.5. If you want Lucasnz for pfSense 2.5.0 then you may either use the pre-compiled package I offer up here or build your own by following the tutorial provided below. For those interested, I have one link to a tutorial and another which points you to an already compiled Lucasnz package for pfSense 2.5.0, which is based on FreeBSD 12. The tutorial illustrates and instructs you how to build your own Lucasnz pfSense-pkg-wireguard-1.0.1.txz package. The reason that I chose Lucasnz is because " it just works ". Lucasnz WireGuard for pfSense survives reboots and upgrades, and has no issues with DNS or any other such related problems. The links are here below for all those interested :

These really work well IMHO, so I hope this helps and a word to the wise should be sufficient. I am going to try to get Ashus / pfSense-pkg-wireguard to work on pfSense 2.5.0 and I will report my findings. UPDATE BELOW :

Well, I got in touch with Ashus, and he was kind enough to build and compile a " proper and official " pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz ( this is the package needed for pfSense 2.5.0 ). Ashus' release assets are on GitHub here : https://github.com/Ashus/pfSense-pkg-wireguard/releases . Using Ashus' packages you can either install pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz ( for pfSense 2.4.5 / based on FreeBSD 11 ) or use his new pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz ( for pfSense 2.5.0-devel / based on FreeBSD 12 ).

Always check https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ or https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ for the latest packages in the FreeBSD repo depending on your architecture, especially as the bash, wireguard-go, and wireguard packages are updated periodically. I have found as of late that if you try to access the main FreeBSD repo by entering the " https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ " URL, you will get a " 403 Forbidden - nginx " error. This precludes you from viewing the current FreeBSD package list. I searched around and found a FreeBSD package repo that seems to be up and stable : " http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/ " or http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/ , which is located in South Africa. Virtually all of the FreeBSD package repos are inaccessible as well. Oddly enough, you are still able to download the FreeBSD packages from the main repo; it is just that you cannot see the repo package listing ( to check the latest package versions by entering the URL ). With that being said, let's proceed. The complete software installation needed is outlined below.

Use PuTTY or KiTTY to enter an SSH session on your pfSense router in order to proceed.

If the main repo listing is blocked, use the FreeBSD mirror - http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/

The packages indicated below are correct and updated as of 10/19/2020. Always remember to check the FreeBSD package repo for the latest dependency package versions.

The procedure detailed below is for pfsense 2.5.0 / FreeBsd 12 :

Best To Use FreeBsd Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/

1. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-5.0.18_3.txz
2. (opt.) pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-completion-2.11,2.txz
3. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-go-0.0.20200320.txz
4. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-1.0.20200827.txz
5. pkg add https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz

The procedure detailed below is for pfSense 2.4.5 / FreeBSD 11 :

Best To Use FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/

1. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/bash-5.0.18_3.txz
2. (opt.) pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/bash-completion-2.11,2.txz
3. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-go-0.0.20200320.txz
4. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-1.0.20200827.txz
5. pkg add https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz 


Please Note and Understand : I strongly recommend using the Lucasnz pfSense-pkg-wireguard-1.0.1.txz package for the reasons detailed above. For pfSense 2.4.5 ( based on FreeBSD 11 ), in step # 5 substitute the line below :

5. pkg add https://github.com/lucasnz/pfSense-pkg-wireguard/releases/download/v1.0.1/pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz

For Lucasnz for pfSense 2.5.0 ( based on FreeBSD 12 ) :
1 - Download the already compiled Lucasnz pfSense-pkg-wireguard-1.0.1.txz package above ( or build your own from the tutorial above ) to a USB drive or a desktop folder where you can find it later.

2 - Next fire up your pfSense 2.5.0 router. WinSCP ( scp protocol ) into your 2.5.0 router and transfer ( drag and drop ) the Lucasnz pfSense-pkg-wireguard-1.0.1.txz from the local directory you exported it to earlier ( in this case on my Windows 10 machine ) into the /root directory of your pfSense 2.5.0 router.

3 - Finally, for pfSense 2.5.0 in step # 5 substitute the line below :

5. pkg add pfSense-pkg-wireguard-1.0.1.txz  ( substitute your WinSCP-transferred package here; run this from /root where you placed the file, or give its full path )
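The five pkg add steps above differ only in the FreeBSD major version baked into the mirror path and the step-5 package name. As an added example (not from this post, nor from the Ascrod, Lucasnz or Ashus projects), the script below assembles those URLs from the package names the post lists as current on 10/19/2020, picks the FreeBSD major version from the router (or from FREEBSD_MAJOR), and either prints or runs the pkg add commands. The script name wg-deps.sh, the DRY_RUN / WITH_COMPLETION / STEP5_URL variables and the function names are my own; the mirror, package names and the pfSense-to-FreeBSD mapping (2.4.5 = FreeBSD 11, 2.5.0 = FreeBSD 12) are taken from the post.

```shell
#!/bin/sh
# Added example, not code from the post or from any pfSense-pkg-wireguard project.
# Builds the pkg add URL list for the router's FreeBSD major version and installs
# the packages in the post's order. Package versions are the ones the post lists
# as current on 10/19/2020 and will need updating as the FreeBSD repo moves on.

MIRROR="${MIRROR:-http://pkg0.jinx.freebsd.org}"   # mirror named in the post
ARCH="${ARCH:-amd64}"

# Steps 1-4: dependency packages in install order (step 2 is optional).
BASH_PKG="bash-5.0.18_3.txz"
BASHCOMP_PKG="bash-completion-2.11,2.txz"
WGGO_PKG="wireguard-go-0.0.20200320.txz"
WG_PKG="wireguard-1.0.20200827.txz"

# Step 5: the pfSense GUI package. Ashus publishes one build per FreeBSD major
# version; set STEP5_URL to use a different package instead (e.g. the Lucasnz
# build, or a .txz you copied to /root with WinSCP).
ashus_pkg_url() {
    major="$1"
    echo "https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd${major}-${ARCH}.txz"
}

# Map a pfSense release to the FreeBSD major version it is built on, as stated
# in the post: 2.4.x -> FreeBSD 11, 2.5.x -> FreeBSD 12. Returns 1 otherwise.
freebsd_major_for_pfsense() {
    case "$1" in
        2.4.*) echo 11 ;;
        2.5.*) echo 12 ;;
        *) return 1 ;;
    esac
}

# Print the repo URLs for steps 1-4 for a FreeBSD major version.
# WITH_COMPLETION=1 includes the optional bash-completion package.
pkg_urls() {
    major="$1"
    base="${MIRROR}/FreeBSD:${major}:${ARCH}/latest/All"
    echo "${base}/${BASH_PKG}"
    if [ "${WITH_COMPLETION:-0}" = "1" ]; then echo "${base}/${BASHCOMP_PKG}"; fi
    echo "${base}/${WGGO_PKG}"
    echo "${base}/${WG_PKG}"
}

# Run (or, with DRY_RUN=1, only print) every pkg add for a FreeBSD major version.
install_for_major() {
    major="$1"
    step5="${STEP5_URL:-$(ashus_pkg_url "$major")}"
    for url in $(pkg_urls "$major") "$step5"; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "pkg add $url"
        else
            pkg add "$url" || return 1
        fi
    done
}

# FreeBSD major version of the running system (freebsd-version is a base tool).
running_major() {
    freebsd-version -u 2>/dev/null | cut -d. -f1
}

main() {
    major="${FREEBSD_MAJOR:-$(running_major)}"
    case "$major" in
        11|12) install_for_major "$major" ;;
        *) echo "unsupported or undetected FreeBSD major version: '$major'" >&2; return 1 ;;
    esac
}

# Only run when executed as wg-deps.sh, so the functions can also be sourced.
case "${0##*/}" in wg-deps.sh) main "$@" ;; esac
```

Run it as DRY_RUN=1 sh wg-deps.sh first from the SSH session: it prints the exact pkg add lines it would run, which is the moment to compare the pinned package names against the mirror listing before anything is installed.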

You can also try Ascrod's WireGuard package, but this is described in detail in the first link above. Ashus' fork has more features; you can read the documentation for each and make your decision.

These are Ashus' WireGuard setup directions below :

Configure an interface and any number of peers. Then go to the Assign Interfaces screen and create a new interface for tunwg0. Name it, enable it, and don't touch any other settings. Once the interface is up, you can create firewall rules for it, forward ports to it, and generally treat it the same as a physical interface. It should also persist across reboots.

If there is a need for more interfaces, add the tunwg1.conf or more files with incremental interface number to /usr/local/etc/wireguard/. Unfortunately those cannot currently be edited via GUI, and every time you add more, you need to reinstall this package or the wireguard service. Each time the service is reinstalled, all tunnels are detected from files again, so they could persist across reboots and could be reloaded from GUI all at once.

For help with configuring WireGuard, please read the official documentation. The unofficial documentation and examples may also be helpful.

1 - You must fill in your TorGuard WireGuard information in the WireGuard webgui, under VPN > WireGuard > Interface and VPN > WireGuard > Peers, and Save both entries.
See this tutorial here for directions as to how to generate your TorGuard WireGuard configuration files : 
Read Step 2 on that page for a detailed explanation.

2 - Create the WireGuard interface with this command : # wg-quick up tunwg0
Then go to Interfaces > Assign Interfaces and add tunwg0 ( OPT1, OPT2 etc. depending on your setup ).
Name it, enable it, and don't touch any other settings.

3 - Then set up firewall rules for tunwg0 - there are many firewall setup options to be found here : https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense
Just read through the thread. If you want a simple firewall rule setup see below :

4 - Now head to the pfSense webgui in order to configure the WireGuard interface ( created earlier ) and the firewall rule. First, go to Interfaces > Assignments; you will see the tunwg0 interface - click the (+) add button. Once the tunwg0 interface is listed ( as OPT1 or OPT2 depending on your setup ), click on it, check " Enable interface ", and enter a description - I call mine " WIRE ". DO NOTHING ELSE HERE ! Save and Apply - done with this phase.

5 - Next, the firewall rule. Go to Firewall > NAT > Outbound. Once on this landing page, select the radio button for Hybrid Outbound NAT rule generation and click Save - do not, repeat, do NOT click Save and Apply at this time. Instead click the Add button with the up arrow ( underneath Mappings ). On the page which opens, change Interface in the drop-down menu from WAN to the WireGuard ( tunwg0 ) interface which you created and labeled previously - in this example " WIRE ". Next, change Source Address to " ANY " in the drop-down menu. Leave / set Translation / target to Interface address. Enter a description, e.g. " Made For Wire ", then click " Save " at the bottom of the page. You will be taken back to the Firewall : NAT : Outbound landing page - click " Apply Changes " in the upper right-hand corner. Done with the firewall rule; this rule is the only one you need. Now that your TorGuard WireGuard client is installed and ready, you may enter the command # /usr/local/etc/rc.d/wireguard.sh restart in order to start it up. You may also reboot your pfSense router.
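After steps 2 through 5 there are three things worth confirming from the SSH session before trusting the tunnel: that each tunwgN defined in /usr/local/etc/wireguard/ (Ashus' directions above) is actually up, that the outbound NAT rule from step 5 is loaded in pf for that interface, and that the peer has completed a recent handshake. The script below is an added example (not from this post or from any of the three pfSense-pkg-wireguard projects) that performs those checks. It assumes pfctl -sn renders the step-5 mapping as a line beginning "nat on tunwg0 " and that wg show IFACE latest-handshakes prints one "pubkey<TAB>epoch" line per peer; the script name wg-audit.sh, the function names, the 180 second freshness limit (WireGuard's REJECT_AFTER_TIME) and the sample text used to exercise the parsers are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from any pfSense-pkg-wireguard project.
# Post-setup audit for the WireGuard tunnel(s): lists tunwgN.conf tunnels, checks
# the interface exists, checks pf has an outbound NAT rule on it, and checks the
# latest peer handshake is recent. Parsers take text arguments so they can be
# exercised on constructed sample output without a router.

WG_DIR="${WG_DIR:-/usr/local/etc/wireguard}"
# WireGuard discards a session older than REJECT_AFTER_TIME (180 s); a handshake
# older than that means the tunnel is not currently carrying traffic.
MAX_HANDSHAKE_AGE="${MAX_HANDSHAKE_AGE:-180}"

# Tunnel names from the config directory: one tunwgN per tunwgN.conf file.
list_tunnels() {
    dir="$1"
    for f in "$dir"/tunwg*.conf; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        echo "${name%.conf}"
    done
}

# Does the loaded NAT ruleset (pfctl -sn output) contain an outbound NAT rule
# on IFACE? Assumption: pfSense renders it as a line starting "nat on <iface> ".
nat_rule_present() {
    iface="$1"
    rules="$2"
    printf '%s\n' "$rules" | grep -q "^nat on ${iface} "
}

# Given "wg show IFACE latest-handshakes" output (pubkey<TAB>epoch per peer) and
# the current epoch time, succeed only if at least one peer is listed and every
# peer handshaked within MAX_HANDSHAKE_AGE seconds (epoch 0 means never).
handshakes_fresh() {
    show="$1"
    now="$2"
    printf '%s\n' "$show" | awk -v now="$now" -v max="$MAX_HANDSHAKE_AGE" '
        NF < 2 { next }
        { seen = 1 }
        $2 == 0 || now - $2 > max { stale = 1 }
        END { exit (seen && !stale) ? 0 : 1 }'
}

# Live check on the router: one PASS/FAIL line per test, non-zero exit on any FAIL.
audit() {
    rc=0
    for tun in $(list_tunnels "$WG_DIR"); do
        if ifconfig "$tun" >/dev/null 2>&1; then
            echo "PASS interface $tun exists"
        else
            echo "FAIL interface $tun missing (try: wg-quick up $tun)"; rc=1; continue
        fi
        if nat_rule_present "$tun" "$(pfctl -sn 2>/dev/null)"; then
            echo "PASS outbound NAT rule on $tun loaded"
        else
            echo "FAIL no outbound NAT rule on $tun (Firewall > NAT > Outbound)"; rc=1
        fi
        if handshakes_fresh "$(wg show "$tun" latest-handshakes 2>/dev/null)" "$(date +%s)"; then
            echo "PASS $tun handshake within ${MAX_HANDSHAKE_AGE}s"
        else
            echo "FAIL $tun has no recent handshake (check keys/endpoint under VPN > WireGuard)"; rc=1
        fi
    done
    return $rc
}

# Only run when executed as wg-audit.sh, so the functions can also be sourced.
case "${0##*/}" in wg-audit.sh) audit ;; esac
```

A FAIL on the NAT check after step 5 usually means Save was clicked but Apply Changes was not; a FAIL on the handshake check with the interface up points at the Interface/Peers entries from step 1 rather than at the firewall.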

Hope this helps someone. See screenshots below for illustrative purposes - enjoy !!! Naturally substitute your own TorGuard WireGuard connection information.
