Objective
To install and configure WireGuard on pfSense as a lighter-weight VPN alternative to OpenVPN.
Prerequisites
Steps
Step 1: Download and Install WireGuard package
On your dashboard, navigate to System > Package Manager.
Search WireGuard under Available Packages and then click on Install.
Step 2: Generate Peer Keys
Each peer requires its own public / private key pair. The pair can be generated either on the client's machine or on the firewall itself. Generating it on the client is preferable, because the private key then never leaves the device that uses it; for this guide, the key pair is generated from the firewall's command prompt instead.
Navigate to Diagnostics > Command Prompt then execute the following command: –
wg genkey | tee privatekey | wg pubkey > publickey
Then, inspect the contents of the files with the cat command.
cat privatekey
WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=
cat publickey
b9FjbupGC7fomO5U4jL5Irt1ZV5rq4c+utGKj53HXgU=
Copy both values somewhere safe: the private key goes into the client configuration (Step 7) and the public key into the peer entry on the firewall (Step 4). Then delete the privatekey and publickey files from the firewall so the client's private key is not left on its disk.
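The public key is derived from the private key by X25519 with the base point 9, which is all that `wg pubkey` does. The following is an added example, not part of this tutorial or of the WireGuard tools: a pure-Python X25519 following RFC 7748 that lets you confirm a recorded public key really belongs to its private key on a machine without wg installed. The function names, the `wg_genkey`/`wg_pubkey` equivalents and the self-test are this example's own; the test vectors are the Alice/Bob values from RFC 7748 section 6.1.

```python
# Added example (not from the tutorial or the WireGuard project): a pure-Python
# equivalent of `wg pubkey` using X25519 as specified in RFC 7748, so that a
# recorded public key can be checked against its private key without wg.
import base64
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4
BASE_POINT = bytes([9]) + bytes(31)  # u = 9, little-endian


def clamp(private: bytes) -> int:
    """Clamp a 32-byte private key exactly as wg genkey / wg pubkey do."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a u-coordinate, masking the unused top bit (RFC 7748 section 5)."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little") % P


def x25519(private: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. Written for clarity and
    verification only; it is not a constant-time implementation."""
    k = clamp(private)
    x1 = decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_public(private: bytes) -> bytes:
    """Public key = X25519(private, 9); this is what wg pubkey computes."""
    return x25519(private, BASE_POINT)


def wg_genkey() -> str:
    """Random, clamped 32-byte private key in base64, like wg genkey prints."""
    k = bytearray(os.urandom(32))
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return base64.b64encode(k).decode()


def wg_pubkey(private_b64: str) -> str:
    """Base64 public key for a base64 private key (the wg pubkey filter)."""
    private = base64.b64decode(private_b64, validate=True)
    if len(private) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(derive_public(private)).decode()


def keys_match(private_b64: str, public_b64: str) -> bool:
    """True when the recorded public key belongs to the private key."""
    return wg_pubkey(private_b64) == public_b64


# RFC 7748 section 6.1 test vectors (Alice/Bob Diffie-Hellman) as a self-check.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def self_test() -> bool:
    return (derive_public(ALICE_PRIV) == ALICE_PUB
            and derive_public(BOB_PRIV) == BOB_PUB
            and x25519(ALICE_PRIV, BOB_PUB) == SHARED
            and x25519(BOB_PRIV, ALICE_PUB) == SHARED)


if __name__ == "__main__":
    assert self_test()
    priv = wg_genkey()      # equivalent of: wg genkey | tee privatekey
    pub = wg_pubkey(priv)   # equivalent of: wg pubkey < privatekey
    print("private:", priv)
    print("public: ", pub)
    print("match:  ", keys_match(priv, pub))
```

Run `keys_match(<private from privatekey>, <public from publickey>)` on the values you copied; a False result means a transcription error, which otherwise shows up only as a tunnel that never completes a handshake.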
Step 3: Configure Tunnel
Navigate to VPN > WireGuard > Tunnels.
Click on +Add Tunnel to create a new tunnel.
Under the Tunnel Configuration section: –
Enable: Checked
Description: Remote Access
Listen Port: 51821 (any free UDP port; the WAN firewall rule in Step 5 and the client's Endpoint in Step 7 must use this same port)
Interface Keys: Click on Generate to generate a new key pair
Under the Interface Configuration: –
Interface Addresses: *The firewall's own address on the tunnel subnet* (e.g: 10.10.0.1/24); each peer is later given another address from this subnet
Click on Save.
Step 4: Configure Peer
Navigate to VPN > WireGuard > Tunnels.
Edit the tunnel that was just created, click on +Add Peer.
Under Peer Configuration section: –
Enable: Checked
Tunnel: *Select the WireGuard tunnel that was just created*
Description: Optional
Dynamic Endpoint: Checked
Keep Alive: Leave it blank
Public Key: *The client's public key from Step 2 (the contents of publickey), not the tunnel's own key*
Pre-shared Key: Optional; if one is generated here, the same value must be placed in the client's [Peer] section as PresharedKey
Allowed IPs: *The tunnel IP address for this client / machine, typically specified with a /32 CIDR mask*
Save the peer settings.
Step 5: Configure Firewall Rule
Ensure the interface is enabled via Interfaces > *WireGuard Tunnel Name*
Navigate to Firewall > Rules > WAN tab.
Click on Add to create a new rule at the top of the list.
Create an Allow Traffic rule with the following settings: –
Action: Pass
Interface: WAN
Protocol: UDP
Source: any
Destination: WAN Address
Destination Port Range: (other), 51821 (the Listen Port set on the tunnel in Step 3)
Description: Pass traffic to WireGuard
Save and Apply Changes
Create a similar rule under the WireGuard tab:
Navigate to Firewall > Rules > WireGuard tab
Create an Allow Traffic rule with the following settings: –
Action: Pass
Interface: WireGuard
Protocol: any
Source: any
Destination: any
Description: Pass VPN traffic from WireGuard peers
Save and Apply Changes
This rule lets any peer reach anything behind the firewall. Once the tunnel is confirmed working, narrow Source to the tunnel subnet (e.g: 10.10.0.0/24) and Destination to the networks and ports the peers actually need.
Step 6: Check the Status of WireGuard
Navigate to Status > WireGuard
The tunnel shows as enabled as soon as it is saved; the peer's Latest Handshake field only updates after a client has connected. If the handshake never appears once a client is configured, check the WAN rule port, the tunnel Listen Port, the client's Endpoint port and the two public keys, since a mismatch in any of these fails silently.
Step 7: Install and Configure WireGuard Client
At the WireGuard client, create a tunnel with the following configuration: –
## Ensure the values are adjusted according to your setup: PrivateKey is the client key from Step 2, PublicKey is the tunnel's public key from Step 3, Address must match the peer's Allowed IPs from Step 4 (10.10.0.2/32 on the firewall, 10.10.0.2/24 here), the Endpoint is the firewall's WAN address with the tunnel's Listen Port, and 10.6.0.0/24 stands for the LAN behind the firewall.
## For a split-tunnel configuration (only the tunnel network and the LAN are routed through the VPN)
[Interface]
PrivateKey = WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=
ListenPort = 51820
Address = 10.10.0.2/24
[Peer]
PublicKey = PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=
AllowedIPs = 10.10.0.1/32, 10.6.0.0/24
Endpoint = 198.51.100.6:51821
## For a full-tunnel configuration (all traffic, including DNS, is routed through the VPN)
[Interface]
PrivateKey = WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=
ListenPort = 51820
DNS = 10.10.0.1, pfSense.home.arpa
Address = 10.10.0.2/24
[Peer]
PublicKey = PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.6:51821
Then import the configuration into the WireGuard client and activate the tunnel. The peer's Latest Handshake time under Status > WireGuard should update within a few seconds of the client connecting.
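Most failed WireGuard setups are not key problems but disagreements between values typed into different screens: the tunnel Listen Port, the WAN rule port, the peer's Allowed IPs and the client's Address. The following is an added example, not part of this tutorial or of pfSense: it takes the values from Steps 3 to 5 and the client values from Step 7, checks that they agree, and only then renders the split- or full-tunnel client configuration. The dataclass fields, function names and example values are this example's own assumptions; the keys are the tutorial's example keys, the endpoint is the documentation address used above, and 10.6.0.0/24 stands for the LAN.

```python
# Added example (not from the tutorial or from pfSense): render the client
# configuration from the values entered in the firewall GUI and check that
# those values agree with each other before anything is typed into a client.
import base64
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class FirewallSide:
    endpoint_host: str        # WAN address or DNS name the clients connect to
    listen_port: int          # VPN > WireGuard > Tunnels > Listen Port
    wan_rule_port: int        # Firewall > Rules > WAN > Destination Port Range
    tunnel_address: str       # Interface Addresses, e.g. "10.10.0.1/24"
    public_key: str           # the tunnel's interface public key (Step 3)
    peer_allowed_ips: str     # the peer's Allowed IPs (Step 4), a /32
    lan_subnets: list = field(default_factory=list)  # routed in split-tunnel mode


@dataclass
class ClientSide:
    private_key: str          # client private key (Step 2)
    address: str              # client tunnel address, e.g. "10.10.0.2/24"
    full_tunnel: bool = False
    dns: str = ""             # DNS servers / search domains for full-tunnel mode


def is_wg_key(value: str) -> bool:
    """A WireGuard key is base64 of exactly 32 bytes (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def check(fw: FirewallSide, client: ClientSide) -> list:
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    if fw.listen_port != fw.wan_rule_port:
        problems.append(f"WAN rule allows UDP {fw.wan_rule_port} but the tunnel listens on {fw.listen_port}")
    if not is_wg_key(fw.public_key):
        problems.append("tunnel public key is not a 32-byte base64 key")
    if not is_wg_key(client.private_key):
        problems.append("client private key is not a 32-byte base64 key")
    tunnel = ipaddress.ip_interface(fw.tunnel_address)
    caddr = ipaddress.ip_interface(client.address)
    allowed = ipaddress.ip_network(fw.peer_allowed_ips)
    if caddr.ip not in tunnel.network:
        problems.append(f"client address {caddr.ip} is outside the tunnel subnet {tunnel.network}")
    if caddr.ip == tunnel.ip:
        problems.append("client address collides with the firewall's tunnel address")
    if allowed.prefixlen != 32 or caddr.ip not in allowed:
        problems.append(f"peer Allowed IPs {allowed} does not match the client address {caddr.ip}/32")
    if client.full_tunnel and not client.dns:
        problems.append("full-tunnel client has no DNS setting; name lookups would go to the local resolver outside the VPN")
    return problems


def render(fw: FirewallSide, client: ClientSide) -> str:
    """Client .conf text; raises ValueError if check() found problems."""
    problems = check(fw, client)
    if problems:
        raise ValueError("; ".join(problems))
    tunnel = ipaddress.ip_interface(fw.tunnel_address)
    if client.full_tunnel:
        allowed = ["0.0.0.0/0"]
    else:
        allowed = [f"{tunnel.ip}/32"] + list(fw.lan_subnets)
    lines = ["[Interface]",
             f"PrivateKey = {client.private_key}",
             f"Address = {client.address}"]
    if client.dns:
        lines.append(f"DNS = {client.dns}")
    lines += ["",
              "[Peer]",
              f"PublicKey = {fw.public_key}",
              f"AllowedIPs = {', '.join(allowed)}",
              f"Endpoint = {fw.endpoint_host}:{fw.listen_port}"]
    return "\n".join(lines) + "\n"


# Constructed example using the tutorial's values (the keys are its example keys).
FIREWALL = FirewallSide(
    endpoint_host="198.51.100.6", listen_port=51821, wan_rule_port=51821,
    tunnel_address="10.10.0.1/24",
    public_key="PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=",
    peer_allowed_ips="10.10.0.2/32", lan_subnets=["10.6.0.0/24"])
CLIENT = ClientSide(
    private_key="WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=",
    address="10.10.0.2/24")
CLIENT_FULL = replace(CLIENT, full_tunnel=True, dns="10.10.0.1, pfSense.home.arpa")
# Two typical mistakes: a mistyped WAN rule port, and a client address from another subnet.
FIREWALL_BAD_RULE = replace(FIREWALL, wan_rule_port=51829)
CLIENT_WRONG_SUBNET = replace(CLIENT, address="10.6.210.2/24")

if __name__ == "__main__":
    print(render(FIREWALL, CLIENT))
    print(render(FIREWALL, CLIENT_FULL))
    print("\n".join(check(FIREWALL_BAD_RULE, CLIENT)))
    print("\n".join(check(FIREWALL, CLIENT_WRONG_SUBNET)))
```

Running it prints the two client configurations for the consistent setup and, for the two broken setups, the exact disagreement rather than the silent "no handshake" you would otherwise get from the client.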