
pfsense 2.7.2 Setup WireGuard Site to Site Tunnel

  • On BOTH site pfsense installations, install the WireGuard package from System ---> Package Manager ---> Available Packages. Enter WireGuard in the Search term field, click Search and then click on the Install button next to the WireGuard package (Figure 1).

Figure 1


  • On Site A, refresh the pfsense web GUI and navigate to VPN ---> WireGuard, click on the Tunnels tab and then click on the Add Tunnel button (Figure 2).

Figure 2


  • In the Tunnels tab, click on Add Tunnel and in the Tunnel Configuration fill in the following fields (Figure 3):
      • Enable: Checked
      • Description: Optionally, describe the purpose of this tunnel (Ex: Tunnel to Site B)
      • Listen Port: Leave blank to use port UDP/51820 or enter a specific port number you wish to use
      • Interface Keys: click the Generate button to create a new Private/Public key pair and copy the Public Key that's generated in order to enter it in the Public Key field of the Peer on Site B.
      • Click the Save Tunnel button

Figure 3


  • On Site B, refresh the pfsense web GUI and navigate to VPN ---> WireGuard, click on the Tunnels tab and then click on the Add Tunnel button (Figure 4).

Figure 4


  • In the Tunnel Configuration fill in the following fields (Figure 5):
      • Enable: Checked
      • Description: Optionally, describe the purpose of this tunnel (Ex: Tunnel to Site A)
      • Listen Port: Leave blank to use port UDP/51820 or enter a specific port number you wish to use
      • Interface Keys: click the Generate button to create a new Private/Public key pair and copy the Public Key that's generated in order to enter it in the Public Key field of the Peer on Site A.
      • Click the Save Tunnel button

Figure 5


On BOTH sites, navigate to VPN ---> WireGuard, click on the Settings tab and click on the Enable WireGuard checkbox, select Only Unassigned Tunnels on the Interface Group Membership and then click on the Save button (Figure 6).

Figure 6


On Site A, navigate to VPN ---> WireGuard, click on the Peers tab and then click on the Add Peer button (Figure 7).

Figure 7


In the Peer Configuration fill in the following fields (Figure 8):

  • Enable: Checked
  • Tunnel: Select the Tunnel previously configured from the drop-down list
  • Description: Optionally, describe the purpose of this Peer (Ex: Peer to Site B)
  • Listen Port: Leave blank to use port UDP/51820 or enter a specific port number you wish to use
  • Dynamic Endpoint: Unchecked
  • Endpoint: Fill in the Internet IP or Hostname as well as the port number for Site B
  • Public Key: Paste the previously copied Public Key from the Tunnel on Site B
  • Pre-shared Key: Click the Generate button to generate a new pre-shared key and copy it in order to paste it in the Peer configuration of Site B
  • Allowed IPs: Enter an UNUSED Network address (Example: 10.10.12.0) with a CIDR of 30 (two usable host addresses, one per site) in the first field, click Add Allowed IP and then enter the Network Address and corresponding CIDR of the LAN subnet for Site B
  • Click the Save Peer button

Figure 8


On Site B, navigate to VPN ---> WireGuard, click on the Peers tab and then click on the Add Peer button (Figure 9).

Figure 9


In the Peer Configuration fill in the following fields (Figure 10):

  • Enable: Checked
  • Tunnel: Select the Tunnel previously configured from the drop-down list
  • Description: Optionally, describe the purpose of this Peer (Ex: Peer to Site A)
  • Listen Port: Leave blank to use port UDP/51820 or enter a specific port number you wish to use
  • Dynamic Endpoint: Unchecked
  • Endpoint: Fill in the Internet IP or Hostname as well as the port number for Site A
  • Public Key: Paste the previously copied Public Key from the Tunnel on Site A
  • Pre-shared Key: Paste the previously copied Pre-shared Key from the Peer on Site A
  • Allowed IPs: Enter the SAME Tunnel Subnet Network address and CIDR you set on the Peer on Site A, click Add Allowed IP and then enter the Network Address and corresponding CIDR of the LAN subnet for Site A
  • Click the Save Peer button

Figure 10
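
As an added example (not part of the original guide), the following Python check encodes the cross-site rules the two Peer entries above must satisfy before the tunnel can come up: each Peer's Public Key is the other site's Tunnel public key, the Pre-shared Key is identical on both sides, the Endpoints point at each other, Allowed IPs include the remote LAN, and the /30 tunnel subnet is the same on both sites and does not overlap either LAN. Site names, keys and addresses are constructed placeholders, not values from the guide.

```python
import ipaddress

# Constructed sample settings mirroring the Tunnel and Peer forms above.
# Keys and addresses are placeholders, not real WireGuard material.
SITE_A = {
    "name": "Site A", "lan": "192.168.1.0/24", "endpoint": "203.0.113.10:51820",
    "tunnel_pubkey": "PUBKEY_A_PLACEHOLDER=",
    "peer": {"endpoint": "198.51.100.20:51820", "public_key": "PUBKEY_B_PLACEHOLDER=",
             "psk": "PSK_PLACEHOLDER=", "allowed_ips": ["10.10.12.0/30", "192.168.2.0/24"]},
}
SITE_B = {
    "name": "Site B", "lan": "192.168.2.0/24", "endpoint": "198.51.100.20:51820",
    "tunnel_pubkey": "PUBKEY_B_PLACEHOLDER=",
    "peer": {"endpoint": "203.0.113.10:51820", "public_key": "PUBKEY_A_PLACEHOLDER=",
             "psk": "PSK_PLACEHOLDER=", "allowed_ips": ["10.10.12.0/30", "192.168.1.0/24"]},
}

def check_pair(a, b):
    """Return the mismatches between two sites' Tunnel/Peer settings (empty list = consistent)."""
    problems = []
    lans = {s["name"]: ipaddress.ip_network(s["lan"]) for s in (a, b)}
    tunnels = {}
    for local, remote in ((a, b), (b, a)):
        p, who = local["peer"], local["name"]
        # The Peer's Public Key must be the *remote* Tunnel's public key, not the local one.
        if p["public_key"] != remote["tunnel_pubkey"]:
            problems.append(f"{who}: peer public key is not {remote['name']}'s tunnel key")
        # The Peer's Endpoint must point at the remote site's Internet address and listen port.
        if p["endpoint"] != remote["endpoint"]:
            problems.append(f"{who}: endpoint {p['endpoint']} != {remote['endpoint']}")
        nets = [ipaddress.ip_network(n) for n in p["allowed_ips"]]
        # Allowed IPs must carry the remote LAN, or its traffic is never routed into the tunnel.
        if lans[remote["name"]] not in nets:
            problems.append(f"{who}: Allowed IPs lack {remote['name']} LAN {remote['lan']}")
        # What remains in Allowed IPs is the tunnel subnet; it must not collide with any LAN.
        tunnels[who] = {n for n in nets if n != lans[remote["name"]]}
        for n in tunnels[who]:
            for lan_name, lan in lans.items():
                if n.overlaps(lan):
                    problems.append(f"{who}: tunnel subnet {n} overlaps {lan_name} LAN {lan}")
    if a["peer"]["psk"] != b["peer"]["psk"]:
        problems.append("pre-shared keys differ between the two Peer entries")
    if tunnels[a["name"]] != tunnels[b["name"]]:
        problems.append("tunnel subnet (the /30 in Allowed IPs) differs between sites")
    return problems

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["configuration is consistent"]:
        print(line)
```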