{"id":57,"date":"2024-07-24T08:12:44","date_gmt":"2024-07-24T08:12:44","guid":{"rendered":"http:\/\/192.168.40.2\/?p=57"},"modified":"2025-07-24T08:50:21","modified_gmt":"2025-07-24T08:50:21","slug":"how-to-set-up-wireguard-in-pfsense-establish-a-secure-vpn-connection","status":"publish","type":"post","link":"https:\/\/allogman.com\/?p=57","title":{"rendered":"How to set up WireGuard in pfSense: Establish a secure VPN connection"},"content":{"rendered":"\n

Installing WireGuard<\/strong><\/h2>\n\n\n\n

WireGuard, on pfSense, is an add-on package. So the first thing we need to do is install the WireGuard package.<\/p>\n\n\n\n

    \n
  1. From the top menu, select\u00a0System<\/strong>\u00a0>\u00a0Package Manager<\/strong>. The\u00a0Package Manager<\/strong>\u00a0is displayed.<\/a><\/li>\n\n\n\n
  2. Click\u00a0Available Packages<\/strong>\u00a0to display the list of available packages.<\/a><\/li>\n\n\n\n
  3. Scroll down until you see\u00a0WireGuard<\/strong>. Click\u00a0Install<\/strong>.<\/a><\/li>\n\n\n\n
  4. You\u2019re prompted to confirm the installation. Click\u00a0Confirm<\/strong>. The installation begins. When complete, you should see\u00a0Success<\/strong>\u00a0at the bottom of the installation window.<\/a><\/a><\/li>\n<\/ol>\n\n\n\n

    Configuring the tunnel<\/strong><\/h2>\n\n\n\n

    In this step, we\u2019re going to start configuring our WireGuard tunnel to our VPN provider.<\/p>\n\n\n\n

      \n
    1. From the top menu, select\u00a0VPN<\/strong>\u00a0>\u00a0WireGuard<\/strong>. The WireGuard options are displayed. We\u2019re on the\u00a0Tunnels<\/strong>\u00a0tab by default.<\/a><\/li>\n\n\n\n
    2. Click\u00a0Add Tunnel<\/strong>. The WireGuard\u00a0Tunnels<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
    3. Make sure\u00a0Enable Tunnel<\/strong>\u00a0is ticked (it should be by default).<\/li>\n\n\n\n
    4. Fill in a description for your tunnel.<\/li>\n\n\n\n
    5. Set the\u00a0Listen Port<\/strong>.<\/li>\n\n\n\n
    6. Click\u00a0Generate<\/strong>\u00a0next to the\u00a0Interface Keys<\/strong>\u00a0boxes and copy the\u00a0public key<\/strong>. You will need to upload this to your VPN provider.<\/li>\n\n\n\n
    7. *<\/strong>For\u00a0Windscribe<\/strong>, paste the private key you obtained from the config generator in the\u00a0Private Key<\/strong>\u00a0box. Your public key will be automatically derived from the private key.<\/li>\n\n\n\n
    8. In the\u00a0Interface Addresses<\/strong>\u00a0field, paste the IP address assigned by your VPN provider, setting the subnet mask to\u00a0\/32<\/strong>. This guide assumes most people will configure only an IPv4 WireGuard tunnel. However, if your provider offers IPv4 and IPv6 and you want to use both, you can click\u00a0Add<\/strong>\u00a0Address<\/strong>\u00a0and add the IPv6 address assigned by your provider.<\/li>\n\n\n\n
    9. Add a description (optional).<\/li>\n\n\n\n
    10. Click\u00a0Save Tunnel<\/strong>. You\u2019re taken back to the\u00a0Tunnels<\/strong>\u00a0page.<\/a><\/li>\n<\/ol>\n\n\n\n

      Configuring the peer<\/strong><\/h2>\n\n\n\n
        \n
      1. Click the\u00a0Peers<\/strong>\u00a0tab.<\/a><\/li>\n\n\n\n
      2. Click\u00a0Add Peer<\/strong>. The\u00a0Peers<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
      3. Tick\u00a0Enable<\/strong>\u00a0Peer<\/strong>.<\/li>\n\n\n\n
      4. From the\u00a0Tunnels<\/strong>\u00a0drop-down menu, select the WireGuard tunnel you just configured.<\/li>\n\n\n\n
      5. In the\u00a0Description<\/strong>\u00a0box, add a description for your peer.<\/li>\n\n\n\n
      6. Untick\u00a0Dynamic<\/strong>\u00a0Endpoint<\/strong>. The\u00a0Endpoint<\/strong>\u00a0and\u00a0Port<\/strong>\u00a0boxes appear.<\/li>\n\n\n\n
      7. Enter the IP address of your VPN provider\u2019s WireGuard \u201cserver\u201d (endpoint) and the port used to connect. You can find this on your VPN provider\u2019s web page.<\/li>\n\n\n\n
      8. You can optionally set a\u00a0Keep<\/strong>\u00a0Alive<\/strong>\u00a0interval.\u00a025<\/strong>\u00a0is usually fine.<\/li>\n\n\n\n
      9. Enter the WireGuard \u201cserver\u201d\u2018s public key in the Public Key field. Again, you can find this on your VPN provider\u2019s web page.<\/li>\n\n\n\n
      10. Under\u00a0Address<\/strong>\u00a0Configuration<\/strong>, enter\u00a00.0.0.0\/0<\/strong>\u00a0in the\u00a0Allowed<\/strong>\u00a0IPs<\/strong>\u00a0field. That configures all traffic to go through the WireGuard tunnel.<\/li>\n\n\n\n
      11. Click\u00a0Save<\/strong>\u00a0Peer<\/strong>. You\u2019re taken back to the\u00a0Peers<\/strong>\u00a0page.<\/a><\/li>\n<\/ol>\n\n\n\n

        Enabling the WireGuard service<\/strong><\/h2>\n\n\n\n

        Now that we\u2019ve set up our tunnel and our peer, we can enable the WireGuard service on pfSense.<\/p>\n\n\n\n

          \n
        1. Click the\u00a0Settings<\/strong>\u00a0tab. The\u00a0Settings<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
        2. Tick\u00a0Enable<\/strong>\u00a0WireGuard<\/strong>, at the top.<\/li>\n\n\n\n
        3. Click\u00a0Save<\/strong>. The WireGuard service is now running. You should see a green banner at the top indicating this.<\/a><\/li>\n<\/ol>\n\n\n\n

          Creating the WireGuard interface & gateway<\/strong><\/h2>\n\n\n\n

          We now need to create an interface and a gateway that pfSense will use to establish and push traffic through the WireGuard tunnel.<\/p>\n\n\n\n

          Interface<\/strong><\/h3>\n\n\n\n
            \n
          1. From the top menu, select\u00a0Interfaces<\/strong>\u00a0><\/strong>\u00a0Assignments<\/strong>. The\u00a0Interface<\/strong>\u00a0Assignments<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
          2. Click the green\u00a0Add<\/strong>\u00a0button.<\/a><\/li>\n\n\n\n
          3. OPT1<\/strong>\u00a0(optional interface 1) is now listed as an interface. Click\u00a0OPT1<\/strong>.<\/a><\/li>\n\n\n\n
          4. The\u00a0OPT1<\/strong>\u00a0interface page is displayed.<\/li>\n\n\n\n
          5. Click\u00a0Enable<\/strong>\u00a0interface<\/strong>.<\/li>\n\n\n\n
          6. In the\u00a0Description<\/strong>\u00a0box, name your interface.<\/li>\n\n\n\n
          7. From the\u00a0IPv4 Configuration Type<\/strong>\u00a0drop-down menu, select\u00a0Static<\/strong>\u00a0IPv4<\/strong>.<\/li>\n\n\n\n
          8. Under\u00a0Static<\/strong>\u00a0IPv4<\/strong>\u00a0Configuration<\/strong>, in the\u00a0IPv4<\/strong>\u00a0Address<\/strong>\u00a0box, paste the IP address your VPN provider assigned to you and set the\u00a0\/32<\/strong>\u00a0subnet mask.<\/li>\n\n\n\n
          9. Repeat the steps for IPv6 if you want to use both IPv4 and IPv6. Select\u00a0Static<\/strong>\u00a0IPv6<\/strong>\u00a0from the\u00a0IPv6<\/strong>\u00a0Configuration<\/strong>\u00a0Type<\/strong>\u00a0drop-down menu and paste the IPv6 address assigned by your VPN provider in the\u00a0IPv6<\/strong>\u00a0Address<\/strong>\u00a0box (with a\u00a0\/128<\/strong>\u00a0subnet mask).<\/a><\/li>\n<\/ol>\n\n\n\n

            Gateway<\/strong><\/h3>\n\n\n\n
              \n
            1. Next to the\u00a0IPv4<\/strong>\u00a0Upstream<\/strong>\u00a0gateway<\/strong>\u00a0drop-down menu, click\u00a0Add<\/strong>\u00a0a<\/strong>\u00a0new<\/strong>\u00a0gateway<\/strong>. The\u00a0New<\/strong>\u00a0IPv4<\/strong>\u00a0Gateway<\/strong>\u00a0menu is displayed.<\/a><\/li>\n\n\n\n
            2. In the\u00a0Gateway<\/strong>\u00a0name<\/strong>\u00a0box, provide a name for your gateway. It must be different from the interface name.<\/li>\n\n\n\n
            3. In the\u00a0Gateway<\/strong>\u00a0IPv4<\/strong>\u00a0box, paste the IP address assigned to you by your VPN provider, as we did with the interface above.<\/li>\n\n\n\n
            4. In the\u00a0Description<\/strong>\u00a0box<\/strong>, type in a description (optional).<\/li>\n\n\n\n
            5. Click\u00a0Add<\/strong>. You\u2019re back on the\u00a0OPT1<\/strong>\u00a0interface page.<\/li>\n\n\n\n
            6. Under\u00a0Static<\/strong>\u00a0IPv4<\/strong>\u00a0Configuration<\/strong>, from the\u00a0IPv4<\/strong>\u00a0Upstream<\/strong>\u00a0gateway<\/strong>\u00a0drop-down menu, select the gateway we just created.<\/a><\/li>\n\n\n\n
            7. Click\u00a0Save<\/strong>.<\/li>\n\n\n\n
            8. Click\u00a0Apply<\/strong>\u00a0Changes<\/strong>\u00a0at the top. We\u2019ve created the WireGuard interface and gateway.<\/a><\/li>\n\n\n\n
            9. Repeat these steps for IPv6 (using the IPv6 address assigned by your VPN provider) if you want to use both IPv4 and IPv6.<\/li>\n<\/ol>\n\n\n\n

              Setting the LAN MSS clamping<\/strong><\/h2>\n\n\n\n

              WireGuard\u2019s maximum transmission unit (MTU) is 1420. What that means is that if a datagram exceeds 1420 bytes, it will be fragmented, which may break the connection. If you have MTU issues while using WireGuard, one symptom will be that certain websites won\u2019t load. And you\u2019ll be scratching your head trying to figure out why some sites load just fine while others do not. When I first set up WireGuard on my router, I scratched my head with this issue for days before considering MTU issues and setting up MSS clamping.<\/p>\n\n\n\n

              MSS stands for Maximum TCP Segment Size and adjusts the size of the datagram being transmitted to \u201cfit\u201d the data link over which it\u2019s being transmitted without fragmentation. In other words, MSS clamping makes sure it is small enough to fit through the transiting interface\u2019s MTU.<\/p>\n\n\n\n

              We will MSS clamp our LAN interface to make sure our WireGuard tunnel works smoothly.<\/p>\n\n\n\n

                \n
              1. From the top menu, select\u00a0Interfaces<\/strong>\u00a0>\u00a0LAN<\/strong>.<\/a><\/li>\n\n\n\n
              2. Under\u00a0General<\/strong>\u00a0Configuration<\/strong>, in the\u00a0MSS<\/strong>\u00a0field, enter\u00a01380<\/strong>. 1380 is a good value that should work on most systems. Other values may work too. Feel free to experiment; just remember to stay under 1420. Repeat these steps for any other OPT interfaces you want to add.<\/a><\/li>\n\n\n\n
              3. Click\u00a0Save<\/strong>\u00a0at the bottom of the page and\u00a0Apply<\/strong>\u00a0Changes<\/strong>.<\/li>\n<\/ol>\n\n\n\n

                Configuring NAT<\/strong><\/h2>\n\n\n\n

                We now need to configure Network Address Translation for our WireGuard tunnel.<\/p>\n\n\n\n

                  \n
                1. From the top menu, select\u00a0Firewall<\/strong>\u00a0><\/strong>\u00a0NAT<\/strong>.<\/a><\/li>\n\n\n\n
                2. Select the\u00a0Outbound<\/strong>\u00a0tab.<\/a><\/li>\n\n\n\n
                3. Under\u00a0Outbound<\/strong>\u00a0NAT<\/strong>\u00a0Mode<\/strong>, select\u00a0Manual<\/strong>\u00a0Outbound<\/strong>\u00a0NAT<\/strong>\u00a0rule<\/strong>\u00a0generation<\/strong>. We need to set this because we want to create our own NAT rules to route our traffic through the WireGuard tunnel.<\/a><\/li>\n\n\n\n
                4. Click\u00a0Save<\/strong>.<\/a><\/li>\n\n\n\n
                5. Click\u00a0Apply<\/strong>\u00a0Changes<\/strong>\u00a0at the top.<\/a><\/li>\n\n\n\n
                6. Because we want to force all LAN traffic through the WireGuard tunnel, we want to delete any NAT rules that allow LAN traffic to go out through the WAN interface. Select the rules as shown below for your LAN interface and click\u00a0Delete<\/strong>.<\/a><\/li>\n\n\n\n
                7. Click\u00a0Apply<\/strong>\u00a0Changes<\/strong>. Your rules should look like the screenshot below.\u00a0<\/a><\/li>\n\n\n\n
                8. Note<\/strong>: If you only want to use IPv4, you can also delete the IPv6 rules.<\/a><\/li>\n<\/ol>\n\n\n\n

                  Configuring firewall rules<\/strong><\/h2>\n\n\n\n

                  We\u2019re now going to create firewall rules to route our LAN traffic through the WireGuard tunnel.<\/p>\n\n\n\n

                    \n
                  1. From the top menu, select\u00a0Firewall<\/strong>\u00a0>\u00a0Rules<\/strong>. The\u00a0Firewall<\/strong>\u00a0Rules<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                  2. Select the\u00a0LAN<\/strong>\u00a0tab. The LAN firewall rules are displayed.<\/a><\/li>\n\n\n\n
                  3. Click the\u00a0Add<\/strong>\u00a0(top) button. An empty firewall rule is displayed.<\/a><\/li>\n\n\n\n
                  4. Set the\u00a0Action<\/strong>\u00a0field to\u00a0Pass<\/strong>.<\/li>\n\n\n\n
                  5. Make sure the\u00a0Interface<\/strong>\u00a0field is set to\u00a0LAN<\/strong>.<\/li>\n\n\n\n
                  6. Set the\u00a0Address<\/strong>\u00a0Family<\/strong>\u00a0field to\u00a0IPv4<\/strong>.<\/li>\n\n\n\n
                  7. Set the\u00a0Protocol<\/strong>\u00a0to\u00a0Any<\/strong>.<\/li>\n\n\n\n
                  8. Under\u00a0Source<\/strong>, set the\u00a0Source<\/strong>\u00a0drop-down menu to\u00a0LAN.net<\/strong>.<\/li>\n\n\n\n
                  9. Under\u00a0Destination<\/strong>, set the\u00a0Destination<\/strong>\u00a0drop-down menu to\u00a0any<\/strong>.<\/a><\/li>\n\n\n\n
                  10. Under\u00a0Extra<\/strong>\u00a0Options<\/strong>, next to the\u00a0Advanced<\/strong>\u00a0Options<\/strong>\u00a0field, click the\u00a0Display<\/strong>\u00a0Advanced<\/strong>\u00a0button. The\u00a0Advanced<\/strong>\u00a0Options<\/strong>\u00a0are displayed.<\/li>\n\n\n\n
                  11. Scroll down to the\u00a0Gateway<\/strong>\u00a0field and select the WireGuard gateway we configured earlier from the drop-down menu.<\/a><\/li>\n\n\n\n
                  12. Click\u00a0Save<\/strong>.<\/li>\n\n\n\n
                  13. Click\u00a0Apply<\/strong>\u00a0Changes<\/strong>. The new rule is displayed under the Anti-Lockout Rule. If you want to use both IPv4 and IPv6, repeat these steps for IPv6.<\/li>\n\n\n\n
                  14. Click the\u00a0green<\/strong>\u00a0arrow<\/strong>\u00a0next to two default LAN rules to disable them. Now our LAN traffic can only go out through the WireGuard gateway.<\/a><\/li>\n<\/ol>\n\n\n\n

                    Static routes<\/strong><\/h2>\n\n\n\n

                    In a few steps, we\u2019re going to set our WireGuard gateway as the default gateway for our pfSense box. To make sure that there are no errors when booting up pfSense (where it would try to initiate the tunnel through the WireGuard gateway itself), we\u2019re going to set up a static route for pfSense to use the WAN interface to initiate the tunnel.<\/p>\n\n\n\n

                      \n
                    1. From the top menu, select\u00a0System<\/strong>\u00a0>\u00a0Routing<\/strong>. The Routing page is displayed.<\/a><\/li>\n\n\n\n
                    2. Select the\u00a0Static<\/strong>\u00a0Routes<\/strong>\u00a0tab. The\u00a0Static<\/strong>\u00a0Routes<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                    3. Click the\u00a0Add<\/strong>\u00a0button.<\/a><\/li>\n\n\n\n
                    4. In the\u00a0Destination<\/strong>\u00a0network<\/strong>\u00a0field, enter the IP address for the WireGuard \u201cserver\u201d you\u2019re connecting to. That is the same address used when configuring our WireGuard peer.<\/li>\n\n\n\n
                    5. From the\u00a0Gateway<\/strong>\u00a0drop-down menu, select the\u00a0WAN<\/strong>\u00a0gateway.<\/li>\n\n\n\n
                    6. In the\u00a0Description<\/strong>\u00a0field, enter a description for your static route (optional).<\/li>\n\n\n\n
                    7. Click\u00a0Save<\/strong>. You\u2019re taken back to the\u00a0Static<\/strong>\u00a0Routes<\/strong>\u00a0page.<\/a><\/li>\n\n\n\n
                    8. Click\u00a0Apply<\/strong>\u00a0Changes<\/strong>.<\/a><\/li>\n<\/ol>\n\n\n\n

                      Setting the default gateway<\/strong><\/h2>\n\n\n\n

                      We\u2019re now going to set our WireGuard gateway as the pfSense box\u2019s default gateway.<\/p>\n\n\n\n

                        \n
                      1. Select the\u00a0Gateways<\/strong>\u00a0tab.<\/a><\/li>\n\n\n\n
                      2. Under\u00a0Default<\/strong>\u00a0gateway<\/strong>, from the\u00a0Default<\/strong>\u00a0gateway<\/strong>\u00a0IPv4<\/strong>\u00a0drop-down menu, select your (IPv4) WireGuard gateway.<\/a><\/li>\n\n\n\n
                      3. If you want to use both IPv4 and IPv6, repeat the above steps for\u00a0Default<\/strong>\u00a0gateway<\/strong>\u00a0IPv6<\/strong>.<\/li>\n\n\n\n
                      4. Click\u00a0Save\u00a0<\/strong>and\u00a0Apply Changes.<\/strong><\/li>\n<\/ol>\n\n\n\n

                        Configuring DNS<\/strong><\/h2>\n\n\n\n

                        In the following steps, we\u2019re going to configure our DNS settings for our WireGuard tunnel.<\/p>\n\n\n\n

                        General Setup<\/strong><\/h3>\n\n\n\n
                          \n
                        1. From the top menu, select\u00a0System<\/strong>\u00a0>\u00a0General<\/strong>\u00a0Setup<\/strong>. The\u00a0General<\/strong>\u00a0Setup<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                        2. Under\u00a0DNS<\/strong>\u00a0Server<\/strong>\u00a0Settings<\/strong>, in the\u00a0DNS<\/strong>\u00a0Servers<\/strong>\u00a0field, enter your VPN provider\u2019s DNS server IP address.<\/li>\n\n\n\n
                        3. In the\u00a0Gateway<\/strong>\u00a0field, select the WireGuard gateway.<\/li>\n\n\n\n
                        4. Uncheck the\u00a0DNS<\/strong>\u00a0Server<\/strong>\u00a0Override<\/strong>\u00a0box.<\/a><\/li>\n\n\n\n
                        5. Scroll down to the bottom of the page and click\u00a0Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n

                          DNS Resolver<\/strong><\/h3>\n\n\n\n
                            \n
                          1. From the top menu, select\u00a0Services<\/strong>\u00a0>\u00a0DNS<\/strong>\u00a0Resolver<\/strong>. The\u00a0DNS<\/strong>\u00a0Resolver<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                          2. If your VPN provider supports\u00a0DNSSEC<\/strong>, enable it by ticking the box. That provides a small enhancement in the security (authentication) of your DNS requests.<\/li>\n\n\n\n
                          3. Next to\u00a0DNS<\/strong>\u00a0Query<\/strong>\u00a0Forwarding<\/strong>, tick the\u00a0Enable Forwarding Mode<\/strong>\u00a0box. This forwards your DNS queries to the DNS server we configured in the previous step, in\u00a0System<\/strong>\u00a0>\u00a0General<\/strong>\u00a0Setup<\/strong>.<\/a><\/li>\n\n\n\n
                          4. Scroll down to the bottom of the page and click\u00a0Save<\/strong>\u00a0and\u00a0Apply<\/strong>\u00a0Changes<\/strong>.<\/li>\n<\/ol>\n\n\n\n

                            DHCP DNS settings<\/strong><\/h3>\n\n\n\n
                              \n
                            1. From the top menu, select\u00a0Services<\/strong>\u00a0>\u00a0DHCP<\/strong>\u00a0Server<\/strong>. The\u00a0LAN<\/strong>\u00a0DHCP<\/strong>\u00a0Server<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                            2. Under\u00a0Servers<\/strong>, in the\u00a0DNS<\/strong>\u00a0Server<\/strong>\u00a01<\/strong>\u00a0field, enter your VPN provider\u2019s DNS server IP address (the same server that we set in\u00a0System<\/strong>\u00a0>\u00a0General<\/strong>\u00a0Setup<\/strong>).<\/a><\/li>\n\n\n\n
                            3. Scroll down and click\u00a0Save\u00a0<\/strong>and\u00a0Apply Changes.<\/strong><\/li>\n<\/ol>\n\n\n\n

                              So the DHCP-assigned DNS server is for our LAN clients, while the DNS Resolver is set to be used by the pfSense box itself and any other OPT interfaces that you may add in the future. Both are configured to use your VPN provider\u2019s DNS server, only accessible through the WireGuard tunnel.<\/p>\n\n\n\n

                              Extra \u2013 Configuring a kill switch<\/strong><\/h2>\n\n\n\n

                              Most decent VPN apps include a kill switch. A kill switch cuts off your traffic from the internet if your VPN connection ever goes down. This ensures that packets don\u2019t go out through your regular ISP gateway \u2013 the WAN interface on a router.<\/p>\n\n\n\n

                              While we don\u2019t need a dedicated app to connect to our VPN provider when it\u2019s set up on the router (hooray), we can still configure a kill switch using floating firewall rules. Floating rules differ from regular firewall rules in that they\u2019re applied first and that they can apply to multiple interfaces at once \u2013 though it\u2019s the former that interests us here.<\/p>\n\n\n\n

                              We will use pfSense\u2019s floating rules to set up a kill switch for our WireGuard tunnel.<\/p>\n\n\n\n

                                \n
                              1. From the top menu, select\u00a0Firewall<\/strong>\u00a0>\u00a0Rules<\/strong>. The\u00a0Firewall<\/strong>\u00a0Rules<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                              2. Click on the\u00a0Floating<\/strong>\u00a0tab. The\u00a0Floating<\/strong>\u00a0Rules<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                              3. Click the\u00a0Add<\/strong>\u00a0(top) button.<\/a><\/li>\n\n\n\n
                              4. Set the\u00a0Action<\/strong>\u00a0field to\u00a0Reject<\/strong>.<\/li>\n\n\n\n
                              5. Tick the\u00a0Quick<\/strong>\u00a0box.<\/li>\n\n\n\n
                              6. Make sure the\u00a0Interface<\/strong>\u00a0is set to\u00a0WAN<\/strong>.<\/li>\n\n\n\n
                              7. Set the\u00a0Direction<\/strong>\u00a0to\u00a0any<\/strong>.<\/li>\n\n\n\n
                              8. Set the\u00a0Address Family<\/strong>\u00a0to\u00a0IPv4<\/strong>\u00a0(or\u00a0IPv4 + IPv6<\/strong>\u00a0if you are using both).<\/li>\n\n\n\n
                              9. Set the\u00a0Protocol<\/strong>\u00a0to\u00a0Any<\/strong>.<\/li>\n\n\n\n
                              10. Set the\u00a0Source<\/strong>\u00a0to\u00a0any<\/strong>.<\/li>\n\n\n\n
                              11. Set the\u00a0Destination<\/strong>\u00a0to\u00a0any<\/strong>.<\/li>\n\n\n\n
                              12. In the\u00a0Description<\/strong>\u00a0field, enter a description for your rule (optional).<\/li>\n\n\n\n
                              13. Click\u00a0Save<\/strong>. You\u2019re taken back to the Floating Rules page.<\/a><\/li>\n\n\n\n
                              14. Click the\u00a0Add<\/strong>\u00a0(top) button again.<\/li>\n\n\n\n
                              15. Set the\u00a0Action<\/strong>\u00a0field to\u00a0Pass<\/strong>.<\/li>\n\n\n\n
                              16. Tick the\u00a0Quick<\/strong>\u00a0box.<\/li>\n\n\n\n
                              17. Make sure the\u00a0Interface<\/strong>\u00a0is set to\u00a0WAN<\/strong>.<\/li>\n\n\n\n
                              18. Set the\u00a0Direction<\/strong>\u00a0to\u00a0any<\/strong>.<\/li>\n\n\n\n
                              19. Set the\u00a0Address Family<\/strong>\u00a0to\u00a0IPv4<\/strong>\u00a0(or\u00a0IPv4 + IPv6<\/strong>\u00a0if you are using both).<\/li>\n\n\n\n
                              20. Set the\u00a0Protocol<\/strong>\u00a0to\u00a0Any<\/strong>.<\/li>\n\n\n\n
                              21. Set the\u00a0Source<\/strong>\u00a0to\u00a0any<\/strong>.<\/li>\n\n\n\n
                              22. Set the\u00a0Destination<\/strong>\u00a0drop-down menu to\u00a0Single host or alias<\/strong>.<\/li>\n\n\n\n
                              23. Enter the\u00a0IP address<\/strong>\u00a0of your WireGuard \u201cserver\u201d in the box to the right of the<\/li>\n\n\n\n
                              24. Destination<\/strong>\u00a0field.<\/li>\n\n\n\n
                              25. In the\u00a0Description<\/strong>\u00a0field, enter a description for your rule (optional).<\/li>\n\n\n\n
                              26. Click\u00a0Save<\/strong>. You\u2019re taken back to the Floating Rules page.<\/a><\/li>\n\n\n\n
                              27. Click\u00a0Apply<\/strong>\u00a0Changes<\/strong>.<\/a><\/li>\n<\/ol>\n\n\n\n

                                Last steps<\/strong><\/h2>\n\n\n\n

                                OK, so we\u2019ve configured our WireGuard tunnel & peer. We\u2019ve configured NAT, DNS, and our firewall rules. And we\u2019ve also configured a kill switch to boot. We\u2019re now going to reboot our pfSense box. After the reboot, we\u2019ll confirm that everything is up and running as expected.<\/p>\n\n\n\n

                                Rebooting<\/strong><\/h3>\n\n\n\n
                                  \n
                                1. From the top menu, select\u00a0Diagnostics<\/strong>\u00a0>\u00a0Reboot<\/strong>.<\/a><\/li>\n\n\n\n
                                2. Make sure the\u00a0Reboot<\/strong>\u00a0method<\/strong>\u00a0is set to\u00a0Normal<\/strong>\u00a0reboot<\/strong>.<\/li>\n\n\n\n
                                3. Click\u00a0Submit<\/strong>. pfSense will reboot. Once rebooted, log back into pfSense.<\/a><\/li>\n<\/ol>\n\n\n\n

                                  Final checks<\/strong><\/h2>\n\n\n\n

                                  Checking the WireGuard tunnel status<\/strong><\/h3>\n\n\n\n

                                  We can check the status of our WireGuard within pfSense.<\/p>\n\n\n\n

                                    \n
                                  1. From the top menu, select\u00a0VPN<\/strong>\u00a0>\u00a0WireGuard<\/strong>. The WireGuard options are displayed.<\/a><\/li>\n\n\n\n
                                  2. Click the\u00a0Status<\/strong>\u00a0tab. The\u00a0Status<\/strong>\u00a0page is displayed.<\/a><\/li>\n\n\n\n
                                  3. Click the\u00a0small<\/strong>\u00a0arrow<\/strong>\u00a0to the left of the tunnel\u2019s\u00a0Name<\/strong>\u00a0field. This displays your peer\u2019s connection status.\u00a0Green<\/strong>\u00a0is good.<\/a><\/li>\n<\/ol>\n\n\n\n

                                    Testing the WireGuard tunnel<\/strong><\/h3>\n\n\n\n

                                    We can use curl on pfSense to test whether or not our traffic is being routed through the WireGuard tunnel.<\/p>\n\n\n\n

                                      \n
                                    1. From the top menu, select\u00a0Diagnostics<\/strong>\u00a0>\u00a0Command<\/strong>\u00a0Prompt<\/strong>.<\/a><\/li>\n\n\n\n
                                    2. In the\u00a0Execute<\/strong>\u00a0Shell<\/strong>\u00a0Command<\/strong>\u00a0box, enter:<\/li>\n<\/ol>\n\n\n\n