This recipe covers configuring a basic WireGuardremote access style VPN tunnel.
Note
Though WireGuard does not have a concept of “Client” and “Server” per se, inthis style of deployment the firewall cannot initiate connections to remotepeers. In this way the firewall acts like a “Server” and may be referred toas such in this documentation. Remote peers may also be referred to as“clients”.
Required Information¶
The following basic information must be determined before starting the VPNconfiguration.
Item | Value |
---|---|
Design | Remote access, one tunnel+many peers |
Firewall WAN |
|
Listen Port |
|
Tunnel Subnet |
|
Tunnel Address |
|
Peer Addresses |
|
Peer Endpoints | Dynamic |
Generating Keys¶
WireGuard requires public/private key pairs for each peer, including thisfirewall.
Warning
Keys cannot be reused between clients, as WireGuard requires unique keys toidentify clients and where to send their traffic.
Tunnel Keys¶
To generate keys for the firewall itself, click the Generate button whenconfiguring a tunnel. The GUI will populate the private and public key fieldsautomatically.
The peers will need the public key for their configuration.
Peer Keys¶
Each peer will need its own public/private key pair. The private key will beneeded on the peer client software while the public key will be needed on thefirewall itself for the peer definition.
These keys can be generated by the clients themselves, or via command line on asystem which has the WireGuard utilities installed. This includes the firewallitself; these commands may be run from a console or SSH shell or fromDiagnostics > Command Prompt.
From a command line, execute the following:
$ wg genkey | tee privatekey | wg pubkey > publickey
This command outputs files named privatekey
and publickey
whichrespectively contain a private key and its associated public key. This key paircan be used for a WireGuard peer.
To view the keys, inspect the contents of the files:
$ cat privatekeyWGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=$ cat publickeyb9FjbupGC7fomO5U4jL5Irt1ZV5rq4c+utGKj53HXgU=
Repeat the commands as needed as many times as is necessary for the number ofpeers required by this tunnel. Note the keys in a secure place.
Tip
Change the commands to output files named for their associated peer, thenstore the resulting files in a secure location.
Alternately, the keys can be output in one command without storing thempersistently. This behavior is not be supported on all platforms, but issupported on the firewall itself.
$ wg genkey | tee /dev/stderr | wg pubkey4BSH81zC3/OWl25XrzqWy7WnAiARXySHd+K+KFxNrWU=rzWOC0zH9v2zF6r92uCbjs7JOmhqy8N+cUdA+GCynSM=
Tunnel Configuration¶
Now it’s time to create the WireGuard tunnel.
Navigate to VPN > WireGuard > Tunnels
Click Add Tunnel
Fill in the options using the information determined earlier:
- Enable:
Checked
- Description:
Remote Access
- Listen Port:
51820
- Interface Keys:
Click Generate to create a new set of keys.
- Interface Addresses:
10.6.210.1/24
Click Save
Peer Configuration¶
Peers can be added when editing a tunnel. To edit a tunnel:
Navigate to VPN > WireGuard > Peers
Click Add Peer
Fill in the options using the information determined earlier:
- Enable:
Checked
- Tunnel:
tun_wg<num> (Remote Access)
- Description:
The name of this client (e.g. The name of a person, device, username, orother uniquely identifying information.)
- Dynamic Endpoint:
Checked
- Keep Alive:
Typically left blank, but may be filled in if clients have problemstraversing certain firewalls.
- Public Key:
The public key for this peer. Obtained from the key generation processearlier, or from the peer itself if it was generated by client softwaredirectly.
- Pre-Shared Key:
Not used in this example, but for additional security this pre-shared keycan be generated and copied to the peer. Must match on the client andserver.
- Allowed IPs:
The tunnel IP address for this peer, from the list determined above, witha
/32
CIDR mask. For example, the first peer will be10.6.210.2/32
,the second will be10.6.210.3/32
, and so on.
Click Save Peer
Repeat the steps to add additional peers as needed.
Firewall Rules¶
First add a rule to pass external WireGuard traffic on the WAN:
Navigate to Firewall > Rules, WAN tab
Click Add to add a new rule to the top of the list
Use the following settings:
- Action:
Pass
- Interface:
WAN
- Protocol:
UDP
- Source:
any
- Destination:
WAN Address
- Destination Port Range:
(other),
51820
- Description:
Pass traffic to WireGuard
Click Save
Click Apply Changes
Next, add a rule to pass traffic inside the WireGuard tunnel:
Navigate to Firewall > Rules, WireGuard tab
Click Add to add a new rule to the top of the list
Use the following settings:
- Action:
Pass
- Interface:
WireGuard
- Protocol:
Any
- Source:
any
- Destination:
any
- Description:
Pass VPN traffic from WireGuard peers
Click Save
Click Apply Changes
Client Configuration¶
Client configuration varies by platform, see WireGuard documentation fordetails. This section covers a basic configuration.
This is an example configuration from a WireGuard client for a split-tunnel configuration:
[Interface]PrivateKey = WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=ListenPort = 51820Address = 10.6.210.2/24[Peer]PublicKey = PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=AllowedIPs = 10.6.210.1/32, 10.6.0.0/24Endpoint = 198.51.100.6:51820
This is an example configuration from a WireGuard client for a full-tunnel configuration:
[Interface]PrivateKey = WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=ListenPort = 51820DNS = 10.6.210.1, pfSense.home.arpaAddress = 10.6.210.2/24[Peer]PublicKey = PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=AllowedIPs = 0.0.0.0/0Endpoint = 198.51.100.6:51820
The fields in that file are as follows:
- Interface:
Settings for this client.
- PrivateKey:
The private key for this peer. Obtained from the key generation processearlier, or from the peer itself if it was generated by client softwaredirectly.
- ListenPort:
A static port to listen on, or omit the line to use a random port instead.
- DNS:
The DNS server(s) and search domain that should be used by the system whenthe tunnel is enabled.
- Address:
The tunnel address for this client. Not supported on all platforms, as somerequire configuring the address using command-line utilities. However,clients on Windows and Android, for example, support this directive.
This should use the same CIDR mask as the Tunnel address. In thisexample, the first peer is
10.6.210.2/24
.
- Peer:
Configuration for the firewall end of the tunnel.
- PublicKey:
The public key from the Tunnel configuration on the firewall.
- AllowedIPs:
The Tunnel address, and any additional networks which should be routedacross the VPN in a comma-separated list. This could be a LAN subnet (e.g.
10.6.0.0/24
) or use0.0.0.0/0
to route all traffic, includingInternet traffic, across the tunnel.- Endpoint:
The firewall WAN IP address and WireGuard Listen Port
Note
This only covers the basics, there are numerous other fields which can be usedto control client behavior plus additional client options which vary byplatform. For additional details, see the WireGuard documentation and thedocumentation for the WireGuard software used by a peer.
Transfer the resulting client configuration file to the peer in a secure manner.Methods vary by platform and client software.
Finish Up¶
After configuring the client and activating the VPN, the client should be ableto pass traffic to the networks listed in the AllowedIPs
list in itsconfiguration.
See also
WireGuard
Routing
WireGuard Site-to-Site VPN Configuration Example
WireGuard Site-to-Multisite VPN Configuration Example
WireGuard VPN Client Configuration Example