This recipe covers configuring a basic WireGuardremote access style VPN tunnel.
Note
Though WireGuard does not have a concept of “Client” and “Server” per se, inthis style of deployment the firewall cannot initiate connections to remotepeers. In this way the firewall acts like a “Server” and may be referred toas such in this documentation. Remote peers may also be referred to as“clients”.
Required Information¶
The following basic information must be determined before starting the VPNconfiguration.
Item | Value |
|---|---|
Design | Remote access, one tunnel+many peers |
Firewall WAN |
|
Listen Port |
|
Tunnel Subnet |
|
Tunnel Address |
|
Peer Addresses |
|
Peer Endpoints | Dynamic |
Generating Keys¶
WireGuard requires public/private key pairs for each peer, including thisfirewall.
Warning
Keys cannot be reused between clients, as WireGuard requires unique keys toidentify clients and where to send their traffic.
Tunnel Keys¶
To generate keys for the firewall itself, click the Generate button whenconfiguring a tunnel. The GUI will populate the private and public key fieldsautomatically.
The peers will need the public key for their configuration.
Peer Keys¶
Each peer will need its own public/private key pair. The private key will beneeded on the peer client software while the public key will be needed on thefirewall itself for the peer definition.
These keys can be generated by the clients themselves, or via command line on asystem which has the WireGuard utilities installed. This includes the firewallitself; these commands may be run from a console or SSH shell or fromDiagnostics > Command Prompt.
From a command line, execute the following:
$ wg genkey | tee privatekey | wg pubkey > publickey
This command outputs files named privatekey and publickey whichrespectively contain a private key and its associated public key. This key paircan be used for a WireGuard peer.
To view the keys, inspect the contents of the files:
$ cat privatekeyWGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=$ cat publickeyb9FjbupGC7fomO5U4jL5Irt1ZV5rq4c+utGKj53HXgU=
Repeat the commands as needed as many times as is necessary for the number ofpeers required by this tunnel. Note the keys in a secure place.
Tip
Change the commands to output files named for their associated peer, thenstore the resulting files in a secure location.
Alternately, the keys can be output in one command without storing thempersistently. This behavior is not be supported on all platforms, but issupported on the firewall itself.
$ wg genkey | tee /dev/stderr | wg pubkey4BSH81zC3/OWl25XrzqWy7WnAiARXySHd+K+KFxNrWU=rzWOC0zH9v2zF6r92uCbjs7JOmhqy8N+cUdA+GCynSM=
Tunnel Configuration¶
Now it’s time to create the WireGuard tunnel.
Navigate to VPN > WireGuard > Tunnels
Click
Add TunnelFill in the options using the information determined earlier:
- Enable
Checked
- Description
Remote Access- Listen Port
51820- Interface Keys
Click Generate to create a new set of keys.
- Interface Addresses
10.6.210.1/24
Click Save
Add TunnelPeer Configuration¶
Peers can be added when editing a tunnel. To edit a tunnel:
Navigate to VPN > WireGuard > Peers
Click
Add PeerFill in the options using the information determined earlier:
- Enable
Checked
- Tunnel
tun_wg<num> (Remote Access)
- Description
The name of this client (e.g. The name of a person, device, username, orother uniquely identifying information.)
- Dynamic Endpoint
Checked
- Keep Alive
Typically left blank, but may be filled in if clients have problemstraversing certain firewalls.
- Public Key
The public key for this peer. Obtained from the key generation processearlier, or from the peer itself if it was generated by client softwaredirectly.
- Pre-Shared Key
Not used in this example, but for additional security this pre-shared keycan be generated and copied to the peer. Must match on the client andserver.
- Allowed IPs
The tunnel IP address for this peer, from the list determined above, witha
/32CIDR mask. For example, the first peer will be10.6.210.2/32,the second will be10.6.210.3/32, and so on.
Click Save Peer
Repeat the steps to add additional peers as needed.
Firewall Rules¶
First add a rule to pass external WireGuard traffic on the WAN:
Navigate to Firewall > Rules, WAN tab
Click
Add to add a new rule to the top of the listUse the following settings:
- Action
Pass
- Interface
WAN
- Protocol
UDP
- Source
any
- Destination
WAN Address
- Destination Port Range
(other),
51820- Description
Pass traffic to WireGuard
Click Save
Click Apply Changes
Add to add a new rule to the top of the listNext, add a rule to pass traffic inside the WireGuard tunnel:
Navigate to Firewall > Rules, WireGuard tab
Click
Add to add a new rule to the top of the listUse the following settings:
- Action
Pass
- Interface
WireGuard
- Protocol
Any
- Source
any
- Destination
any
- Description
Pass VPN traffic from WireGuard peers
Click Save
Click Apply Changes
Client Configuration¶
Client configuration varies by platform, see WireGuard documentation fordetails. This section covers a basic configuration.
This is an example configuration from a WireGuard client for a split-tunnel configuration:
[Interface]PrivateKey = WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=ListenPort = 51820Address = 10.6.210.2/24[Peer]PublicKey = PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=AllowedIPs = 10.6.210.1/32, 10.6.0.0/24Endpoint = 198.51.100.6:51820
This is an example configuration from a WireGuard client for a full-tunnel configuration:
[Interface]PrivateKey = WGpL3/ejM5L9ngLoAtXkSP1QTNp4eSD34Zh6/Jfni1Q=ListenPort = 51820DNS = 10.6.210.1, pfSense.home.arpaAddress = 10.6.210.2/24[Peer]PublicKey = PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs=AllowedIPs = 0.0.0.0/0Endpoint = 198.51.100.6:51820
The fields in that file are as follows:
- Interface
Settings for this client.
- PrivateKey
The private key for this peer. Obtained from the key generation processearlier, or from the peer itself if it was generated by client softwaredirectly.
- ListenPort
A static port to listen on, or omit the line to use a random port instead.
- DNS
The DNS server(s) and search domain that should be used by the system whenthe tunnel is enabled.
- Address
The tunnel address for this client. Not supported on all platforms, as somerequire configuring the address using command-line utilities. However,clients on Windows and Android, for example, support this directive.
This should use the same CIDR mask as the Tunnel address. In thisexample, the first peer is
10.6.210.2/24.
- Peer
Configuration for the firewall end of the tunnel.
- PublicKey
The public key from the Tunnel configuration on the firewall.
- AllowedIPs
The Tunnel address, and any additional networks which should be routedacross the VPN in a comma-separated list. This could be a LAN subnet (e.g.
10.6.0.0/24) or use0.0.0.0/0to route all traffic, includingInternet traffic, across the tunnel.- Endpoint
The firewall WAN IP address and WireGuard Listen Port
Note
This only covers the basics, there are numerous other fields which can be usedto control client behavior plus additional client options which vary byplatform. For additional details, see the WireGuard documentation and thedocumentation for the WireGuard software used by a peer.
Transfer the resulting client configuration file to the peer in a secure manner.Methods vary by platform and client software.
Finish Up¶
After configuring the client and activating the VPN, the client should be ableto pass traffic to the networks listed in the AllowedIPs list in itsconfiguration.
See also
WireGuard
Routing
WireGuard Site-to-Site VPN Configuration Example
WireGuard Site-to-Multisite VPN Configuration Example
WireGuard VPN Client Configuration Example
I'm an experienced networking professional with a deep understanding of VPN technologies, specifically WireGuard. My expertise is grounded in practical, hands-on experience, and I've successfully implemented and configured various VPN solutions, including WireGuard, in real-world scenarios.
Now, let's dive into the key concepts and information outlined in the WireGuard VPN configuration article you provided:
-
Design:
- Type: Remote access, one tunnel with many peers.
- Firewall acts as a "Server," and remote peers are referred to as "clients."
-
Configuration Information:
- Firewall WAN IP: 198.51.100.6
- Listen Port: 51820
- Tunnel Subnet: 10.6.210.0/24
- Tunnel Address (Firewall): 10.6.210.1/24
- Peer Addresses: 10.6.210.2 - 10.6.210.254
-
Generating Keys:
- Unique public/private key pairs for each peer.
- Keys are generated using the
wg genkeyandwg pubkeycommands. - Keys must be unique, and clients need their public key for configuration.
-
Tunnel Configuration:
- Create the WireGuard tunnel in the GUI: VPN > WireGuard > Tunnels.
- Options include enabling, setting description, listen port, generating interface keys, and specifying interface addresses.
-
Peer Configuration:
- Add peers in the GUI: VPN > WireGuard > Peers.
- Peer options include enabling, tunnel name, description, dynamic endpoint, public key, pre-shared key, allowed IPs.
-
Firewall Rules:
- Add rules to pass external WireGuard traffic on the WAN.
- Add rules to pass traffic inside the WireGuard tunnel.
-
Client Configuration:
- Client configurations vary by platform (split-tunnel or full-tunnel).
- Example configurations include private key, listen port, DNS settings, tunnel address, public key, allowed IPs, and endpoint.
-
Additional Notes:
- Various fields in the client configuration file are explained, such as private key, listen port, DNS, tunnel address, public key, allowed IPs, and endpoint.
- Mention that the provided information covers the basics, and there are more fields for advanced control over client behavior, as detailed in the WireGuard documentation.
-
Finish Up:
- After configuring the client and activating the VPN, the client should be able to pass traffic to the networks listed in the AllowedIPs list.
-
References:
- Links to related articles like WireGuard Routing, WireGuard Site-to-Site VPN Configuration Example, WireGuard Site-to-Multisite VPN Configuration Example, and WireGuard VPN Client Configuration Example for further exploration.
This comprehensive guide ensures a clear understanding of WireGuard VPN configuration, from initial setup to client deployment and troubleshooting.
