Virtual Private Networks — WireGuard — WireGuard Settings (2024)

WireGuard Package Settings

The WireGuard package contains the following configurable options:

Enable

Controls whether or not the WireGuard service itself is enabled or disabled.

Keep Configuration

Controls whether or not the tunnel/peer configurations and package settings will persist when the package is removed.

Endpoint Hostname Resolve Interval

Controls how often peer endpoint hostnames are resolved and updated by the WireGuard service. By default this is 300 seconds (5 minutes).

Track System Resolve Interval

This option overrides the Endpoint Hostname Resolve Interval setting and configures the WireGuard service to track and use the system Aliases Hostnames Resolve Interval.

Interface Group Membership

Controls which WireGuard tunnels are implicit members of the WireGuard interface group. By default this is All Tunnels.

Tip

See Rule Methodology for more on Interface Groups and Rule Processing Order.

Hide Secrets

Controls whether or not secrets (private and pre-shared keys) are hidden in the user interface.

Warning

Hide Secrets only hides secrets in the user interface. It does not obfuscate secrets for storage in the pfSense® software configuration file, config.xml. For more information on password storage and protecting configuration file backups see Password Storage Security Policies.

WireGuard Tunnel Settings

When creating or editing a WireGuard tunnel, the following options are available:

Enable

Controls whether or not this WireGuard tunnel is enabled or disabled.

Note

A WireGuard tunnel cannot be disabled while assigned as an interface.

Description

A short text description of this WireGuard tunnel.

Listen Port

The local port upon which this WireGuard tunnel will listen for incoming traffic from peers, and the port from which it will source outgoing packets. The default port is 51820; each additional tunnel must use a different port.

Note

The GUI will automatically suggest the next highest available port.

Interface Keys

The private and public key pair for this WireGuard tunnel. The public key is derived from the private key and does not need to be entered separately. The GUI will display the public key automatically when possible. When entering a new private key manually, the public key will be available after saving the tunnel.

The private key stays only on this firewall; the public key is copied to peers.

A new set of keys can be generated by the Generate button.

Tip

Click Copy under the public key to copy it to the clipboard.

Interface Addresses

A list of IPv4 and/or IPv6 addresses which will be assigned to this WireGuard tunnel.

Note

Interface addresses are configured here only for WireGuard tunnels that are not assigned to an interface via Interface Configuration.

WireGuard Peer Settings

When creating or editing a WireGuard peer, the following options are available:

Enable

Controls whether or not this WireGuard peer is enabled or disabled.

Tunnel

Controls which WireGuard tunnel to associate with this peer. The default is Unassigned.

Tip

Peers can easily be staged or moved between tunnels using this option.

Description

A short text description of this peer.

Dynamic Endpoint

This option controls whether a WireGuard peer should be considered dynamic. Uncheck this option for a peer that has a fixed, static endpoint address or hostname.

Endpoint

The IP address or hostname of the remote WireGuard peer, from which the peer will connect to this firewall, and to which this WireGuard instance will send traffic destined for this peer.

This can be left empty if the peer endpoint is unknown, such as for dynamic remote access clients. When empty, the tunnel will track the endpoint dynamically based on the key used by the peer. Additionally, when empty, this firewall cannot initiate traffic on the tunnel to the peer until the remote peer sends traffic.

Endpoint Port

The port used by the peer for WireGuard traffic. The default port is 51820 if left empty.

Note

If the Endpoint is empty, this value is ignored.

Keep Alive

An interval, in seconds, at which an empty packet is sent to the peer to keep the session active. This can improve handling through stateful firewalls. Disabled by default.

Public Key

The public key of this peer.

Pre-Shared Key

An optional pre-shared key which provides an additional layer of symmetric-key cryptography on top of the public key cryptography for post-quantum resistance.

A new pre-shared key can be generated by the Generate button.

Tip

Click Copy under the public key to copy it to the clipboard.

Allowed IPs

List of networks on the peer side which the firewall can reach through this peer. For example, on a site-to-site VPN this would be the tunnel address of the peer and any LAN segments reachable via this peer.

When a tunnel has multiple peers this list allows WireGuard to determine which peer will receive traffic for destinations routed through the WireGuard interface.

The networks listed here are transformed into proper subnet start boundaries prior to validating and saving.

Warning

These networks cannot be duplicated between multiple peers on the same tunnel; they must be unique. Otherwise, only the last peer in the list will be configured properly.

Note

All traffic may be associated with a peer by using 0.0.0.0/0 for IPv4 or ::/0 for IPv6, but this won't work for a tunnel with multiple peers. Only the last peer in the list will be configured properly.

Note

Routes are not automatically created in the system routing table. Routes for networks other than the tunnel network itself must be configured separately using static or dynamic routes.

Tip

For those familiar with OpenVPN, the internal routing used by WireGuard is similar to iroute statements which associate remote networks with specific clients.
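The Allowed IPs behaviour described above (boundary normalisation, the "last peer wins" effect of duplicates, and peer selection by destination) can be modelled with a few lines of Python. This is an added illustration, not pfSense or WireGuard code; the peer names and networks are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed peers for one tunnel (hypothetical names and networks, not from the page).
# site-b's LAN entry has host bits set; site-c repeats site-a's LAN network.
PEERS: List[Tuple[str, List[str]]] = [
    ("site-a", ["10.6.210.2/32", "192.168.10.0/24"]),
    ("site-b", ["10.6.210.3/32", "192.168.20.77/24"]),
    ("site-c", ["10.6.210.4/32", "192.168.10.0/24"]),
]


def normalize(cidr: str) -> Network:
    """Clamp an Allowed IPs entry to its subnet start boundary, as the GUI does before saving."""
    return ipaddress.ip_network(cidr, strict=False)


def build_cryptokey_table(peers: List[Tuple[str, List[str]]]):
    """Map each allowed network to exactly one peer.

    A later peer that lists an already-claimed network overwrites the earlier
    owner, which is the 'only the last peer is configured properly' effect the
    warning above describes. Duplicates are reported so a config check can flag them.
    """
    table: Dict[Network, str] = {}
    duplicates: List[Tuple[str, str, str]] = []
    for name, allowed in peers:
        for cidr in allowed:
            net = normalize(cidr)
            if net in table:
                duplicates.append((str(net), table[net], name))
            table[net] = name
    return table, duplicates


def select_peer(table: Dict[Network, str], dest: str) -> Optional[str]:
    """Pick the peer whose Allowed IPs entry is the longest prefix containing dest."""
    addr = ipaddress.ip_address(dest)
    best: Optional[Tuple[Network, str]] = None
    for net, peer in table.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, peer)
    return best[1] if best else None


if __name__ == "__main__":
    table, dups = build_cryptokey_table(PEERS)
    print("duplicates:", dups)
    print("192.168.20.5 ->", select_peer(table, "192.168.20.5"))
```

Running the check over a pfSense peer list exported from the GUI would surface exactly the duplicate entries the warning says must be unique.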
