Tutorial: pfsense Wireguard for Remote Access



Our pfsense tutorials
https://lawrence.technology/pfsense/

Getting Started Building Your Own Wireguard VPN Server
https://forums.lawrencesystems.com/t/getting-started-building-your-own-wireguard-vpn-server/7425

pfsense manual
https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

Christian McDonald
pfSense Software + WireGuard Package – Project Report 011
https://youtu.be/K55jP80dOLM

⏱️ Timestamps ⏱️
00:00 pfsense Wireguard remote access
02:30 pfsense Wireguard documentation
03:00 Lab setup
05:31 Install Wireguard package
06:05 Wireguard firewall rules
07:02 Creating Wireguard tunnel
08:46 WAN Wireguard rule
09:22 Wireguard outbound NAT rule
11:03 Adding peers
11:44 Configuring Linux peer
16:00 Configuring Windows peer
19:52 Split vs. full tunnel
22:19 Wireguard troubleshooting

39 comments
  1. Our pfsense tutorials
    https://lawrence.technology/pfsense/

    Getting Started Building Your Own Wireguard VPN Server
    https://forums.lawrencesystems.com/t/getting-started-building-your-own-wireguard-vpn-server/7425

    pfsense manual
    https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

    Christian McDonald
    pfSense Software + WireGuard Package – Project Report 011
    https://youtu.be/K55jP80dOLM

    ⏱ Timestamps ⏱
    00:00 pfsense wireguard remote access
    02:30 pfsense wireguard Documentation
    03:00 Lab Setup
    05:31 Install Wireguard Package
    06:05 Wireguard Firewall Rules
    07:02 Creating Wireguard Tunnel
    08:46 WAN Wireguard Rule
    09:22 Wireguard Outbound NAT Rule
    11:03 Adding Peers
    11:44 Configuring Linux Peer
    16:00 Configuring Windows Peer
    19:52 Split VS Full Tunnel
    22:19 Wireguard Troubleshooting

  2. Quick Q: You added the subnets of multiple vLANs at the PEER's config, which allows the PEER to get to each vLAN. However, if the firewall rules allow ALL traffic between vLAN1 and vLAN2 (including the WireGuard & WAN rules allowing all traffic) and you only specify vLAN1 (with or without the WireGuard subnet) at the PEER's config, you can't get traffic from the PEER device to vLAN2. Is this expected?

  3. The only question I have in relation to this is the ability to use this for mobile devices to connect. Is that possible as of the current moment?

  4. Excited to replace my home router with a custom built one running pfsense. I was just in the process of figuring out what VPN to use and this popped up in my feed. Thanks for sharing!!

  5. so you have to set up a peer for every host on the network? with openvpn, I can use my phone to get to any device on my network, no configuration needed on the clients except to let me in the front door. is that not possible with wireguard?

  6. Tom – Thanks again for another great video. I'll definitely refer back to this when I need to set up external access. Not sure if you're planning on releasing a video similar to Christian's about setting up Wireguard access to a VPN provider (or at least troubleshooting steps), but I've been having at least one strange issue there.

    I've got the Wireguard tunnel set up and peer added for the endpoint (Sweden, for example) and all the traffic is passing fine. However, if I modify the same peer to go to a different location, like Mexico, Wireguard seems to hold on to the old peer information and connects to Sweden again. I've tried restarting Wireguard and the appliance, enabling/disabling the WG interface, but nothing seems to drop that hold aside from making a new peer from scratch. It's not a huge issue, since all the traffic is still going out encrypted, but I'm used to simply changing the OpenVPN endpoint and it going to the new location without hassle. Any thoughts on what might cause this or how to mitigate it?

    Thanks so much!

  7. Thanks Tom. Another great tutorial. Is there a way to introduce some form of 2FA into the remote connection? Just concerned about remote users connecting from home and their home network is compromised. At least Openvpn allows for a password prompt?

  8. Thanks Tom; I hope this gets more straightforward as it gets to the production version. My brain is spinning having watched this! Is there a major speed increase for remote users dialling to WG, versus oVPN?

  9. This is awesome. I needed this as I'm getting back into pfsense again. Played from 2016ish to Dec 2019 with a functional machine as my home router. I moved right before Covid and didn't have control over the internet in the new place. Anyways, I'm just a novice enthusiast user and I'd like to request for your "pfsense to pfsense" video… one of my main goals was to build a portable pfsense (with AP) box I could plug in at a family member's/friend's house or hotel that connects to my home pfsense (via VPN), ideally automatically, so it's just like I'm on my home network and have access to everything without having to configure all my traveling devices individually (which I don't mind doin). But would love that all-in-one solution partly to build and learn but also convenience or to get around hotel restrictions/control. Thanks for all the info and tutorials on pfsense you provide to the community 🙂

  10. Thanks Tom. I've been waiting for this. I followed the instructions, but I can't get full tunnel to work. I can browse the local network but I just can't get traffic out to the internet. I did the allow all rule for wireguard. I can't figure out why.

  11. is there any way to use a dhcp assigned address for a client?
    seems like a big hassle to have to manage every client by statically adding their ip

  12. Thank you for the time you invested into creating and sharing this. I watched on my treadmill and I see a lot of usefulness for it! Great Job!

  13. Been a Palo Alto fan since working in gov, but by watching your videos, pfsense has been proven a really fantastic alternative!

  14. for your site to site vid coming up – it may be worth mentioning that there's this glaring bug under the hood with pfsense which netgate is saying is a bsd issue preventing people from opening a port on the far end of a site to site tunnel and trying to do port forwarding across the tunnel. the return traffic will get sent out the default gateway, not back across the vpn link. I have had to do super gross, dumb, hacky things to get around this, but it's probably worth mentioning! 😀

  15. I can't connect to the pfsense DNS resolver from WG even after adding an interface for the indiv tunnel and firewall and adding it to the DNS resolver.

  16. I'm gutted that it's now a package, I know it doesn't bother most people but I'm really not a fan of packages in pfSense. I do love WireGuard though. The argument for the kernel-module being able to be updated more quickly isn't valid. It's not meant to get regular crypto updates (maybe every 5-8 years or so), hence why it was originally built right into the pfSense build first time around before the kernel implementation issues came to light.

  17. once the wg server end point times out – without using keep alive – does it reestablish the link once traffic to one of the allowed networks is detected? eg, client attempt to access a remote file share. Just trying to determine if the end user has to reconnect the VPN manually, or if it just reestablishes it on its own?

  18. I used the user manual and suffered a little until I realized what was what. Therefore, I love to watch videos in which they show all the steps that are needed and without unnecessary actions))
    Thank you for the video.
