How to setup Wireguard on PFSense 2.5/21.02 with iPhone Peers
For this guide, I am setting this up in the following example network:
Main LAN is 192.168.1.0/24
Firewall is at 192.168.1.1
External IP is 172.16.16.1
I: Create the VPN Tunnel
– Click on VPN and then Wireguard
– Click Add Tunnel
– Select Enabled
– Give the tunnel a description of your choosing
– Specify an address for your VPN network. This should not overlap your main LAN subnet and should be big enough to fit all your peers. The address will be the address of the interface on the firewall for routing purposes. In this example, I will be using 10.0.0.1/24
– Click Generate on Interface Keys
– Copy the Public key to a location for use later in this guide. For purposes of this guide, we’ll call this $PUBKEYFIREWALL=
– Hit Save
II: Create the Interface
– Click on Interfaces and then Assignments
– For Interface WG0 (assuming this is your first tunnel) click Add
– Click on Interfaces again then WG0
– Select Enable interface
– Put a description for the interface, I just used WG0
– Hit Save
III: Create Firewall rules
– Click Firewall and go to Rules
– Under WAN click Add (either top or bottom depending on your existing config)
– Make sure Action is set to Pass, Interface is set to WAN, and address family is set to IPv4
– Set Protocol to UDP
– Set Source to Any (Tailor if necessary to your own security desires)
– Set Destination to “WAN Address”
– Set Destination Port Range to custom and from 51820 to 51820
– Hit Save
– Go back to rules and then to the WG0 tab
– Hit Add
– Make sure action is set to Pass, Interface is WG0 and Address Family is IPv4
– Set Protocol to Any
– Set Source to “WG0 net”
– Set Destination to Any (or whatever you desire the peers to be able to connect to, in this example I’m using it for all Internet traffic. If you’re just needing to access your network, you can set it to a more narrow destination)
– Hit Save
– Hit Apply Changes at the top of the screen (Very Important)
IV: Set up peers (iPhone)
– On your iPhone go to the Wireguard app, hit the plus button and select “Create from scratch”
– For Name, put PFSense, or whatever you want to call the connection
– Hit Generate keypair
– Save the public key for later, we’ll call it $PUBKEYPHONE= for this guide.
– For Addresses, fill in an IP on your new VPN network. In this case, I’m using 10.0.0.2/24
– Leave Listen port and MTU blank
– Specify a DNS server if desired
– Scroll down to Peer
– For Public Key, put $PUBKEYFIREWALL= (the public key you generated for your firewall)
– Leave Preshared key blank for now
– For Endpoint, put the external IP of your firewall and the Wireguard port, in this example 172.16.16.1:51820
– For Allowed IPs, put the IP addresses you are trying to reach on your network. If you just want to access your network, then 192.168.1.0/24 is fine. If you want to route all Internet traffic through the VPN, put 0.0.0.0/0
– Hit Save at the top right
– Allow the app to make changes to your VPN config
V: Set up peers (PFSense)
– Go back to VPN and Wireguard
– Click edit next to WG0
– Hit Add peer
– For Description put iPhone or whatever you want to call it
– Leave Endpoint, Endpoint port, and Keep Alive blank
– For Public Key use the one we generated on the phone $PUBKEYPHONE=
– For Allowed IPs, these are the IPs you want to route from this end. In this case, it’s going to only be the phone as there is nothing else on that network, so put 10.0.0.2/32
– Hit Update
– Hit Save
VI: Connect your VPN
You should be able to now open the Wireguard app up on your iPhone and hit the slider on your PFSense network to connect. If you go to Settings and View Log you can see what the app is doing.
Try to access what you need and see if it works. Wireguard works a bit differently from other VPNs and won’t actually do anything unless you are passing traffic over it. Once it sees traffic heading to an IP in its Allowed IPs subnet, it will then try to handshake.
VII: Next steps and other considerations
If you want the VPN to connect whenever you’re off your network, you can go into the Wireguard app, edit the tunnel, and go down to On-Demand activation. There you can configure it how you want. For example, you can turn Cellular on so it connects when you’re not on Wi-Fi. You can also select Wi-Fi and specify SSIDs on which you do not want it to connect to the VPN, for example when you’re on your main network locally.
Pre-Shared key is optional, but increases the security of your network. To configure it, go into PFSense and the peer configuration. Hit Generate on the Pre-Shared key. Hit Update and Save, and then copy that Pre-Shared key into the PFSense peer settings in the Wireguard app on the phone.
Make sure you are copying and pasting everything perfectly. To set this up I used the browser on my iPhone to access PFSense and copy the public key and pre-shared key directly from the PFSense interface, and also to copy my phone’s public key directly into PFSense.
They are super long strings and really aren’t very conducive to just manually typing out.
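As an added example (not part of the original guide), the following Python script checks the addressing plan from sections I, III, IV and V for the mistakes that most often leave a tunnel silent (overlapping subnets, a peer address outside the tunnel network, the wrong Allowed IPs on either side, an endpoint port that does not match the WAN rule) and renders the phone-side peer config from section IV, including the optional pre-shared key from section VII. The key strings and the helper names are placeholders I made up for the example.

```python
import ipaddress

def check_plan(lan, tunnel_if, phone_addr, fw_allowed, phone_allowed, endpoint, wan_port):
    """Return a list of addressing mistakes in the plan; an empty list means it is consistent."""
    problems = []
    lan_net = ipaddress.ip_network(lan)
    tun = ipaddress.ip_interface(tunnel_if).network   # e.g. 10.0.0.1/24 -> 10.0.0.0/24
    phone = ipaddress.ip_interface(phone_addr).ip     # e.g. 10.0.0.2/24 -> 10.0.0.2
    if tun.overlaps(lan_net):                         # section I: no overlap with the main LAN
        problems.append(f"tunnel {tun} overlaps LAN {lan_net}")
    if phone not in tun:                              # section IV: peer address inside the tunnel net
        problems.append(f"phone {phone} is not inside tunnel {tun}")
    want = [ipaddress.ip_network(f"{phone}/32")]      # section V: firewall side lists only the phone /32
    if [ipaddress.ip_network(n) for n in fw_allowed] != want:
        problems.append(f"firewall AllowedIPs {fw_allowed} should be exactly {phone}/32")
    # section IV: phone side must cover the LAN (192.168.1.0/24) or everything (0.0.0.0/0)
    if not any(lan_net.subnet_of(ipaddress.ip_network(n)) for n in phone_allowed):
        problems.append(f"phone AllowedIPs {phone_allowed} do not cover LAN {lan_net}")
    port = int(endpoint.rsplit(":", 1)[1])            # section III: endpoint port == WAN pass rule port
    if port != wan_port:
        problems.append(f"endpoint port {port} does not match WAN rule port {wan_port}")
    return problems

def phone_conf(phone_addr, phone_privkey, fw_pubkey, endpoint, phone_allowed, psk=None):
    """Render the [Interface]/[Peer] text that the iPhone app builds from section IV (and VII)."""
    lines = ["[Interface]", f"PrivateKey = {phone_privkey}", f"Address = {phone_addr}", "",
             "[Peer]", f"PublicKey = {fw_pubkey}", f"Endpoint = {endpoint}",
             f"AllowedIPs = {', '.join(phone_allowed)}"]
    if psk:                                           # optional pre-shared key, same value on both peers
        lines.append(f"PresharedKey = {psk}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed values matching the guide's example network; keys are placeholders, not real keys.
    print(check_plan("192.168.1.0/24", "10.0.0.1/24", "10.0.0.2/24",
                     ["10.0.0.2/32"], ["0.0.0.0/0"], "172.16.16.1:51820", 51820))
    print(phone_conf("10.0.0.2/24", "<PRIVKEYPHONE>", "<PUBKEYFIREWALL>",
                     "172.16.16.1:51820", ["0.0.0.0/0"], psk="<PRESHAREDKEY>"))
```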
Edit: Update III.6 to WAN Address from “This Firewall (self)” per PFSense official documentation.