rcmcdonald91/pfSense-pkg-WireGuard: This is a port of the original WireGuard UI bits as implemented by Netgate in pfSense 2.5.0 to a package suitable for rapid iteration and more frequent updating on future releases of pfSense.
Posted by jpluimers on 2025/12/25
This is actually the WireGuard package you can install on pfSense CE 2.5.2 and higher: [Wayback/Archive] rcmcdonald91/pfSense-pkg-WireGuard: This is a port of the original WireGuard UI bits as implemented by Netgate in pfSense 2.5.0 to a package suitable for rapid iteration and more frequent updating on future releases of pfSense.
Note that the source code mentions a lot of web-technologies but that is because the majority of the code is the pfSense plugin. Underneath it pulls the actual build from [Wayback/Archive] git.zx2c4.com/wireguard-freebsd/snapshot which is almost exclusively C code.
Like WireGuardNT on Windows, it uses a high performance kernel mode driver.
Some more links on it:
- [Wayback/Archive] Virtual Private Networks — WireGuard | pfSense Documentation
- [Wayback/Archive] WireGuard safe to use? : PFSENSE
- [Wayback/Archive] pfSense: WireGuard returns as an Experimental Package (although by now it certainly is not experimental any more)
- [Wayback/Archive] WireGuard: fast, modern, secure VPN tunnel
- [Wayback/Archive] New WireGuardNT shatters throughput ceilings on Windows | Ars Technica
- [Wayback/Archive] How to Set Up WireGuard on pfSense in 2023
- [Wayback/Archive] Simple and Secure VPN in FreeBSD – Introducing WireGuard | Klara Inc
The in-kernel version is faster, but must be customized for each OS, and not every OS supports this yet. The first kernel implementation was offered for Linux, but there is now an in-kernel implementation for FreeBSD, and also one for OpenBSD, with a NetBSD implementation in progress.
WireGuard repositories:
- [Wayback/Archive] ZX2C4 Git Repository a some of the [Wayback/Archive] ZX2C4 Git Repository: filtered by “wireguard”:
- [Wayback/Archive] WireGuard mirrors the official [Wayback/Archive] WireGuard repositories, for instance
- [Wayback/Archive] WireGuard/wireguard-freebsd: Mirror only. Official repository is at
https://git.zx2c4.com/wireguard-freebsd. - [Wayback/Archive] WireGuard/wireguard-linux: Mirror only. Official repository is at
https://git.zx2c4.com/wireguard-linux - [Wayback/Archive] WireGuard/wireguard-windows: Download WireGuard for Windows at
https://www.wireguard.com/install. This repo is a mirror only. Official repository is athttps://git.zx2c4.com/wireguard-windows
- [Wayback/Archive] WireGuard/wireguard-freebsd: Mirror only. Official repository is at
WireGuard on Linux:
- [Wayback/Archive] How WireGuard made it into Linux • The Register
- [Wayback/Archive] LKML: Linus Torvalds: Re: [GIT] Networking
Btw, on an unrelated issue: I see that Jason actually made the pull request to have wireguard included in the kernel.
Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.
One of the best videos on getting site-to-site WireGuard running between two pfSense devices: [Wayback/Archive] Basic Site-to-Site VPN Using WireGuard and pfSense – YouTube
Timestamps:
Another video that to me was slightly more clear on the firewall settings was [Wayback/Archive] Tutorial: How to Configure WireGuard and pfSense for Remote Access – YouTube.
It also showed another trick, which is to generate the required private and public keys plus configuration files used by other WireGuard implementations on-line. This is convenient, especially for mobile applications as these benefit from the generated QR codes. Some of these sites are below.
Peers can be road warriors without a known IPv4
[Wayback/Archive] Virtual Private Networks — WireGuard — Design Considerations | pfSense Documentation
WireGuard does not have a concept of “Client” and “Server” per se, but depending on the configuration the firewall can behave in a manner similar to a “Client” (initiates locally, remote never initiates) or “server” (never initates, remotes always initiate).Technically every WireGuard tunnel is a peer to peer connection, but there are three main ways a WireGuard tunnel can be configured depending on whether or not a peer endpoint is known or defined:
Configuring other peers than pfSense is harder than needed
Since at the time of writing, there is no easy way to export peer configuration (see below) it is a bit tougher than needed to configure non-pfSense systems as peers.
For instance, Android benefits from being able to read the config via a QR Code. Otherwise it is a manual key exchange (public pfSense tunnel interface key goes to Android; Android public peer key goes to pfSense).
Anyway: here are some links that also discuss connecting non-pfSense clients:
- [Wayback/Archive] Configuring WireGuard on pfSense 21.02 and Android
- [Wayback/Archive] Configuring WireGuard Package on pfSense 21.05 and Android
Now that the server tunnel is configured we turn our focus to the client (a.k.a peer). This involves configuring it as a peer in WireGuard on pfSense and configuring it on the device itself.First we must generate a new public/private key pair for the Android device. Then we must exchange public keys between the Android device and pfSense.After the key exchange is completed the Android peer can be configured on the WireGuard server. - [Wayback/Archive] pfsense wireguard android – Google Search
- [Wayback/Archive] How to Set Up WireGuard on pfSense in 2023
Oh, and the Android client of course:
Online WireGuard configuration generators
The above idea is cool, so I searched for more so that you can try them and get a feel for which one is the most secure (some are console scripts which you are sure won’t communicate security details back to a server side):
- [Wayback/Archive] WireGuard Tools – Configuration Generator
This tool is to assist with creating config files for a WireGuard ‘road-warrior’ setup whereby you have a server and a bunch of clients. Simply enter the parameters for your particular setup and click Generate Config to get started.
All keys, QR codes and config files are generated client-side by your browser and are never seen by our server.
Given a text config, it can also produce the QR code on [Wayback/Archive] WireGuard Tools – QR Code Generator
This tool allows you to easily convert a wireguard config file into a QR code
QR codes are generated client-side by your browser and are never seen by our server.
Found via [Wayback/Archive] Wireguard Config Generator (Free web-based tool) : WireGuard.
- [Wayback/Archive] Wireguard Config Generator
This page intends to generate a config that can be saved to a server, which allows for all client config to be regenerated/updated from the servers config as required. The config is a very basic tunnel, where each client can only access the servers IP, and no routing/masquerading is allowed (ideal for single server remote access).
It is open source at [Wayback/Archive] dbca-wa/wg-webcfg: Web based wireguard config generator.
- [Wayback/Archive] https://wg-conf-gen.vercel.app/ is also open source, this time at [Wayback/Archive] ppodds/wg-conf-gen: A wg-quick config generator and available on web browser..
- [Wayback/Archive] WireGuard configuration – Egor Tensin
This page assumes that you have a WireGuard server configured on interface
wg0. You can then generate the new client’s keys, feed them to this page and it will show configuration files that can be used by the client.Take a look at an example configuration [Wayback/Archive] to learn more.
(where the configuration can optionally be saved in an URL: be careful with that), supports various formats (wg-quick, NetworkManager, systemd-networkd and ip & wg) and is open source too: [Wayback/Archive] egor-tensin/wireguard-config: Generate WireGuard configuration files
Easily generate WireGuard client & server configuration for the following connection managers:
- wg-quick,
- systemd-networkd,
- NetworkManager,
ipand wg.
…
This is a static website, so no server-side processing is happening. You can easily verify that your browser doesn’t make any requests to any servers using your browser’s debugging tools.
…
The search for the above links also taught me about GitHub topics: [Wayback/Archive] wireguard-config-gen · GitHub Topics.
That last link also made me find these that are interesting outside the pfSense context:
- [Wayback/Archive] ngoduykhanh/wireguard-ui: Wireguard web interface might be interesting for Linux
- [Wayback/Archive] dashboardlabs/wireguard-manager: Simple WireGuard VPN Manager for provisioning WireGuard profiles for multiple users which is interesting for kubernetes usage.
- [Wayback/Archive] k4yt3x/wg-meshconf: WireGuard full mesh configuration generator. which gives me the feeling by time I would need it, that Tailscale would be a better solution.
Will pfSense allow export itself?
At the time of writing this was a long standing feature request:
- [Wayback/Archive] Peer for each mobile client?(SOLVED) | Netgate Forum
Long story short, they are working on it, but it’s not that “simple” as just create a QR code as WG treats every peer the same so it’s not just a “client export” thingy but the exporter has to be flexible as to the settings the user wants the device to have.
- [Wayback/Archive] feature suggestion: Auto configuration of wireguard bridges between pfsense installs | Netgate Forum
- [Wayback/Archive] Feature #11281: Generating WireGuard QR codes for fast mobile deployments – pfSense – pfSense bugtracker
Hopefully by now…
Why use the /32 network for peer AllowedIPs?
My first every WireGuard setup was just of two nodes talking to each other thereby allowing traffic between the two underlying LANs.
So I wondered why on the tunnel network interface [Interface] side Address was using /24, but on the [Peer] side AllowedIPs was using /32.
So I found these interesting links:
- [Wayback/Archive] Help on /24 and /32 when using as a VPN Server : WireGuard
…
In Address the notation specifies a single IP address and a subnet mask. In AllowedIPs the notations specifies a group of IP addresses where /32 would be just a single address and /24 would be 256 IP addresses. The addresses in AllowedIPs should not overlap. This setting is used by WireGuard to decide to which peer to send a packet. If, for example, 10.0.0.42 is part of two different AllowedIPs sets, WireGuard would not know to which peer it should send a packet addressed to 10.0.0.42.…
- [Wayback/Archive] Why use /32 instead of /24 for a client’s [Interface]? · Issue #73 · pirate/wireguard-docs
- [Wayback/Archive] Some Unofficial WireGuard Documentation – HedgeDoc (one of the best documentation efforts on WireGuard)
📖 Unofficial WireGuard Documentation: Setup, Usage, Configuration, and full example setups for VPNs supporting both servers & roaming clients.
…
Config Shortcuts
Credit for these shortcuts goes to:
https://www.ericlight.com/new-things-i-didnt-know-about-wireguard.htmlSharing a single peers.conf file
WireGuard will ignore a peer whose public key matches the interface’s private key. So you can distribute a single list of peers everywhere, and only define the
[Interface]separately on each server.See: https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
You can combine this with
wg addconflike this:- Each peer has its own
/etc/wireguard/wg0.conffile, which only contains its[Interface]section. - Each peer also has a shared
/etc/wireguard/peers.conffile, which contains all the peers. - The
wg0.conffile also has aPostUphook:PostUp = wg addconf /etc/wireguard/peers.conf.
It’s up to you to decide how you want to share the
peers.conf, be it via a proper orchestration platform, something much more pedestrian like Dropbox, or something kinda wild like Ceph. I dunno, but it’s pretty great that you can just wildly fling a peer section around, without worrying whether it’s the same as the interface.Setting config values from files or command outputs
You can set config values from arbitrary commands or by reading in values from files, this makes key management and deployment much easier as you can read in keys at runtime from a 3rd party service like Kubernetes Secrets or AWS KMS.
See: https://lists.zx2c4.com/pipermail/wireguard/2018-December/003702.html
Example
You can read in a file as the
PrivateKeyby doing something like:PostUp = wg set %i private-key /etc/wireguard/wg0.key <(some command)…
- Each peer has its own
- [Wayback/Archive] Wireguard VPN: Typical Setup – The poetry of (in)security
- [Wayback/Archive] Wireguard VPN: Chained Setup – The poetry of (in)security
- [Wayback/Archive] Meet Algo, the VPN that works | Trail of Bits Blog
Today we’re introducing Algo, a self-hosted personal VPN server designed for ease of deployment and security. Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need.
And it’s free.
- Open source at [Wayback/Archive] trailofbits/algo: Set up a personal VPN in the cloud
Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers.
- Open source at [Wayback/Archive] trailofbits/algo: Set up a personal VPN in the cloud
One host, multiple peers
These are related to the /32 posts above:
- [Wayback/Archive] Cannot connect to Wireguard tunnel if more than one peer is configured (wireguard package) : PFSENSE
The issue is you can’t have multiple peers on the same tunnel with overlapping AllowedIPs. You have 0.0.0.0/0 configured for both peers, this is not possible. Typically if you’re doing road warrior setups, the “server” would have /32 and/or /128 host routes for the peer’s interface address. On the “client” then you would have 0.0.0.0/0 for full tunnel, or specific subnets for split-tunnel
- [Wayback/Archive] Constrained_Entropy comments on WireGuard – How to have multiple clients on the same machine connected to one server?
…
My WG subnet is 10.28.5.0/29 (10.28.5.0-10.28.5.7). The server is at 10.28.5.1, the first client peer is at 10.28.5.2, and the second client peer is at 10.28.5.3. Note the /29 after the server Address in the Interface, to allow the server to talk to all clients, but the /32 after each peer address, to ensure that only traffic for that particular peer goes through that tunnel.
…
Videos
Most via [Wayback/Archive] pfsense wireguard site to site – YouTube.
- [Wayback/Archive] Basic Site-to-Site VPN Using WireGuard and pfSense – YouTube (22.01 – similar to 2.6.0)
- [Wayback/Archive] Site to Site VPN with Wireguard on OPNsense and pfSense (2022) – YouTube (2.6.0)
- [Wayback/Archive] Tutorial: pfsense Wireguard For Remote Access – YouTube (2.5.2, also showing where things can go wrong: WireGuard is really bad at reporting why things do not work: it’s a quiet protocol)
- [Wayback/Archive] How to Install WireGuard on pfSense (Tutorial) – YouTube (2.6.0, lots of explanation on the why in addition to the how)
- [Wayback/Archive] PFsense and Wireguard Site to Site VPN (2022 Edition) – YouTube (2.6.0, quick walk through without much on the “why”)
Queries
- [Wayback/Archive] wireguard experimental – Google Search
- [Wayback/Archive] wireguard bsd experimental – Google Search
- [Wayback/Archive] wireguard in the linux kernel – Google Search
- [Wayback/Archive] wireguard pfsense – Google Search
- [Wayback/Archive] pfsense wireguard example 192 – Recherche Google
- [Wayback/Archive] wireguard config generator – Google Search
- [Wayback/Archive] github wireguard config generator – Google Search
- [Wayback/Archive] pfsense wireguard generate qr code – Google Search
- [Wayback/Archive] why does wireguard use 32 networks – Google Search
- [Wayback/Archive] pfsense wireguard multiple peers – Google Search
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment