In an era where digital privacy is paramount, setting up a Virtual Private Network (VPN) is no longer just a luxury but a necessity. While many commercial VPN services exist, hosting your own offers unparalleled control, privacy, and often, superior performance, especially for internal network access. This guide will walk you through the process of installing and configuring WireGuard VPN on your pfSense firewall, and then setting up a client on your Windows 11 machine.
Why WireGuard on pfSense?
- Speed: WireGuard is designed for high performance, often outperforming older VPN protocols like OpenVPN.
- Simplicity: Its codebase is significantly smaller, making it easier to audit and understand.
- Security: Utilizes modern cryptographic primitives for robust security.
- Integration with pfSense: pfSense provides a stable and feature-rich platform to manage your WireGuard server.
- Cost-Effective: Leverage your existing pfSense hardware without recurring VPN subscription fees.
Prerequisites
Before we begin, ensure you have:
- A running pfSense installation: Updated to the latest stable version.
- Administrative access to your pfSense interface.
- A Windows 11 machine: This will be our client device.
- Basic networking knowledge: Understanding of IP addresses, subnets, and firewalls is helpful.
- A static public IP address or Dynamic DNS (DDNS) configured on your pfSense WAN interface: This is crucial for external access to your VPN.
Step 1: Install the WireGuard Package on pfSense
The first step is to install the WireGuard package on your pfSense firewall.
- Log in to your pfSense web interface.
- Navigate to System > Package Manager.
- Click on the Available Packages tab.
- In the search bar, type “WireGuard” and press Enter.
- Locate the `wireguard` package and click the Install button.
- Confirm the installation. Once it completes, you should see WireGuard listed under VPN in the main menu.
Step 2: Configure the WireGuard Tunnel on pfSense
Now, let’s create the WireGuard tunnel interface.
- Go to VPN > WireGuard.
- Click on the “Tunnels” tab.
- Click the “Add Tunnel” button.
- Description: Give your tunnel a descriptive name, e.g., “WireGuard_VPN_Server”.
- Listen Port: Choose a UDP port for WireGuard to listen on. The default is `51820`, but `51822` is the one I used. Ensure this port is open on your WAN firewall rules later.
- Interface Keys: Click “Generate” next to “Private Key” and “Public Key”. These are unique to your pfSense WireGuard server.
- Address: Assign an IP address to your WireGuard interface. This should be an IP address from a new, unused subnet, for example `192.168.100.1/24`. This will be the gateway for your VPN clients.
- MTU: (Optional) You can leave this blank or set it to `1420`.
- Click “Save Tunnel”.
Step 3: Create a Peer for Windows 11
Next, we’ll create a peer entry for your Windows 11 client. Each client connecting to your WireGuard server requires its own peer configuration.
- While still in VPN > WireGuard, go to the “Peers” tab.
- Click “Add Peer”.
- Description: A descriptive name, e.g., “Windows11_Client”.
- Tunnel: Select the WireGuard tunnel you just created (e.g., “WireGuard_VPN_Server”).
- Allowed IPs: This is crucial. Enter the IP address you will assign to your Windows 11 client on the WireGuard network, along with its subnet mask. For example, if your WireGuard subnet is `192.168.100.0/24`, you might assign `192.168.1.12/32` for this specific client. This tells WireGuard which IP addresses this peer is allowed to use.
- Peer Public Key: Leave this blank for now. We will generate this on the Windows 11 client and paste it here later.
- Click “Save Peer”.
Step 4: Configure Firewall Rules
For your WireGuard VPN to function correctly, you need to allow traffic through your pfSense firewall.
- WAN Rule:
  - Go to Firewall > Rules.
  - Click on the “WAN” tab.
  - Click “Add” (the plus icon to add a new rule at the top).
  - Action: Pass
  - Interface: WAN
  - Protocol: UDP
  - Source: Any
  - Destination: WAN address
  - Destination Port Range: Enter the WireGuard Listen Port you chose (e.g., `51822`) for both “From” and “To” ports.
  - Description: “Allow WireGuard VPN Incoming”
  - Click “Save” and “Apply Changes”.
- WireGuard Interface Rule (Assign Interface First):
  - Go to Firewall > Rules.
  - Select the WireGuard tab.
  - Click “Add” (the plus icon to add a new rule at the top).
  - Action: Pass
  - Interface: WireGuard
  - Protocol: Any
  - Source: Any
  - Destination: Any (This allows VPN clients to reach your LAN and the internet. Be cautious if you want to restrict access.)
  - Description: “Allow WireGuard Client Traffic”
  - Click “Save” and “Apply Changes”.
Step 5: Install and Configure WireGuard Client on Windows 11
Now for the client-side configuration.
- Download WireGuard Client: Go to the official WireGuard website, https://www.wireguard.com/install/, and download the Windows client.
- Install WireGuard Client: Run the installer and follow the prompts.
- Generate Client Keys:
  - Open the WireGuard application.
  - Click “Add Tunnel” (the dropdown arrow) and select “Add empty tunnel…”.
  - This will automatically generate a Private Key and Public Key for your Windows 11 client.
  - Copy the Public Key generated for your Windows 11 client.
- Update pfSense Peer with Client Public Key:
  - Go back to your pfSense web interface: VPN > WireGuard > Peers.
  - Edit the “Windows11_Client” peer you created earlier.
  - Paste the copied Public Key from your Windows 11 client into the “Peer Public Key” field.
  - Click “Save Peer” and “Apply Changes”.
- Configure WireGuard Client: Now, populate the configuration in the WireGuard Windows client. WireGuard reads `#` as its comment character, so the explanatory comments below can stay in the file or be deleted:

```ini
[Interface]
PrivateKey = YOUR_WINDOWS_CLIENT_PRIVATE_KEY_HERE
# The IP you assigned to this peer in pfSense
Address = 192.168.100.224/32
# Your pfSense LAN IP
DNS = 192.168.1.1

[Peer]
# The Public Key from your pfSense WireGuard tunnel (Step 2)
PublicKey = PF_SENSE_WIREGUARD_PUBLIC_KEY_HERE
# 192.168.1.0/24 to access your LAN, 0.0.0.0/0 for a full tunnel (all traffic through the VPN)
AllowedIPs = 192.168.1.0/24, 0.0.0.0/0
# Your pfSense WAN IP or DDNS hostname, and the WireGuard Listen Port
Endpoint = YOUR_PFSENSE_PUBLIC_IP_OR_DDNS_HOSTNAME:51822
```

- Replace placeholders:
  - `YOUR_WINDOWS_CLIENT_PRIVATE_KEY_HERE`: The Private Key generated by the Windows WireGuard client.
  - `192.168.100.224/32`: The IP address you designated for this specific Windows 11 client on the WireGuard network (as set in the pfSense Peer’s “Allowed IPs”).
  - `192.168.1.1`: Replace with your actual pfSense LAN IP address for DNS, or a public DNS like `8.8.8.8`.
  - `PF_SENSE_WIREGUARD_PUBLIC_KEY_HERE`: The Public Key of your pfSense WireGuard tunnel (found under VPN > WireGuard > Tunnels on pfSense).
  - `192.168.1.0/24`: Replace with your actual pfSense LAN subnet if you want to access devices on your LAN.
  - `0.0.0.0/0`: This routes all traffic through the VPN. If you only want to access your LAN, remove this.
  - `YOUR_PFSENSE_PUBLIC_IP_OR_DDNS_HOSTNAME`: Your actual public IP address or configured DDNS hostname for your pfSense WAN.
  - `51822`: The WireGuard Listen Port you configured on pfSense.
- Save the Tunnel: In the Windows WireGuard client, save the tunnel configuration.
- Activate the Tunnel: Click the “Activate” button for your new tunnel in the WireGuard application.
Step 6: Test Your VPN Connection
Once activated, verify your connection:
- Check IP Address: On your Windows 11 machine, go to whatismyip.com (or similar). If `0.0.0.0/0` is in your `AllowedIPs`, your public IP should now reflect your pfSense’s public IP.
- Access Local Resources: Try to ping a device on your pfSense LAN (e.g., `ping 192.168.1.10`).
- Check WireGuard Status on pfSense: Go to Status > WireGuard on pfSense. You should see your Windows 11 peer connected with transferred data.
Troubleshooting Tips
- Firewall Rules: Double-check your WAN and WireGuard interface firewall rules. This is the most common issue.
- IP Addresses & Subnets: Ensure the `Address` in your client config matches the `Allowed IPs` for that peer on pfSense, and that the `AllowedIPs` in the client config correctly points to the subnets you want to access (e.g., your LAN and `0.0.0.0/0`).
- Keys: Verify that the Public Key of the pfSense tunnel is in the client’s peer config, and the Public Key of the client is in the pfSense peer config.
- Listen Port & Endpoint: Ensure the listen port matches in both configurations and that your public IP/DDNS is correct in the client’s endpoint.
- Logs or Status: Check the WireGuard logs on pfSense (Status > System Logs > OpenVPN/WireGuard).
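The checklist above can be run mechanically before you activate the tunnel. The following Python script is an added example, not part of this guide or of pfSense: it parses a client config laid out like the one in Step 5 and checks it against the values from the pfSense Tunnel and Peer pages (Steps 2 and 3), flagging an Address that is not a free /32 inside the tunnel subnet or is not covered by the peer’s Allowed IPs, a malformed key, an Endpoint port that differs from the Listen Port, and an AllowedIPs list that omits the LAN, and reporting whether the config is a full or split tunnel. The config text, the keys, the hostname and the pfSense values are constructed placeholders.

```python
import ipaddress
import re
# Constructed sample client config in the layout of the guide's Step 5 config.
CLIENT_CONF = """[Interface]
PrivateKey = cLiEnTpRiVaTeKeYcLiEnTpRiVaTeKeYcLiEnTpRiVA=   # constructed key, not a real one
Address = 192.168.100.224/32
[Peer]
PublicKey = pFsEnSeTuNnElPuBkEypFsEnSeTuNnElPuBkEypFsEA=
AllowedIPs = 192.168.1.0/24, 0.0.0.0/0
Endpoint = vpn.example.invalid:51822
"""
# Values as read off the pfSense Tunnel and Peer pages (constructed placeholders).
PFSENSE = {"tunnel_address": "192.168.100.1/24", "listen_port": 51822,              # Step 2
           "tunnel_pubkey": "pFsEnSeTuNnElPuBkEypFsEnSeTuNnElPuBkEypFsEA=",         # Step 2
           "peer_allowed_ips": "192.168.100.224/32", "lan_subnet": "192.168.1.0/24"}  # Step 3

def parse_wg_conf(text):
    """Parse [Section] / key = value lines; '#' (WireGuard's comment char) and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def valid_key(key):
    """A 32-byte WireGuard key is exactly 43 base64 characters plus one '=' (no stray whitespace)."""
    return re.fullmatch(r"[A-Za-z0-9+/]{43}=", key) is not None

def check_client_config(text, pf):
    """Apply the guide's troubleshooting checks; returns the problems found and the tunnel mode."""
    iface, peer = (parse_wg_conf(text).get(s, {}) for s in ("Interface", "Peer"))
    server = ipaddress.ip_interface(pf["tunnel_address"])
    lan = ipaddress.ip_network(pf["lan_subnet"])
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/32"))
    port = peer.get("Endpoint", "").rpartition(":")[2]
    allowed = [ipaddress.ip_network(a.strip()) for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    checks = [
        (addr.network.prefixlen == 32 and addr.ip in server.network and addr.ip != server.ip,
         "Address must be a free /32 inside the tunnel subnet %s" % server.network),
        (addr.ip in ipaddress.ip_network(pf["peer_allowed_ips"]), "pfSense peer Allowed IPs must cover Address"),
        (valid_key(iface.get("PrivateKey", "")), "client PrivateKey is not a 32-byte base64 key"),
        (peer.get("PublicKey") == pf["tunnel_pubkey"], "peer PublicKey is not the pfSense tunnel public key"),
        (port.isdigit() and int(port) == pf["listen_port"], "Endpoint port is not the pfSense Listen Port"),
        (any(lan.subnet_of(a) for a in allowed), "AllowedIPs does not include the LAN subnet %s" % lan),
    ]
    return {"problems": [msg for ok, msg in checks if not ok], "full_tunnel": any(a.prefixlen == 0 for a in allowed)}
```

Paste your own exported client config into `CLIENT_CONF` and the values from the pfSense pages into `PFSENSE`; an empty `problems` list means the two sides agree on every item in the checklist.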
You have successfully installed WireGuard VPN on your pfSense firewall and configured a Windows 11 client. You now have a fast, secure, and private way to access your home network or browse the internet securely from anywhere. WireGuard on pfSense provides a powerful and flexible solution for maintaining your digital sovereignty. Experiment with additional peers for other devices and explore more advanced WireGuard features to further enhance your network security!