pfSense 2.5.0 WireGuard Site-to-Site VPN

  • Published: 10 Sep 2024

Comments • 54

  • @Practical-IT
    @Practical-IT 3 years ago +9

    Well done Travis. This is one of the first videos to pop up for pfSense 2.5.0.

  • @ВладимирПутин-е7м
    @ВладимирПутин-е7м 3 years ago

    Excellent..... the fudging, the explanations, the fixes, it was all great. Please do more. I like the style, very matter of fact as if I was 'fudging my way through it along with you.' Thank you.

    • @TravisNewton1
      @TravisNewton1 3 years ago

      Thank you! This is the first time I've received a compliment on my style. I don't like adding extra fluff (I've tried it, but I don't like it) and I try to minimize as much editing as possible. Glad you like it! I'll be doing more as my schedule permits!

  • @boink800
    @boink800 3 years ago +1

    Wireguard works very much like ssh (if you use ssh with keys only). Big point: Wireguard works in kernel space (as a module), while other VPN apps work in user space.

  • @ronw6808
    @ronw6808 3 years ago

    Thanks for taking the time to create a howto video on this. It was very helpful!

  • @kevindd992002
    @kevindd992002 3 years ago

    Travis, these are my comments:
    1. I suggest you also include the tunnel transit network (in your case, it's 10.235.0.0/24) in the "Allowed IPs" field of the peer settings. Without it, gateway monitoring does not seem to work.
    2. Add the WG rules on the WG Interface tab and NOT on the WG group tab (where you added them in your video). This is so that reply-to's will work (if you need them). This is documented in the Netgate documentation pages. If you add rules in the WG group tab, those will affect all WG interfaces (if you have multiple) and are always evaluated first. If you keep the WG group tab empty and add your custom rules in each individual WG interface, then you get more granular control and reply-to's will work.
    I just set up my WG S2S now by following your guide and these are the two things that I noticed are lacking.

    • @TravisNewton1
      @TravisNewton1 3 years ago +1

      Thank you for these tips! I appreciate it. Like I said, I'm a noob when it comes to Wireguard and have always struggled to get it working. I'm going to pin this comment as it could be helpful to others!

  • @XrayDoc88
    @XrayDoc88 3 years ago +1

    Given the recent update, my question is not very timely. I mostly followed your instructions, but I'm new to VPNs. Do you really only need to add the firewall rules to the host pfSense installation? I didn't see you making similar settings on your client pfSense.

    • @TravisNewton1
      @TravisNewton1 3 years ago

      Yeah, do not use WireGuard on pfSense. See my blog post in the description. In fact, I'd almost say stop using pfSense and move to OPNsense. Netgate is a terrible company that seems to thrive on drama. Back to your question, I might have left a firewall rule in place. But yes, you'd want a rule that allows each side.

  • @AFiB1999
    @AFiB1999 3 years ago +1

    That is awesome. I was wondering if you could do a pfSense WireGuard configuration with PIA VPN. Thanks

  • @muhammadbutt7994
    @muhammadbutt7994 3 years ago +1

    Thank you very much. Very simple and easy to follow guide. Just one question, please see at 8:34
    On 10.200.6.1
    Peer WG Address => 10.235.0.2/24
    On 10.200.5.1
    Peer WG Address => 10.235.0.2/32
    Shouldn't those be on different IPs and the same subnet instead of /24 and /32?

  • @angelorestrepo
    @angelorestrepo 2 years ago

    Is there a way to state what IP address can connect to the other site so not all traffic connects to site to site setup? Also, can this somehow be setup while you're running wireguard to specified addresses to a VPN provider?

  • @fbifido2
    @fbifido2 3 years ago +2

    1. How would you lock it down?
    On main-server: set source to client-wan-ip:UDP, set destination to server-wan-ip / port=51820, then allow
    On Client: set source to server-wan-ip:UDP, set destination to client-wan-ip / port=51820, then allow
    2. You have rules on WAN, OPT1, WireGuard; how does that traffic work here?
    Which interface gets the traffic first?
    The main lock down happens on the WAN interface, so what traffic goes to the OPT1 interface?
    The WireGuard interface is after the link is established, yes? This affects the communication within the tunnel.

    • @TravisNewton1
      @TravisNewton1 3 years ago

      Exactly. You wouldn’t be able to have dynamic endpoints but you’d control the endpoints that could connect. Just another layer of the security onion!

    • @fbifido2
      @fbifido2 3 years ago

      @@TravisNewton1 What if you have WAN1, WAN2 and WAN3? How do you group them?

    • @kevindd992002
      @kevindd992002 3 years ago

      @@fbifido2 System -> Routing -> Gateway Groups

  • @davidg4512
    @davidg4512 3 years ago +2

    You must be grandfathered into the verification status on youtube. I thought it was 100k subs minimum. Could you explain?

    • @TravisNewton1
      @TravisNewton1 3 years ago

      Yes, I’ve been here a _really_ long time.

  • @kimh9337
    @kimh9337 3 years ago

    Thanks mate. Hope you wear a cape these days :)

  • @Francis_UD
    @Francis_UD 3 years ago

    Can such configuration circumvent GFW?

  • @RanaBibu
    @RanaBibu 3 years ago

    Sir, you are awesome. You saved my job 😉.

  • @binnihh
    @binnihh 3 years ago

    Do a new video with the WireGuard add-on in 2.5.2 pls.

  • @sreyu08
    @sreyu08 3 years ago

    @13.38 you had mentioned we need to create a static route to the other side using the new interface. But for me, there was no static route created for this interface by default. So should I create a new route?

    • @TravisNewton1
      @TravisNewton1 3 years ago

      So it turns out it wasn't needed. When I first set this up, I had to create a route as there was no route in place. When I re-did it for this video, a route was automatically created since the interface is local.

    • @sreyu08
      @sreyu08 3 years ago

      @@TravisNewton1 Since I am new to this, it would be better if you could put the route definition based on this video. My tunnel is not working and only the static route is missing.

    • @sreyu08
      @sreyu08 3 years ago

      I recreated the tunnel and now the static route got created automatically and my tunnel is up. Not sure what happened with the initial configuration. Thanks, you have done an amazing video.

  • @kimh9337
    @kimh9337 3 years ago

    Question. I see that you define the InterfaceIP with X.X.X.X/24. But when you add the IP in the peer config, you type it in as X.X.X.X/32 ?

    • @TravisNewton1
      @TravisNewton1 3 years ago

      I’m not actually sure. I’ll try it again with /24 to see if it works but I think you’re telling the interface “THIS is your IP”. Just like how if you want to identify a single IPv4 address in an alias among networks, you use /32. I could be wrong. But I’ll try it again.

    • @Mcfryguy5555
      @Mcfryguy5555 3 years ago +1

      www.ionos.com/digitalguide/server/know-how/cidr-classless-inter-domain-routing/ I'm no expert, but I think the /32 only allows 1 address to connect.

    • @kevindd992002
      @kevindd992002 3 years ago +1

      x.x.x.x/32 is the same as simply specifying a single IP (x.x.x.x). To keep it simple, just do x.x.x.x in the peer IP address field.

    • @kimh9337
      @kimh9337 3 years ago

      @@kevindd992002 I suspected it as such. Thx for confirming :)
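Added example (not from the video, Netgate, or any commenter): a small Python model of WireGuard's cryptokey routing that illustrates kevindd992002's first tip earlier in the thread (put the transit network in Allowed IPs or gateway monitoring breaks) and the /24-versus-/32 question discussed just above. The addresses are constructed from the ones quoted in the comments; the LAN sizes and the third site are assumptions.

```python
import ipaddress

# Constructed topology modelled on the addresses quoted in the comments (LAN sizes assumed):
# transit net 10.235.0.0/24, site A tunnel IP 10.235.0.1, site B tunnel IP 10.235.0.2,
# site A LAN 10.200.5.0/24, site B LAN 10.200.6.0/24.


def build_peers(allowed):
    """allowed maps a peer name to its 'Allowed IPs' list (CIDR strings)."""
    return {name: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for name, cidrs in allowed.items()}


def select_peer(peers, dst):
    """Cryptokey routing as WireGuard applies it to a packet leaving the wg interface:
    the peer whose Allowed IPs contain dst wins, longest prefix first; None means
    the packet is dropped because no peer is allowed to receive it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def gateway_monitor_ok(peers, peer_name, monitor_ip):
    """pfSense gateway monitoring pings the remote tunnel address; it can only
    succeed if that address is routed into the tunnel towards the intended peer."""
    return select_peer(peers, monitor_ip) == peer_name


# Site A's peer entry for site B, three ways (all constructed):
LAN_ONLY = build_peers({"siteB": ["10.200.6.0/24"]})                        # remote LAN only
WITH_TRANSIT = build_peers({"siteB": ["10.200.6.0/24", "10.235.0.0/24"]})   # + whole transit net
HOST_ONLY = build_peers({"siteB": ["10.200.6.0/24", "10.235.0.2/32"]})      # + just B's tunnel IP
# An assumed third site C with its own tunnel IP: its /32 wins over B's /24 for that one address.
TWO_PEERS = build_peers({"siteB": ["10.200.6.0/24", "10.235.0.0/24"],
                         "siteC": ["10.235.0.3/32"]})

if __name__ == "__main__":
    for label, peers in [("LAN only", LAN_ONLY), ("with transit", WITH_TRANSIT),
                         ("host only", HOST_ONLY)]:
        print(f"{label:13s} 10.200.6.20 -> {select_peer(peers, '10.200.6.20')}, "
              f"monitor 10.235.0.2 ok: {gateway_monitor_ok(peers, 'siteB', '10.235.0.2')}")
    print("two peers: 10.235.0.3 ->", select_peer(TWO_PEERS, "10.235.0.3"))
```

With only the remote LAN allowed, LAN traffic still enters the tunnel but the monitor ping to 10.235.0.2 has no peer and is dropped; adding either the whole transit /24 or the peer's /32 fixes that, and the /32 form is what lets a second peer claim its own address on the same transit network.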

  • @fonte935
    @fonte935 3 years ago

    Nice! Thank you.

  • @JasonLeaman
    @JasonLeaman 3 years ago

    Well done, thanks for the video!

  • @chrisjchalifoux
    @chrisjchalifoux 3 years ago

    Ty For The Video

  • @bulliontoy
    @bulliontoy 2 years ago

    Outdated and doesn't apply. GW port needs to be made. Tunnel interface looks different.

  • @KptnKMan360
    @KptnKMan360 3 years ago

    Nice, thanks.

  • @jk55.
    @jk55. 3 years ago +1

    👍

  • @SuperChelseaSW6
    @SuperChelseaSW6 3 years ago

    Nice video, sir. Make a demo of how Zeek works.

  • @random_tech_stuff
    @random_tech_stuff 3 years ago

    Thanks for this video!
    Can I use Wireguard to connect my Android smartphone to my pfSense box?
    I'm currently doing that with OpenVPN and was wondering if I can replace it with Wireguard.

    • @TravisNewton1
      @TravisNewton1 3 years ago

      You can! However, I have not done this yet with either iOS, Android, or even stand-alone Windows/Mac clients, but I know there can be a bit of a process getting the config loaded. I currently use OpenVPN for connecting these clients to my network, just because it is tried and true, and not that much of a hassle.

  • @l0gic23
    @l0gic23 2 years ago

    +1 sub

  • @fuzz1252
    @fuzz1252 3 years ago

    How are you verified?

    • @TravisNewton1
      @TravisNewton1 3 years ago +1

      It wasn’t a status symbol back in 2011.