Surely one of the best networking video tutorials I've watched in a long time. Thank you very much for explaining this so clearly and thoroughly. Including an overview diagram and taking the time to explain not just what to enter on which screen, but WHY, is so often missed in other tutorials. You've clearly thought this through and will help many people with this. Awesome work. Worth watching the full video.
Absolutely the best video on WireGuard and pfSense! I have re-watched it several times because your teaching of routing, interfaces, firewall rules, WireGuard config, and how it all relates is explained so clearly and thoroughly. Thank you!
"basic" *me crying in the corner* [edit] Frankly speaking, your explanation is amazing. Very detailed. You surely know how things work. Thanks for sharing. I will watch 100 times more.
Thanks for this, and very timely: I just switched out an old USG at my home for an SG 2100 and was switching from IPsec to WireGuard. Absolutely perfect timing and awesome information!
So very close. I have the tunnel fully working (I can access both ends) but for some reason the Gateway says 100% loss and down, though I'm actually running through it. Logs say something to the effect of "dpinger TUNNEL 10.222.222.0: sendto error: 93", obviously it cannot ping the gateway, even with wide open rules.
Great, great video. A huge amount of information presented clearly and concisely. This should be a template for all tech tutorials. Learned a lot about wireguard here. Thank you!
This was the best video I have come across. I was setting up my tunnel the other day using just the documentation and various other sites and you explained it in such a way that I could easily set up all of this again without any of that. Keep it up man!
Fantastic guide, with well-delivered insights into the workings of pfSense and the pitfalls one could encounter. Thank you for all your hard work creating the WireGuard package and this great video!
I was banging my head against a wall trying to make a site-to-site to a cloud VPS, and this video saved me. Great explanation and excellent breakdown of pitfalls and what would happen if reconfigured. Great video!!!
Great video. Thank you. A tip would be that when working with internet dynamic IP we can use a dynamic DNS for endpoint IP, that way if our public IP changes we should be good establishing the tunnel. I've been using Duck DNS and so far so good.
Thank you so much Christian for the hard work and time you've put into these videos. They've helped me to solve issues that have plagued me for a couple years now. I sincerely appreciate it! I look forward to your upcoming videos, especially the one you teased about the use of FRR and BGP for use with dynamic routing. I've been curious about its use and if it's something that could help streamline things for me.
Amazing video, so so so clear and very well explained. Always struggled with WireGuard and site to site VPN's, but this covers the basics and then some. The extra tips and little explanations are super helpful to prevent getting tripped up! Thanks so much, Christian.
@ChristianMcDonald I tried to set this up yesterday. It seemed like it worked, but no traffic will pass. Everything looks exactly like you have it set up. I get the handshake, but can't get to the site 2 LAN for some reason. Firewall rules look right.
@ChristianMcDonald I wasn't expecting a response from you over my trivial comment, but thank you! Thanks for the excellent/clear/accurate content. Subscribed.
I would love to see a video with a more complex setup, i.e. failover with two providers while at the same time having site-to-site WireGuard VPN and road warrior VPN. Maybe even a hub-and-spoke WireGuard VPN setup with failover to two different ISPs.
Thanks Christian - great video and work on WireGuard - much appreciated. You have mentioned it in the past and touched on it in this video, but I was wondering why the Allowed IPs do not become static routes so we wouldn't have to create an interface, do static routes etc., unless we had more advanced needs (firewall rules, NAT). Would it be possible in pfSense (a static route is created for the tunnel network without creating an interface)? Presumably all traffic for an Allowed IP should be routed there anyway. Just wondering what your thinking is on this topic.
The most obvious reason is when you’re using dynamic routing with FRR. In that case you need to define allowed IPs but the routes are managed by FRR. It might be possible to add some additional config options to automatically create static routes if necessary. Once we ship 22.01/2.6 here soon, I will be revisiting a list of todos to work on. I will consider this and see if the usability can be improved
Wait a minute: Aren't you supposed to add "Site 2" IPs to the "Site 1 AllowedIPs" in order to make sure that "when calling an IP in the range of Site 2 on Site 1, it goes through the tunnel"? At around 19:00, you add "Site 1 IPs" to the "Allowed IPs" of "Site 1". Never mind: I skipped over your explanation that "white theme = Site 1 & dark theme = Site 2". You did it all correctly and I was just confused/skipped too much.
Thank you for this detailed, informative video. I hope it will help me with keeping my mom's internet/network working (retired in sunnier places). Unfortunately, their ISP assigns private IP addresses, so I'm unable to use dynamic DNS and all that to establish remote connections. I am hopeful the pfSense device I am sending to them will initiate that S2S link and allow me to get through their ISP's NAT. I have a DDNS, so I am using that for their side to establish the link. Interesting, because so many other services can break through ISP NAT (never had a problem with Google Remote Desktop). Kind of wish there was a package/server just for that in pfSense. Initial setup looks good from their device (the WAN of their device is hooked into my LAN). My box though won't show their gateway as reachable. My guess is my pfSense is sending it out through its WAN (and not back through the LAN, maybe I should try NAT reflection lol) and it should not be an issue once my mom's device is connected to the internet and not to my LAN. I don't really want to mess up my network to validate that it will work. Worst case, if it doesn't, I look at other means of helping them when the time comes.
This video was very helpful and helped me debug a site-to-site VPN I needed. One problem I still have is that the two sites I have connected have an overlapping subnet. I would like to NAT the overlapping subnet at my main site so that all of the devices are accessible to the remote site. I know how to do this with IPsec with NAT/BINAT settings. How is this accomplished when using a WireGuard tunnel?
As usual a great video Christian, thank you. But I am trying to do something else. Connecting from the LAN of Site 1 to the LAN of Site 2 is working for me, but how could I allow users connecting to Site 1 via WireGuard (they get a different IP from a different range) to also connect to the LAN of Site 2? I thought that allowing it in the Firewall Rules "WireGuard" tab would be enough, but even though I see traffic going out from the S2S interface I don't see any return traffic (when pinging). If you have some ideas please let me know. Thank you and regards!
Awesome video. I used this setup for a WireGuard VPN connection from my phone to my home, and my mobile laptop to my home. When I connect to my home via the WireGuard VPN from my laptop, on the interface statistics widget I get around 20-40 "errors out" per minute. I don't get the same result when connecting via WireGuard VPN from my phone; that doesn't give me any "errors out" on the interface statistics widget on the dashboard. The connection works from my laptop, but I'm not sure why I'm getting these errors. Running the VPN for about half an hour gives me 1000 "errors out." Any idea where I can start to try and fix this?
Hi Christian, great video. I was able to set up the site-to-site VPN and I created a separate remote access tunnel, and both work. But when I connect using remote access I cannot access the remote site subnet through the site-to-site VPN tunnel. Do I need to make an interface for the remote access and set up a gateway? Or create a NAT? It would be great if you could create a video on this. Thanks.
Great video! Still having something wrong... If I test with ping in the pfSense diagnostic tool it works perfectly, but it doesn't work if I do a ping from my PC. I did research with no success; do you have some clue?
Thanks for the video, it's been very helpful! One question. I want a site-to-multisite config (which is working). Is it possible for remote sites to access each other through their one connection to the main site?
Thank you for this amazing video. I ran into an interesting issue where I could connect to Site 2 using transit 10.100.x.x but couldn't connect using Site 2's LAN 10.69.x.x. I am using 2 eth ports: one goes to the pfSense LAN, one goes to the home LAN. I wanted to know if I maybe need to add a route to my Windows 10 routing table so that I can reach Site 2's LAN while both ports are active.
Amazing video. Thank you very much for your hard work! I would appreciate if yourself or someone else in the comments could answer - can I make ALL internet traffic flow from site 2 via site 1 (so that all traffic appears to an outside server to come from site 1). Thanks in advance.
Can you do a video on how to fix the issue that, if running a multi-WAN setup as failover and WAN1 goes down, WireGuard connects via WAN2, but if WAN1 comes up again WireGuard never switches back to WAN1 and stays on WAN2?
Good content, I mean really good, but why is the data transfer between 2 VIRTUAL pfSenses (site-to-site), following your description step by step, even slower than IPsec? I was looking for any answer why the data transfer latency does not go over 7 or 8 mb/s. Both HQ internet speeds are over 600 mb/s (fiber). Is it because they are virtual devices, or what does it depend on? Thanks again.
I have successfully set up the WireGuard S2S tunnel and entered "none" in the field for upstream gateway on both sides, yet the tunnel IP address displays when I connect to the remote site, which indicates there is NAT through the tunnel. What could cause this? What NAT rules should I look for and erase?
Hi, I have a question. I try to connect a client with WireGuard VPN. I create a link between site A and site B by creating a tunnel between A & B; they seem to communicate with each other. I would like to connect the client into site A with VPN and Active Directory to join site B. I create a new peer on the same tunnel; when I connect, the hand is red and the customer no longer has any connection. Would you have some idea?
Any reason why "only unassigned tunnels" seems to do nothing? My sole VPN tunnel is an assigned interface but it's still being managed by the "Wireguard" firewall rules...
Hey Christian. I have a question. I did set up the WireGuard tunnel between two pfSense sites. I further would like to have a client on the remote pfSense connect through the tunnel to the main pfSense and use the main pfSense WAN. How do I need to route this? Best regards
Ok so I have three sites all behind NAT and routing through a cloud VPS. Everything works fine except for if I need to Halt or Reboot the firewall, the WireGuard gateway gets disabled automatically for some reason and upon next login have to manually enable it. Weird thing is that the WireGuard service doesn't start until the gateway is enabled even having it added to ServiceWatchdog. Any ideas?
In my setup (up-to-date OPNsense os-wireguard 1.9 and up-to-date Windows WireGuard 0.5.3 peer) everything works well, but I have a strange short timeout (like no connection) for about 15 seconds each time very close to the handshake, which is every ~2 minutes. Each time after the handshake the connection resumes. Is there any setting that I can try to edit to resolve this problem? I set keepalive to 15s but it seems that it has no effect.
Not unique to my network. The reason behind this is if you’re passing 1500 byte packets inside the tunnel, once the WireGuard header is attached, it will put that packet over 1500 bytes, which will likely result in fragmentation once it leaves your outer layer for transport to the remote peer. By clamping you ensure that no fragmentation will occur.
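The overhead arithmetic behind the clamping explanation above, as an added Python calculation that is not from the video, pfSense, or the WireGuard project. The sizes used are those of WireGuard's transport data message (a 16-byte header plus a 16-byte Poly1305 tag) carried in UDP; the MTU values are constructed inputs.

```python
# Added example: why a 1500-byte inner packet fragments on a 1500-byte WAN and
# why WireGuard's default 1420 MTU (and a matching TCP MSS clamp) avoids it.
WG_OVERHEAD = 16 + 16             # transport data header + Poly1305 authentication tag
UDP_HDR = 8
IP_HDR = {4: 20, 6: 40}           # outer IP header by address family
TCP_IP_HDRS = 20 + 20             # inner IPv4 + TCP headers subtracted to get the MSS

def padded_len(inner_len, tunnel_mtu):
    """WireGuard zero-pads the plaintext to a multiple of 16 bytes, but never past the tunnel MTU."""
    rounded = (inner_len + 15) // 16 * 16
    return max(inner_len, min(rounded, tunnel_mtu))

def outer_len(inner_len, tunnel_mtu, outer_family=4):
    """Size of the datagram on the wire, outer IP header included."""
    return IP_HDR[outer_family] + UDP_HDR + WG_OVERHEAD + padded_len(inner_len, tunnel_mtu)

def fragments(inner_len, tunnel_mtu, outer_mtu=1500, outer_family=4):
    """True if the encapsulated packet exceeds the WAN MTU, so the outer IP layer must fragment."""
    return outer_len(inner_len, tunnel_mtu, outer_family) > outer_mtu

def safe_tunnel_mtu(outer_mtu=1500, outer_family=6):
    """Largest inner MTU that never fragments; over an IPv6 outer path this is WireGuard's default 1420."""
    return outer_mtu - IP_HDR[outer_family] - UDP_HDR - WG_OVERHEAD

def clamped_mss(tunnel_mtu):
    """TCP MSS to advertise so a full segment plus inner IPv4/TCP headers fits the tunnel MTU."""
    return tunnel_mtu - TCP_IP_HDRS

if __name__ == "__main__":
    for mtu in (1500, 1420):  # unclamped tunnel versus the default WireGuard MTU
        print(f"tunnel MTU {mtu}: outer {outer_len(mtu, mtu)} bytes over IPv4, "
              f"fragments={fragments(mtu, mtu)}, MSS clamp={clamped_mss(mtu)}")
```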
Thanks a lot for this video. I am using FRR/BGP for site-to-site VPN. The pfSense routing table is correctly being populated by FRR. However, I don't know how to get FRR to populate routes in the crypto routing table (at the moment I am populating the allowed IPs manually, hence defeating the purpose of FRR). Any hints?
Is it possible to set this up with just a WAN interface only, behind another firewall, basically using pfSense as a WireGuard appliance? I have it successfully working from PCs / iPhones to pfSense, but this site-to-site tutorial I have been unsuccessful in getting working. Port forwarding is enabled on the UDM Pro on both networks, everything is set up correctly, but it seems to want a LAN and WAN interface.
This can be achieved. If you deploy pfSense with a single interface the WAN also becomes the LAN and in this mode you effectively use pfSense as a VPN termination point.
Awesome video, I have a multi site setup. It was working fine before switching to the package based version of Wireguard. Right now I cannot get traffic to pass from one remote site through the central site to another remote site. Any ideas as I have tried almost every combination of options.
So let's assume we have Site A, B, and C. Site A and Site C connect to Site B. If Site A wants to speak to Site C, it has to go through Site B. Site B has one tunnel with two peers: Site A and Site C. The trick is you still require a permissive firewall rule at Site B. It's a bit confusing, but packets coming from Site A to Site B are going to be evaluated by pf even though the packets are going to enter and leave via the same virtual interface (tun_wgX interface). This is most likely a firewall issue.
@ChristianMcDonald OK, but I have an allow-all rule for both the WireGuard and the WG0 interfaces. From Site B I can ping any host at Site A or C. Does it not have anything to do with the allowed IPs?
Hi. Thank you for the video. I have a question. I have a VPS with a /24 subnet; the subnet is all public IPs. I want to use those public IPs on my home infrastructure, like assigning them to my servers. What is the best solution to make it possible to use all those public IPs on my VPS on my servers? Thank you.
Starting at around 30:25 in the video, the answer is yes, you do. Also be aware of the WireGuard group that can also have rules that are processed before the interface level rules. This is based on a scenario of static routing. You said "If I assign WireGuard to an interface"; I take that to mean, if I assign a WireGuard interface to a pfSense interface . . .
I'm currently using the WireGuard network in /32 for both allowed IP and interfaces in order to connect 5 sites all together. For a 2-site VPN you can also use /32, but is there any reason for using /31 instead?
/31 is used for point-to-point networks, and there is no broadcast or network address; it is used to make the best use of IP space when only 2 hosts are needed.
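The AllowedIPs behaviour behind the hub-and-spoke answer and the follow-up above, as an added Python model that is not pfSense or WireGuard package code: an outbound packet is handed to the peer whose AllowedIPs contain the destination (longest prefix wins), and a decrypted inbound packet is dropped unless its source lies inside the sending peer's AllowedIPs. The site names, LANs and transit addresses are constructed, and the model also traces the C-to-A reply path, going slightly beyond the thread's A-to-C question.

```python
import ipaddress
# Added toy model of WireGuard's cryptokey routing for a constructed hub-and-spoke:
# spokes A and C each peer only with hub B. pf rules on every hop, hub included,
# still apply in real life and are deliberately not modelled here.
LANS = {"A": "10.1.0.0/24", "B": "10.2.0.0/24", "C": "10.3.0.0/24"}

class WgInterface:
    """One WireGuard interface: peer name -> list of AllowedIPs networks."""
    def __init__(self, peers):
        self.peers = {n: [ipaddress.ip_network(c) for c in cidrs] for n, cidrs in peers.items()}

    def select_peer(self, dst):
        """Outbound: longest-prefix match of dst over every peer's AllowedIPs."""
        dst, best, best_len = ipaddress.ip_address(dst), None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best  # None: no peer claims dst, so the packet is not tunnelled

    def accepts_from(self, peer, src):
        """Inbound: a decrypted packet is dropped unless src lies in that peer's AllowedIPs."""
        return any(ipaddress.ip_address(src) in net for net in self.peers[peer])

def trace(sites, origin, src, dst):
    """Follow src->dst hop by hop; returns the sites traversed or a failure reason."""
    path, here = [origin], origin
    for _ in range(len(sites)):  # bounded so a looping AllowedIPs setup still terminates
        nxt = sites[here].select_peer(dst)
        if nxt is None:
            return f"{here}: no peer has {dst} in AllowedIPs"
        if not sites[nxt].accepts_from(here, src):
            return f"{nxt}: dropped, {src} not in AllowedIPs of peer {here}"
        path.append(nxt)
        here = nxt
        if ipaddress.ip_address(dst) in ipaddress.ip_network(LANS[here]):
            return path
    return "routing loop"

SITES = {  # spokes must list every remote LAN reached via the hub, not just the hub's own
    "A": WgInterface({"B": ["10.100.0.2/32", "10.2.0.0/24", "10.3.0.0/24"]}),
    "B": WgInterface({"A": ["10.100.0.1/32", "10.1.0.0/24"],
                      "C": ["10.100.0.3/32", "10.3.0.0/24"]}),
    "C": WgInterface({"B": ["10.100.0.2/32", "10.2.0.0/24", "10.1.0.0/24"]}),
}

def good_path():
    return trace(SITES, "A", "10.1.0.50", "10.3.0.7")  # ['A', 'B', 'C']

def broken_path():
    # Site C's peer entry for B omits Site A's LAN: the handshake still completes,
    # but C silently drops A's packets, the "handshake but no traffic" symptom.
    bad = dict(SITES, C=WgInterface({"B": ["10.100.0.2/32", "10.2.0.0/24"]}))
    return trace(bad, "A", "10.1.0.50", "10.3.0.7")
```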
OVPN is better than WG because the former can use QoS within the tunnel and also can be pinned to a particular WAN interface. WG is lame and for VPN babies / noobs.