COMPLETE WireGuard on PFsense 2.7 Setup - Covering Windows, Mac, & Mobile + DuckDNS & Firewall 2024

Captions
How do you connect to your home network when you're away? Say, for example, you want to make a change in your router, or you want to power on or power off a computer. How do you do it? Do you just open up a bunch of ports to the internet? Do you use a reverse proxy, maybe a combination with the VPN? Well, if your answer was a VPN, or virtual private network, you're in luck, because today I'm going to show you step by step how to configure my favorite VPN in my favorite routing software: WireGuard in pfSense.

The reason I like WireGuard so much is because, of course, it's super secure, but it's the fastest VPN protocol out there. Seriously, it can be three to four times faster than OpenVPN and leaves IPsec in the dust, and VPNs are notoriously slow. It's also built into the Linux kernel, the codebase is open source and leaner, so it's a lot easier to audit. And, well, there are some cons as well. Of course, for starters, it's very recent. It was only released, I believe, to the Linux kernel in 2016, so we're still kind of all a little bit guinea pigs here. Also, for authentication it relies on cryptographic keys, so no username and password, and that might be an issue for some people. But anyway, enough talk. Try WireGuard, you'll love it. And to set it up, don't worry, because I'm going to guide you every step of the way. I know that dealing with crypto might sound a little bit daunting at first, but don't worry, because it's super simple.

First, just make sure that you have the latest major release of pfSense. That's 2.7 right now. pfSense doesn't ship with WireGuard out of the box, so you'll need to install the package for it. Go to System and Package Manager and click on Available Packages. Search for WireGuard, and when you get the results, click on the Install button in green right next to it. Click on Confirm and just wait for the installation to complete. If you now click on VPN, you will notice that WireGuard is installed, so click on the cheeky WireGuard label and go to Tunnels. Select Add Tunnel. On the description, just enter WireGuard. On port, just leave it as default, and then click on Generate so that we can generate a public key. Next, copy the key by clicking on the link right underneath it and paste it onto, say, Notepad, for example, as we are going to need this later. Make sure that Enable Tunnel is selected. Also notice that the interface configuration is already provided for you, so good job, pfSense team. Now let's create a network for this interface, something unique, let's say for example 10.100.0.1/24, and just give it any description that you like. Save the tunnel, click where it says Settings and enable WireGuard, hit Save and apply the changes. Make sure you apply the changes, because sometimes I forget to do that.

Now click on Interfaces and Assignment, then on Interface Groups, and notice that the interface for WireGuard is already set up. Awesome, don't touch that. Now go back to the dashboard and check in the service status if the WireGuard service is running. If you don't have the service status, just click the plus button, select Service Status and then click Save. I don't have to because I already have it on the dashboard. Sweet.

Now let's configure the firewall rules. Select Firewall and then Rules, and then choose WireGuard. Add the new rule. Make sure that the action is Pass, the interface is WireGuard, and change the protocol to Any. You can enter a description such as "WireGuard pass any traffic", and then hit Save and then Apply Changes. Next, hit WAN and add the new rule. Set the protocol to UDP, the destination to WAN address, and set the custom port "from" to 51820 and the "to" port to 51820, so the same port. Enter whatever description you like, such as "WireGuard WAN pass rule", for example, whatever you want. Then save and apply the changes.

Now, to connect to your home router you're going to need your internet IP address, and if you don't have a static IP address from your ISP, it is likely that it will change at the whim of your ISP. But don't worry, because towards the end of the video I will show you how we can get around this problem. For now, we will use your internet IP address, and in pfSense you can check it by going back into the dashboard and, under Interfaces, on WAN: that's your public IP. Unless, of course, you're doing double NAT, in which case you will have a private IP address, like you can see here for me. Now, that's because this isn't my real home pfSense instance. This is not my personal instance, it's just a VM running pfSense that I use for my tutorials, so I'll be using this private IP, but just imagine it's a public one. Now write down that IP address into Notepad, because we will need it in a second.

Okay, let's chill for a bit. Pat yourself on the back, because we have just created a VPN server directly in our router. I mean, this is big stuff, okay? No need for Docker or any kind of extra VMs, it's running in our router. Cool. The next step is to create our clients. We'll be doing Windows and Android, but Mac and Linux are pretty similar. Of course, if you like what you're seeing, don't forget to subscribe and give us a like. The channel is still really tiny and I want it to grow a little bit more so that I can keep making tutorials for you guys.

Now let's start with the Windows, Linux and Mac clients, because, well, it's the same, and we're going to do Android later. Go to the WireGuard website and download and install WireGuard for your OS. In this case I'm going with Windows, but it's the same for Mac or for Linux, because this is the same software, just a different platform. Fire up the application, click the tiny arrow next to Add Tunnel and select Add Empty Tunnel. Instantly you get a public and a private key generated. Enter the name for your tunnel and add the private IP address, and this is the one that your VPN is going to be using. Make sure it's in the same network that you created earlier for that particular interface. If in doubt, go back to pfSense, VPN and WireGuard, edit your tunnel and copy the interface IP address. Okay, you can type the address or paste the one that you just copied, but make sure that you remove the last digit and enter something like 10, for example, followed by /24, which is the CIDR or subnet mask. Now, for DNS, set whatever you like. I'm using Cloudflare and Google.

Next, copy the public key from your new client's tunnel and let's paste it into the WireGuard server. Go back to pfSense, VPN and WireGuard, edit your tunnel, and right at the bottom select Add Peer. Make sure it's enabled, add a description, and this could be the name of the client, and enter here the public key that you just copied from the client. This is from here, not the other public key that we saved earlier in Notepad. You can also click on Generate pre-shared key for, you know, extra safety. On the Allowed IPs, copy the IP you assigned yourself in the WireGuard client tunnel so that your VPN is allowed. Just make sure that you set the CIDR to 32. Hit Save Peer and apply the changes.

We're nearly there. Now go back to your client tunnel and add the following: type Peer between brackets, then set the public key, and this will be the key from the WireGuard server that we stored earlier in Notepad, and set the pre-shared key to the one we also generated earlier. For Allowed IPs we have two choices: split tunnel or full tunnel. Split tunnel, where the only traffic that goes through the network is when you're trying to access a resource inside your network, like your NAS or your Jellyfin server, for example, but if you tried to go to google.com you are not going to go through the VPN. Full tunnel, where all the traffic just goes through the VPN. Now, option two, full tunnel, tends to make everything slower. For split tunnel, which is what I use, enter the subnets that you would like to access. This should be at least your VPN subnet, which is 10.100.0.0, and the subnets in the networks you would like to access, like in my case my office VPN, which I can check back in pfSense under Interfaces and clicking on the interface that I'm interested in. So you can copy that value, but remember to remove the last digit and put a zero, which is for the network ID, slash whatever CIDR you configured. If you have been following, it will be /24. If you want full tunnel, just enter 0.0.0.0/0, well, it's all zeros /0, and all the traffic will go through.

Now, for the final step, we need to add the endpoint, which is your public IP address, which, like I said in the beginning, you can check on your dashboard under Interfaces, WAN, or you can go to your router modem and check it there. Now enter Endpoint and set it to the IP address followed by colon 51820. Like I said, in my case it's a private IP because I'm doing this tutorial on a VM that I installed exclusively for that purpose, but in your case it will be a different IP address, like 83.something or 212.whatever.

Okay, that should be it. Let's try this out. I'm going to change the network real quick so that I can use the VPN. Now open the command line, and as you can see I'm on the 192.168.10 subnet. If I try to ping the default gateway of 10.100.0.1, I get nothing. If I try to access pfSense, I get nothing. Now let's enable the VPN, and there you go, I have a response. Let's try to access pfSense at 10.100.0.1, which is the default gateway. There you go, it works. Let's access Google: blazing fast, because I'm not using the tunnel, I'm not in full tunnel mode.

Now we have a little problem. Like we said in the beginning, if you do not have a static IP assigned from your ISP, your public IP is dynamic, which means it can change, and if that happens you're screwed. So what we need to do is find a way to bind our public IP to a DNS name and make sure that our pfSense instance updates that DNS every time that the IP changes. To do that I recommend Duck Duck... I always say that. Not duckduck.com, I recommend DuckDNS, which is free. Go to DuckDNS and sign in. Enter your domain at the top. It will have created a token for you. Now go to pfSense, click Services and Dynamic DNS. From here click Add, select Custom on the service type, scroll down and update the URL. Just make sure that you change "domains" to the domain you just created and "token" to, well, the token that was on the dashboard of DuckDNS. Go back to your WireGuard client, click on Edit, and where it says Endpoint replace that public IP with your DNS host name that you just created in DuckDNS, colon 51820, which would be something like bbbb1123.duckdns.org colon 51820 or something, whatever the host name is.

Okay, desktop versions done, all configured and working. You already subscribed? And if not, please do. For mobile it's exactly the same procedure, but in the interest of time I'm going to speed things up a little bit. Install the official WireGuard client app on your phone, click the plus sign, Create from scratch, and give it a name. Click the arrows button to generate a private and a public key. On Addresses, enter the IP that you want for your VPN. This time change the last digit so it doesn't clash with your desktop client. Since the Windows client was 10, we're going to make something incredibly unique, which is 11, and original, like 10.100.0.11 followed by /24. And for DNS, enter whatever DNS you'd like. Again, I'm using Google and Cloudflare. Copy the public key on your WireGuard client and copy it over to the pfSense WireGuard. Click on Add Peer, enter a description, paste your mobile phone's previously copied public key into Public Key, and generate a pre-shared key before copying it over. Under Allowed IPs, enter the IP you assigned to your WireGuard client, in this case it was 10.100.0.11, with a CIDR of /32. Now you can copy the pre-shared key. Copy it somewhere. I like to message myself on WhatsApp or use my OneDrive account, Facebook Messenger, you know, use whatever you see fit. Save the peer and apply the changes.

Now let's add the peer to our mobile client. Click on Add Peer and paste there the public key from the WireGuard server, you remember, the same one that we used for the desktop client. Okay, it's that one. And also paste the pre-shared key we also just generated. On Endpoint you enter your public IP address or the dynamic DNS we just created on Duck DN... gosh, I keep calling it Duck Duck DNS, on duckdns.org, followed by colon 51820. Now enter the allowed IP network IDs that you want to access, including the VPN's own subnet ID, this is for using split tunnel, or 0.0.0.0/0 for the full tunnel. And that's it: WireGuard fully set up on your computer and mobile.

Now, that was a lot, all this just for a simple VPN connection, but trust me, it's worth it, because this is the fastest VPN out there, hands down. And, you know, to access your home network, where you're constrained sometimes by your ISP speed, especially the upstream speed, WireGuard is just the best choice. Now, there are other technologies out there that make this process less tedious, like Tailscale, for example. I personally don't use it because, well, A, I like to avoid layers as much as possible, and B, well, I like my VPN to be sort of like a multi-directional vector, meaning from point A to point B, you know, without the intervention of additional vendors. However, if you want to know more about Tailscare, sorry, I mean Tailscale, Tailscale, no pun intended, or any other kind of novel VPN, you know, things that appeared in the last years like ZeroTier and Twingate, and there's a bunch out there, just let me know in the comments. And again, don't forget to subscribe so that you can see them. That's it for now. Thank you for watching and I will see you in the next video. Take care and see you soon.
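
The client tunnel described in the captions, written out as a WireGuard config and checked against the points the walkthrough stresses (address inside the tunnel network, /32 on the pfSense peer, VPN subnet present in a split tunnel, port 51820). This is an added example, not part of the video or of pfSense; the keys are placeholders, the DuckDNS host name and the 192.168.1.0/24 LAN are constructed, the DNS servers are assumed, and the 10.100.0.0/24 tunnel network is as read from the captions.

```python
import configparser
import ipaddress

# Constructed sample: placeholder keys, made-up host name and LAN subnet.
CLIENT_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.100.0.10/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <pfsense-tunnel-public-key>
PresharedKey = <pre-shared-key>
AllowedIPs = 10.100.0.0/24, 192.168.1.0/24
Endpoint = example-home.duckdns.org:51820
"""

def check_client(conf_text, tunnel_net, server_allowed_ip, listen_port=51820):
    """Return (mode, problems) for a client config and its pfSense peer entry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    tunnel = ipaddress.ip_network(tunnel_net)
    addr = ipaddress.ip_interface(cp["Interface"]["Address"])
    if addr.ip not in tunnel:
        problems.append(f"client address {addr.ip} is outside {tunnel}")
    # pfSense side: the peer's Allowed IPs should be exactly this client, as /32.
    srv = ipaddress.ip_network(server_allowed_ip, strict=False)
    if srv.prefixlen != 32 or srv.network_address != addr.ip:
        problems.append(f"server-side allowed IP should be {addr.ip}/32")
    allowed = [ipaddress.ip_network(a.strip())
               for a in cp["Peer"]["AllowedIPs"].split(",")]
    # 0.0.0.0/0 routes everything through the VPN (full tunnel).
    full = any(n.prefixlen == 0 for n in allowed)
    covers_vpn = any(n.version == tunnel.version and tunnel.subnet_of(n)
                     for n in allowed)
    if not full and not covers_vpn:
        problems.append(f"split tunnel does not include the VPN subnet {tunnel}")
    port = cp["Peer"]["Endpoint"].rsplit(":", 1)[-1]
    if port != str(listen_port):
        problems.append(f"endpoint port {port} != listen port {listen_port}")
    return ("full" if full else "split"), problems
```
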
Info
Channel: Digital Mirror
Views: 10,426
Keywords: WireGuard, PFsense 2.7, VPN Setup, Secure VPN, Windows VPN, macOS VPN, Linux VPN, Android VPN, Firewall Configuration, VPN Security, Network Security, PFsense Tutorial, WireGuard Configuration, High-Speed VPN, PFsense Firewall, Online Privacy, VPN Tips, Cross-Platform VPN, Secure Networking, VPN Guide 2024, Advanced VPN Setup, PFsense WireGuard, Cybersecurity Tips
Id: IvGjWndvTk0
Length: 16min 7sec (967 seconds)
Published: Wed Mar 06 2024