pfSense Wireguard Site-to-Site VPN Setup (3-Way) Tutorial

Captions
Are you interested in creating a site-to-site VPN with pfSense using WireGuard? If so, this video is really going to be for you. We're going to start off with two sites, create a WireGuard tunnel between them, and be able to access the LAN on either side of the tunnel. If that floats your boat, stick around: once we've done that, we'll introduce a third site, show you how to bring it into the scenario, and access the subnets from the third site as well as from your main site. If you like this video, please consider subscribing to the channel; it does help, as these videos take quite a long time to produce. Hit the like button so other people know to watch it, and if you hit the notifications icon you'll be notified as more videos come out. We do have a few more planned regarding WireGuard, especially a road warrior version. But let's just jump right in and get to it.

So we've got our two systems, pfSense A and pfSense B. We don't have WireGuard installed, hence the option is missing, so the first thing we need to do is install WireGuard. To do that, go into System > Package Manager > Available Packages, search for WireGuard and click Install. Now we have WireGuard installed, let's do the same on system B: again System > Package Manager, there's nothing on here, search for WireGuard and install it.

Now WireGuard is installed there are a couple of settings we need to make. If we go to WireGuard > Settings, obviously we need to enable it. The Keep Configuration option: I strongly suggest you keep this enabled. If you disable it and then uninstall WireGuard, you'll uninstall all the settings, and you'll probably need to uninstall it when you do a pfSense upgrade, so I'd leave that enabled. The Endpoint Hostname Resolve Interval we can leave for now. The other important option is Interface Group Membership, which configures which WireGuard tunnels are members of the WireGuard interface group. I'll go through this with you in a minute, but what we want to select is Only Assigned Tunnels, so we can fine-tune our firewall rules a bit. These other options basically just censor the private keys in the web interface so they're not displayed; always a good idea to leave them enabled. Apply the changes, and again we'll do that on system B: VPN > WireGuard > Settings, enable WireGuard, change tunnels to Only Assigned Tunnels, save and apply the changes. So we've got it installed, set up and running on both systems, and we're good to start our configuration.

Now we've got WireGuard installed we can go ahead and configure the tunnels. Go into Tunnels > Add Tunnel. You want to enable the tunnel; the description is optional, but it's generally a good idea to put one in so you know what it is. The listen port by default is 51820; you can change that if you want to, and that is the port you'll have to allow incoming WAN traffic to. We need interface keys: the way WireGuard works is it has a private key and a public key, and the public key is used on the remote systems to connect to this one, so we'll go ahead and generate those. I'm just going to save this, apply the changes, and go back and edit our tunnel.

Now we need to do the interface assignment. We can click Interface Assignments, which is the same as going into Interfaces > Assignments, and now we have our WireGuard tunnel here, so we'll add that and save it. Give the interface a name; I've used wg0. We obviously want to enable the interface. The configuration type is going to be Static IPv4; we don't need IPv6 and I'm not covering that in this at all. Now the interface IP address: this is system A, so this is our tunnel IP address, which is going to be 172.25.25.1. The subnet mask I'm going to set to /24, which will allow me to use anything from .2 onwards for the remote systems. Once you've got this working you can obviously narrow your subnets down if you really want to. The IPv4 upstream gateway we don't need to bother with, and obviously we don't want it to block private networks or bogons, because WireGuard uses private IP addresses. So that's our interface configuration; save that and apply the changes, and that's our tunnel set up, I think.

Let's go back into WireGuard and look at our tunnel. We can see the interface assignment is now on wg0, which is OPT1, and you can get straight back to your interface configuration by clicking on that. Firewall rules: that Settings option, Only Unassigned Tunnels. If you don't set it and just leave it as All Tunnels, then when we go into firewall rules this will apply to all your WireGuard traffic; setting it to selected tunnels basically allows us to control our WireGuard tunnel firewall rules. For this I'm just going to leave it wide open and allow all WireGuard traffic to pass: IPv4, any source, any destination, pass all traffic. Save that and apply the changes, and now, if we go back into WireGuard > Tunnels, our firewall rules are in place.

We need to do the same thing on site B's pfSense. Tunnels > Add Tunnel; looking at our diagram this is 172.25.25.2. We'll leave the default port; if you've changed it on the other end they do need to match. Generate the keys, save, apply the changes. Now let's add the WireGuard tunnel as an interface: again give it a descriptive name, enable the interface, Static IPv4, same as previously; this one is 172.25.25.2, set to /24. We don't need to bother with the upstream gateway, same as before, and obviously we don't want to block the network. Save that and we've got our interface assigned, and now we need to go into firewall rules and allow the traffic for our wg0. You don't need to set any rules on the WireGuard firewall tab at all; we just use the tunnel interface we created. Add a rule: pass, wg0, IPv4, pass all traffic, description "pass all WG traffic", save. Now our firewall rules match on both sides. Let's go back into WireGuard and I'll do the same on the main system.

So we've got both our tunnels set up, no peers as yet. Site B is going to be the peer for site A and site A the peer for site B, so let's start setting the peers up, beginning with creating site B as a peer. Add Peer; we obviously need to enable the peer, select tunnel wg0, and we'll call this "site B" for the peer. Now the endpoint: if the other side doesn't have a static IP address you can leave this as Dynamic, but then in your firewall rules you will have to allow all traffic to connect to port 51820. If you've got a static IP address then you can restrict it down to the IP addresses, so I do recommend it, but it will work either way. Set your keepalive if you want to. We need the public key and the pre-shared key. The pre-shared key is optional, but I do recommend that you create one for extra security, so we're going to generate that. We need the public key for site B, so if we go into B's tunnels, the public key is here; copy that and paste it in. We've got that pre-shared key; we're going to need that in a second, in fact we'll do that at the same time.

When it comes down to the allowed IPs or subnets, we need to allow the tunnel IP. If you don't, your gateways will show offline, but they will still work; I have seen a few questions about that online. So 172.25.25.2/32: we want a 32-bit subnet mask so it's only that host, so we don't start sending traffic destined for other tunnels over this one. Call that "B WG IP", and we're going to add another allowed IP. Looking at this, site B's subnet behind it is 192.168.57.0, which we can see is how we have our LAN set on here. So we put in 192.168.57.0, which will allow that traffic across, and that's /24 because we want to be able to access everything; call that "site B LAN". Let me just save that and apply the changes.

Now we'll do the same on site B: go into WireGuard > Peers and add site A as a peer. Add Peer, select the tunnel, this is going to be "site A", Dynamic again for now; at least one end needs to have a static IP address, but we'll leave that for a minute while we set these up. Again set a keepalive if you want it. We need the public key for site A, so go into site A's tunnel, edit it, grab the public key and stick that in there. We're also going to need the same pre-shared key; obviously you can only generate it on one side, so go into Peers on site A, because that's where we generated the pre-shared key, edit that, and the pre-shared key is here. It copied on the one side; I'm not sure it does on this one, I'm sure it does. Copy that across. The allowed hosts for site A are going to be 172.25.25.1, so always start with the WireGuard IP: 172.25.25.1/32, "site A WireGuard IP". Add another allowed IP: on this side the local LAN is 192.168.56.0, so 192.168.56.0/24 for the whole subnet, "site A subnet".

Okay, so now we've got the public keys in place and everything, but it won't work because we've got both sides set to Dynamic; that's obviously not going to work. So going to site A, we're on the peer for site B, which we're editing; we're going to untick Dynamic and set this to the IP address of site B, its WAN IP, which is 172.1.20; let me just check that's right, 172.1.20. We'll stick the endpoint address in there. The main site does need a static IP, but the remote sites won't. Save that and apply the changes. If site A had a static public IP address but site B didn't, you'd leave site B's endpoint as Dynamic, but we're assuming static IP addresses on both sides. So again on site B go into VPN > WireGuard > Peers, into the site A peer, and give it its IP address; following our diagram that's 172.1.10, the WAN IP address. We're leaving the port clear because it'll default to 51820. Save the peer and apply, and that should be us. So now we've got traffic successfully passing over our WireGuard tunnel: we ping 172.25.25.1 and that's fine. Our WireGuard tunnel is up and running.

Now we actually need to configure the routes on either side: we need to pass the routes from site A to site B and from site B to site A. That's why we wanted our WireGuard tunnel as an interface, so we can add it as a gateway, which is what we need to do to set up the system routing. Let me make this a bit bigger: site A is on 192.168.56.0 and site B is on 192.168.57.0. Go to System > Routing > Gateways; we need to add the new gateway for site B. To get that to appear here we add a gateway with wg0 as the interface, IPv4, and we're going to call this "site B gateway"; the gateway is going to be 172.25.25.2. That's all we need to add. No it's not: interface name, oh sorry, no spaces allowed. Apply that. Let me just change that firewall rule real quick; I changed this, didn't I, just to ICMP so I could ping it, and we're going to put it back: UDP, from site B's WAN IP, a single address, to port 51820. That just set us back; I did that for diagnostics purposes just so I could ping it.

Right, now we've added that as a gateway; if you go to Status > Dashboard you can see our site B gateway is online. So let's go ahead and do the same here: System > Routing. One thing to note: if the default gateway is set to Automatic you need to actually set it to your WAN gateway; let me just check on here real quick. Yeah, it can cause problems if it's set to Automatic, so we're good there; just double check that when you're doing this. We want to add a new gateway, and this time the gateway we're going to add is the gateway for site A: again IPv4, name "site A gateway", that's going to be 172.25.25.1; save and apply. It's always a good idea to put descriptions in, I suppose, "site A WireGuard gateway", but if you use descriptive gateway names, yeah, okay. So now we've got the gateway, go to the dashboard and we can see the gateway is online. That means our WireGuard connection is up and we can ping the gateways on either side.

The next thing is to add the static routes for the subnets. We'll start with site A: System > Routing > Static Routes. Again looking at our picture the subnet for site B is 192.168.57.0, so we add that as a static route: destination network 192.168.57.0/24, because we want the whole network. By default it's sending them out the WAN gateway; we need to change that to site B gateway. Description "route to site B subnet"; apply. We want to do the same on this side: Routing > Static Routes; this was 192.168.56.0, so add that subnet, 192.168.56.0/24, change the gateway to site A gateway, because obviously we need to route it through site A, description "route to site A subnet". At that stage we're set up. We can go into Diagnostics > Routes just to confirm, and we can see that anything destined for 192.168.56.0 is going to go over the WireGuard tunnel; 192.168.57.0 is obviously our local connection, with our IP address being .10. So we should be able to ping the LAN from either side; again just for diagnostics purposes, it should be working at this stage. Routes on this side: we can see that anything destined for 192.168.57.0 is going to shoot over our WireGuard tunnel.

Oh sorry, I've done this myself where I've not put the actual IP of the other WireGuard side in: it will still work, but your gateways will show offline. So just make sure when you go into Peers that you do have the entry for the WireGuard IP of the other side. If you don't, everything will still work, but when you go into the dashboard these will show offline even though everything's working, because they're not pingable to each other. Keep that in mind. So Diagnostics > Ping; what's the LAN IP address, 192.168.56.10? Ping 192.168.56.10, and on the other side Diagnostics > Ping 192.168.57.10; you can tell it which source address to use if you want. So this is the exact scenario that we now have. Obviously ignore these addresses, they're not real IPs; they're set up just so we don't have to censor everything on the screen. The first time we did the video everything was censored out and it didn't look too clever. This is the exact scenario we now have set up: site A with a WAN IP address of 172.1.10, site A with this WireGuard tunnel IP, and the local subnet, which is completely reachable from either side. The only time I've ever had problems is when the settings have not been right on this side, so I've not put the right public key in from site B for example, or the pre-shared key has been wrong; that's generally the only time it's not worked.

Now we're working with site A and site B able to access each other. What if you've got another site, then what do you do? Let me walk through that. You don't need to create a separate tunnel on site A. Let me pull another host up: admin, pfSense, let me put my fingers in the right place on the keyboard, next, next; we're going to call this pfSense C, Quad9 for DNS servers, disable that, sorry, let me just spin this up very quickly, it won't take long. Okay, so we have site C; we've just introduced it and we want to get this connected to site A as well. Obviously we need to install WireGuard; it isn't there, so System > Package Manager, find WireGuard, install it. Okay, so we've got WireGuard installed. I'm going to go into the settings and set it up again: enable, all that's the same, assigned tunnels only, save, apply settings; this is exactly the same as what we've done previously.

Tunnels > Add Tunnel; leave the description blank, I'm going to leave this on 51820, generate the keys, so we've got our public key. I'm going to save the tunnel, then go into interface assignments; it's not there because I need to apply the changes. Interfaces > Assignments as we did previously: add that, save it, change its name again to wg0 or whatever you want, enable the interface, Static IPv4, but this time we're going to set it to 172.25.25.3. If you look at our image we have this on .1, this on .2 and this on .3. If you set your subnet mask narrowly obviously you're limited in how easy it is to set up, so we'll do .3 with /24; we don't want to block any private networks; save and apply the changes. Can you remember what's next? Quite right, we need to set the firewall rules, so go into Rules; again the WireGuard tab is redundant to us, we need to pass the traffic on wg0: pass, any, "pass all WireGuard traffic". Okay, so now that's done we need to create a peer. This is all configured: you can see the IP address is assigned and the firewall configuration is done. Go into Peers and add a new one. We need to select our WireGuard tunnel, and this is going to be "site A". It's not Dynamic, it does have an IP address, which is 172.1.10; I'm just going to copy and paste this so there are no mistakes. Default port. You'll notice here, if we go back into WireGuard, we only have one tunnel listening on 51820 and it has a peer assigned to it, but we can assign more than one peer, so we don't need to create a separate tunnel; we can use the existing one. Again you can stick a keepalive in if you want. We need the public key of site A's WireGuard tunnel, which is this here; copy, it says copied, so that worked. For the pre-shared key we go to site A, WireGuard > Peers, and add a new one for site C: Add Peer, select our tunnel, the peer is going to be "site C", it's not Dynamic, it's on 172.1.30 I think, the port's the same, keepalive the same, generate the pre-shared key, and we need the public key from the other side. So go to site C, into our WireGuard tunnel, grab this public key, which does copy, and stick it in there. Let me just double check that copied fine; yeah. I'm going to go back into my peers, edit, I need this pre-shared key from the site A peer; save, apply changes. Then on site A, in Peers on the peer for site C, we're just making sure the pre-shared key is exactly identical; copy that in.

Right, so as we did with the other sites, now we want allowed IPs. It's going to be 172.25.25.3, which is how we set the WireGuard assignment, on a /32, "site C WireGuard IP". Now we want to allow site C's subnet, which is 192.168.58.0/24 because we want to allow the entire subnet, "site C subnet"; save and apply the changes. Then the same on site C: WireGuard > Peers, site A, and as we know site A is 172.25.25.1/32. Hopefully you understand why these have a 32-bit subnet mask: because we have multiple peers, multiple gateways, on the same tunnel. So this is "site A WireGuard IP", and the subnet: site A's subnet is 192.168.56.0/24, "site A LAN"; save and apply the changes. WireGuard > Status: now we can see we've got site B showing the latest handshake, and we've also got site C showing the latest handshake. Can we ping site C from here? Ping 172.25.25.3; at least something's starting to work. On here, Diagnostics > Ping 172.25.25.1.

Once you're at the stage where you can actually ping the tunnels from either end, do you remember what's next? We've only just been through this. Yes, correct: we need to add the gateways and the routing. Go to Routing; again, don't ever forget to ensure your default gateway is set, and it needs to be set to your WAN address, otherwise it will cause routing issues. Add our new gateway: name "site A gateway", IP address 172.25.25.1, leave the rest, description "gateway to site A", save. Why is it not... oh, "the gateway address 172.25.25.1 does not lie within the chosen interface subnet"; of course it doesn't, I put it on the WAN, so don't speed through it like me. Apply that, back to the dashboard, and we can see site A gateway is online. Right, static routes: again we need to do exactly the same thing we did with site B to access site A. If you remember, we went into static routes and anything destined for that subnet we're basically throwing through site A gateway, and we need to do that here as well. Add 192.168.56.0/24; the gateway, make sure we select site A gateway because that's where that subnet is; "route to site A subnet"; apply the changes. Again on site A we go into Routing; we've got a gateway to site B, but if we want to access devices on the site C subnet we need to do this as well, so don't forget to select your correct interface, as I just did. This is going to be "siteC_gateway", 172.25.25.3, which is the IP address we set on the interface for site C's WireGuard tunnel. Static routes: site C's subnet is 192.168.58.0/24 and obviously we want the site C gateway for that, "route to site C subnet", apply.

If we go into the dashboard we can now see we've got our WAN gateway, our site B gateway and our site C gateway. Site C's LAN is on 192.168.58.10, so from here I should be able to do Diagnostics > Ping 192.168.58.10 and ping the LAN side. So that's pretty much it: we've got this and we've now added a third site, so that should all work correctly. It should be pretty much up and running; I'm doing this on VirtualBox so things fly across and run quite easily. The only thing to keep in mind: if you want subnets to be able to access each other, on your LAN rules you might need to add them in, so you can put "site A subnet" or whatever and add them in, or block whatever you want; obviously keep your rules in mind. But that is basically how you do site-to-site with WireGuard. I've done a lot of them; I've obviously not done a video on this for a while, and I just wanted to make sure it worked well, and it really does: the tunnels come up very quickly and I've had no issues so far. The only issue I've had actually is a pfSense box dying or a hard drive dying, which happens. Let me switch this back over. I hope that's given you a better understanding of how to set up a site-to-site VPN using WireGuard, or at least that's the way I've done it and I've found it to work. I've deployed quite a few of these and I've had no issues whatsoever; WireGuard's very, very stable, the tunnels come up and go down very quickly and I've just had no problems with it at all. Like I mentioned at the beginning of the video, if you do like what you've learned please subscribe to the channel and hit the notifications icon, give the video a thumbs up and let other people know to watch it, and we'll see you in the next video.
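The three-site layout the video builds through the GUI, as an added example that is not from the video or the pfSense WireGuard package: it models site A as the hub with one tunnel and one peer entry per spoke, renders the equivalent wg-quick style [Interface]/[Peer] text, lists the static routes each site needs, and checks the two mistakes the narrator warns about (a peer's tunnel IP missing from its Allowed IPs, and Allowed IPs overlapping between peers on the same tunnel). Public keys, the pre-shared key and the private key are placeholders; the WAN addresses are the ones spoken in the video.

```python
"""Hub-and-spoke model of the video's three pfSense WireGuard sites (added example,
not from the video or the pfSense package). Checks: the remote tunnel IP must be covered by
its Allowed IPs (otherwise the pfSense gateway monitor shows offline while traffic flows),
and Allowed IPs must not overlap between peers on one tunnel, because WireGuard selects the
peer for an outbound packet by Allowed IPs (cryptokey routing)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str
    tunnel: IPv4Interface   # address/mask set on the assigned wg0 interface
    lan: IPv4Network        # subnet behind this site
    wan: str | None         # None models a Dynamic endpoint; that side must initiate
    pubkey: str
    port: int = 51820


@dataclass(frozen=True)
class Peer:
    remote: Site
    allowed: tuple[IPv4Network, ...]   # the "Allowed IPs" rows on the peer
    psk: str = "PSK_PLACEHOLDER"       # generated once, pasted into both peer entries


# Addresses as spoken in the video; keys are placeholders, not real key material.
SITES = {
    "A": Site("A", IPv4Interface("172.25.25.1/24"), IPv4Network("192.168.56.0/24"), "172.1.10", "PUBKEY_A"),
    "B": Site("B", IPv4Interface("172.25.25.2/24"), IPv4Network("192.168.57.0/24"), "172.1.20", "PUBKEY_B"),
    "C": Site("C", IPv4Interface("172.25.25.3/24"), IPv4Network("192.168.58.0/24"), "172.1.30", "PUBKEY_C"),
}
HUB = "A"  # site A keeps one tunnel and one peer entry per spoke


def peer_entry(remote: Site, allowed: tuple[str, ...] | None = None) -> Peer:
    """Default rows: remote tunnel IP as /32 first, then its LAN. Pass CIDRs to model a mistake."""
    if allowed is None:
        allowed = (f"{remote.tunnel.ip}/32", str(remote.lan))
    return Peer(remote, tuple(IPv4Network(c) for c in allowed))


def peers_for(site: str) -> list[Peer]:
    """The hub peers with every spoke on the same tunnel; each spoke peers with the hub only."""
    others = [n for n in SITES if n != HUB] if site == HUB else [HUB]
    return [peer_entry(SITES[n]) for n in others]


def static_routes(site: str) -> list[tuple[str, str]]:
    """System > Routing: each remote LAN via a gateway whose address is that peer's tunnel IP."""
    return [(str(p.remote.lan), str(p.remote.tunnel.ip)) for p in peers_for(site)]


def check_peers(peers: list[Peer]) -> list[str]:
    problems = []
    for p in peers:
        if not any(p.remote.tunnel.ip in net for net in p.allowed):
            problems.append(f"{p.remote.name}: tunnel IP not in Allowed IPs; gateway will show offline")
    for p, q in combinations(peers, 2):
        for n in p.allowed:
            for m in q.allowed:
                if n.overlaps(m):
                    problems.append(f"{p.remote.name}/{q.remote.name}: Allowed IPs {n} and {m} overlap")
    return problems


def render_conf(site: str) -> str:
    s = SITES[site]
    out = ["[Interface]", f"Address = {s.tunnel}", f"ListenPort = {s.port}", "PrivateKey = PRIVKEY_PLACEHOLDER", ""]
    for p in peers_for(site):
        out += ["[Peer]", f"# site {p.remote.name}", f"PublicKey = {p.remote.pubkey}",
                f"PresharedKey = {p.psk}", "AllowedIPs = " + ", ".join(map(str, p.allowed))]
        if p.remote.wan:  # a Dynamic peer has no Endpoint line and must start the handshake
            out.append(f"Endpoint = {p.remote.wan}:{p.remote.port}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for name in SITES:
        print(render_conf(name), static_routes(name), check_peers(peers_for(name)) or "ok", sep="\n")
```

Widening a spoke's first Allowed IPs row to 172.25.25.0/24 on the hub, the narrowing-in-reverse the narrator mentions, is exactly the overlap the second check reports once a second spoke is added.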
Info
Channel: Sheridan Computers
Views: 7,019
Keywords: pfsense wireguard setup, pfsense wireguard site to site, pfsense wireguard site to site vpn, pfsense wireguard full tunnel, pfsense wireguard site to site setup, pfsense wireguard firewall rules, pfsense wireguard vs openvpn, pfsense wireguard, wireguard vpn, site to site vpn, site to site, site-to-site vpn, how to, wireguard pfsense, wireguard site to site vpn, wireguard setup, wireguard vpn setup, pfsense tutorial, pfsense vpn site to site, pfsense vpn tunnel
Id: 7_gLPyipFkk
Length: 46min 56sec (2816 seconds)
Published: Tue Nov 14 2023