Tutorial: pfsense Wireguard For Remote Access

Reddit Comments

Thank you Lawrence systems, for all of the awesome tutorials y'all have. And just the cool videos in general

13 points · u/white_nrdy · Nov 29 2021

Agreed! Thank you so much Lawrence Systems. You taught me practically everything I needed to know about my pfSense setup.

6 points · u/the262 · Nov 29 2021

Nice!

4 points · u/LiquidPsycho · Nov 29 2021

Bookmarking this. I’ve been meaning to set up WireGuard access.

3 points · u/Neo-Neo · Nov 29 2021

Thanks! I’ve been waiting for this video to drop

3 points · u/jmedlin · Nov 29 2021

Thanks for this. Can finally move away from OpenVPN fully now.

3 points · u/Outcasst · Nov 29 2021

Jumping in to say thanks, this has been on the backburner to set up, always love the tutorial videos on your channel!

2 points · u/knightrider64 · Nov 29 2021

I'd also like to share my gratitude for all your work Tom. Your biggest UK fan. Not that my bank manager would agree! 🤪

2 points · u/chrisgtl · Nov 29 2021

Attempted to do this myself a few times - failed.

Followed your video - worked first time.

Thank you kindly!

2 points · u/psylenced · Nov 30 2021

Captions
Tom here from Lawrence Systems, and we're going to talk about WireGuard for remote access, whether you're using your phone, a Windows computer, or a Linux desktop or laptop (well, anything running Linux really; specifically I'm going to be using Debian here, but it does extend to other versions). You may want to be using WireGuard to remotely access your network. Now, this was originally in pfSense 2.5 as part of the integration, then it moved to a package, and the team at Netgate has done a great job of developing it, but right here in November of 2021 it is still marked as experimental. All of my testing with it has gone really well, but it's still going through plenty of active development, so I wanted to do a video on it because, well, it's come a long way.

One of the things I want to get out of the way: this is a great remote access tool, but it's not necessarily a replacement for all VPNs. I say it like that because people inevitably will say, "Well, I'm using OpenVPN now, should I switch to WireGuard?" and that kind of depends on your situation. I think WireGuard is a great VPN, but it does not have a user manager; everything is managed with keys. Because you're managing it with keys, that may not be optimal for your setting if you have, oh I don't know, 800 users and a RADIUS server that handles authentication, or even if you have authentication tied right to your pfSense or whatever methodology you're using. If you have a lot of external users that you would like to access through your pfSense and VPN, WireGuard is not necessarily the easiest way to manage it, because you'd have to set up every single user, and there's not really good logging as to when they came in and when they came out. It doesn't work the way OpenVPN works; it doesn't have a user manager in the same way. So I wanted to get that out of the way up front and answer those questions for people asking whether they should switch from what they're doing now: if what you're doing now works, you should probably stay with that. But for those of you that like to use WireGuard because when you're outside of your office or outside of your home you want to tunnel back in, it's a great system for that.

Now, this is not a video specifically on how to do a site-to-site VPN between two pfSense systems. That will be a separate video, and if that video is completed it will be linked down below, so it depends on when you're watching this; I'm getting there, but haven't got it done as of the recording of this one. We're doing essentially one-to-many: many peers into one pfSense for remote access.

Before we dive into these details, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's the Hire Us button right at the top, which includes network consulting. If you want to help this channel out in other ways, there are the affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

First thing to get out of the way is RTFM, read the fine manual. It is a great manual for pfSense as a whole, but specifically for WireGuard they have a lot of different configuration information in here. I will also leave a link down below to a video done by Christian McDonald, actually a series of them; he's been doing some video updates. He's one of the developers working at Netgate on the pfSense project and has done a great series of videos talking in depth about WireGuard and plenty of other pfSense developments, so that video will be linked down below.

Now let's start here at our lab setup so we can cover how this is laid out. I'm not using a bunch of public IP addresses and routing across the internet, but this simulation works the same way. We have our lab Windows system at 192.168.3.175, this is at 3.123 for the Linux one, and then our lab cloud connects over; it's just a switch, and then our lab pfSense is at 192.168.3.217. So I'm able to get from either one of these right to the WAN side of here. Now, these can be double NATed, it doesn't matter, triple NATed for all that matters; you can have your clients behind whichever number of routing devices, it doesn't make a huge difference as long as they can get to the public IP side of the WAN of your system. Now, if your pfSense happens to be unfortunately behind some other carrier-grade NAT or you don't have it publicly routable, you're going to have a hard time getting this to work, because it's not designed to work that way. You have to be able to get to a port forward all the way from the outside world to the inside world. Not an issue here, but just something I wanted to address.

Now here we have 3.217 being the lab pfSense, then we have two internal LANs: one is 40.1, the other one is 22.1. Then we have this Debian speed test, and this is our target: we want to be able to be outside of the network and get to this Debian speed test. It actually just has LibreSpeed on there so I can, you know, see how fast the VPN goes. Now, this is at 40.137, so it's attached to our LAN network.

Now, the way WireGuard works is it does have to have its own subnet that's part of the WireGuard system, and that is how it's going to attach all the devices to a subnet, and it's going to take care of all the routing to get things from where they are to where they need to be. The 172.16.16 that I've set up here, .1/24 is its address, or 172.16.16.0/24 would be the whole network. It is important to know that this should not overlap with existing networks, or you're going to have a routing problem. If it overlaps with these networks here it would be a problem; if it overlaps with networks over here it can possibly be a problem, because it doesn't know where to send traffic if it's got pairs in the routing table. Well, there are priorities, so it actually does know where to send traffic, but it may cause some conflicts and some trouble. So when choosing the network layout for WireGuard, please note it does have to be non-overlapping with existing networks that you have, so nothing overlaps with 172.16.16; that's the one I used.

Over to pfSense itself. This is the 2.5.2 release of pfSense; it's on the latest version as of November 28, 2021. That's important because you want to make sure you're running the latest release, which will also have all the latest packages. Then just go ahead to the package manager and install the WireGuard package, which I've already done, and as of today it is 0.1.5_3. Like I said, it's still labeled experimental, but I haven't had problems getting it to work, and if you want to join the experimental club and test this, absolutely, this is the one to go with.

Then we're going over here to firewall rules. I know the VPN's installed, but we want to do this, and if we don't do this and we don't add a firewall rule... and by the way, by default it does TCP, so make sure you change this to Any. Add a rule, and this is allow all traffic for WireGuard. Now it's important that you do this, because if you don't you'll be like me and spend way too long setting up a demo because you forgot to add a firewall rule when you were setting it up, and you will just not understand why things don't work. If you set it to TCP you'll have weird problems where, well, you can't ping things because ICMP is not allowed, but you can get to things that use a TCP protocol, so make sure this is set to Any. This is just a wide-open rule; you can still get more fine-grained and do things a little bit more secure or granular, but that goes beyond the scope of this. I've covered firewall rules in other videos, but at least open it up wide open first when you're setting this up. It makes troubleshooting way easier, because then you can rule out this as being the problem.

Then the next part is really simple: we're going to go to VPN, WireGuard, and we're going to add a tunnel. There are no peers set up, there's nothing set up right now; this is the default. Oh, one new thing they added since the last time WireGuard was originally installed was the Hide Secrets option. This was for people worrying about shoulder surfing. I don't think it's a huge deal, but hey, it's great that they have it there. My answer really is, if someone's inside your pfSense you have much bigger problems, but nonetheless it's kind of cool that they added this, and I'll show you what it does. Description: YouTube demo, and let's choose a port. We're going to choose 51420 as the port; you could just use the default port of 51820, but I feel like changing it. Then we need to have a private key and public key: Generate. Now, if you have this set up with that private key checkbox, it'll take the interface key and hide it. The interface key for the private side should never leave this system, should never be copied somewhere else; this is what keeps everything nice and secure, so it's important that you have that key in a good secure place, like right here, where no one else can see it. Then we need to set that interface address, 172.16.16.1, and we're going to make this a /24. Now, the reason for that is we're going to add numerous peers to this, so this particular one should be a /24, or as big as you need it to be to have that many peers, or you can make it smaller and have fewer peers, but just for simplicity's sake, and because it doesn't overlap with any networks, I'm going to use the /24 in here for the peer address. Then we're going to go ahead and hit Save Tunnel, Apply, and now we have our tunnel set up.

Now, one more firewall rule that I've already created, but we'll go ahead and go to Rules, and we're going to look at the WAN here, and we're going to look at this rule right here: Pass, WAN, IPv4 UDP, source any (unless you want to filter for some reason), WAN address, and whatever the port you set for WireGuard is. We chose 51420, so we put 51420, and this allows for WireGuard. WireGuard does not automatically create a rule that allows external traffic to come in like the OpenVPN wizard does, so you have to create that rule. That's really all it is: one rule, one port, just UDP, and done. Now we have that rule that allows WireGuard.

Now, while we're here in rules, we're going to hit Firewall and we're going to go to NAT, and we're going to look at the outbound NAT. One thing you need if you want, for example, your phone to be able to come in and tunnel all the traffic back out: so I'm on some network that I don't want to be on with my phone, let's say a public Wi-Fi at a library or at a McDonald's, wherever you go, and you would like all your network traffic tunneled, as in full tunnel, not split tunnel where you're only accessing local resources. We'll cover how to do that later when we set up the clients, but if you would like the traffic to go out, there are a couple of ways of doing it, and this is the easiest way to do it. We're going to go here, and first we chose Hybrid Outbound NAT rule generation, and this is the hybrid rule that we added to make this work: 172.16.16.0/24. So go ahead and edit this rule. It looks like: interface WAN, IPv4, protocol any, source network 172.16.16.0/24, destination any, because this is the WAN interface; we're going to leave all the other settings the same, and this allows WireGuard to go out the WAN. This is only needed, as I said, if you have a full tunnel network where I want to take all the traffic from a laptop or whatever I'm using and tunnel it into my network at my lab, my home, my business, and then have all my traffic go back out, as in full tunnel. This is what allows that traffic to occur. The other way of doing it, which will be covered in a different video about site-to-site, is you can add WireGuard as an interface. This is good for routing two-way traffic back and forth and some other use cases beyond the scope of this video, but that's another way to do it.

Now we can go back over to VPN, WireGuard, and we have this set up, and we need to add a peer, so we're going to go ahead here and just hit Add Peer. Now, the peers are separate because you can actually have many tunnels on this and many instances of WireGuard running; that way, if you wanted one that was site-to-site and one that's, you know, user remote access like we're setting up here, you can have multiple side by side; they don't have to conflict with each other in any way. This will be the first one; we're going to do a Debian Linux system. Go down here now, with the Debian Linux system: I have an entire video on getting started building your own WireGuard, and I kind of covered it more in depth there, so I'll reference that video on how to set it up. I also have a full write-up on my forum, which will be linked down below, on how you build keys inside of Debian and actually get it loaded and set up. So we've already got that done, so we're just going to go here and grab my public key for my Debian system. So I need the public key; we just copy and paste it into Public Key. Then we need an address for it: 172.16.16.2. .1 is our main system, .2 will be the Debian system. We do that here, no problem, and we're going to hit Save Peer.

Now, please note this is a /32. Each one of the extra peers you have needs to be in its own space as well, so each one should be a /32. If you put them all at /24 they'll conflict and you'll have different problems, so that's the reason those are set like that. So here's the system; now we should go and set this one up. Go ahead and go back and edit this, because we need the public key information here, so we're going to hit Copy. Now, you don't ever need to copy this key here; matter of fact, let's go back and set that setting real quick: Hide Secrets, Save, Edit, and it's not displayed anymore, so no one can shoulder surf that long complicated one. And kudos to anyone that can actually look at that quickly and memorize that number and recite it; I know people that can do it, but it's always impressive when I watch it. So we've copied this to the clipboard. Now we're going to go back over here, and we have a file called pflab I've already set up, so we're going to edit this, and there's the address of 172.16.16.2/24, then here we have the public key; insert there. If you're wondering why this isn't /32: if you put this at /32 you wouldn't be able to ping 172.16.16.1, just a heads up on that. So now we've pasted in the public key, the endpoint 192.168.3.217:51420, then set AllowedIPs 172.16.16.0/24, 192.168.40.0/24, 192.168.22.0/24. These are all the allowed IPs, and this is what sets up the routing. If I only needed the 40 network (which technically is the only one we're testing) I could delete this one, but I wanted it in here just to show you what it looks like when you put many in there. But this is decided by the peer for each one of these routable networks on there; if you want more granular controls, yes, you can dive deeper into the WireGuard firewall settings under the firewall rules to stop someone from adjusting their peer to a network you don't want them to access, but heads up, that's how this works on here. So we have the public key, we have the endpoint, and we've taken the public key from our Debian lab and pasted it into that peer, so everything should be set up. So we'll go ahead and move this so we can see what I'm doing; we're just going to go ahead and hit :wq to write. All right, now we go in here and we'll split it one more time (we're just using tmux, if you don't know why the screen split) and wg-quick up pflab is what it's called. Oh, already exists; forgot to take it down from the previous test. Down pflab; it was broken if it was up anyway because it had the wrong settings in it. Now from here let's go ahead and ping 192.168.40.137 and see if our experiment worked, and there we go, I can get to that system. So we're on the Debian system that has the IP address of 192.168.3.123, so 3.123 through here, through here, over to here, is able to now get to that. Pretty simple to set up, and if we go over here to Status and we show our peers, we see that the handshake was done right here, the Linux system, 23 seconds ago, and the allowed IPs. Great, all that's working, and if we go back over here, when you have WireGuard installed you get this little widget on the dashboard that shows you how many active peers, how much data is being sent, a refresh interval and activity threshold. So all this is great and everything's working.

But now we've got to add another peer. Again, pretty simple: we're going to go over to Peers, we'll add another peer, assign it to this tunnel, and this is our Windows system. Now we've got to get the public key for the Windows system and an IP address for the Windows system, and for that we're going to go over here. Now, this is just Windows 10 loaded with WireGuard: next, yes, install, nothing special done here, downloaded it right from the WireGuard website. We're going to add an empty tunnel; when you add an empty tunnel (I'm going to call this one pflab) it automatically generates a key for you, so we're going to go ahead and copy this key because we need the public key for this one here. We need to have an assigned IP address, and we'll go with 172.16.16.3; I tab over and it automatically changes it to that, so pretty much good to go here. All right, we can apply. Now we need to finish the setup in Windows, so now we go over here; we're going to add the main tunnel because we need to copy this key. Go back over here, and now we've got to fill in the rest of it. Among the things we have to fill in is the public key from pfSense to get it into here; it already has the private key in here. Now we've got to put in the rest of the details, so here's the address, the private key that it generated automatically, the address that we wanted to assign, 172.16.16.3, then we put the peer public key as the public key from pfSense that we put in here, then the endpoint 192.168.3.217:51420, just like we set up with that port, then allowed IPs: the 16.16, the 40 network, and this one here. So we've got everything in here, maybe a couple of extra spaces I'll delete out of that. Save, Activate, see if we did this right.

Now, one thing of note: when you're doing the activation right away you may see some data going back and forth, but it may not display right away, and the reason for that is because until there's some packet sent for the handshake, the handshake may not be there. Where in fact right now this handshake has now gone for a few minutes without a talk, so it's going to turn yellow and eventually kind of falls off. WireGuard is a quiet protocol, and unless you have a keepalive in there to regularly refresh it, it goes ahead and drops the connection, but the connection immediately starts back up as soon as some resource that's on the other side of that route is accessed. So because we have those routes pushed for, like, the 40 network, if we try to access anything on that .40 network that immediately spins up WireGuard, does a very quick handshake, and starts talking again. Kind of the way WireGuard works: it automatically will shut down the tunnels because they time out, or automatically starts them up without user intervention as needed; that way you're not sending a lot of wasted packets. But that's where, if you want, there is a keepalive option; you can choose to just keep sending a packet every so often to keep the connection so it never actually stops, but that's what that is right there.

We've got the handshake, now let's go ahead and go here, open up Google Chrome, and there's our 192.168.40.137. Now I could ping it from the command line, and it would ping, but I said hey, why not, let's do a test. This is just running LibreSpeed on that system, and we're getting about 470 to 490 megs, not bad on this. Your mileage is going to vary based on the speed of the machine connecting to it, the device connected to it, if it's a phone, or the speed of the pfSense; there are a lot of factors that can affect your speed, but we're not getting unreasonable speeds out of the system in our lab. It's not all the highest-end equipment, but it works pretty reasonably well here, so 489 and 610, pretty good overall, good ping times and not much jitter on the network. So pretty simple for setting it up.

But what about that next question that I talked about earlier: what if I'm outside my network and I want everything tunneled in? So we're going to go ahead and edit this tunnel; we're just going to change the allowed IPs, and I'm going to put a second one in here. So if we take the allowed IPs 0.0.0.0/0, now this works whether you're in Debian, whether you're in Windows, or whether you're doing this on a phone: when you set the AllowedIPs equals 0.0.0.0/0, it means just take everything and send it out through there, and because we put that rule in the outbound NAT, this is what allows the pfSense system to go, "Okay, I can take all the traffic in and then send it back out the WAN," and that was what that rule did. So we're going to go ahead, and also we have the kill switch in here, Block Untunneled Traffic; that's a checkbox right here at the bottom, that way there's no untunneled traffic, and I believe as soon as I click this it will drop this connection that I have with our remote access tool that we're using, which is ConnectWise Control. I believe it will... yes, it has broken access to it, but we can go out and work around it: this system is running in a virtual machine on our XCP-ng server, so we have access to it here, and we'll go ahead and start the speed test, and you can see it's working. The difference is, because I locked it out for myself and I said take all traffic and route it here, it's routing all the traffic and not allowing any more outside access. Now, if this was external, technically any traffic I route is instead going through the pfSense completely; that's basically tunneling all the traffic right here. Deactivate. If we want to put it back we can just go ahead and edit this tunnel and delete that out, and the system actually now just jumps back to ConnectWise as soon as I stop that, so I can switch it back and forth. Now, an alternative option for doing this would be to create two separate tunnels if you want, and call one of them full tunnel and one split tunnel, depending on your use case; that way, do you want all your traffic to go there, or do you only want some of your traffic to go there? Those will be the two options you have for doing that. And as I said, this works the same if we jump back over to our Debian system: I would just change this here to AllowedIPs = 0.0.0.0/0, the same thing, and the same thing if you're doing it on a phone; it's the same concept. And of course, like I said, the easier way to do it is actually create two configurations and switch back and forth on an as-needed basis.

Now, one last thing I want to cover is some troubleshooting and confusion that comes with WireGuard when it's not working but it looks like it is. We're going to go ahead and set up a ping test here, so this is just pinging away, and we've got this all set back to where it was, just allowing these IPs, connected and activated. So if I deactivate it the pings stop; we activate it again, we get some timeouts, and immediately we're back to sending ping traffic. So we're just going to leave this pinging right now, then we're going to go over here and we're going to go ahead and restart WireGuard and show you how it auto-reconnects. So no problem here, we're going to do this, and if I go back over here after it restarts we'll go Status, look at Show Peers; it'll take just a second and it'll automatically reconnect, just gotta refresh. There we go, Windows has done the handshake and just reconnected, so there's nothing I had to do in Windows to get it to reconnect. We can go back over here; there are the timeouts for where we paused it from the restart, but it's back to pinging everything again.

Let's go back over and actually break something. This is where things get a little bit confusing, because if I go here, actually we'll just adjust the one Windows peer; we're going to disable it. So we disabled this Windows peer; it thinks it's talking to a WireGuard server, the port is open, but nothing's going to happen here, so the request has timed out. We can deactivate it, let's activate it, it says active. This is where the confusion comes in, because there's not an error message you can go off of to say why isn't it working: we've received nothing, but we keep sending data, it keeps sending handshakes, it's just not getting responses back from there. If we look at the log: sending handshake, but nothing ever comes back. So these are one of those things where it doesn't necessarily tell you, other than the handshake not coming back, what's wrong. This is where the troubleshooting can be very tricky, and even if we went over here in pfSense and we're going to go ahead and look at the system logs, we see, well, VPN configured, syncing firewall, all right, there are firewall logs, but there's not an authentication error, there's not really anything to go off of here. This is where it's just kind of tricky when you're troubleshooting, and it's because it's a quiet protocol, is the best way to describe it. The data is coming in, but there's nowhere to put that data because it doesn't match; the system does not have a handshake because we've disabled that peer, so it won't handshake back. It's just ignoring the keys coming in because it doesn't have a matching key on the other side. So if we go back over here to VPN, WireGuard, Status, we can see that that peer's not even showing up, no handshake from this one that's disabled. So let's go ahead and enable this peer again, apply the change, let's watch the logs: sending handshake, keypair 1 created for peer 1, now it's working again, so it's replying. It's the little things like that that make it a little bit harder to troubleshoot, but as long as you know what you're looking for and are double-checking everything... because most of the time, whenever I've done any troubleshooting with WireGuard, even before I started this video, it has always come down to a typo somewhere, something overlooked, something really simple: you didn't paste something in right, you don't have the network set up right, causing it, and you'll spend a lot of time staring at it to try and sort this out. Hopefully this video helps you get set up with WireGuard, get your devices connected to your home network, your lab, or wherever you're using WireGuard. If you'd like to have a more in-depth discussion about this topic, head over to my forums; if you just want to leave some comments down below, that's appreciated too, I try to reply to everyone.

And thank you for making it all the way to the end of this video. If you've enjoyed the content please give us a thumbs up; if you would like to see more content from this channel hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
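A configuration sanity check for the layout the video walks through: the tunnel subnet must not overlap the existing LANs, each pfSense-side peer is a /32, 0.0.0.0/0 in AllowedIPs means full tunnel and needs the outbound NAT rule, and a peer with no recent handshake is the "quiet protocol" symptom from the troubleshooting section. This is an added example, not code from the video or from the pfSense WireGuard package; the client config text, LAN list and key placeholders are constructed, and `stale_peers` assumes the `wg show <if> latest-handshakes` output format of one `pubkey<TAB>epoch` line per peer.

```python
"""Sanity checks for a pfSense WireGuard remote-access layout (added example)."""
import ipaddress
import time

# Constructed sample: the wg-quick client config the video builds for the Debian peer (placeholder keys).
CLIENT_CONF = """\
[Interface]
Address = 172.16.16.2/24
PrivateKey = <client-private-key-placeholder>

[Peer]
PublicKey = <pfsense-public-key-placeholder>
Endpoint = 192.168.3.217:51420
AllowedIPs = 172.16.16.0/24, 192.168.40.0/24, 192.168.22.0/24
"""
# Existing networks in the video's lab; the tunnel subnet must not overlap any of them.
LAN_NETWORKS = ["192.168.3.0/24", "192.168.40.0/24", "192.168.22.0/24"]
# pfSense-side peers: each allowed IP must be a single /32 host address.
SERVER_PEERS = {"debian-lab": "172.16.16.2/32", "windows-lab": "172.16.16.3/32"}


def parse_wg_conf(text):
    """Parse wg-quick INI text into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = conf["Interface"]
            continue
        if line == "[Peer]":
            current = {}
            conf["Peers"].append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))  # base64 keys may end in '='
        current[key] = value
    return conf

def split_cidrs(value):
    """'a/24, b/24' -> [IPv4Network, ...]; strict=False accepts host bits like 172.16.16.2/24."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def overlapping_networks(tunnel, networks):
    """Existing networks that overlap the tunnel subnet; the video requires this to be empty."""
    t = ipaddress.ip_network(tunnel, strict=False)
    return [n for n in networks if ipaddress.ip_network(n, strict=False).overlaps(t)]

def peers_not_host_routes(server_peers):
    """pfSense-side peers whose allowed IP is not a /32 (a /24 per peer conflicts)."""
    return [name for name, cidr in server_peers.items()
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 32]

def is_full_tunnel(allowed):
    """0.0.0.0/0 or ::/0 in AllowedIPs sends all traffic through the tunnel."""
    return any(n.prefixlen == 0 for n in allowed)

def audit(client_conf_text, lan_networks, server_peers):
    """Return (severity, message) findings for the client config plus the server peer list."""
    findings = []
    conf = parse_wg_conf(client_conf_text)
    tunnel_net = ipaddress.ip_interface(conf["Interface"]["Address"]).network
    bad = overlapping_networks(str(tunnel_net), lan_networks)
    if bad:
        findings.append(("error", f"tunnel {tunnel_net} overlaps {bad}; choose a non-overlapping subnet"))
    for name in peers_not_host_routes(server_peers):
        findings.append(("error", f"server peer {name} must be a /32"))
    for peer in conf["Peers"]:
        if is_full_tunnel(split_cidrs(peer.get("AllowedIPs", ""))):
            findings.append(("note", "full tunnel: the outbound NAT rule for the tunnel subnet is required"))
        if "PersistentKeepalive" not in peer:
            findings.append(("note", "no PersistentKeepalive: an idle tunnel drops and re-handshakes on demand"))
    return findings

def stale_peers(latest_handshakes, max_age=180, now=None):
    """Parse `wg show <if> latest-handshakes` lines (pubkey<TAB>epoch, 0 = never) and return
    the peers with no handshake inside max_age seconds: the silent 'no handshake' symptom."""
    now = time.time() if now is None else now
    stale = []
    for line in latest_handshakes.strip().splitlines():
        pubkey, epoch = line.split("\t")
        if int(epoch) == 0 or now - int(epoch) > max_age:
            stale.append(pubkey)
    return stale
```

Run `audit(CLIENT_CONF, LAN_NETWORKS, SERVER_PEERS)` against your own exported client config and peer list before activating a tunnel; every "error" it reports is one of the silent misconfigurations the video says leave you with nothing in the logs but unanswered handshakes.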
Info
Channel: Lawrence Systems
Views: 22,956
Keywords: LawrenceSystems, wireguard pfsense, wireguard pfsense setup, wireguard pfsense 2.5.2, wireguard pfsense tutorial, wireguard pfsense package, wireguard pfsense install, wireguard pfsense client, wireguard pfsense 2.5.2 setup, wireguard pfsense dns, wireguard pfsense no handshake
Id: 8jQ5UE_7xds
Length: 27min 19sec (1639 seconds)
Published: Sun Nov 28 2021