Tutorial: pfSense Wireguard Self-Hosted VPN

Captions
Hey, what's going on guys, Script Tactics here, and today we're going to be going over the pfSense tutorial for WireGuard. So we're going to be hosting a WireGuard server on our pfSense firewall or router application or box, however yours is set up in your environment; this will be going over the pfSense version of that. So here I am, I'm on my dashboard for pfSense. This is in a VirtualBox virtual machine. As you can see here, my LAN and my WAN interface are going to be all private IP addresses, so you can see down here 192.168.0.202 and 192.168.1.1, so those IP addresses are again in the RFC 1918 schema. So there's only two modifications that I've done ahead of time. Usually on the WAN interface there's two rules set up, block bogon networks and block RFC 1918 networks. I had to disable those because in order to access over the WAN interface I'm coming from an internal IP address, so that's just one minor thing that I had to address, but everything else in this configuration in this tutorial should be a one-to-one match for you, and you should be able to go right ahead and just copy what I do here and apply it to your own server.

So let's go ahead and get started. First things first, we actually need to install WireGuard, so we're going to come over here to System, come down to Package Manager, click Available Packages. This might just take a quick second, and we can just scroll over to the bottom or type in WireGuard here, and you can see the latest version at this time is 0.1.6_2. So we're just going to hit Install and Confirm, so let this run really quick, should take like a few seconds here, and we're done.

Next thing, we're going to come over to VPN, and now you should see WireGuard installed here, so we're going to click this and you can see we have no tunnels, no peers, Settings and Status, so nothing right now. I'm just going to go to Tunnels and we're going to hit Add Tunnel. By default make sure this is checked. Description, I'm going to call this Home VPN; you can name this whatever you want, does not really matter. Listen port, I'm going to keep mine default, 51820. You can change this to whatever you want as long as it's not in the reserved port status or the port range; 51820 is usually the default, so we'll just keep it there. Interface keys, just click this Generate button right here and it'll generate your private and public keys for you. And interface address, we're going to do the 10.0.0.0 subnet range, 10.0.0.1, and this will be /24, so where is it, there it is, and this just means anything from 10.0.0.0 to 10.0.0.256. I will say WireGuard subnet, and the reason why I'm doing this is just for simplicity; you could see these IP addresses when you're looking over the firewall logs. Any IP address, as long as it's in the RFC 1918 specification, should be fine. But once we have that we're just going to hit Save Tunnel; we'll need to save that there. So now we have our tunnel set up, as you can see tun_wg0, description Home VPN, and we have our public key.

So now we're going to come over to Peers and we're going to add a peer. First thing, we're going to assign this to the tunnel we just created, so you can see in parentheses we have the description here. Description for this, I'm going to make this Phone 1. We're going to keep this Dynamic; this will have to be checked unless you plan on connecting from the same IP every single time, and spoiler alert, you're not. If you're using this on your phone you're going to be connecting from different cell towers, from different Wi-Fi addresses, and they're all going to have different public IPs, so keep this Dynamic Endpoint checked. Keep Alive, we're going to keep that default as empty, as disabled. Public key, we're not going to put anything in there right now; when we switch over to the Android application we'll be generating the public keys there and then they're going to be populated here. Pre-shared key, we can generate this here, so click Generate. And then Allowed Subnet or Host, so for this we're going to do 10.0.0.2 and we're going to say /32. So the 10.0.0.1 is reserved for the tunnel itself, and then we can use any IP inside of that range that we specified for the tunnel, which was 0 to 256. So I'm going to do 2 here; if you were to make another one you could do 3, 4, 5, et cetera. So for this we'll just do 2, and I don't think it'll allow me to save because I need to create the public key, so let me go switch over to the Android application and then we can actually go ahead and start generating our public key and get some of our config set up. So let's go ahead and do that really quick.

So here we are over in Android, and this is in a virtual machine that I have. Right at the bottom here you're going to see this plus button; we're going to click this and we're going to start from scratch. Interface name, I'm just going to name this pfSense. Private key and public key, we're going to generate these by clicking this refresh icon here, and that should pre-populate our values here. Then Addresses, so here this is going to be the exact same address that we just configured in VirtualBox, or pfSense rather, right down here, Allowed IPs 10.0.0.2. That should be the exact same we set up, so in this Addresses it's 10.0.0.2/32, and I didn't want to do that. Nothing else, we're going to leave this all blank and we're going to hit Add Peer. Leave this blank and leave this blank for now. Endpoint, so this will be the public IP of your server; I'm going to leave this blank because I'll show you where to grab that. And Allowed IPs, so we're going to do 0.0.0.0/0, that means anything in the IPv4 range, comma ::/0, that means anything in the IPv6 range. So we're making a full tunnel VPN here, and this full tunnel VPN allows us to send all traffic encrypted over this tunnel. You can change this to separate IPs if you want it to be a split tunnel, meaning only traffic that is destined for your home subnet; you can make it those different IPs, but for the sake of this tutorial we're just going to make it all IPs.

So now we're going to scroll down to this pre-shared key. If we switch back over to pfSense here, this value right here is going to go into that Android thing, so I'm going to hit Copy. Now I'm going to have to manually enter these, the way my virtual machines are set up, but that's going to go right here in this pre-shared key, so let me go and input that and then I'll come right back. Okay, so I have my pre-shared key input here. Now I'm going to come up to the public key and I'm going to copy this value, and that's going to go in pfSense right here in the Public Key section, so again let me go and input these values. Okay, so now I've put in my public key from my peer. If we switch back over, remember it's this public key value here goes down here, right here. So now we're going to hit Save Peer, don't need to save that, and we're going to go back to Tunnels because we've got one more config to just copy over. Hit the Edit button here; this public key we're going to copy, and this goes down here in the peer section on this public key, so again I have to manually input that value, so I'm going to switch back and I'm going to enter that. Okay, so now I've copied over the public key, and the last part will be the endpoint. If we switch back over to pfSense here and I come to the dashboard, if you scroll down to the WAN section here you should see an IP address. This IP address is what you want to put into your Android application, so it was 192.168.0.202, and we're going to do colon for the port, 51820. If you change this value you will have to copy this changed value here, but this is the default for WireGuard so that's what I'm going to put. Once everything's filled out we're going to hit the Save button, so we're done in Android for now. We're going to go back over to pfSense, we're going to have to configure a couple things: we need firewall rules and we're going to do some NAT rules.

Okay, so next we've got to set up a couple firewall rules. Here we're going to come down to Firewall and we're going to go to NAT, so we're going to come over to Outbound NAT and we're going to do two things. We're going to select Hybrid Outbound NAT rule generation and we're going to click this Add here. We're going to keep the interface as WAN, we're going to come down to IPv4, protocol we're going to do UDP, actually we're going to keep this as Any, and the source network is going to be 10.0.0.0/24. And so what this is doing is it's creating a rule: since WireGuard comes in over WAN, we have a rule that we're going to be generating next of allowing traffic in over the WAN interface, but we also want to access the internet with our tunnel, so we need a way to take the addresses coming in, convert them back to the outbound address of our LAN interface, and then allow the traffic back out through the WAN. So what this is doing is basically that: it's saying, coming in on this 10.0.0.0/24 network, convert this to an outbound interface, or IP address rather, and the hybrid outbound NAT just creates a hybrid rule so it'll always generate whenever we have a network coming in, or a connection coming in rather. So here we're going to hit Apply, and now everything has been updated, and that's what we have to do for the outbound section.

Next we need to go to Firewall, Rules, so the WAN. You would have two rules here, you would have Block bogon networks and Block RFC 1918. I do not have those rules currently because again my pfSense box is on an internal IP address range and I'm connecting internal to internal, so RFC 1918 would actually prevent any connections coming in across the WAN, so I had to disable it for this tutorial. However, by adding this next rule that we're about to generate you do not have to worry about deleting those two rules you have, so keep everything default; you only have to follow the steps that I'm doing here. So you're going to hit this Add button here. Action, Pass; interface, WAN; address family is IPv4; then you're going to switch this protocol to UDP, and we're doing that because WireGuard operates on the UDP protocol. Source, we're going to say WAN address, and destination we're going to keep this as any, and we're going to set the port to 51820 and 51820.

We're going to log these packets. Now we're going to say "WireGuard allow WAN to 51820", just as I have there, and I'm going to log this just to see what traffic comes in on the WireGuard address, and then we're going to hit Save and Apply the changes. So now this will allow WireGuard traffic in to my WAN address, so anything that pings or tries to connect to my firewall or my public IP address that's specified to 51820, allow it in, and then WireGuard will actually handle the connections to help prevent unauthorized connections. But now we're going to come over to the WireGuard tab, and by default there's nothing here: no rules currently defined for the interface, all incoming connections will be blocked until a pass rule is added. So in theory we could just turn on our connection and try to connect, but we're not going to be able to go anywhere. So for the sake of this tutorial we're only going to create one rule, and this is going to allow everything. I do not recommend this for your home network or your production setup, or however you set it up, but for the sake of the tutorial, just showing you how to get a connection up and running, this is going to be the quickest and fastest way to do it. I would suggest creating other firewall rules to block your LAN interface, to block any other VLANs you have, lock down what traffic can come in, what IPs are allowed, all that other stuff; you'd want to set those rules up here. But for the sake of simplicity we're just going to add one simple rule. It's going to be Pass, interface is WireGuard, IPv4 we're going to keep that, and we're going to do any, any, and we're just going to name this "allow all". So any source IP is allowed, any destination IP is allowed. I block IPv6 by default, so IPv4 will be the specification we have here. Doesn't matter the protocol, because we're coming in on WireGuard and then we still want to use other protocols to then connect out to different services. And we're just going to hit Save here, and now you should have this one rule, just allow everything, and then we're going to hit Apply Changes.

Once that's done reloading, we're going to come back up to VPN and WireGuard and we're going to go to Settings and we're going to enable it. Before it was not enabled, now we're going to turn it on. So now you should see your tunnel once this refreshes. Okay, WireGuard is up, and we have Status really quick, and now you should see the green arrow pointing up, we've got the description, our public key, and you see we have one peer configured. If we hit this arrow here you'll see we've got Phone 1, never connected. So let's go switch back over to Android and let's see if we can get a connection. I doubt I'm going to get a clean connection on the first try because I had to manually copy over my keys and they're pretty long, so I probably made a mistake, but let's see what happens if we hit Connect here. And we come in, yep, okay, so something's wrong, I did type something wrong here. As you can see we have a TX that's going out but my RX is still zero, so that means, nine times out of ten, it's usually a key error, retyping something in wrong. So let me go back and just verify where I made that mistake, and then we'll come back in and we'll get that up and running, so we'll be right back. Okay, so we have fixed the issues, and now if we switch back and we turn on our connection here you should see we have RX and TX coming through. So I just had my keys wrong, that was one of the issues; I had to regenerate them and retype them in, but everything else was the same. But now you can see we have a latest handshake; this number will increase and the RX and TX will also increase. Now back over to pfSense, you can see here in the tunnel, you check our peer, so I'm under Status now, you can see the endpoint of where it's coming from and you can see we have the handshake, which is less than five minutes so it's green. It'll tell us, okay, it was 26 seconds ago; if you refresh this page this number will update and it'll give you an RX and TX per peer. Now this value up here, the RX and TX, will increment for all the peers, but at least you know you have connections specifically per peer, so it's a little bit easier to diagnose. So if I had four different peers in this list you can check and see to make sure that, hey, they're getting the connection.

I hope this tutorial was useful for you. This was the pfSense WireGuard tutorial; this is also the same tutorial that I have on my website, which will also be in the description of this video. So the next video we're going to be doing will be using this pfSense WireGuard server as our WireGuard server; we're going to be doing a travel router using OpenWrt and a Raspberry Pi. So the Raspberry Pi setup will be very similar to the OpenWrt video we did previously and the other tutorials we've done showing off the phone configuration; the only difference is now the peer will be the router, and it won't be a site-to-site VPN because that router is going to go with us everywhere, so it needs to have a dynamic endpoint, but it'll be a client, and then we can connect multiple devices to that, and then we'll all tunnel back through that same tunnel, that same interface, that same subnet there. So we'll go over that in the next video, but I hope that you look forward to that. Like, subscribe, comment and be sure to check out my links below. Thanks for watching.
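The video's two sticking points are hand-typed keys (the "TX going out, RX still zero" symptom) and getting the peer address, endpoint and AllowedIPs into the phone config consistently with what pfSense has. The Python below is an added example, not the video author's or the pfSense project's code: it checks that each key is a well-formed 32-byte WireGuard key before it is pasted anywhere, checks that the peer's /32 sits inside the 10.0.0.0/24 tunnel range and is not the tunnel's own .1, renders the Android-side config for either the full tunnel shown in the video or a split tunnel (which the video mentions but does not configure), and turns the per-peer TX/RX/handshake figures from the Status page into the same diagnosis the video reaches by eye. The key values are constructed placeholders, and the 192.168.0.202 endpoint and port 51820 are the ones shown in the video.

```python
"""Sanity checks for the WireGuard client config built in the tutorial.
Added example, not the video author's code. Key values are constructed
placeholders (32 fixed bytes), not real WireGuard keys."""
import base64
import binascii
import ipaddress

TUNNEL_SUBNET = "10.0.0.0/24"      # tunnel address range chosen in the video
SERVER_ENDPOINT = "192.168.0.202"  # WAN address shown on the pfSense dashboard
LISTEN_PORT = 51820                # default WireGuard listen port kept in the video

# Constructed placeholder keys; replace with the values from pfSense's
# Generate button and the Android app's refresh icon.
DEMO_CLIENT_PRIVATE = base64.b64encode(bytes(range(0, 32))).decode()
DEMO_SERVER_PUBLIC = base64.b64encode(bytes(range(32, 64))).decode()
DEMO_PRESHARED = base64.b64encode(bytes(range(64, 96))).decode()


def is_valid_wg_key(key: str) -> bool:
    """A WireGuard key (private, public or pre-shared) is 32 bytes of base64,
    which always renders as 44 characters ending in '='. A hand-typed key
    that is one character short or long fails here, before it fails as the
    'TX going out, RX still zero' symptom from the video."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def peer_address_ok(peer_cidr: str, tunnel_cidr: str = TUNNEL_SUBNET) -> bool:
    """Server-side Allowed Subnet/Host for a roaming peer should be one /32
    inside the tunnel subnet and not the .1 the tunnel itself uses."""
    try:
        peer = ipaddress.ip_network(peer_cidr, strict=True)
    except ValueError:
        return False
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    if peer.version != 4 or peer.prefixlen != 32 or not peer.subnet_of(tunnel):
        return False
    return peer.network_address != next(tunnel.hosts())


def render_client_config(client_private, client_cidr, server_public, preshared,
                         endpoint_host=SERVER_ENDPOINT, endpoint_port=LISTEN_PORT,
                         full_tunnel=True, home_subnets=()):
    """Render the Android-side config. full_tunnel=True gives the video's
    '0.0.0.0/0, ::/0' AllowedIPs; False gives a split tunnel that only sends
    the tunnel subnet plus the listed home subnets over WireGuard."""
    for label, key in (("client private", client_private),
                       ("server public", server_public),
                       ("pre-shared", preshared)):
        if not is_valid_wg_key(key):
            raise ValueError(f"{label} key is not a 32-byte base64 WireGuard key")
    if not peer_address_ok(client_cidr):
        raise ValueError(f"{client_cidr} is not a usable /32 inside {TUNNEL_SUBNET}")
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else ", ".join((TUNNEL_SUBNET, *home_subnets))
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_private}",
        f"Address = {client_cidr}",
        "",
        "[Peer]",
        f"PublicKey = {server_public}",
        f"PresharedKey = {preshared}",
        f"Endpoint = {endpoint_host}:{endpoint_port}",
        f"AllowedIPs = {allowed}",
        "",
    ])


def diagnose_peer(tx_bytes, rx_bytes, handshake_age_s):
    """Read one peer's counters the way the video does. handshake_age_s is
    None when the Status page says 'never connected'. Returns (code, hint)."""
    if handshake_age_s is None:
        if tx_bytes > 0 and rx_bytes == 0:
            return ("no-reply", "packets leave but nothing comes back: re-check both public "
                                "keys, the pre-shared key, and the WAN pass rule for UDP 51820")
        return ("idle", "peer has not tried to connect yet")
    if handshake_age_s > 300:
        return ("stale", "last handshake is over five minutes old; pfSense no longer shows it green")
    return ("healthy", "recent handshake with traffic in both directions")


if __name__ == "__main__":
    print(render_client_config(DEMO_CLIENT_PRIVATE, "10.0.0.2/32",
                               DEMO_SERVER_PUBLIC, DEMO_PRESHARED))
    print(diagnose_peer(1234, 0, None)[1])
```

The format check catches the common copy mistakes (a dropped or extra character, a missed trailing "=") but cannot tell whether a well-formed key is the right key; a mismatched pair still shows up only as a peer that sends and never receives, which is what diagnose_peer reports.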
Info
Channel: Script_Tactics
Views: 3,695
Keywords: pfsense, wireugard, vpn, self-hosted, security, firewall, remote access
Id: ralWaBL98pU
Length: 16min 44sec (1004 seconds)
Published: Fri May 26 2023