Timestamps:
0:00 Introduction
1:10 Site-to-Site Routing 101
12:54 WireGuard Configurations
17:25 WireGuard Allowed IPs
22:15 Interface Assignments
24:53 Upstream Gateways and NAT Implications
27:15 Gateways and Static Routes
30:12 Firewall Rules
35:15 Demonstration
43:46 Wrapping things up

Links:
Upcoming Release Notes: docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html
WireGuard Documentation: docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

Discussions:
Facebook: facebook.com/groups/pfsense.official/
Reddit: reddit.com/r/PFSENSE and reddit.com/r/netgate
Forum: forum.netgate.com/
@speedup070605 2 years ago
Thank you for doing this breakdown of WireGuard site to site. Watching your video taught me a lot about WireGuard.
@LAWRENCESYSTEMS 2 years ago
Great video!
@Simon-ps9mx 2 years ago
Surely one of the best networking video tutorials I've watched in a long time. Thank you very much for explaining this so clearly and thoroughly. Including an overview diagram and taking the time to explain not just what to enter on which screen, but WHY, is so often missed in other tutorials. You've clearly thought this through and will help many people with this. Awesome work. Worth watching the full video.
@thomashong7 2 months ago
Absolutely the best video on WireGuard and pfSense! I have re-watched it several times because your teaching of routing, interfaces, firewall rules, WireGuard config, and how it all relates is explained so clearly and thoroughly. Thank you!
@eidodoos 1 year ago
"basic" *me crying in the corner* [edit] Frankly speaking, your explanation is amazing. Very detailed. You surely know how things work. Thanks for sharing. I will watch 100 times more.
@alishersadykov861 2 years ago
Everything is perfect about this video: diagram, concept and speech. Good product and talented people!
@ChristianMcDonald 2 years ago
Thanks!
@ronaldvargo4113 1 month ago
This has provided a great getting started with dealing with CGNAT with 5G and StarLink ISPs. Setting up a cloud-hosted VPS and then creating a site-to-site VPN with WireGuard to bring traffic into my network for hosted services is my goal.
@ko_3x335 10 months ago
Thanks for this video. It helped a lot to understand the basics of WireGuard and to finish my project.
@gorgonbert 2 years ago
Thank you very much 🙏 I noticed that I had misunderstood a few things about how site to site works and you cleared that up.
@Hossimo 2 years ago
Thanks for this, and very timely: just switched out an old USG at my home for an SG 2100 and was switching from IPsec to WireGuard. Absolutely perfect timing and awesome information!
@Hossimo 2 years ago
So very close. I have the tunnel fully working (I can access both ends) but for some reason the Gateway says 100% loss and down, though I'm actually running through it. Logs say something to the effect of "dpinger TUNNEL 10.222.222.0: sendto error: 93", obviously it cannot ping the gateway, even with wide open rules.
@MohammedRadwan-j9u 1 year ago
I have the same issue here and I'm not sure what went wrong :/ @Hossimo
@MT-yo3mg 2 years ago
Awesome video. Great to see the explanation of the basic principles; I can imagine this will help A LOT of people. Keep up the great work!
@ChristianMcDonald 2 years ago
Glad it was helpful!
@zacharyfoster7784 2 years ago
This was the best video I have come across. I was setting up my tunnel the other day using just the documentation and various other sites and you explained it in such a way that I could easily set up all of this again without any of that. Keep it up man!
@mohsinhassan88 2 years ago
Such a good video, very very very clearly explained and in simple terms. Good job; very few people are able to explain with such simplicity.
@K4YG58hi 2 years ago
I was banging my head against a wall trying to make a site-to-site cloud VPS, and this video saved me. Great explanation and excellent breakdown of pitfalls and what would happen if reconfigured. Great video!!!
@briane9729 9 months ago
Fantastic guide, with well-delivered insights into the workings of pfSense and the pitfalls one could encounter. Thank you for all your hard work creating the WireGuard package and this great video!
@sebeqone 1 year ago
Long-time pfSense user; finally decided to check out WireGuard, and thanks to you and this extraordinary tutorial everything is clear.
@aarona9332 2 years ago
Great, great video. A huge amount of information presented clearly and concisely. This should be a template for all tech tutorials. Learned a lot about WireGuard here. Thank you!
@smiletoday8508 2 years ago
I was able to get my site to site working because of your video. I also have a deeper understanding of network traffic.
@mithubopensourcelab482 2 years ago
Excellent video!!! Simple and lucid language. Proper explanation of everything. Kudos. The problem is I can click the LIKE button only once.
@cheooo07 5 months ago
Great video. Thank you. A tip would be that when working with a dynamic internet IP we can use dynamic DNS for the endpoint IP; that way, if our public IP changes, we should be good establishing the tunnel. I've been using Duck DNS and so far so good.
@ersterhernd 1 year ago
This was a terrific tutorial. I now can use both public IPs from my provider, tunneled securely together with pfSense and WireGuard. Thanks very much!
@hawks5196 2 years ago
Amazing video, so so so clear and very well explained. Always struggled with WireGuard and site-to-site VPNs, but this covers the basics and then some. The extra tips and little explanations are super helpful to prevent getting tripped up! Thanks so much, Christian.
@mattwhite532 2 years ago
Thank you so much Christian for the hard work and time you've put into these videos. They've helped me to solve issues that have plagued me for a couple years now. I sincerely appreciate it! I look forward to your upcoming videos, especially the one you teased about the use of FRR and BGP for use with dynamic routing. I've been curious about its use and if it's something that could help streamline things for me.
@Paulctan 1 year ago
Thank you for an excellent video! Really good explanations, and with your video I got my site-to-site WireGuard working!!
@oldanalog_synth9244 2 years ago
Thank you and I wish you a merry Christmas.
@devanbhagat7718 2 years ago
Great video! It would be nice if you could add a chapter describing how to do this with policy-based routing. Thanks.
@satdevlpr 2 years ago
One of the best videos about pfSense with WireGuard.
@Nar1117 2 years ago
Wow man, this is a really well-done tutorial and explanation. Pretty impressive that you can go through that so seamlessly! Thanks!
@dbadovsky 2 years ago
Thanks a lot! Very needful information in such an easy explanation!
@arghyl 1 year ago
This is a great video! I was able to follow and wrap my brain around some concepts I didn't get. Thank you!
@FRANKLEO123 2 years ago
Thank you Chris for this. I’ll be trying this after Christmas.
@ChristianMcDonald 2 years ago
Definitely circle back and let me know how it goes!
@FRANKLEO123 2 years ago
@ChristianMcDonald I tried to set this up yesterday. It seemed like it worked but no traffic will pass. Everything looks exactly like you have it set up. I get the handshake, but can't get to the site 2 LAN for some reason. Firewall rules look right.
@FRANKLEO123 2 years ago
@ChristianMcDonald OK, I got it. The problem was a stupid mistake with the firewall rules on the remote side.
@ks313-g8o 8 months ago
Nice, helped a lot to get my head around this topic!
@darkenaxe 9 months ago
You are a very good teacher! Thank you for this.
@dogbreath7777 1 year ago
Excellent video... finally somebody who explains tunnel routing... gets a like, subscribe, bell and a share!!!
@21Lettere 1 year ago
An IPv6 tutorial would be great, maybe with a method to avoid IPv6 traffic leaking to the WAN interface instead of going into the VPN tunnel.
@wawesh254 1 year ago
Amazing video. Keep up the great work!
@IamKhoramdin 2 years ago
Thank you Chris. This is amazing.
@cloudbase7799 2 years ago
0:27 Irregardless is a fairly common colloquialism _regardless_ of your opinion. 🙉😉
@ChristianMcDonald 2 years ago
Haha, my wife reminded me of the same thing!
@cloudbase7799 2 years ago
@ChristianMcDonald I wasn't expecting a response from you over my trivial comment, but thank you! Thanks for the excellent/clear/accurate content. Subscribed.
@markusschmid4257 12 days ago
Thanks man, perfectly explained!!
@HeineChristensen 2 years ago
This demo/guide is no less than awesome!!! 👍
@sashalexander7750 1 year ago
I would love to see a video with a more complex setup, i.e. failover with two providers while at the same time having a site-to-site WireGuard VPN and a road warrior VPN. Maybe even a hub-and-spoke WireGuard VPN setup with failover to two different ISPs.
@ktube98 2 years ago
Super well done, Christian, thanks! Can you recommend or would you consider another video that covers the roaming laptop endpoint use case?
@xanderthunder69 2 years ago
Thank you sooo much for this amazing tutorial! You are awesome!
@donraymond8933 2 years ago
Thanks Christian, great video and work on WireGuard, much appreciated. You have mentioned it in the past and touched on it in this video, but I was wondering why the Allowed IPs do not become static routes so we wouldn’t have to create an interface, do static routes etc., unless we had more advanced needs (firewall rules, NAT). Would it be possible in pfSense (a static route is created for the tunnel network without creating an interface)? Presumably all traffic for an Allowed IP should be routed there anyway. Just wondering what your thinking is on this topic.
@ChristianMcDonald 2 years ago
The most obvious reason is when you’re using dynamic routing with FRR. In that case you need to define allowed IPs but the routes are managed by FRR. It might be possible to add some additional config options to automatically create static routes if necessary. Once we ship 22.01/2.6 here soon, I will be revisiting a list of to-dos to work on. I will consider this and see if the usability can be improved.
@donraymond8933 2 years ago
@ChristianMcDonald Got it. Thanks for the quick reply. How about a little check box ;-)
@allaboutcomputernetworks 8 months ago
Excellent video..... 👍
@RobertoRubio-ij3ms 1 month ago
Awesome video mate. Thanks heaps.
@jonnyotter1852 2 years ago
This video was very helpful and helped me debug a site-to-site VPN I needed. One problem I still have is that the two sites I have connected have an overlapping subnet. I would like to NAT the overlapping subnet at my main site so that all of the devices are accessible to the remote site. I know how to do this with IPsec with NAT/BINAT settings. How is this accomplished when using a WireGuard tunnel?
@MrXuegui 1 year ago
Thank you for this detailed, informative video. I hope it will help me with keeping my mom's internet/network working (retired in sunnier places). Unfortunately, their ISP assigns private IP addresses, so I am unable to use dynamic DNS and all that to establish remote connections. I am hopeful the pfSense device I am sending to them will initiate that S2S link and allow me to get through their ISP's NAT. I have a DDNS so I am using that for their side to establish the link. Interesting because so many other services can break through ISP NAT (never had a problem with Google Remote Desktop). Kind of wish there was a package/server just for that in pfSense. Initial setup looks good from their device (the WAN of their device is hooked into my LAN). My box though won't show their Gateway as reachable. My guess is my pfSense is sending it out through its WAN (and not back through the LAN, maybe I should try NAT reflection lol) and should not be an issue once my mom's device is connected to the internet and not to my LAN. I don't really want to mess up my network to validate that it will work. Worst case if it doesn't, I look at other means of helping them when the time comes.
@QuantumDrift-u5k 2 years ago
Nice work as always! Really useful guide.
@garyturner8250 2 years ago
Great video, thanks for the effort you put into this.
@enekoanorgairigoyen7874 2 years ago
As usual a great video Christian, thank you. But I am trying to do something else. Connecting from the LAN at Site 1 to the LAN at Site 2 is working for me, but how could I also allow users connecting to Site 1 via WireGuard (they get a different IP from a different range) to connect to the LAN at Site 2? I thought that allowing it in the "WireGuard" firewall rules would be enough, but even though I see traffic going out from the S2S interface I don't see return traffic (when pinging). If you have some ideas please let me know. Thank you and regards!
@ktube98 2 years ago
Thanks! Have a beer with this thank you!
@ChristianMcDonald 2 years ago
🍻 cheers!
@AngryBeardGG 2 years ago
Really good video man, I learned a lot here. Thanks!
@networkfreddy2000 2 years ago
Great video Christian, thanks!
@kbtang88 1 year ago
I want to know if you have a video for WireGuard site-to-multi-site and how to set it up. It would be lovely to have a video for that.
@TechLabUnleashed 1 year ago
What software do you use for your diagrams?
@boomtown7190 1 month ago
Helped me out, thank you.
@richardfearing4751 2 years ago
Very helpful video.
@MegaVorian 4 months ago
That's great! But what if I need to access both networks from outside using a WireGuard client? How should I approach this solution?
@tsaopaulo 1 year ago
Hi Christian, great video. I was able to set up the site-to-site VPN and I created a separate remote access tunnel and both work. But when I connect using remote access I cannot access the remote site subnet through the site-to-site VPN tunnel. Do I need to make an interface for the remote access and set up a gateway? Or create a NAT? It would be great if you could create a video on this. Thanks.
@chrisjchalifoux 2 years ago
Chris, it helped me out a lot.
@andersostlund 11 months ago
Excellent!
@systemofapwne 10 months ago
Wait a minute: Aren't you supposed to add "Site 2"-IPs to the "Site 1 AllowedIPs" in order to make sure, that "When calling an IP in the range of Site2 on Site 1, it goes through the tunnel"? At around 19:00, you add "Site 1 IPs" to the "Allowed IPs" of "Site 1". Never mind: I skipped over your explanation that "white theme = Site 1 & dark theme = Site 2". You did it all correctly and I was just confused/skipped too much.
@benpridmore3610 2 years ago
Thanks for the video, it's been very helpful! One question. I want to do a site-to-multisite config (which is working). Is it possible for remote sites to access each other through their one connection to the main site?
@raycheung1653 2 years ago
Awesome video.
@nodd85 11 months ago
Awesome video. I used this setup for a WireGuard VPN connection from my phone to my home, and my mobile laptop to my home. When I connect to my home via the WireGuard VPN from my laptop, on the interface statistics widget I get around 20-40 "errors out" per minute. I don't get the same result when connecting via WireGuard VPN from my phone; that doesn't give me any "errors out" on the interface statistics widget on the dashboard. The connection works from my laptop, but I'm not sure why I'm getting these errors. Running the VPN for about a half hour gives me 1000 "errors out." Any idea where I can start to try and fix this?
@fhgnius 2 years ago
Amazing video. Thank you very much for your hard work! I would appreciate it if you or someone else in the comments could answer: can I make ALL internet traffic flow from site 2 via site 1 (so that all traffic appears to an outside server to come from site 1)? Thanks in advance.
@RevolverRoss 2 years ago
Thank you for this amazing video. I ran into an interesting issue where I could connect to Site 2 using the transit 10.100.x.x but couldn't connect using Site 2's LAN 10.69.x.x. I am using 2 eth ports, one goes to the pfSense LAN, one goes to the home LAN. I wanted to know if I maybe need to add a route to my Windows 10 routing table so that I can reach Site 2's LAN while both ports are active.
@andresdaza3557 2 years ago
Good content, I mean really good, but why is the data transfer between 2 VIRTUAL pfSenses (site2site), following your description step by step, even slower than IPsec? I was looking for any answer why the data transfer latency does not pass over 7 or 8 mb/s, both HQ internet speeds over 600 mb/s (fiber). Is it because they are virtual devices? Or what does that depend on? Thanks again.
@gmas 1 year ago
Thanks!
@Angelo-ew9cs 15 days ago
I followed along and had all the traffic go through that connection. Is it possible to create an alias so I can state which devices go through and which ones don't?
@softwareengineer9435 2 years ago
Thank you
@Hi5ist 9 months ago
Great video! Still having something wrong... If I test with ping in the pfSense diagnostic tool it works perfectly, but it doesn't work if I ping from my PC. I did research with no success; do you have some clue?
@rv112xy 2 years ago
Can you do a video on how to fix the issue that if running a multi-WAN setup as failover and WAN1 goes down, WireGuard connects via WAN2, but if WAN1 comes up again WireGuard never switches back to WAN1 and stays on WAN2?
@nandurx 1 year ago
Hey, thanks for the video. I see a handshake between the two sites, but I can't ping from my PC to the camera on the other side.
@bardspaun 1 year ago
I have successfully set up the WireGuard S2S tunnel and entered "none" in the field for upstream gateway on both sides, yet the tunnel IP address displays when I connect to the remote site, which indicates there is NAT through the tunnel. What could cause this? What NAT rules should I look for and erase?
@dannythomas7902 2 years ago
Hey mate, I took a break from it as I had massive problems after 1 month on it.
@mithubopensourcelab482 2 years ago
Will this type of networking with WireGuard end the MPLS market???? I am just curious!!
@PedroMorenoBOS 2 years ago
I have seen you always touch the MTU or MSS; is that a rule for WG or is it just specific to your network? Thanks for the video.
@ChristianMcDonald 2 years ago
Not unique to my network. The reason behind this is if you’re passing 1500 byte packets inside the tunnel, once the WireGuard header is attached, it will put that packet over 1500 bytes, which will likely result in fragmentation once it leaves your outer layer for transport to the remote peer. By clamping you ensure that no fragmentation will occur.
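The overhead arithmetic behind that reply, as an added example that is not from the video or the pfSense package: it assumes a 1500-byte outer path MTU, uses the WireGuard transport-message layout (16-byte header, 16-byte Poly1305 tag, plaintext padded to a multiple of 16), and models the padding cap at the tunnel MTU that the Linux kernel implementation applies.

```python
"""Why a full-size LAN packet fragments inside a WireGuard tunnel, and what
MTU/MSS values avoid it. Added example, not code from the video or pfSense."""
import math

# Outer headers that carry the WireGuard UDP datagram across the WAN.
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
# WireGuard transport-data message: type+reserved (4), receiver index (4),
# nonce counter (8), then ChaCha20-Poly1305 ciphertext plus a 16-byte tag.
WG_HEADER = 4 + 4 + 8
WG_TAG = 16
WG_PAD = 16          # plaintext is zero-padded up to a multiple of 16 ...
TCP_HEADER = 20      # ... but never beyond the tunnel interface MTU.


def wg_overhead(outer_ipv6: bool = False) -> int:
    """Fixed bytes wrapped around every inner packet: 60 over IPv4, 80 over IPv6."""
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return outer_ip + UDP_HEADER + WG_HEADER + WG_TAG


def tunnel_mtu(outer_mtu: int = 1500, outer_ipv6: bool = False) -> int:
    """Largest inner packet that still fits the outer MTU after encapsulation
    (1440 for an IPv4 WAN, 1420 for IPv6, hence the common 1420 default)."""
    return outer_mtu - wg_overhead(outer_ipv6)


def on_wire_length(inner_len: int, tun_mtu: int, outer_ipv6: bool = False) -> int:
    """Outer datagram size for an inner packet of inner_len bytes sent through a
    tunnel whose interface MTU is tun_mtu. Padding rounds up to 16 bytes but is
    capped at tun_mtu, as the kernel implementation does."""
    padded = min(math.ceil(inner_len / WG_PAD) * WG_PAD, tun_mtu)
    padded = max(padded, inner_len)  # an oversized packet is never shrunk
    return padded + wg_overhead(outer_ipv6)


def will_fragment(inner_len: int, tun_mtu: int, outer_mtu: int = 1500,
                  outer_ipv6: bool = False) -> bool:
    """True when the encapsulated packet exceeds the outer path MTU."""
    return on_wire_length(inner_len, tun_mtu, outer_ipv6) > outer_mtu


def tcp_mss(tun_mtu: int, inner_ipv6: bool = False) -> int:
    """MSS that keeps a full TCP segment within tun_mtu inside the tunnel."""
    inner_ip = IPV6_HEADER if inner_ipv6 else IPV4_HEADER
    return tun_mtu - inner_ip - TCP_HEADER


if __name__ == "__main__":
    # Unclamped tunnel (MTU left at 1500): a 1500-byte LAN packet becomes 1560
    # bytes on the wire and must be fragmented by the outer IPv4 layer.
    print("1500B packet, tunnel MTU 1500 ->", on_wire_length(1500, 1500),
          "bytes, fragments:", will_fragment(1500, 1500))
    # Clamped tunnel (MTU 1420) fits even when the outer leg is IPv6.
    print("1420B packet, tunnel MTU 1420, IPv6 WAN ->",
          on_wire_length(1420, 1420, outer_ipv6=True), "bytes, fragments:",
          will_fragment(1420, 1420, outer_ipv6=True))
    print("TCP MSS for a 1420 tunnel:", tcp_mss(1420))
```

The pfSense interface MSS field expects the MTU-style figure and subtracts the 40 bytes of IPv4+TCP headers itself, so 1420 goes in that field rather than the 1380 that tcp_mss() returns.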
@PedroMorenoBOS 2 years ago
@ChristianMcDonald Thanks, happy holidays.
@ChristianMcDonald 2 years ago
Likewise sir!
@hjaltioj 2 years ago
Hi, thanks for the great video :) Is it possible to route the internet traffic from Site 2 to go out the WAN on Site 1? Thank you :)
@psinetworks 2 years ago
Awesome video. I have a multi-site setup. It was working fine before switching to the package-based version of WireGuard. Right now I cannot get traffic to pass from one remote site through the central site to another remote site. Any ideas, as I have tried almost every combination of options?
@ChristianMcDonald 2 years ago
So let's assume we have Site A, B, and C. Site A and Site C connect to Site B. If Site A wants to speak to Site C, it has to go through Site B. Site B has one tunnel with two peers: Site A and Site C. The trick is you still require a permissive firewall rule at Site B. It's a bit confusing, but packets coming from Site A to Site B are going to be evaluated by pf even though the packets are going to enter and leave via the same virtual interface (tun_wgX interface). This is most likely a firewall issue.
@psinetworks 2 years ago
@ChristianMcDonald OK, but I have an allow-all rule for both the WireGuard and the WG0 interfaces. From Site B I can ping any host at Site A or C. Does it not have anything to do with the allowed IPs?
@psinetworks 2 years ago
So eventually got it to work with some additional static routes and allowed IPs at each location. All good now, thanks!
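A model of how AllowedIPs (WireGuard's cryptokey routing) decide the hub-and-spoke case in the thread above, as an added example that is neither the video's nor pfSense's code: the site addresses, the WireGuardPeerTable class and the A-to-C trace are constructed for illustration, and the trace shows where a packet is dropped when a spoke's or the hub's AllowedIPs omit a LAN, which is what the extra allowed IPs in the last reply fixed.

```python
"""AllowedIPs (cryptokey routing) check for the hub-and-spoke layout:
Site A and Site C each peer only with the hub, Site B. Added example with
constructed addresses; not pfSense or WireGuard project code."""
import ipaddress

# Constructed topology: a /24 transit on the tunnel plus one LAN per site.
SITES = {
    "A": {"tunnel": "10.200.0.1/32", "lan": "192.168.10.0/24"},
    "B": {"tunnel": "10.200.0.2/32", "lan": "192.168.20.0/24"},
    "C": {"tunnel": "10.200.0.3/32", "lan": "192.168.30.0/24"},
}
TRANSIT = "10.200.0.0/24"


class WireGuardPeerTable:
    """One tunnel's peers and their AllowedIPs, applied the way WireGuard does:
    longest-prefix match chooses the peer for an outbound packet, and an
    inbound decrypted packet is dropped unless its source address lies in the
    AllowedIPs of the peer it arrived from."""

    def __init__(self):
        self.peers = {}  # peer name -> list of ip_network

    def add_peer(self, name, allowed_ips):
        self.peers[name] = [ipaddress.ip_network(n) for n in allowed_ips]

    def peer_for(self, dst):
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def accepts_from(self, peer, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(peer, []))


def build_site_tables():
    """Working configuration: each spoke sends the hub's LAN and the other
    spoke's LAN to peer B; the hub lists each spoke's tunnel address and LAN."""
    tables = {}
    for spoke, other in (("A", "C"), ("C", "A")):
        t = WireGuardPeerTable()
        t.add_peer("B", [TRANSIT, SITES["B"]["lan"], SITES[other]["lan"]])
        tables[spoke] = t
    hub = WireGuardPeerTable()
    for spoke in ("A", "C"):
        hub.add_peer(spoke, [SITES[spoke]["tunnel"], SITES[spoke]["lan"]])
    tables["B"] = hub
    return tables


def trace_a_to_c(tables, src="192.168.10.5", dst="192.168.30.7"):
    """Hops a packet from A's LAN to C's LAN takes, or where WireGuard drops it.
    At the hub the packet leaves via the same tunnel interface it entered on,
    so B's firewall rules on that interface are evaluated as well."""
    hops = []
    if tables["A"].peer_for(dst) != "B":
        return hops + ["dropped at A: no AllowedIPs route"]
    hops.append("A->B")
    if not tables["B"].accepts_from("A", src):
        return hops + ["dropped at B: source not in peer A AllowedIPs"]
    nxt = tables["B"].peer_for(dst)
    if nxt is None:
        return hops + ["dropped at B: no AllowedIPs route"]
    hops.append(f"B->{nxt}")
    if not tables[nxt].accepts_from("B", src):
        return hops + [f"dropped at {nxt}: source not in peer B AllowedIPs"]
    return hops + ["delivered"]
```

Run `trace_a_to_c(build_site_tables())` for the working case; re-adding peer C at the hub with only its /32 tunnel address reproduces the "dropped at B" failure.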
@rajilsaraswat9763 2 years ago
Thanks a lot for this video. I am using FRR/BGP for site-to-site VPN. The pfSense routing table is correctly being populated by FRR. However, I don't know how to get FRR to populate routes in the crypto routing table (at the moment I am populating the allowed IPs manually, hence defeating the purpose of FRR). Any hints?
@ChristianMcDonald 2 years ago
Simply allow all IPv4 (0.0.0.0/0) and all IPv6 (::/0).
@olexandrmikhailov1500 2 years ago
Hey Christian. I have a question. I set up the WireGuard tunnel between two pfSense sites. I further would like to have a client on the remote pfSense connect through the tunnel to the main pfSense and use the main pfSense WAN. How do I need to route this? Best regards.
@urzu181 2 years ago
OK so I have three sites all behind NAT and routing through a cloud VPS. Everything works fine except if I need to halt or reboot the firewall: the WireGuard gateway gets disabled automatically for some reason and upon next login I have to manually enable it. The weird thing is that the WireGuard service doesn't start until the gateway is enabled, even having it added to Service Watchdog. Any ideas?
@alexsinbb 2 years ago
Any reason why "only unassigned tunnels" seems to do nothing? My sole VPN tunnel is an assigned interface but it's still being managed by the "WireGuard" firewall rules...
@alexsinbb 2 years ago
I fixed it by setting back to all tunnels and then back to only unassigned tunnels... a little buggy but now works!
@scoreseb 2 years ago
Hi, I have a question. I try to connect a client with WireGuard VPN. I created a link between site A and site B by creating a tunnel between A & B; they seem to communicate with each other. I would like to connect the client into site A with VPN and Active Directory to join site B. I created a new peer on the same tunnel; when I connect, the hand is red and the customer no longer has any connection. Would you have some idea?
@skorpion1298 2 years ago
Question: for example on one of my pfSense boxes I have a router on WAN that is 192.168.1.1 and on LAN I also have 192.168.1.1. Would this be a problem?
@markvos2565 2 years ago
Is it possible to set this up with just a WAN interface only, behind another firewall? Basically using pfSense as a WireGuard appliance? I have it successfully working from PCs / iPhones to pfSense, but this site-to-site tutorial I have been unsuccessful in getting working. Port forwarding is enabled on the UDM Pro on both networks, everything is set up correctly, but it seems to want a LAN and a WAN interface.
@garyturner8250 2 years ago
This can be achieved. If you deploy pfSense with a single interface the WAN also becomes the LAN and in this mode you effectively use pfSense as a VPN termination point.
@bhagyalakshmi1053 1 year ago
Roinding tyblu files writing work?
@aborsik 2 years ago
In my setup (up-to-date OPNsense os-wireguard 1.9 and up-to-date Windows WireGuard 0.5.3 peer) everything works well, but I have a strange short timeout (like no connection) for about 15 seconds each time very close to the handshake, which is every ~2 minutes. Each time after the handshake the connection resumes. Is there any setting that I can try to edit to resolve this problem? I set keepalive to 15s but it seems to have no effect.
@kbtang88 2 years ago
How do you route to a VLAN with site to site?
@mohamedmalwa1607 2 years ago
Thanks, kindly what is the name of the app for network design?
@ChristianMcDonald 2 years ago
www.diagrams.net/
@godelrt 2 years ago
If I assign WireGuard to an interface, do I now need to add firewall rules in this interface to allow traffic?
@ipstacks11 2 years ago
Starting at around 30:25 in the video, the answer is yes, you do. Also be aware of the WireGuard group that can also have rules that are processed before the interface-level rules. This is based on a scenario of static routing. You said "If I assign WireGuard to an interface"; I take that to mean, if I assign a WireGuard interface to a pfSense interface...
@phiwatec2576 2 years ago
Please do the same video with IPv6 😊
@sgtlionelfrey 2 years ago
I’m currently using the WireGuard network in /32 for both allowed IPs and interfaces in order to connect 5 sites all together. For a 2-site VPN you can also use /32, but is there any reason for using /31 instead?
@JuanManuelMedinaPalominos 2 years ago
/31 is used for point-to-point networks; there is no broadcast or network address. It is used to make the best use of IP space when only 2 hosts are needed.
@asa88asa88 2 years ago
Hi. Thank you for the video. I have a question. I have a VPS with a /24 subnet; the subnet is all public IPs. I want to use those public IPs on my home infrastructure, like assigning them to my servers. What is the best solution to make it possible to use all those public IPs on my VPS on my servers? Thank you.
@ChristianMcDonald 2 years ago
If your VPS is running pfSense too, you could run WireGuard between the VPS site and home and use FRR with OSPF to route your /24 subnet to your home.
@asa88asa88 2 years ago
@ChristianMcDonald Thank you for the fast answer. Wish you a wonderful day.
@gogomumin64 2 years ago
26:45 copacetic
@TheK0tYaRa 2 months ago
God dammit man, I always forget AllowedIPs
@mithubopensourcelab482 2 years ago
pfSense is far, far better than Sophos and other commercial firewalls, except for VoIP traffic.
@ChristianMcDonald 2 years ago
What issues have you had with VoIP/SIP?
@KAEvans91 2 years ago
@ChristianMcDonald IIRC it's generally that WireGuard doesn't (and probably will not) carry DSCP from the underlying packet header.
@thegorn 2 years ago
OVPN is better than WG because the former can use QoS within the tunnel and also can be pinned to a particular WAN interface. WG is lame and for VPN babies / noobs.