How to Set Up WireGuard on pfSense

  • Post author:Frank Joseph
  • Post published:April 15, 2025
  • Post last modified:May 20, 2026
  • Post category:pfSense
  • Reading time:11 mins read

WireGuard is my favorite VPN protocol to use on pfSense. It is fast, lightweight, reliable, and a lot easier to live with once it is configured properly. The setup process is a little more involved on pfSense than it is on some other platforms, but once it is working, it has been extremely stable for me.

I’ve used WireGuard for years across pfSense, Raspberry Pi, UniFi, and other Linux-based systems, and pfSense is still one of the best places to run it if you want the VPN handled directly by your firewall. That gives you more control over firewall rules, routing, VLAN access, split tunneling, full tunneling, and which clients can access which networks.

That said, this is not the simplest WireGuard setup. If you want the easiest possible VPN, something like UniFi Teleport, Tailscale, or PiVPN may be easier. If you already run pfSense and want a fast remote-access VPN that you fully control, WireGuard is absolutely worth setting up.

In this guide, we’ll install WireGuard on pfSense, create the tunnel, assign the interface, configure firewall rules, add a client peer, and then set up split tunnel or full tunnel access.

When I Would Use WireGuard on pfSense

I would use WireGuard on pfSense if pfSense is your main firewall and you want remote access directly into your network. This is usually cleaner than running WireGuard on a separate Raspberry Pi or server because the firewall already controls your routing and firewall rules.

This setup makes sense if you want to:

  • Access your home or business network remotely.
  • Connect to a NAS, Proxmox server, Home Assistant, Blue Iris, UniFi controller, or internal web interface.
  • Create separate VPN profiles for phones, laptops, tablets, or remote devices.
  • Control exactly which VLANs or subnets VPN clients can access.
  • Avoid exposing internal services directly with port forwarding.

I would not use this setup if you are not comfortable managing pfSense firewall rules. WireGuard itself is simple, but the pfSense side requires tunnel configuration, interface assignment, WAN rules, WireGuard interface rules, and client peer settings.

Install the WireGuard Package on pfSense

The first step is installing the WireGuard package in pfSense.

  1. Open System > Package Manager.
  2. Select Available Packages.
  3. Search for WireGuard.
  4. Install the latest WireGuard package.

Install the WireGuard package from the pfSense Package Manager.

After the package is installed, you should see WireGuard under the VPN menu.

Create the WireGuard Tunnel

Next, create the WireGuard tunnel. This is the server-side WireGuard configuration on pfSense.

  1. Go to VPN > WireGuard.
  2. Open the Tunnels tab.
  3. Select Add Tunnel.
  4. Set the description to something like WireGuard VPN.
  5. Set the listen port to 51820.
  6. Generate the private and public keys.
  7. Copy the public key because you’ll need it for the client configuration.
  8. Save the tunnel.

Create the WireGuard tunnel, set the listen port, and generate the keys.

After the tunnel is created, go to the WireGuard settings and make sure WireGuard is enabled.

I usually keep the default port of 51820/UDP unless there is a specific reason to change it. The important thing is that the port you configure here must match the WAN firewall rule and the client endpoint later.

Assign the WireGuard Interface

After the tunnel is created, assign it as a pfSense interface. This makes it much easier to create firewall rules and manage WireGuard traffic cleanly.

  1. Go to Interfaces > Assignments.
  2. Add the WireGuard tunnel interface, usually listed as tun_wg0.
  3. Open the new interface.
  4. Enable it.
  5. Give it a description like WG_VPN.
  6. Set IPv4 Configuration Type to Static IPv4.
  7. Set the interface IP to something like 10.200.0.1/24.
  8. Save and apply the changes.

Add the WireGuard tunnel as an interface in pfSense, then enable the interface and assign it a static IPv4 address.

You can use a different subnet if you want, but make sure it does not overlap with any of your existing LAN, VLAN, VPN, or site-to-site networks. Overlapping subnets are one of the easiest ways to make VPN routing confusing.

Create the pfSense Firewall Rules

There are two firewall rule areas that matter for WireGuard on pfSense:

  • WAN: allows external clients to reach the WireGuard service.
  • WG_VPN: controls what connected WireGuard clients can access.

WAN Rule for WireGuard

On the WAN interface, create a rule allowing UDP traffic to the WireGuard listen port.

  • Interface: WAN
  • Protocol: UDP
  • Destination: WAN address
  • Destination port: 51820

Create a WAN rule allowing UDP 51820 to the pfSense WAN address.

WireGuard Interface Rule

On the WireGuard interface, create a rule that allows the VPN clients to access what they need. For basic testing, you can allow all traffic from the WireGuard interface, but long-term, I would tighten this down based on your network.

For example, you might allow WireGuard clients to access your LAN, but block access to an IoT VLAN or camera VLAN. That’s one of the reasons I like running WireGuard directly on pfSense — the firewall rules are right where they should be.

The important thing to remember is that pfSense firewall rules are applied on the interface where traffic enters pfSense. WireGuard client traffic enters through the WireGuard interface, so the access rules belong there.

Create the WireGuard Client Peer

WireGuard works with peers. In this setup, pfSense is the server, and each phone, laptop, or remote device is a peer.

I recommend creating one peer per device. Do not reuse the same WireGuard configuration across multiple devices if you can avoid it. Separate peers make it easier to revoke access for one device later without affecting everything else.

Create the Client Keys

On the client device, create a new WireGuard tunnel and generate the public/private key pair. You can do this in the WireGuard app on Android, iOS, Windows, macOS, or Linux.

Assign the client an address from your WireGuard subnet. For example:

10.200.0.5/24

Create a WireGuard tunnel on the client device and generate the client keys.

Copy the client public key. You will add that public key to pfSense in the next step.

Add the Peer in pfSense

On pfSense, go to VPN > WireGuard > Peers and add a new peer.

  • Select the WireGuard tunnel you created earlier.
  • Add a description for the device.
  • Paste in the client public key.
  • Set the Allowed IPs to the client’s WireGuard IP using /32.

For example, if the client IP is 10.200.0.5, the pfSense peer Allowed IP should be:

10.200.0.5/32

Add a peer in pfSense for each client device. On pfSense, the peer Allowed IP should normally be the individual client IP with /32.

This part is important: the Allowed IPs value on pfSense is not the same thing as the AllowedIPs value on the client. On pfSense, you are telling pfSense which WireGuard IP belongs to that specific peer. On the client, AllowedIPs controls what traffic the client sends through the tunnel.

Use a Pre-Shared Key

WireGuard already authenticates peers with public/private keys, but pfSense also lets you generate a pre-shared key for the peer. I usually use one because it adds an additional shared secret to the handshake on top of the key pair.

Generate a pre-shared key in the pfSense peer settings, then copy that same key into the client configuration.

A pre-shared key is optional, but I generally use one for WireGuard peers.

Do not share the private key or pre-shared key. The public key can be copied between devices, but the private key and pre-shared key should be treated as secrets.

Configure the WireGuard Client

On the client device, the WireGuard configuration needs a few important values:

  • Private Key: generated on the client device.
  • Address: the client WireGuard IP, such as 10.200.0.5/24.
  • DNS: your internal DNS server, Pi-hole, pfSense, or a public DNS server.
  • Peer Public Key: the public key from the pfSense WireGuard tunnel.
  • Pre-shared Key: optional, but recommended if you generated one.
  • Endpoint: your public IP or DDNS hostname with port 51820.
  • AllowedIPs: split tunnel or full tunnel routing.

The endpoint should look like this:

YOUR_PUBLIC_IP_OR_DDNS_HOSTNAME:51820

If your public IP changes, use DDNS. You can use my DuckDNS on pfSense guide or Cloudflare DDNS on pfSense guide.

The client needs the pfSense public key, optional pre-shared key, endpoint, and AllowedIPs configuration.

Split Tunnel vs Full Tunnel WireGuard

This is the part I would think through before connecting every device. WireGuard can work as either a split tunnel or full tunnel VPN, and the better option depends on what you want the VPN to do.

A split tunnel VPN only routes selected traffic through the VPN, while a full tunnel VPN routes everything through it.

Split Tunnel WireGuard Configuration

For most home lab remote access, I would start with a split tunnel. This lets you access your internal networks without forcing all internet traffic through your home connection.

On the client, AllowedIPs should include the WireGuard subnet and any internal subnet you want to access. For example:

AllowedIPs = 10.200.0.0/24, 192.168.1.0/24

If you have multiple VLANs, add only the ones the client should access:

AllowedIPs = 10.200.0.0/24, 192.168.1.0/24, 192.168.20.0/24

Then use pfSense firewall rules on the WireGuard interface to control what the client can actually reach.

Full Tunnel WireGuard Configuration

A full tunnel sends all client traffic through the VPN. This is useful when you are on public Wi-Fi or an untrusted network and want all traffic routed through your home or business network.

On the client, AllowedIPs should be:

AllowedIPs = 0.0.0.0/0

If you use IPv6, you may also see:

AllowedIPs = 0.0.0.0/0, ::/0

Full tunnel is useful, but it can be slower because all traffic depends on the client connection, your pfSense connection, and your home/business upload speed.

For a more detailed breakdown, read my split tunnel vs full tunnel VPN guide.
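To tie the subnet-overlap rule, the pfSense /32 Allowed IPs versus client AllowedIPs distinction, and the split/full tunnel choice together, here is an added Python helper (my example, not code from the guide or from pfSense) that checks those values and renders the client profile. The subnet, LAN/VLAN networks, hostname vpn.example.com and angle-bracket keys are constructed placeholders; real keys come from the WireGuard app or pfSense.

```python
import ipaddress

# Constructed sample values that mirror the guide: WireGuard subnet 10.200.0.0/24,
# client 10.200.0.5, LAN 192.168.1.0/24 and a 192.168.20.0/24 VLAN.
WG_SUBNET = "10.200.0.0/24"
EXISTING_NETWORKS = ["192.168.1.0/24", "192.168.20.0/24"]
LISTEN_PORT = 51820  # tunnel listen port; WAN rule and client endpoint must match


def overlapping_networks(wg_subnet, existing):
    """Return every existing LAN/VLAN/VPN network that overlaps the WireGuard subnet."""
    wg = ipaddress.ip_network(wg_subnet, strict=True)
    return [n for n in existing if ipaddress.ip_network(n).overlaps(wg)]


def pfsense_peer_allowed_ips(client_address):
    """pfSense side: Allowed IPs identifies the peer, so it is the client IP as /32."""
    return f"{ipaddress.ip_interface(client_address).ip}/32"


def client_allowed_ips(wg_subnet, internal_subnets, full_tunnel=False, ipv6=False):
    """Client side: AllowedIPs decides what the client routes into the tunnel."""
    if full_tunnel:
        return "0.0.0.0/0, ::/0" if ipv6 else "0.0.0.0/0"
    return ", ".join([wg_subnet, *internal_subnets])


def build_client_config(client_private_key, client_address, dns, server_public_key,
                        endpoint, allowed_ips, preshared_key=None):
    """Render the client profile; refuse an endpoint port that differs from the listen port."""
    if int(endpoint.rsplit(":", 1)[1]) != LISTEN_PORT:
        raise ValueError("endpoint port does not match the pfSense listen port")
    lines = ["[Interface]", f"PrivateKey = {client_private_key}",
             f"Address = {client_address}", f"DNS = {dns}", "",
             "[Peer]", f"PublicKey = {server_public_key}"]
    if preshared_key:
        lines.append(f"PresharedKey = {preshared_key}")
    lines += [f"AllowedIPs = {allowed_ips}", f"Endpoint = {endpoint}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Overlap check from the interface step: an empty list means the subnet is safe to use.
    assert not overlapping_networks(WG_SUBNET, EXISTING_NETWORKS)
    print("pfSense peer Allowed IPs:", pfsense_peer_allowed_ips("10.200.0.5/24"))
    # Placeholder keys and hostname: substitute your own generated keys and DDNS name.
    print(build_client_config("<CLIENT_PRIVATE_KEY>", "10.200.0.5/24", "192.168.1.1",
                              "<PFSENSE_TUNNEL_PUBLIC_KEY>", "vpn.example.com:51820",
                              client_allowed_ips(WG_SUBNET, ["192.168.1.0/24"]),
                              preshared_key="<PRESHARED_KEY>"))
```

Pass `full_tunnel=True` to `client_allowed_ips` to render the full tunnel profile instead of the split tunnel one.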

Connect and Test WireGuard

After the tunnel, interface, firewall rules, peer, and client config are done, connect from an external network. Do not test only from inside your LAN and assume it works.

Use cellular data or another external network, connect the WireGuard client, then check the WireGuard status in pfSense under Status > WireGuard. If everything is working, you should see a recent handshake.

A recent handshake in pfSense means the WireGuard client successfully connected.

After connecting, test a few things:

  • Can you access pfSense over the VPN?
  • Can you access your NAS, Proxmox server, Home Assistant, or other internal services?
  • If you configured split tunnel, does normal internet traffic still use the local connection?
  • If you configured full tunnel, does your public IP change to your home/business network?
  • Can you resolve internal hostnames?

If the VPN connects but you cannot access anything internally, I would check firewall rules first, then AllowedIPs, DNS, and whether the client is actually using the route you expect.

Troubleshooting WireGuard on pfSense

If WireGuard stops responding or something looks wrong, you can restart the service from Status > Services. Restarting WireGuard is not something you should need to do regularly, but it can help after configuration changes or troubleshooting.

The most common issues I see are:

  • No handshake: check the WAN rule, endpoint, public IP/DDNS hostname, UDP port, and client keys.
  • Handshake works but no LAN access: check the WireGuard interface firewall rules and client AllowedIPs.
  • Split tunnel does not route correctly: check the client AllowedIPs list.
  • Hostnames do not resolve: check the DNS server in the client configuration.
  • Full tunnel connects but internet does not work: check outbound NAT and DNS.

What I Would Avoid

There are a few mistakes I would avoid when setting up WireGuard on pfSense:

  • Do not reuse the same peer on multiple devices. Create one peer per client so you can revoke devices cleanly.
  • Do not forget the WAN rule. WireGuard needs UDP traffic allowed to the pfSense WAN address.
  • Do not confuse pfSense Allowed IPs with client AllowedIPs. On pfSense, it identifies the peer. On the client, it controls routing.
  • Do not start with overly complicated firewall rules. Get it working first, then tighten access down.
  • Do not skip DDNS if your public IP changes. A dynamic IP can break your client profiles later.
  • Do not test only from inside your own network. Test from cellular or another external network.
  • Do not assume full tunnel is always better. Split tunnel is usually better for normal remote access.

The best WireGuard setups are usually simple in the right places: one peer per device, a dedicated WireGuard interface, clear firewall rules, a stable DDNS hostname if needed, and a deliberate split tunnel or full tunnel decision.

Final Thoughts

WireGuard on pfSense takes more steps than setting it up on something like a Raspberry Pi, but it is also one of the cleanest ways to run a remote-access VPN if pfSense is already your firewall.

For most people, I would start with a split tunnel configuration. It gives you access to internal resources without forcing every website and app through your home connection. If you travel often or use public Wi-Fi, create a full tunnel profile too.

The main things that matter are the WireGuard tunnel, assigned interface, WAN rule, WireGuard interface rules, one peer per device, correct AllowedIPs, and a real external test. Once those are right, WireGuard on pfSense is fast, reliable, and one of the best VPN setups you can run.

Frank Joseph

I'm Frank, founder of WunderTech. I've been working in enterprise IT for 15+ years and running home labs for nearly a decade — every tutorial on this site is tested on hardware I actually own, including Synology NAS units, a DIY TrueNAS server, a Proxmox cluster, a full UniFi network, and more. I hold a BS in Computer Information Systems and an MBA, but most of what you'll read here comes from my home lab, not a classroom. You can also find video versions of these tutorials on my YouTube channel.