Guide: Setting Up WireGuard Site-to-Site VPN Between Two pfSense Devices

Introduction

WireGuard is a modern, high-performance VPN protocol known for its small code base, fixed cryptographic suite and speed. In this guide, we walk through configuring a routed site-to-site VPN with WireGuard between two pfSense firewalls, so that hosts on each site's LAN can reach the other site's LAN through an encrypted tunnel.

Prerequisites

  1. Two pfSense firewalls running pfSense CE 2.5.2 or later, or pfSense Plus 21.05 or later (the WireGuard add-on package is not offered for earlier releases).
  2. WireGuard package installed on both pfSense devices (Step 1).
  3. Administrative access to both pfSense devices.
  4. Basic knowledge of IP networking and of the pfSense web interface.
  5. An addressing plan with no overlaps. This guide uses 10.0.0.0/24 for Site A's LAN, 10.0.1.0/24 for Site B's LAN, and the dedicated transit subnet 10.255.0.0/30 for the tunnel itself (10.255.0.1 on pfSense A, 10.255.0.2 on pfSense B). The tunnel subnet must not be a LAN subnet.

Step 1: Install WireGuard Package on pfSense

On Both pfSense Devices

  1. Log in to the pfSense web interface.
  2. Go to System > Package Manager > Available Packages.
  3. In the search box, type WireGuard.
  4. Click Install next to the WireGuard package.
  5. Wait for the installation to complete, then navigate to VPN > WireGuard to confirm the installation was successful.

Step 2: Configure WireGuard on Site 1 (pfSense A)

1. Generate Key Pairs

  1. Go to VPN > WireGuard on pfSense A.
  2. Under the Tunnels tab, click + Add Tunnel.
  3. In the Interface Keys section, click Generate to create a new public/private key pair for pfSense A.
  4. Copy the public key; it is what you will paste into the peer entry on pfSense B. The private key stays on pfSense A in the tunnel configuration: never paste it into the other firewall, a ticket or a chat.

2. Set Up the Tunnel

  1. Name: Enter a name for the WireGuard tunnel, e.g., WG-Site1.
  2. Private Key: Auto-populated after generating the key pair; the Public Key shown beside it is the value pfSense B needs.
  3. Listen Port: Enter a UDP port, e.g., 51820. Inbound UDP to this port on the WAN must be allowed by a firewall rule (Step 4); without it the remote peer's handshake packets are dropped and the tunnel never comes up.
  4. Tunnel Address: Assign this firewall's address in a small transit subnet that is used only for the tunnel and overlaps neither LAN, e.g., 10.255.0.1/30 on pfSense A (pfSense B gets 10.255.0.2/30). Do not reuse a LAN subnet here; a tunnel address inside a LAN range makes the two routes compete.
  5. Peers: Add the peer (pfSense B) by clicking the + Add Peer button.

3. Configure the Peer (pfSense B)

  1. Public Key: Paste the public key generated on pfSense B (Step 3). Only public keys are ever exchanged between the sites.
  2. Endpoint: Enter the WAN IP address or DNS name of pfSense B. Leave it blank if pfSense B sits behind NAT without a port forward; pfSense B then always initiates the handshake and must use a persistent keepalive (Step 6). At least one of the two sides needs a reachable endpoint.
  3. Endpoint Port: Enter the port pfSense B listens on (e.g., 51820).
  4. Allowed IPs: Enter pfSense B's tunnel address and the remote LAN, e.g., 10.255.0.2/32 and 10.0.1.0/24. Allowed IPs is both the list of destinations routed to this peer and the set of source addresses accepted from it, so never enter 0.0.0.0/0 and never include your own LAN: a packet arriving from the peer with a source outside this list is silently dropped, and a list that is too wide lets the peer inject traffic with spoofed source addresses.
  5. Pre-shared Key (optional): Click Generate and record the value for the matching peer entry on pfSense B. It mixes an additional symmetric secret into the handshake on top of the Curve25519 key exchange; both sides must hold the same value.

4. Enable the Tunnel

  • Check the Enabled box to activate the tunnel.
  • Click Save and then Apply Changes.

Step 3: Configure WireGuard on Site 2 (pfSense B)

Follow the same steps as pfSense A, with a few differences as noted below.

1. Generate Key Pairs on pfSense B

  1. Go to VPN > WireGuard on pfSense B.
  2. Under the Tunnels tab, click + Add Tunnel.
  3. Generate a public/private key pair for pfSense B and save them securely.

2. Set Up the Tunnel for pfSense B

  • Name: Enter WG-Site2.
  • Private Key: Auto-populated after generating pfSense B's key pair; the Public Key displayed next to it is the value pasted into pfSense A's peer entry.
  • Listen Port: Enter the listening port (e.g., 51820).
  • Tunnel Address: Assign the other address in the transit subnet, 10.255.0.2/30.

3. Configure the Peer (pfSense A)

  1. Public Key: Paste the public key generated on pfSense A.
  2. Endpoint: Enter the WAN IP address (or DNS name) of pfSense A.
  3. Endpoint Port: Use the same port (e.g., 51820).
  4. Allowed IPs: Enter pfSense A's tunnel address and LAN, e.g., 10.255.0.1/32 and 10.0.0.0/24 (never pfSense B's own LAN, never 0.0.0.0/0).
  5. Pre-shared Key: If one was generated on pfSense A's peer entry, paste the same value here.

4. Enable the Tunnel

  • Enable the tunnel by checking the Enabled box.
  • Click Save and then Apply Changes.
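The two peer entries from Steps 2 and 3 must mirror each other exactly, and the mistakes that break a site-to-site tunnel (a private key pasted where a public key belongs, a tunnel subnet overlapping a LAN, a catch-all Allowed IPs) are easy to make in a GUI. The following script is an added example, not code from this guide or from the pfSense project: it models each site with the fields the GUI asks for and checks the invariants that cryptokey routing depends on before you click Apply. The key strings are constructed placeholders of the right shape, not real WireGuard keys, and the endpoint addresses are documentation prefixes.

```python
"""Consistency check for the two WireGuard peer entries in Steps 2 and 3.

Added example, not code from this guide or from the pfSense project. Each site is
described by the fields the pfSense GUI asks for (public key, tunnel address,
listen port, LAN) plus its single peer entry. Key strings are constructed
placeholders, not real WireGuard keys.
"""
import ipaddress
from typing import Dict, List


def _net(s: str):
    """'10.0.1.0/24' or a bare host address -> network (host bits are cleared)."""
    return ipaddress.ip_network(s, strict=False)


def check_site_pair(a: Dict, b: Dict) -> List[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    problems: List[str] = []
    for local, remote in ((a, b), (b, a)):
        peer, ln, rn = local["peer"], local["name"], remote["name"]

        # 1. Identity: a peer entry holds the *remote* side's public key.
        if peer["public_key"] != remote["public_key"]:
            problems.append(f"{ln}: peer public key is not {rn}'s public key")

        # 2. Endpoint port must be the port the remote side actually listens on.
        if peer["endpoint"] is not None:
            port = int(peer["endpoint"].rsplit(":", 1)[1])
            if port != remote["listen_port"]:
                problems.append(f"{ln}: endpoint port {port} != {rn} listen port {remote['listen_port']}")

        # 3. Tunnel addresses: one transit subnet, distinct hosts, no overlap with any LAN.
        lt = ipaddress.ip_interface(local["tunnel_address"])
        rt = ipaddress.ip_interface(remote["tunnel_address"])
        if lt.network != rt.network:
            problems.append(f"{ln}: tunnel {lt} and {rt} are not in one subnet")
        if lt.ip == rt.ip:
            problems.append(f"{ln}: tunnel address {lt.ip} is also used on {rn}")
        for site in (local, remote):
            if lt.network.overlaps(_net(site["lan"])):
                problems.append(f"{ln}: tunnel subnet {lt.network} overlaps {site['name']} LAN {site['lan']}")

        # 4. Allowed IPs is the egress route table *and* the ingress source filter for
        #    this peer: it must cover the remote tunnel address and the remote LAN ...
        allowed = [_net(x) for x in peer["allowed_ips"]]
        for want, label in ((_net(str(rt.ip)), f"{rn} tunnel address"),
                            (_net(remote["lan"]), f"{rn} LAN")):
            if not any(want.subnet_of(al) for al in allowed):
                problems.append(f"{ln}: AllowedIPs does not cover {label} {want}")
        #    ... and must not cover anything local, or the peer could inject packets
        #    carrying spoofed local source addresses through the tunnel.
        for local_net, label in ((_net(local["lan"]), "local LAN"),
                                 (_net(str(lt.ip)), "local tunnel address")):
            if any(local_net.overlaps(al) for al in allowed):
                problems.append(f"{ln}: AllowedIPs covers the {label} {local_net}; restrict it")

    # 5. Reachability: somebody must be able to initiate, and a side the other cannot
    #    reach (no Endpoint configured for it, e.g. behind NAT) must keep the NAT
    #    mapping open with a persistent keepalive.
    if a["peer"]["endpoint"] is None and b["peer"]["endpoint"] is None:
        problems.append("neither side has an Endpoint; nobody can initiate the handshake")
    for local, remote in ((a, b), (b, a)):
        if remote["peer"]["endpoint"] is None and not local["peer"]["keepalive"]:
            problems.append(f"{local['name']}: {remote['name']} has no Endpoint for it, "
                            f"so {local['name']} needs a persistent keepalive")
    return problems


# Constructed sample that follows this guide's addressing plan (placeholder keys).
SITE_A = {
    "name": "pfSense A", "public_key": "A_PUBLIC_KEY_PLACEHOLDER=",
    "tunnel_address": "10.255.0.1/30", "listen_port": 51820, "lan": "10.0.0.0/24",
    "peer": {"public_key": "B_PUBLIC_KEY_PLACEHOLDER=", "endpoint": "203.0.113.2:51820",
             "allowed_ips": ["10.255.0.2/32", "10.0.1.0/24"], "keepalive": 25},
}
SITE_B = {
    "name": "pfSense B", "public_key": "B_PUBLIC_KEY_PLACEHOLDER=",
    "tunnel_address": "10.255.0.2/30", "listen_port": 51820, "lan": "10.0.1.0/24",
    "peer": {"public_key": "A_PUBLIC_KEY_PLACEHOLDER=", "endpoint": "198.51.100.1:51820",
             "allowed_ips": ["10.255.0.1/32", "10.0.0.0/24"], "keepalive": 25},
}

# The same pair with two classic mistakes: the tunnel placed inside Site A's LAN
# subnet, and a catch-all Allowed IPs on pfSense B.
BAD_A = {**SITE_A, "tunnel_address": "10.0.0.1/24",
         "peer": {**SITE_A["peer"], "allowed_ips": ["10.0.0.2/32", "10.0.1.0/24"]}}
BAD_B = {**SITE_B, "tunnel_address": "10.0.0.2/24",
         "peer": {**SITE_B["peer"], "allowed_ips": ["0.0.0.0/0"]}}

if __name__ == "__main__":
    for label, pair in (("good", (SITE_A, SITE_B)), ("bad", (BAD_A, BAD_B))):
        print(label, check_site_pair(*pair) or "OK")
```

Check 4 is the one worth remembering: WireGuard enforces Allowed IPs in both directions, so the list is a per-peer anti-spoofing filter as much as a route table, and widening it to "make things work" weakens the security boundary between the sites rather than just the routing.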

Step 4: Configure Firewall Rules on Both Sites

On Both pfSense Devices

Two rules are needed: one on WAN so the peer's handshake can reach the listen port, and one on the WireGuard interface so that traffic arriving through the tunnel is allowed onward.

  1. Go to Firewall > Rules > WAN and click + Add.
  2. Action: Pass. Interface: WAN. Protocol: UDP. Source: any (or the peer's WAN address if it is static). Destination: WAN address. Destination Port: 51820 (the Listen Port). Click Save.
  3. Click the WireGuard tab (the package creates a WireGuard interface group; rules on this tab apply to every WireGuard tunnel) and click + Add.
  4. Action: Pass. Protocol: Any for the first test; restrict it to the protocols and ports the sites actually need once the tunnel works.
  5. Source: the remote site's LAN (e.g., 10.0.1.0/24 on pfSense A, 10.0.0.0/24 on pfSense B). The peer's Allowed IPs already drops packets with any other source address, so this mostly documents intent.
  6. Destination: LAN net (the local LAN). Do not use any here: a destination of any lets the remote site reach everything this firewall can route to, including the Internet through your WAN.
  7. Click Save, then Apply Changes.

The WAN rule is only needed on a firewall that the other side connects to, i.e. one whose address is entered as Endpoint on the peer's side; a firewall behind NAT that only initiates can omit it.

Step 5: Test Connectivity

  1. On each firewall, go to VPN > WireGuard > Status. The peer should show a recent Latest Handshake and transfer counters that grow. If no handshake appears within a minute, recheck the public keys (each side must hold the other's), the Endpoint and port, and the WAN rule from Step 4; a handshake that never completes is almost always one of these three.
  2. The tunnel is now up, but hosts on one LAN cannot yet reach the other LAN: pfSense has no route sending 10.0.1.0/24 (or 10.0.0.0/24) into the tunnel, so that traffic still follows the default route out the WAN. Step 7 adds the routes and contains the LAN-to-LAN ping test.

Step 6: Optional – Configure Persistent Keepalives

A NAT device forgets an idle UDP flow after a short timeout, after which the firewall behind it is unreachable until it sends something again. A persistent keepalive sends an empty authenticated packet at a fixed interval so the NAT mapping stays open. It is needed on the NATed side (the one whose address is not entered as Endpoint on the peer) and is harmless on both.

  1. On pfSense A, go to VPN > WireGuard > Peers.
  2. Edit the peer (pfSense B) and set Keep Alive (persistent keepalive) to 25 seconds, the value the WireGuard documentation recommends; it sits well inside typical NAT timeouts.
  3. Repeat this step on pfSense B for pfSense A.

Step 7: Routing Configuration (Required for LAN-to-LAN Traffic)

1. Assign the Tunnel Interface and Define Static Routes

Static routes are required, not optional. The tunnel address only gives pfSense a connected route for the transit subnet (10.255.0.0/30), so without a route for the remote LAN that traffic follows the default route out the WAN instead of entering the tunnel. Allowed IPs selects the peer once a packet is already on the WireGuard interface; it does not by itself put the packet there. Because a static route's gateway has to live on an assigned interface, the tunnel is assigned first.

On pfSense A:

  1. Go to Interfaces > Assignments, select tun_wg0 (the WG-Site1 tunnel) in the Available network ports list and click + Add.
  2. Open the new OPT interface: check Enable, set Description to WG_SITEB, IPv4 Configuration Type to Static IPv4 and IPv4 Address to 10.255.0.1/30. Leave IPv4 Upstream Gateway set to None: an interface with an upstream gateway is treated as a WAN and gets automatic outbound NAT, which would rewrite the source address of every packet entering the tunnel. Click Save and Apply Changes.
  3. Go to System > Routing > Gateways and click + Add. Interface: WG_SITEB. Name: WG_SITEB_GW. Gateway: 10.255.0.2 (pfSense B's tunnel address). Click Save.
  4. Click the Routes tab and then + Add.
  5. Destination Network: Enter the remote subnet behind pfSense B (10.0.1.0/24).
  6. Gateway: Choose WG_SITEB_GW.
  7. Description: Add a description, e.g., Route to Site B.
  8. Click Save and Apply Changes. Add one route per additional subnet behind pfSense B, and add each such subnet to the peer's Allowed IPs on pfSense A as well, or the tunnel will drop it.

On pfSense B:

  1. Go to Interfaces > Assignments, select tun_wg0 (the WG-Site2 tunnel) and click + Add.
  2. Open the new OPT interface: check Enable, set Description to WG_SITEA, IPv4 Configuration Type to Static IPv4 and IPv4 Address to 10.255.0.2/30, and leave IPv4 Upstream Gateway at None for the same reason as on pfSense A. Click Save and Apply Changes.
  3. Go to System > Routing > Gateways and click + Add. Interface: WG_SITEA. Name: WG_SITEA_GW. Gateway: 10.255.0.1 (pfSense A's tunnel address). Click Save.
  4. Click the Routes tab and then + Add.
  5. Destination Network: Enter the remote subnet behind pfSense A (10.0.0.0/24).
  6. Gateway: Choose WG_SITEA_GW.
  7. Description: Add a description, e.g., Route to Site A.
  8. Click Save and Apply Changes.

2. Verify Routing

Once the routes are in place on both sides, test from the firewalls first and then from LAN hosts:

  • On pfSense A, go to Diagnostics > Ping, set Source Address to LAN and ping pfSense B's LAN address (e.g., 10.0.1.1); repeat from pfSense B towards 10.0.0.1. Using the LAN source address exercises the static route, the peer's Allowed IPs and the remote side's WireGuard firewall rule; a ping sourced from the tunnel address would be blocked by a rule that only passes the remote LAN.
  • From a host in Site A's LAN, ping a host in Site B's LAN (e.g., ping 10.0.1.10), and the reverse (ping 10.0.0.10).

If the firewall-sourced ping works but the host ping does not, the usual causes are a host firewall on the target or a host whose default gateway is not the pfSense LAN address. If nothing works, run Diagnostics > Packet Capture on the assigned tunnel interface on each side to see in which direction the packets stop.


Step 8: Performance Tuning and Encryption Considerations

WireGuard is designed for high performance, but there are additional steps you can take to ensure that your site-to-site VPN operates optimally.

1. Encryption Settings

WireGuard has a fixed cryptographic suite, Curve25519 for the key exchange, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing and HKDF for key derivation, and no cipher or mode can be selected or negotiated. That is deliberate: there is nothing to misconfigure and no downgrade to attack. Two things are worth knowing on pfSense:

  • AES-NI does not help WireGuard. ChaCha20-Poly1305 runs in software on general-purpose registers, and the Cryptographic Hardware setting under System > Advanced > Miscellaneous (Cryptographic & Thermal Hardware) only affects kernel crypto consumers such as IPsec. Keep it enabled if you also run IPsec; it changes nothing for WireGuard either way, and it is a performance option, not a security one.
  • The only per-tunnel cryptographic choice is the optional Pre-shared Key on each peer entry, which mixes an additional symmetric secret into the handshake; use it when you want a layer that does not rest on Curve25519 alone.

2. Adjust MTU (Maximum Transmission Unit)

WireGuard adds 60 bytes to each packet over an IPv4 endpoint (20 IP + 8 UDP + 32 WireGuard) and 80 bytes over IPv6. The package default of 1420 leaves room for either family on a 1500-byte WAN, which is why it is the right starting point; raise it to 1440 only if both endpoints are IPv4 and throughput matters, and lower it when the WAN MTU is smaller (a 1492-byte PPPoE WAN gives 1412). The symptom of a too-large MTU is TCP sessions that open but hang on bulk transfers while small pings succeed.

On pfSense A and pfSense B:

  1. Go to VPN > WireGuard.
  2. Edit the WireGuard tunnel.
  3. Scroll to MTU and enter the value (e.g., 1420). If the tunnel is assigned as an interface (Step 7), set the same value in that interface's MTU field.
  4. Click Save and Apply Changes.

To confirm the value, send a don't-fragment ping of the largest size the tunnel should carry from a LAN host across the tunnel. The ICMP payload is MTU minus 28, so for 1420 use ping -M do -s 1392 10.0.1.10 on Linux or ping -f -l 1392 10.0.1.10 on Windows: it should succeed, and a payload of 1393 should fail with a fragmentation-needed error.

3. Multi-Threading

There is no WireGuard thread setting in pfSense. The package uses the FreeBSD kernel implementation (if_wg), which already spreads encryption and decryption across the available cores, so throughput scales with core count and per-core clock speed without configuration. If a tunnel tops out well below line rate, watch Diagnostics > System Activity while traffic is flowing: one core at 100% with the others idle means the limit is the hardware's per-core speed, not a setting.

4. Monitor Performance

  1. Go to VPN > WireGuard > Status (also reachable as Status > WireGuard). Each peer shows its Latest Handshake and cumulative RX/TX bytes. On a tunnel with keepalives enabled the handshake age should never exceed a few minutes; a handshake that stops renewing while the counters stay flat means the tunnel is down even though the configuration is still applied.
  2. Go to Status > Monitoring and graph the assigned tunnel interface (WG_SITEB from Step 7) to see throughput over time; unassigned tunnels do not appear here.
  3. Go to Diagnostics > System Activity (or the Dashboard's System Information widget) to watch CPU load during a transfer.
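The handshake age in the status page is the one signal that tells a dead tunnel apart from an idle one, and with the keepalives from Step 6 in place it can be checked automatically. The script below is an added example, not code from this guide or from pfSense: it parses the tab-separated output of `wg show all dump` (the same data the status page displays) and reports peers that should be handshaking but are not. The dump lines in it are constructed, with placeholder keys, documentation-prefix endpoints and a fixed clock so the result is reproducible.

```python
"""Stale-handshake check over `wg show all dump` output.

Added example, not code from this guide or from pfSense. The dump lines below
are constructed: keys are placeholders, endpoints are documentation prefixes and
NOW is fixed so the result is reproducible.
"""
import sys
import time
from dataclasses import dataclass
from typing import List, Tuple

# WireGuard discards a session that is not renewed within 180 s (REJECT_AFTER_TIME);
# a peer exchanging keepalives re-handshakes well inside that window.
STALE_AFTER = 180


@dataclass
class PeerStatus:
    iface: str
    public_key: str
    endpoint: str          # "(none)" until the peer has been seen
    allowed_ips: List[str]
    latest_handshake: int  # Unix time, 0 = never
    rx_bytes: int
    tx_bytes: int
    keepalive: int         # 0 when the dump says "off"


def parse_wg_dump(text: str) -> List[PeerStatus]:
    """Parse `wg show all dump`. Per-interface header lines (5 fields) carry the
    interface's private key and are skipped; that field is also why raw dump
    output must never be pasted into tickets or logs."""
    peers: List[PeerStatus] = []
    for line in text.strip().splitlines():
        f = line.split("\t")
        if len(f) != 9:
            continue
        iface, pub, _psk, endpoint, allowed, hs, rx, tx, ka = f
        peers.append(PeerStatus(iface, pub, endpoint, allowed.split(","), int(hs),
                                int(rx), int(tx), 0 if ka == "off" else int(ka)))
    return peers


def stale_peers(peers: List[PeerStatus], now: int,
                max_age: int = STALE_AFTER) -> List[Tuple[PeerStatus, str]]:
    """Peers that never handshaked, plus peers with a keepalive configured whose last
    handshake is older than max_age. An idle peer without keepalive is not flagged:
    an old handshake there is normal, not a fault."""
    out = []
    for p in peers:
        age = now - p.latest_handshake
        if p.latest_handshake == 0:
            out.append((p, "never completed a handshake"))
        elif p.keepalive and age > max_age:
            out.append((p, f"last handshake {age}s ago with keepalive every {p.keepalive}s"))
    return out


NOW = 1_700_000_000
# Constructed dump: tun_wg0 healthy, tun_wg1 never handshaked, tun_wg2 went quiet.
SAMPLE_DUMP = "\n".join([
    "tun_wg0\tPRIVATE_KEY_PLACEHOLDER=\tA_PUBLIC_KEY_PLACEHOLDER=\t51820\toff",
    "tun_wg0\tB_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.2:51820\t10.255.0.2/32,10.0.1.0/24"
    f"\t{NOW - 50}\t184320\t97280\t25",
    "tun_wg1\tPRIVATE_KEY_PLACEHOLDER=\tC_PUBLIC_KEY_PLACEHOLDER=\t51821\toff",
    "tun_wg1\tD_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.255.0.6/32\t0\t0\t0\toff",
    "tun_wg2\tPRIVATE_KEY_PLACEHOLDER=\tE_PUBLIC_KEY_PLACEHOLDER=\t51822\toff",
    "tun_wg2\tF_PUBLIC_KEY_PLACEHOLDER=\t(none)\t192.0.2.9:51820\t10.255.0.10/32"
    f"\t{NOW - 1000}\t4096\t4096\t25",
])

if __name__ == "__main__":
    # Usage on the firewall: wg show all dump | python3 wg_stale.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    now = NOW if text is SAMPLE_DUMP else int(time.time())
    for peer, why in stale_peers(parse_wg_dump(text), now):
        print(f"{peer.iface} {peer.public_key[:12]}... {why}")
```

Run it on the firewall itself (pfSense ships a Python 3 interpreter; its exact name varies by release) or feed it a dump captured over SSH. A peer flagged with "never completed a handshake" points back at keys, endpoint and the WAN rule from Step 4; one flagged as stale despite keepalives means the path broke after the tunnel was working, typically a changed WAN address on a side without a DNS-name Endpoint, or a NAT device that stopped honouring the mapping.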

With routing in place and the tunnel tuned, you have a site-to-site VPN whose security rests on WireGuard's fixed cryptography and on two things you control: the Allowed IPs on each peer entry and the firewall rules on the WireGuard interface. Keep both as narrow as the sites actually need, and watch the handshake age to know the tunnel is still alive.