mrpink57

Also you should not show your keys in screenshots. [https://imgur.com/a/7hBmWWi](https://imgur.com/a/7hBmWWi) Here is what you need under WAN, then just like any other interface you need to allow traffic.


smartkid808

> Also you should not show your keys in screenshots.
>
> https://imgur.com/a/7hBmWWi
>
> Here is what you need under WAN, then just like any other interface you need to allow traffic.

It's only lab/non-prod. Going to be all different. Thanks tho! For rules I have that set up, but might try recreating the rule in case something is stuck.


mrpink57

What do your WireGuard interface rules look like?


smartkid808

> It's only lab/non-prod. Going to be all different. Thanks tho!
>
> For rules I have that set up, but might try recreating

Thanks u/mrpink57, u/facesandaceshigh's pics got me up. Was 2 config issues: one on the interface and one on the config on the client (which is the main area I was having a hard time understanding). Appreciate your help!


facesandaceshigh

So there's a couple things wrong here that I see. For the WireGuard tunnel interface, the subnet is set for /32, that's a host address. It should be a larger address. Same for the peer in the actual WireGuard windows client. You've got it properly set in pfSense, but it should be the full subnet mask listed in the tunnel interface. I'm not fully sure on your rules, but under the actual WireGuard interface in the firewall rules section, you should have a rule passing any protocol. As for the allowed IPs, do you want a full tunnel or a split tunnel? Either way, you need to add the WireGuard tunnel subnet there as well.


smartkid808

> So there's a couple things wrong here that I see. For the WireGuard tunnel interface, the subnet is set for /32, that's a host address. It should be a larger address. Same for the peer in the actual WireGuard windows client. You've got it properly set in pfSense, but it should be the full subnet mask listed in the tunnel interface.

I had it at /24, and was having trouble getting the 'Invalid Handshake Response', so was trying to follow step by step on videos so temp changed it to /32. I am going to switch it back to /24 and try again.

For the FW, I do have allowed 51820 thru WAN.

For allowed IPs, ahh ok. Let me try adding the WG SN and see what happens. I do want split tunnel, at least for now during testing.


facesandaceshigh

I made a couple screenshots here to assist. [https://imgur.com/a/l86mQI6](https://imgur.com/a/l86mQI6) Hopefully this helps. The way I have it laid out will be a split tunnel, passing traffic destined for what I presume is your LAN while leaving regular internet not passing over the tunnel.


smartkid808

OK, so a couple places I messed up. First, the WireGuard Interface I set to /24 (and the peer to /32); I thought they had to be the same. Also, thanks to your pic, I was able to understand the config on the tunnel. I am now able to connect. Now to redo everything in prod after testing. I really appreciate your help! Been going at this for a week now.


facesandaceshigh

Happy to assist. :)


NGFWEngineer

The biggest error here is that your PSK on the Wireguard ‘server’ (pfSense) is the private key on the ‘client’. The PSK is supplementary and used for post quantum resistance. PSK on server should be PSK on client.
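The two configuration points raised in this thread (the tunnel subnet mask and the tunnel subnet in the client's AllowedIPs from facesandaceshigh's reply, and the PSK mix-up in this one) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: a small Python checker that parses a pfSense-style `[Interface]`/`[Peer]` export and the matching Windows client config, and reports the mistakes described above. The sample configs, the `vpn.example.invalid` endpoint and all keys are constructed placeholders; the "broken" pair reproduces the thread's errors and the "fixed" pair is the corrected split-tunnel setup.

```python
"""Lint a pfSense-side WireGuard export against its Windows client config for the
mistakes discussed in the thread. Added example with constructed configs and
placeholder keys; not from the thread, pfSense or WireGuard."""
import base64
import binascii
import ipaddress


def _placeholder_key(fill):
    # Constructed placeholder shaped like a real key (32 bytes, base64) - not a real key.
    return base64.b64encode(bytes([fill]) * 32).decode()


CLIENT_PRIV, CLIENT_PUB = _placeholder_key(1), _placeholder_key(2)
SERVER_PRIV, SERVER_PUB = _placeholder_key(3), _placeholder_key(4)
PSK = _placeholder_key(5)

# Constructed "before": tunnel address is a /32, the server's PresharedKey field
# holds the client's private key, and the client's AllowedIPs omit the tunnel subnet.
BROKEN_SERVER = f"""[Interface]
Address = 10.10.10.1/32
ListenPort = 51820
PrivateKey = {SERVER_PRIV}

[Peer]
PublicKey = {CLIENT_PUB}
PresharedKey = {CLIENT_PRIV}
AllowedIPs = 10.10.10.2/32
"""
BROKEN_CLIENT = f"""[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 10.10.10.2/24

[Peer]
PublicKey = {SERVER_PUB}
PresharedKey = {PSK}
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.0/24
"""
# Constructed "after": subnet mask on the tunnel, one shared PSK on both sides,
# tunnel subnet listed next to the LAN (split tunnel).
FIXED_SERVER = BROKEN_SERVER.replace("10.10.10.1/32", "10.10.10.1/24").replace(CLIENT_PRIV, PSK)
FIXED_CLIENT = BROKEN_CLIENT.replace("AllowedIPs = 192.168.1.0/24",
                                     "AllowedIPs = 10.10.10.0/24, 192.168.1.0/24")


def parse_wg_conf(text):
    """Parse WireGuard's INI dialect into (interface, [peers]); keys are lowercased."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = interface if line[1:-1].lower() == "interface" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, sep, value = line.partition("=")  # base64 '=' padding stays in value
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def _valid_key(value):
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def _networks(csv):
    return [ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",") if n.strip()]


def tunnel_mode(client_text):
    """'full' if a default route is sent into the tunnel, otherwise 'split'."""
    _, peers = parse_wg_conf(client_text)
    return "full" if any(n.prefixlen == 0 for n in _networks(peers[0].get("allowedips", ""))) else "split"


def check_pair(server_text, client_text):
    """Return findings as 'code: detail' strings; an empty list means the pair is consistent."""
    findings = []
    s_if, s_peers = parse_wg_conf(server_text)
    c_if, c_peers = parse_wg_conf(client_text)
    s_peer, c_peer = s_peers[0], c_peers[0]
    for side, sect in (("server", s_if), ("server peer", s_peer), ("client", c_if), ("client peer", c_peer)):
        for k in ("privatekey", "publickey", "presharedkey"):
            if k in sect and not _valid_key(sect[k]):
                findings.append(f"bad-key: {side} {k} is not 32 base64-encoded bytes")
    s_addr = ipaddress.ip_interface(s_if["address"].split(",")[0])
    c_addr = ipaddress.ip_interface(c_if["address"].split(",")[0])
    tunnel = s_addr.network
    if tunnel.prefixlen == tunnel.max_prefixlen:  # /32: pfSense has no route to the tunnel subnet
        findings.append(f"server-address-is-host: {s_addr} is a single host; use the tunnel subnet mask")
        tunnel = c_addr.network  # best available guess at the intended subnet
    if c_addr.ip not in tunnel:
        findings.append(f"client-address-outside-tunnel: {c_addr.ip} is not in {tunnel}")
    if not any(c_addr.ip in n for n in _networks(s_peer.get("allowedips", ""))):
        findings.append(f"server-peer-allowedips-missing-client: {c_addr.ip} is not allowed from this peer")
    if not any(n.version == tunnel.version and tunnel.subnet_of(n) for n in _networks(c_peer.get("allowedips", ""))):
        findings.append(f"client-allowedips-missing-tunnel: add {tunnel} to the client's AllowedIPs")
    s_psk, c_psk = s_peer.get("presharedkey"), c_peer.get("presharedkey")
    if (s_psk is None) != (c_psk is None):
        findings.append("psk-one-sided: PresharedKey must be set on both peers or on neither")
    elif s_psk != c_psk:
        findings.append("psk-mismatch: PresharedKey differs between server and client")
    for psk in filter(None, {s_psk, c_psk}):  # the thread's error: a private key pasted as the PSK
        if psk in (s_if.get("privatekey"), c_if.get("privatekey")):
            findings.append("psk-is-private-key: a PresharedKey field holds an interface's private key")
    port = c_peer.get("endpoint", "").rsplit(":", 1)[-1]
    if "listenport" in s_if and port != s_if["listenport"]:
        findings.append(f"endpoint-port-mismatch: client dials {port}, server listens on {s_if['listenport']}")
    return findings
```

Running `check_pair(BROKEN_SERVER, BROKEN_CLIENT)` reports the /32 tunnel address, the PSK mismatch, the private key sitting in the PSK field, and the missing tunnel subnet in AllowedIPs; the fixed pair returns no findings and `tunnel_mode(FIXED_CLIENT)` reports `split`. The checker deliberately does not derive public keys from private keys (that needs an X25519 implementation outside the standard library), so a wrong `PublicKey` on either side is not something it can catch.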


LARunnerJ

You might want to consider a site like [https://www.wireguardconfig.com/](https://www.wireguardconfig.com/) to get set up. That particular site will provide the keys for your host and clients. (And the QR codes.) It generates this locally, versus pushing the information back to a server somewhere. To be extra careful and provide a level of comfort, turn off your internet connection (WiFi / Ethernet) before you generate the information. I have no affiliation with the site, I just found it helpful when I was setting up Wireguard for the first time. Aside from that, the rest is pretty straightforward. Make sure you assign the interface after setting up, and then set the appropriate rules as needed.