This guide will help you set up WireGuard on pfSense 2.7.0-RELEASE with our servers. We will connect to one of our Swedish servers (se1-wireguard). You will need to change this to match the server you wish to use.

For using OpenVPN instead of WireGuard see the guide Using pfSense with Mullvad.

Install the WireGuard package

WireGuard is available as an experimental add-on package.

  1. Log in to pfSense using the web GUI.
  2. Go to System → Package Manager → Available Packages.
  3. Search for “wireguard”, then click on the green + Install button and then the ✔ Confirm button.

Generate WireGuard keys and get your IP from our API

  1. Log in to pfsense using SSH.
  2. Run cd /usr/local/etc/wireguard/
  3. Run wg genkey | tee privkey | wg pubkey > pubkey
  4. Run echo "public wireguard key"; cat pubkey; echo; echo "private wireguard key"; cat privkey
  5. Run curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY | tee mullvad-ip Replace YOURMULLVADACCOUNTNUMBER with your Mullvad account number without any spaces, and replace YOURPUBLICKEY with the pubkey above.
  6. The IP-address to use when configuring your WireGuard interface will be returned and saved in the “mullvad-ip” file. You will need this later.

Configure WireGuard

  1. Log in to pfSense using the web GUI.
  2. Go to VPN → WireGuard.
  3. Click on + Add Tunnel.
  4. Description: Enter a name for the tunnel. We’ll call it “mullvad”.
  5. Listen Port: This can be left empty.
  6. Interface Keys: Enter your private key that you generated earlier (cat /usr/local/etc/wireguard/privkey).
  7. Interface Addresses: Enter the IP you got when running the curl command earlier.
  8. Click on 💾 Save Tunnel.

Peer configuration

Now we will add the WireGuard server (known as a “Peer” in the web GUI). You can find the IP-addresses and Public Keys for the servers in our Servers list.

  1. In the WireGuard → Tunnels overview, click on the pencil button under “Actions” to edit the tunnel.
  2. Click on + Add Peer.
  3. Tunnel: select “tun_wg0 (mullvad)”
  4. Description: “se1-wireguard”.
  5. Dynamic Endpoint”: Uncheck this so that you’re able to manually enter an IP and port.
  6. Endpoint (This is the WireGuard server of your choice IPv4 address): 193.138.218.220.
  7. Endpoint Port: 51820.
  8. Public Key: “Qn1QaXYTJJSmJSMw18CGdnFiVM0/Gj/15OdkxbXCSG0=”.
  9. Allowed IPs: 0.0.0.0/0.
  10. Click on 💾 Save Peer.

Enable WireGuard

  1. Go to VPN → WireGuard → Settings.
  2. Check Enable WireGuard.
  3. Click on 💾 Save.

Configure interface assignments

  1. Go to Interfaces → Assignments.
  2. Available network ports: select “tun_wg0”.
  3. Click + Add.
  4. Click on OPT1 on the left side.
  5. Check Enable interface.
  6. IPv4 Configuration Type: Select “Static IPv4”.
  7. IPv4 Address: Enter the IP you got from the Mullvad API earlier.
  8. Click on 💾 Save and then click on ✔ Apply Changes.


Add the VPN gateway to the WireGuard tunnel

  1. Go to System → Routing → Gateways.
  2. Click on +Add to add a new gateway.
  3. Interface: select OPT1.
  4. Name: enter a name for your gateway. We’ll use “se1_gw”.
  5. Gateway: Enter 10.64.0.1.
  6. Click on the button Display Advanced settings.
  7. Check Use non-local gateway.
  8. Click on 💾 Save and then click on ✔ Apply Changes.

Add the gateway to our WireGuard tunnel

  1. Go to Interfaces → OPT1
  2. Change IPv4 Upstream gateway to our newly created “se1_gw – 10.64.0.1”.
  3. Click on 💾 Save and then click on ✔ Apply Changes.

Configure the outbound firewall

Now it’s time to change the NAT firewall rules so that our local clients will exit through the WireGuard tunnel.

  1. Go to Firewall → NAT → Outbound.
  2. Select Manual Outbound NAT rule generation.
  3. Click on 💾 Save and then click on ✔ Apply Changes.
  4. Locate your current NAT rule that contains 192.168.1.0/24 by default. (Auto created rule – LAN to WAN).
  5. Click on the pencil button to edit that rule and change the Interface from WAN to OPT1.
  6. Click on 💾 Save and then click on ✔ Apply Changes.

Configure the firewall rules

We also need to change the firewall rules so that our clients are allowed to reach the WireGuard gateway.

  1. Go to Firewall → Rules → LAN.
  2. Click on the pencil button next to the rule with the description “Default allow LAN to any”.
  3. Click on the button Display Advanced.
  4. Gateway: select “se1_gw – 10.64.0.1”.
  5. Click on 💾 Save and then click on ✔ Apply Changes.

DNS setup

The WireGuard servers run an unfiltered DNS on the internal IP 10.64.0.1. They also have several blocklist filtered DNS options for blocking ads, trackers, malware, adult content and gambling websites. In this guide we will use the unfiltered DNS. If you want to use all the filters then enter 100.64.0.31.

  1. Go to System → General Setup → DNS.
  2. DNS Servers: enter “10.64.0.1” and set Gateway to “se1_gw”.
  3. DNS Server Override: Uncheck “Allow DNS server list to be overridden…”.
  4. Click on 💾 Save.

DNS resolver

  1. Go to Services → DNS Resolver.
  2. DNS Query Forwarding: check “Enable Forwarding mode”.
  3. Click on 💾 Save and then click on ✔ Apply Changes.

Troubleshooting

The DNS does not seem to work and I can’t always ping 10.64.0.1.

Go to VPN > WireGuard > Peers > and set Keep Alive to 25.

If it doesn’t help then go to Services > DHCP Server > LAN > Servers > and  add 10.64.0.1.

“WireGuard” is a registered trademark of Jason A. Donenfeld.