pfSense WireGuard VPN: Road Warrior Setup for Remote Access

WireGuard is the modern choice for pfSense VPN — it’s faster, simpler, and more battery-efficient than OpenVPN. Since pfSense CE 2.5 and pfSense Plus 21.05, WireGuard is available as a built-in package (no longer an add-on). This guide sets up a road warrior configuration for remote access to your home network.

Concepts

WireGuard uses a peer model: the pfSense router is the server (called the “tunnel interface”), and each remote device is a peer. Each peer has a public/private keypair. The server knows each peer’s public key; each peer knows the server’s public key and endpoint.

Step 1: Install WireGuard (pfSense CE)

System → Package Manager → Available Packages → search WireGuard → Install.

On pfSense Plus, WireGuard is built-in — skip this step.

After install: VPN → WireGuard.

Step 2: Create the tunnel interface

VPN → WireGuard → Tunnels → Add Tunnel:

• Description: WG_RoadWarrior
• Listen Port: 51820 (default; can change for obscurity)
• Interface Keys: Generate — click the Generate button to create a server keypair
• Interface Address: 10.10.0.1/24 (WireGuard subnet — separate from your LAN)
• DNS Server: 192.168.1.1 (your pfSense LAN IP, or a split-DNS resolver)

Save. Note the Public Key — you’ll need it for client configs.

Step 3: Add peers (clients)

VPN → WireGuard → Peers → Add Peer:

For each client device:

• Tunnel: WG_RoadWarrior
• Description: iPhone (or laptop, etc.)
• Public Key: paste the client’s WireGuard public key
• Allowed IPs: 10.10.0.2/32 (unique IP per peer within the WireGuard subnet)
• Persistent keepalive: 25 (recommended for mobile clients behind NAT)

Generating client keys

On Linux/macOS:

wg genkey | tee private.key | wg pubkey > public.key
cat public.key   # paste this into pfSense as the peer's public key

On iOS/Android: the WireGuard app generates the keypair in-app.

Step 4: Assign the WireGuard interface

Interfaces → Assignments → select the WireGuard tunnel from the drop-down → Add → Enable interface → Save.

Step 5: Firewall rules

WAN rule — allow WireGuard UDP

Firewall → Rules → WAN → Add:

Action: Pass
Protocol: UDP
Destination: WAN address
Destination Port: 51820
Description: Allow WireGuard inbound

WireGuard interface rule — allow traffic to LAN

Firewall → Rules → WireGuard → Add:

Action: Pass
Protocol: Any
Source: WireGuard subnets (10.10.0.0/24)
Destination: LAN subnets
Description: WireGuard peers access LAN

Step 6: Client configuration

Create a .conf file for each peer:

[Interface]
PrivateKey = <peer private key>
Address = 10.10.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <pfSense WireGuard public key>
Endpoint = your-home-ip-or-ddns:51820
AllowedIPs = 192.168.1.0/24, 10.10.0.0/24
PersistentKeepalive = 25

For full-tunnel (route all traffic through pfSense): set AllowedIPs = 0.0.0.0/0, ::/0.

Import the .conf file into the WireGuard app on your device, or scan the QR code (the WireGuard app can display a QR code from the config).

Step 7: DDNS (if you don’t have a static IP)

System → Dynamic DNS → Add:

• Choose your DDNS provider (CloudFlare, DuckDNS, etc.)
• Set the hostname your clients will use as the endpoint

Use this hostname in client configs instead of a raw IP.

Verify the connection

# On the pfSense console or via SSH:
wg show

# Should show the peer with a recent handshake timestamp and traffic counters

From the client, ping 192.168.1.1 — you should reach your pfSense LAN interface.

Prefer OpenVPN? OPNsense has strong OpenVPN tooling too. See firewallcompare.com ↗ for a WireGuard vs OpenVPN comparison across platforms.