Tom here from Lawrence Systems, and we're going to talk about WireGuard for remote access, whether you're using your phone, a Windows computer, or a Linux desktop or laptop, well, anything running Linux really. Specifically I'm going to be using Debian here, but it extends to all the versions. You may want to be using WireGuard to remotely access your network.

Now, this was originally in pfSense 2.5 as part of the integration. Then it moved to a package, and the team at Netgate has done a great job of developing it, but right here in November of 2021 it is still marked as experimental. All of my testing with it has gone really well, but it's still going through plenty of active development, so I wanted to do a video on it because, well, it's come a long way.

But one of the things I want to get out of the way: this is a great remote access tool, but it's not necessarily a replacement for all VPNs. I say it like that because people inevitably will say, "Well, I'm using OpenVPN now, should I switch to WireGuard?" and that kind of depends on your situation. I think WireGuard is a great VPN, but it does not have a user manager. Everything is managed with keys, and because you're managing it with keys, that may not be optimal for your setting if you have, oh, I don't know, a hundred users and a RADIUS server that handles authentication, or even if you have authentication tied right to your pfSense or whatever methodology you're using. If you have a lot of external users that you would like to access through your pfSense and VPN, WireGuard is not necessarily the easiest way to manage it, because you'd have to set up every single user, and there's not really good logging as to when they came in and when they came out. It doesn't work the way OpenVPN works; it doesn't have a user manager in the same way. So I wanted to get that out of the way up front and answer those questions for people asking whether they should switch what they're doing now: if what you're doing now works, you should probably stay with that.
But for those of you that like to use WireGuard because, when you're outside of your office or outside of your home, you want to use WireGuard to tunnel back in, it's a great system for that. Now, this is not a video specifically on how to do a site-to-site VPN between two pfSense systems. That will be a separate video, and if that video is completed it will be linked down below, so it depends on when you're watching this. I'm getting there; I haven't got it done as of the recording of this one. We're doing essentially one-to-many: many peers into one pfSense, for remote access.

Before we dive into these details, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top, which includes network consulting. If you want to help this channel out in other ways, there are the affiliate links down below to get you deals and discounts on products and services we talk about on this channel.

First thing to get out of the way is RTFM, read the fine manual. It is a great manual for pfSense as a whole, but specifically for WireGuard they have a lot of different configuration information in here. I will also leave a link down below to a video done by Christian McDonald, actually a series of them. He's been doing some video updates. He's one of the developers working at Netgate on the pfSense project and has done a great series of videos talking in depth about WireGuard and plenty of other pfSense developments. So that video will be linked down below.

Now let's start here at our lab setup so we can cover kind of how this is laid out. I'm not using a bunch of public IP addresses and routing across the internet, but this simulation works the same way. We have our lab Windows system at 192.168.3.175. This is at 3.123 for the Linux one. And then our lab cloud connects over just a switch, and then our lab pfSense is at 192.168.3.217. So I'm able to get from either one of these right to the WAN side of here. Now,
these can be double-NATed; it doesn't matter, they could be triple-NATed for all that matters. You can have your clients behind whatever number of routing devices; it doesn't make a huge difference as long as they can get to the public IP side of the WAN of your system. Now, if your pfSense happens to be, unfortunately, behind some other carrier-grade NAT, or you don't have it publicly routable, you're going to have a hard time getting this to work, because it's not designed to work that way. You have to be able to get to a port forward all the way from the outside world to the inside world. Not an issue here, but just something I wanted to address.

Now here we have 3.217 being the lab pfSense. Then we have two internal LANs: one is 40.1, the other one is 22.1. Then we have this Debian speed test, and this is our target. We want to be able to be outside of the network and get to this Debian speed test. It actually just has LibreSpeed on there so I can, you know, see how fast the VPN goes. Now, this is at 40.137, so it's attached to our LAN network.

Now, the way WireGuard works is it does have to have its own subnet. That's part of the WireGuard system and how it's going to attach all the devices to a subnet, and it's going to take care of all the routing to get things from where they are to where they need to be. And you can't have that subnet overlap. The 172.16.16 that I've set up here: .1/24 is its address, or .0/24 would be the whole network. It is important to know that that should not overlap with existing networks, or you're going to have a routing problem. If it overlaps with these networks here, it would be a problem. If it overlaps with networks over here, it can possibly be a problem, because it doesn't know where to send traffic. If it's got a pair of entries in the routing table, well, there's priority, so it actually does know where to send traffic, but it may cause some conflicts and some trouble. So when choosing the network layout for WireGuard, please note it does have to be non-overlapping with existing networks
that you have. So nothing overlaps with 172.16.16; that's what I used.

Over to pfSense itself. This is the 2.5.2 release of pfSense. It's on the latest version as of November 28th, 2021. That's important because you want to make sure you're running the latest release; that will also have all the latest packages. And then just go ahead to the package manager and install the WireGuard package, which I've already done, and as of today it is 0.1.5_3. Like I said, it's still labeled experimental, but I've had no problems getting it to work, and if you want to join the experimental club in testing this, absolutely, this is the one to go with.

Then we're going over here to firewall rules. I know the VPN's installed, but we want to do this, because if we don't do this and we don't add a firewall rule... And by the way, by default it does TCP, so make sure you change this to any. Add a rule, and this is allow all traffic for WireGuard. Now, it's important that you do this, because if you don't, you'll be like me and spend way too long setting up a demo because you forgot to add a firewall rule when you were setting it up, and you will just not understand why things don't work. If you set it to TCP, you'll have weird problems where, well, you can't ping things, because ICMP is not allowed, but you can get to things that use a TCP protocol. So make sure this is set to any. This is just a wide-open rule. You can still get more fine-grained and do things a little bit more secure, or granular; that goes beyond the scope of this. I've covered firewall rules in other videos. But at least open it up first, wide open, when you're setting this up. It makes troubleshooting way easier, because then you can rule this out as being the problem.

Then the next part's really simple. We're going to go to WireGuard and we're going to add a tunnel. There's no peer set up, there's nothing set up right now; this is the default. Oh, one new thing they added since the last time WireGuard was originally installed was the hide secrets. This
was because of people worrying about shoulder surfing. I don't think it's a huge deal, but hey, it's great that they have it there. My answer really is, if someone's inside your pfSense, you have much bigger problems. But nonetheless, it's kind of cool that they added this, and I'll show you what it does. Give it a description, YouTube demo, and let's choose a port. We're going to choose 51420 in here. You could just use the default port of 51820, but I feel like changing it. Then we need to have a private key and public key: Generate. Now, if you have this set up with that private key checkbox, that'll take the interface key and hide it. The interface key, the private side, should never leave this system; it should never be copied somewhere else. This is what keeps everything nice and secure, so it's important that you have that key in a good secure place like right here, and no one else can see it.

Then we need to set up that interface address: 172.16.16.1, and we're going to make this a /24. Now, the reason for that is we're going to add numerous peers to this, so this particular one should be a /24, or as big as you need it to be to have that many peers, or you can make it smaller and have fewer peers. But just for simplicity's sake, and because it doesn't overlap with any networks, I'm going to use a /24 in here for the peer address. Then we're going to go ahead and hit save tunnel, apply, and now we have our tunnel set up.

Now, one more firewall rule that I've already created, but we'll go ahead and go to rules and we're going to look at the WAN here, and we're going to look at this rule right here: Pass, WAN, IPv4, UDP, source any (unless you want to filter it for some reason), destination WAN address, and whatever port you set for WireGuard. We chose 51420, so we put 51420. And this allows for WireGuard. WireGuard does not automatically, like the OpenVPN wizard does, create a rule that allows external traffic to come in, so you have to create that rule. And that's really all it is: one rule, one port, just UDP, and done. Now we have that
rule that allows WireGuard in. Now, while we're here in rules, we'll go to firewall, and we're going to go to NAT, and we're going to look at the outbound NAT. One thing you need, if you want, for example, your phone to be able to come in and tunnel all the traffic back out: so I'm on some network that I don't want to be on with my phone, let's say a public Wi-Fi at a library or at a McDonald's, wherever you go, and you would like all your network traffic tunnelled, as in full tunnel, not split tunnel where you're only accessing local resources. We'll cover how to do that later when we set up the clients. But if you would like the traffic to go out, there are a couple of ways of doing it, and this is the easiest way to do it. We're going to go here, and first we chose hybrid outbound NAT rule generation, and this is the hybrid rule that we added to make this work: 172.16.16.0/24. So we're going to edit this rule so it looks like: interface WAN, IPv4, protocol any, source network 172.16.16.0/24, destination any. Because this is interface WAN, we're going to use all the other settings the same, and this is "allow WireGuard to go out the WAN." This is only needed, as I said, if you have a full-tunnel network, where I want to take all the traffic from a laptop or whatever I'm using and tunnel it into my network at my lab, my home, my business, and then have all my traffic go back out, as in full tunnel. This is what allows that traffic to occur. The other way of doing it, which will be covered in a different video and which I'd like to use for site to site, is that you can add WireGuard as an interface on there. This is good for routing traffic back and forth and some other use cases beyond the scope of this video, but that's another way to do it.

Now we can go back over to VPN, WireGuard, and we have this set up and we need to add a peer. So we're going to go ahead here and just hit add peer. Now, the peers are separate because you can actually have many tunnels on this and many instances of WireGuard running. That way if you wanted one that
was site to site and one that's, you know, user remote access like we're setting up here, you can have multiple side by side; they don't have to conflict with each other in any way. And this will be the first one. We're going to do a Debian Linux system. Go down here. Now, with the Debian Linux system, I have an entire video on getting started building your own WireGuard, and I kind of covered it more in depth there, so I'll reference that video on how to set it up. I also have a full write-up on my forum, which will be linked down below, of how you build keys inside your Debian and actually get it loaded and set up. So we've already got that done, so we're just going to go here and grab my public key for my Debian system. So I need the public key; we just copy and paste it into public key. Then we need an address for it: 172.16.16.2. .1 is our main system, .2 will be the Debian system we do here. No problem. We're just going to hit save peer. Now, please note this is a /32. Each one of the extra peers you have needs to be in its own space as well, so each one should be a /32. If you put them all at /24, so conflicting, you'll have different problems. So that's the reason those are set like that.

So here's the system. Now we should go and set this one up. Go ahead and go back and edit this, because we need the public key information here, so we're going to hit copy. Now, you don't ever need to copy this key here. Matter of fact, let's go back and set that setting real quick: hide secrets, save, edit, and it's not displayed anymore, so no one can shoulder surf that long, complicated one. And kudos to anyone that can actually look at that quickly and memorize that number and recite it. I know people that can do it, but it's always impressive when I watch it.

So we've copied this to the clipboard. Now we're going to go back over here, and we have a file called PFLab I've already set up. So we're going to edit this, and there's the address of 172.16.16.2/24. Then here we have the public key; insert, there. If you're
wondering why this isn't /32: if you put this at /32, you wouldn't be able to ping 172.16.16.1. Just a heads up on that. So now we've pasted in the public key. The endpoint: 192.168.3.217:51420. That's it. Allowed IPs: 172.16.16.0/24, 192.168.40.0/24, 192.168.22.0/24. These are all the allowed IPs, and this is what sets up the routing. If I only needed the 40 network, which technically is the only one we're testing, I could delete this one, but I wanted it in here just to show you what it looks like when you put many in there. But this is decided by the peer for each one of these routable networks on there. If you want more granular controls, yes, you can dive deeper into the WireGuard firewall settings, under the firewall rules, to stop someone from adjusting their peer to a network you don't want them to access. But heads up, that's how this works on here.

So we have the public key, we have the endpoint, and we've taken the public key from our pfSense and pasted it into that peer. So everything's worked, everything should be set up. So we'll go ahead and move this so we can see what I'm doing. We're just going to go ahead and hit :wq to write. All right. Now we go in here, and I'll split it one more time. We're just using tmux, if you don't know why the screen split. And wg-quick up PFLab, which is what it's called. Oh, already exists; I forgot to take it down from the previous test. wg-quick down PFLab. It was broken if it was up anyway, because it had the wrong settings in it.

Now from here let's go ahead and ping 192.168.40.137 and see if our experiment worked. And there we go, I can get to that system here. So we're on the Debian system that has the IP address of 192.168.3.123. So 3.123, through here, through here, over to here is now able to get to that. Pretty simple to set up. And if we go over here to status and we show our peers, we see that the handshake was done right here, Debian Linux system, 23 seconds ago, and the allowed IPs. Great, all that's working. And if we go back over here,
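As an added example (not from the video, and not pfSense or Netgate code), here is a small Python script that parses a wg-quick style client file like the PFLab one above and works through what its AllowedIPs actually do: the longest-prefix match that picks the peer for a destination, the non-overlap rule from earlier, and the full-tunnel 0.0.0.0/0 variant the video gets to later. The config text, the key placeholders and the lab network list are constructed for the example.

```python
import ipaddress

# Constructed client config mirroring the video's Debian peer (the PFLab
# file). The keys are placeholders, not real WireGuard keys.
PFLAB_CONF = """\
[Interface]
Address = 172.16.16.2/24
PrivateKey = <DEBIAN_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <PFSENSE_PUBLIC_KEY_PLACEHOLDER>
Endpoint = 192.168.3.217:51420
AllowedIPs = 172.16.16.0/24, 192.168.40.0/24, 192.168.22.0/24
"""

# Lab networks from the video that the tunnel subnet must not overlap
# (the two LANs behind pfSense and the WAN-side lab network).
LAB_NETWORKS = ["192.168.40.0/24", "192.168.22.0/24", "192.168.3.0/24"]


def parse_wg_conf(text):
    """Parse a wg-quick style file into (interface_dict, [peer_dict, ...]).
    configparser is avoided because [Peer] may legitimately repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, sep, value = line.partition("=")
            if current is None or not sep:
                raise ValueError(f"malformed line: {raw!r}")
            current[key.strip()] = value.strip()
    return interface, peers


def allowed_networks(peer):
    """AllowedIPs is a comma-separated list of CIDRs."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]


def route_destination(peers, dst):
    """Cryptokey routing: the peer whose AllowedIPs contains the longest
    prefix matching dst receives the packet. None means the packet never
    enters the tunnel (split tunnel, destination not listed)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for peer in peers:
        for net in allowed_networks(peer):
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, peer["PublicKey"])
    return best[1] if best else None


def is_full_tunnel(peers):
    """0.0.0.0/0 in any peer's AllowedIPs sends everything through the tunnel."""
    return any(net.prefixlen == 0 for p in peers for net in allowed_networks(p))


def check_client_config(text, lan_networks):
    """Apply the video's rules of thumb; returns a list of problem strings."""
    interface, peers = parse_wg_conf(text)
    addr = ipaddress.ip_interface(interface["Address"])
    problems = []
    for lan in map(ipaddress.ip_network, lan_networks):
        if addr.network.overlaps(lan):
            problems.append(f"tunnel subnet {addr.network} overlaps {lan}")
    for peer in peers:
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"bad Endpoint {peer.get('Endpoint')!r}")
        # The tunnel subnet itself must be covered by AllowedIPs, or the
        # pfSense end's tunnel address (172.16.16.1 here) is unreachable.
        if not any(addr.network.subnet_of(net) for net in allowed_networks(peer)):
            problems.append(f"{addr.network} not covered by AllowedIPs")
    return problems
```

With the split-tunnel config above, `route_destination(peers, "192.168.40.137")` returns the pfSense peer and `route_destination(peers, "8.8.8.8")` returns None; prepend `0.0.0.0/0` to AllowedIPs and every destination maps to the pfSense peer.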
when you have WireGuard installed you get this little widget on the dashboard that shows you how many active peers, how much data is being sent, and a refresh interval and activity threshold. So all this is great and everything is working.

But now we've got to add another peer. Again, pretty simple. We're going to go over to peers, we'll add another peer, assign it to this tunnel, and this is our Windows system. And now we've got to get the public key for the Windows system and an IP address for the Windows system. And for that we're going to go over here. Now, this is just Windows 10 loaded with the WireGuard defaults: next, yes, install. Nothing special done here; downloaded right from the WireGuard website. And we're going to add an empty tunnel. When you add an empty tunnel, I'm going to call this one pflab, it automatically generates a key for you. So we're going to go ahead and copy this key, because we need the public key for this one here. We need to have an assigned IP address, and we'll go with 172.16.16.3. When I tab over, it automatically changes it to that. So pretty much good to go here. All right, we can apply.

Now we need to finish the setup in Windows. So now we go over here, we're going to edit the main tunnel because we need to copy this key. Go back over here, and now we've got to fill in the rest of it. And among the things we have to fill in is the public key from pfSense, to get it into here. It already has the private key in here. Now we get to put in the rest of the details. So here's the address: the private key that it generated automatically, the address that we want it assigned, 172.16.16.3. Then we put the peer public key, which is the public key from pfSense that we put in here. Then the endpoint, 192.168.3.217:51420, just like the setup was from that port. Then the allowed IPs, the 172.16.16 network. Everything in here may have a couple of extra spaces; I'll delete those out of that. Save. Activate. See if we did this right.
Now, one thing of note: when you're doing the activation, right away you may see some data going back and forth, but it may not display right away. And the reason for that is that until there's some packet sent for the handshake, the handshake may not be there. In fact, right now this handshake has gone for a few minutes without a talk, so it's going to turn yellow and eventually it kind of falls off. WireGuard is a quiet protocol, and unless you have a keepalive in there to regularly refresh it, it goes ahead and drops the connection. But the connection immediately starts back up as soon as some resource that's on the other side of that route is accessed. So because we have those routes pushed for, like, the 40 network, if we try to access anything on that 40 network, that immediately spins up WireGuard, does a very quick handshake, and starts talking again. That's kind of the way of WireGuard and the way it works: it automatically will shut down the tunnels because they time out, or automatically start them up without user intervention as needed. That way you're not sending a lot of wasted packets. But that's where, if you want, there is a keepalive option you can choose to just keep sending a packet every so often to keep the connection so it never actually stops. But that's what that is right there. We've got the handshake.

Now let's go ahead and go here, open up Google Chrome, and there's our 192.168.40.137. Now, I can ping it from the command line; it would ping. But I said, hey, why not, let's do a test. And this is just running LibreSpeed on that system, and we're getting about 470, 490 megs. Not bad on this. Your mileage is going to vary based on the speed of the machine connecting to it, the device connecting to it, if it's a phone, or the speed of the pfSense. There are a lot of factors that can affect your speed, but we're not getting unreasonable speeds out of the system in our lab. It's not all the highest-end equipment, but it works pretty reasonably well here.
So 489, 610, pretty good overall. Good ping times and not much jitter on the network. So pretty simple for setting it up.

But what about that next question that I talked about earlier? What if I'm outside my network and I want everything tunneled in? So we're going to go ahead and edit this tunnel. We're just going to change the allowed IPs, and I'm going to put a second one in here. We take the allowed IPs, 0.0.0.0/0. Now, this works whether you're in Debian, whether you're in Windows, whether you're doing this on a phone. When you set the allowed IPs equal to 0.0.0.0/0, it means just take everything and send it out through there. And because we put that rule in the outbound NAT, this is what allows the pfSense system to go, okay, I can take all the traffic in and then send it back out the WAN. That was what that rule did. So we're going to go ahead, and also we have the kill switch in here for block untunneled traffic. That's a checkbox right here at the bottom. That way there isn't any untunneled traffic. And I believe as soon as I click this, it will drop this connection that I have with our remote access tool that we're using, which is ConnectWise Control. I believe I will, yes, it has broken access to it, but we can work around that. This system's running in a virtual machine on our XCP-ng server, so we have access to it here, and we'll go ahead and start the speed test, but you can see it's working. The difference is, because I locked myself out and I said take all traffic and route it here, it's routing all the traffic and not allowing any more outside access. Now, if this was external, technically any traffic I route is instead going through the pfSense completely. That's basically tunneling all the traffic; it's right here to activate. And if we want to put it back, we can just go ahead and edit this tunnel and delete that out of the system. Actually, now it just jumped back to ConnectWise.
As soon as I stopped that, I can switch it back and forth. Now, an alternative option for doing this would be to create two separate tunnels if you want, and call one of them full tunnel and one split tunnel, depending on your use case. That way, do you want all your traffic to go there, or do you only want some of your traffic to go there? Those would be the two options you have for doing it. And as I said, this works the same. If we jump back over to our Debian system, I would just change this here to allowed IPs and then put AllowedIPs equals the same thing, 0.0.0.0/0. And the same thing if you're doing it on a phone; it's the same concept. And of course, like I said, the easier way to do it is actually to create two configurations and switch back and forth on kind of an as-needed basis.

Now, one last thing I'm going to cover is some troubleshooting and confusion that comes with WireGuard when it's not working but it looks like it is. We're going to go ahead and set up a ping test here. So this is just pinging away, and we've got this all set back to the way it was, just allowing these IPs, connected and activated. So if I deactivate it, the pings stop; we activate it again, we get some timeouts, and then immediately we're back to sending ping traffic. So we're just going to leave this pinging right now. Then we're going to go over here and we're going to go ahead and restart WireGuard and show you how it auto-reconnects. So no problem here, we're going to do this. And if I go back over here after it restarts, we look at the status, we look at the show peers. It'll take just a second and it'll automatically reconnect. Just got to refresh. There we go. Windows has done the handshaking; it just reconnected. So there's nothing I had to do in Windows to get it to reconnect. We can go back over here. There are the timeouts for where we paused it from the restart, but it's back to pinging everything again. Let's go back over and actually break something.
This is where things get a little bit confusing, because if I go here, actually we'll just adjust the one Windows peer. We're going to disable it. So we disabled this Windows peer. It thinks it's talking to a WireGuard server. The port is open, but nothing's going to happen here. So the request is timed out, but we can deactivate it. Let's activate it. It says active. This is where the confusion comes in, because there's not an error message you can go off of to say why isn't it working. We've received nothing, but we keep sending data. It keeps sending handshakes; it's just not getting responses back from there. If we look at the log: sending handshake, but nothing ever comes back. So this is one of those things where it doesn't necessarily tell you, other than the handshake not coming back, what's wrong. This is where the troubleshooting can be very tricky. And even if we went over here in pfSense and we're going to go ahead and look at the system logs, we see, well, VPN configured, syncing firewall. All right, there are firewall logs, but there's not an authentication error. There's not really anything to go off of here. This is where it's just kind of tricky when you're troubleshooting it. It's because it's a quiet protocol, is the best way to describe it. The data's coming in, but there's nowhere to put that data because it doesn't match. The system does not have a handshake because we've disabled that peer, so it won't handshake back. It's just ignoring the keys coming in because it doesn't have a matching key on the other side. So if we go back over here to VPN, WireGuard, status, we can see that that peer's not even showing up. No handshake from this one, because that peer's disabled. So let's go ahead and enable this peer again. Apply the change. Let's watch the logs. Sending handshake. Keypair 1 created for peer 1. Now it's working again, so it's replying.
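To make the handshake behaviour from this section, and the keepalive discussion earlier, into something you can check, here is an added Python example (not from the video) that parses `wg show <iface> dump` output, the tab-separated format the wg tool prints, and classifies each peer as active, never handshaked, idle, or stale. The dump text, keys, endpoints and timestamps are constructed placeholders; the 180-second session lifetime is WireGuard's REJECT_AFTER_TIME constant.

```python
# Constructed `wg show <iface> dump` output as seen from the pfSense side.
# Format (wg man page): first line is private-key, public-key, listen-port,
# fwmark; each further line is one peer: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (unix seconds, 0 = never), transfer-rx,
# transfer-tx, persistent-keepalive. Fields are tab-separated. The keys,
# endpoints and times below are placeholders, not real values.
NOW = 1_638_100_000  # fixed "current time" so the example is deterministic

WG_DUMP = "\n".join("\t".join(fields) for fields in [
    ["<PFSENSE_PRIVATE_KEY>", "<PFSENSE_PUBLIC_KEY>", "51420", "off"],
    # Debian peer: handshake 23 seconds ago, traffic both ways -> healthy
    ["<DEBIAN_PUBLIC_KEY>", "(none)", "192.168.3.123:44321",
     "172.16.16.2/32", str(NOW - 23), "18340", "27120", "off"],
    # Windows peer: no handshake has ever completed; the other side keeps
    # sending but nothing is accepted here (key mismatch, disabled peer, ...)
    ["<WINDOWS_PUBLIC_KEY>", "(none)", "(none)",
     "172.16.16.3/32", "0", "0", "0", "off"],
    # Phone peer with keepalive 25s: last handshake 10 minutes ago -> stale
    ["<PHONE_PUBLIC_KEY>", "(none)", "203.0.113.9:61000",
     "172.16.16.4/32", str(NOW - 600), "9000", "9000", "25"],
    # Laptop peer without keepalive: 10 quiet minutes is just idle
    ["<LAPTOP_PUBLIC_KEY>", "(none)", "198.51.100.20:51820",
     "172.16.16.5/32", str(NOW - 600), "5000", "5000", "off"],
])

# WireGuard protocol constant: a session older than this is discarded, and a
# fresh handshake is needed before any data flows again.
REJECT_AFTER_TIME = 180


def parse_wg_dump(text):
    """Return (interface_dict, [peer_dict, ...]) from `wg show <iface> dump`."""
    lines = text.strip().splitlines()
    own = lines[0].split("\t")
    interface = {"public_key": own[1], "listen_port": int(own[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append({
            "public_key": f[0], "endpoint": f[2], "allowed_ips": f[3],
            "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return interface, peers


def classify_peer(peer, now):
    """never:  no handshake has ever completed. Nothing is logged, as the
             video shows; check keys, that the peer is enabled, the WAN rule.
    active: handshake within the session lifetime.
    stale:  keepalive is set, so the session should have stayed fresh, yet
            it has lapsed: the remote side is not answering.
    idle:   no keepalive and no traffic; the quiet protocol at work, it
            will re-handshake on demand."""
    if peer["latest_handshake"] == 0:
        return "never"
    age = now - peer["latest_handshake"]
    if age <= REJECT_AFTER_TIME:
        return "active"
    ka = peer["keepalive"]
    if ka is not None and age > max(REJECT_AFTER_TIME, ka):
        return "stale"
    return "idle"


def peer_report(dump_text, now):
    """Map each peer's public key to its state; like the pfSense status page,
    the handshake age is the only signal there is."""
    _, peers = parse_wg_dump(dump_text)
    return {p["public_key"]: classify_peer(p, now) for p in peers}
```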
It's the little things like that that make it a little bit harder to troubleshoot, but as long as you know what you're looking for and double-check everything... because most of the time, whenever I've done any troubleshooting with WireGuard, even before I set up this video, it has always come down to a typo somewhere. Something overlooked, something really simple. You didn't paste something in right, you don't have the network set up right, you're causing it, and you'll spend a lot of time staring at it to try and sort this out.

Hopefully this video helps you get set up with WireGuard and gets your devices connected to your home network, your lab, or wherever you're using WireGuard. If you'd like to have a more in-depth discussion about this topic, head over to my forums. If you just want to leave some comments down below, that's appreciated too. I try to reply to everyone, and thank you. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.