So I'm here from Lawrence Systems and we're going to talk about WireGuard, specifically WireGuard and pfSense, but I must preface this video with the fact that this is all beta. I can't express that enough, because people keep asking when it's ready, and it's ready when it's ready. I don't have any predictions as to the day this will be coming out in full production, but the testing process has begun, which is really important. It is also important for me to say this is a development beta, again because people will start putting this in production and wondering why it doesn't work properly. The point of this beta is to have people do the testing. We have begun the testing here at my office, and many others I know have joined in around the world with this, and it's definitely exciting, but there are bugs that will have to be squashed. There were bugs in the day one release which the day two release fixed, really happily, so this is actually day two of testing, but I wanted to give some discussion and cover some of the topics related to WireGuard and pfSense. This is not going to be a full tutorial. The tutorial will come out once it is not beta. I just want to express that very clearly, because I know there will be a lot of questions down below from people asking.

Now, before we dive into the details, let's do this first. If you'd like to learn more about me or my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store.
We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums. Forums.LawrenceSystems.com is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

Now a quick little background: "Getting Started Building Your Own WireGuard VPN Server". I have an entire breakdown video of that, with a write-up, so it's all time indexed and stamped, and basically I'm using this to build another DigitalOcean server. It's the same premise I used in this video here, where I walked through how to build your own WireGuard server, to get this system connected with pfSense. Basically I'm only doing the server side here, and I skip the whole Linux client side setup because I'm setting up pfSense instead. If you are interested in a more in-depth tutorial on WireGuard, I do have one.

Now this is something I want to cover as well. These are questions that came up with the other WireGuard video I did, and of course they're going to come up a lot with pfSense. "Very nice. Do you have any details for support for Second Auth Factor?" And this is where Jim P right away calls people out, and properly so, that this is a misconception with WireGuard. I've said this before about WireGuard: people say, oh, look how lightweight the code is and how few lines of code, etc., etc. The challenge really becomes when you don't have all these extra things like a user management system or a 2FA system. Yes, there's a lot less code, because there's a lot less functionality. I know WireGuard at its core is a very lightweight and easier to configure system, but I do want to mention that pfSense is not, at this time, per the people at pfSense, building an entire extra system on top of it to solve all those missing components; that's still kind of being left up to third parties. They are doing the kernel integration.
Speaking of kernel integration, if you want to know how WireGuard got integrated into the BSD kernel, that's something you can thank the folks at pfSense for. They literally funded the development and sponsored it, as the term goes, to develop all the kernel functions of WireGuard in BSD. I just like to bring it up, because people look at Netgate as just some open source company, but they literally fund some of these things, and we all benefit from it, because, for example, other BSD projects can now pull the kernel code that was sponsored by Netgate, with the updates for WireGuard, and take advantage of it. So just throwing it out there, something to think about. This is the Reddit post where they announced it, along with a blog post, etc. You can read through people's questions on here, but I will address that those problems are not going to be solved, not by pfSense I should say, and someone's already got their caps lock on and is typing "Tailscale" three times. No, I don't plan to review it; it's a closed source proprietary product that does add, though, the functions that you're referring to, of managing WireGuard versus manually managing WireGuard. So I'm aware of the product, I just don't really have a use case for it right now, so I don't plan to review it. If that changes in the future I'll do a video.

Now the pfSense people have put together a WireGuard page here. They also say it has no facilities for authentication, there's no service daemon to start or stop, there's only minimal logging from the kernel, configuration is placed directly on interfaces, and it has no concept of connection sessions.
Some of these are interesting, because as a VPN protocol normally you look at the handshakes of something like OpenVPN and you have a status of it being up. It's a lot different just because of the way WireGuard works. It's actually a very quiet protocol, with the exception of turning on some keepalive pings if you want them. Being that it's kernel based, it doesn't actually create the traffic until you send a packet across. So the moment you send a packet, the tunnel's up, and when the tunnel goes away, the tunnel can go away, unless you've told it to stay alive. The next time a packet is sent it will then build the tunnel again, and it stays up as long as that session is going, and any subsequent sessions will go over that tunnel, but if the tunnel goes away it can just go quiet and it doesn't really matter. Pretty neat from a protocol standpoint, but of course it's going to be confusing for users, of course, setting it up in here.

Now before we dive into this part, let's quickly cover the setup so you understand, when I ping something, where it's located. This is a Debian lab test machine at 192.168.40.136. It is sitting NATted behind my lab pfSense, which has a WAN IP of 192.168.3.217. On the LAN it's got more than one network interface; we're narrowing the scope here to what's relevant to the video. 192.168.40.1 is the IP address that's the NAT for this one; that's in the same range. And then it has a WireGuard interface that's assigned 10.0.0.1/24. It is behind my main pfSense, just so people know why the WAN on my lab has a private space IP address, and it's going to go out to the public internet and hit my DigitalOcean server, which has a WAN IP of 134.122.135 and then a WireGuard address of 10.0.0.9. Now this is just the basics to show that, one, pfSense can ping it, and two, the Debian lab can ping it. So now that you kind of get the lay of the land here of how these are set up, let's look at the settings itself, and we'll start here, VPN, WireGuard. Now when you add a tunnel, you can set this up to receive
and be, essentially, the endpoint for WireGuard, so if you have remote clients connecting in, or vice versa, it will add peers. So we can first build the interface here, and then you would add each peer. So let's look at the ones we do have here. Now don't worry about me showing all the interface keys, because, not this moment, but after this video I will regenerate new ones, because I've clearly compromised my keys with the exposure you'll end up seeing in here. This is all demo stuff anyways, but yes, I'm aware. So here we have, I called it wg, and call it whatever you want, then we have the address, then we have the listen port and the interface keys. Now that sets this up as if I were to use this for receiving, but we actually want this to allow clients to connect to the other end, so we build the peer, the wg DigitalOcean peer. So wg DigitalOcean: there's the public IP address, I've just left it at the default port, there's the public key, allowed IPs. We don't have to really fill any of this out, but what's confusing is: where does it tell you that these tunnels are up or not? That is where I know there's going to be a little bit of a challenge, and you kind of just have to look for yourself, because WireGuard itself, now I think this is something hopefully they do integrate, is the wg show command. So this is the WireGuard VPN demo. If I do ifconfig, you'll see there's the public IP address right here, there's the WireGuard address down here, and if I do a wg show, it shows the peers. Actually I have more than one thing connected to this for the demo, but the only thing relevant is this top one here, and yes, I blurred out my public IP address, but there's the peer, and it's connected and up, running and working. Right now we're going to SSH into 192.168.3.217, this is the lab pfSense, and hey look, we have this WireGuard interface. We'll get to that in a second. Let's go to the shell and let's go ahead and ping 10.9. Hey look, I can ping it. And to kind of get you a better idea we can probably do this, and if I
think if I run the IP traffic monitor, and we're going to focus on this. As I said, it's a quiet protocol, so only when we do something, like we're going to ping it again, hey look, the DigitalOcean server can see the traffic. What about if we were to SSH to root at 10.9? Hey look, it sees the SSH coming in from 10.1, our assigned IP for pfSense, and then 10.9 here. I don't have the public key, so I get a permission denied. And for those of you that may have been asking, when you ping 10.9, it automatically adds the zeros, so I'm actually pinging 10.0.0.9. One of the reasons in my demos I started using this range is because I can cheat and type fewer numbers; it makes it easier.

Now, when pfSense adds these and you build the WireGuard tunnel, so far this is the way it's going to work, where we have WireGuard. Now I went over here to the interface assignments before, and actually we can do it really quickly. We'll go here to WireGuard and we'll just add a tunnel: enable, I will just call it "youtube", address 192 168 518. Now the nice thing is, if you notice, it's suggesting that you use 51821 because 51820 was used. Generate keys, save. Now we didn't add peers, because this would be like an inbound one. But now if we go over here to interface assignments, hey, there's another one I can add. Now we've already added this one that I called wg DigitalOcean, and for those of you familiar with pfSense, you know that when you add interfaces, you go to Interfaces, then, well actually, then Firewall. Now that it's an interface, we can create rules and apply them to it, and if we added another interface we could add more rules to that one. So now you have this ability to build all these multiple interfaces in here. So the layout and flow really feels well integrated into pfSense, but I know this is still a demo, this is development, so there may be changes that come along the way, which is why this is not at all considered a full tutorial. It's just kind of showing people that it's out there and does work and does
function. Matter of fact, you can see the packets sent back and forth right here. Now overall I'm really liking the way it works. It does seem relatively fast for the demos I've done, but I'm not at all going to waste my time doing speed tests on a development version, because, well, it's going to be all over the place probably, so I'm not going to bother setting that up until it is in production. Same thing, as I will repeat once more, I'm not going to do the tutorial until it's in production, but I do encourage people who want to get started with this to start playing with it, help with the bugs; maybe you'll find some use cases that weren't thought of, or use cases that may be specific to you, and you can help out by going, hey, in this scenario it doesn't really work.

Now, things that aren't going to work still: DHCP server. I know this will come up, because this came up a lot in my other WireGuard video, and it's me going back to, like they have right here, it has no concept of connections or sessions, minimal logging, etc. It's not like it's going to solve your DHCP problem. You still have to, for each one of the peers that you add and all the people you add in there... it's not like you can connect this to a user manager, it's not like you can just hand this over to a DHCP server. That is just not part of the functionality that pfSense is probably going to solve with WireGuard. As I mentioned, this is something WireGuard built, like, the most minimal level of functionality, and lets everyone else build their own things on top of it. This is, you know, why WireGuard I think will probably replace IPsec tunnels and won't necessarily, in the short term, replace platforms like OpenVPN. It's not solving the end user problem, because, well, I know from connecting to directory servers and RADIUS servers that we've worked on projects with pfSense, this is a common issue: you have 300 users that need authentication that's dynamic, and we need it tied to
other authentication such as Active Directory, and you can do that with pfSense, and you can have an external authorization server that then allows these users to connect. Not so much with WireGuard; that is a completely different engineering problem at the moment. And I mentioned I'm aware of Tailscale, but there are probably going to be more companies coming along that put things on top of WireGuard to solve it, but that doesn't appear to be something, and I don't really think it's the spot, so to speak, that pfSense solves. There's a lot of engineering and coding that has to go into this, versus something like OpenVPN, where it's a facility built in; you just have to connect it to the directory servers, and that works quite well in pfSense and will continue to be the most popular VPN, I believe, for the foreseeable future for doing mass users. But for site to site, yeah, I'm excited for WireGuard to really come in here and be like, this is an easy way to get two sites to talk to each other, this is an easy way for me to take a server, one behind a NAT and one public, and great, this solves that site to site issue you have where sometimes people have dynamic IP addresses. This is one of the reasons, in this demo, I didn't need to set a public IP in my lab: as long as one of the WireGuard endpoints is there, I will be able to do it.

Now in the future, like I said, I will be doing more videos on it. I am actively testing it, because before I do videos on things I spend time standing these up, testing them, tearing them down, making sure I understand them, because I have to understand them very well to condense it down into a video. But of course I'll leave links to this, I'll leave links to WireGuard, and just so we can be clear on exactly which version I'm running, because it is January 21st, and to make it easier for people to read: 2.50a20210120.2350, that is the version I did this test on. So if you updated to the very first implementation of the experimental
that came out, you will have some issues, because I did as well, and had to modify code to get it working. Now they pushed that code change in there that now works, as of the one I downloaded just before this video, which came out sometime several hours ago, and I updated it and, like, hey, it fixed all the other little bugs. So that's why I decided to do a video today, to raise awareness. This is only available, once again, in the latest development snapshots. This is not for production use, I will say once more. Would you run this at home, Tom? Yeah, I would run this at home. I will say that, because this is something I'll be experimenting with in my lab here, and I myself will probably do some testing by setting up some of our home pfSense boxes with it, because, you know, hey, why not? Seems like a fun thing to play with, and that's how we learn, and that's how we'll get better at it, so when this does come to production we'll already be well versed in it.

All right, and thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to LawrenceSystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.LawrenceSystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
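As an added example (not code from the video, pfSense or WireGuard), here is a small Python check that answers the "where does it tell you the tunnel is up" question in the only way WireGuard allows: by the age of each peer's latest handshake as reported in `wg show <iface> dump` output, since there is no session state or daemon to ask. The dump text, the placeholder keys and endpoint, and the 180-second staleness threshold are constructed assumptions.

```python
"""Peer liveness from `wg show <iface> dump` output.

WireGuard keeps no session state, so the only "is the tunnel up" signal
is the age of each peer's latest handshake. Added illustration, not code
from the video, pfSense or WireGuard.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: a peer whose last handshake is older than this is
# reported as stale. 180 s is WireGuard's REJECT_AFTER_TIME; an idle
# tunnel with no keepalive just stops handshaking, which is normal.
STALE_AFTER_SECONDS = 180

# Constructed sample of `wg show wg0 dump` (tab separated; keys and the
# endpoint are placeholders). Line 1 is the interface: private-key,
# public-key, listen-port, fwmark. Each later line is a peer: public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake (unix time,
# 0 = never), rx bytes, tx bytes, persistent-keepalive.
SAMPLE_DUMP = "\n".join([
    "PRIV_KEY_PLACEHOLDER\tIFACE_PUB_PLACEHOLDER\t51820\toff",
    "DO_PEER_PUB_PLACEHOLDER\t(none)\t203.0.113.10:51820\t10.0.0.9/32"
    "\t1611266400\t148200\t96320\t25",
    "IDLE_PEER_PUB_PLACEHOLDER\t(none)\t(none)\t10.0.0.20/32\t0\t0\t0\toff",
])


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    allowed_ips: str
    handshake_age: Optional[int]  # seconds since last handshake; None = never
    keepalive: str

    @property
    def live(self) -> bool:
        return self.handshake_age is not None and self.handshake_age <= STALE_AFTER_SECONDS


def parse_dump(dump: str, now: int) -> list[PeerStatus]:
    """Parse dump output; `now` is the reference unix time."""
    peers = []
    for line in dump.splitlines()[1:]:  # first line describes the interface
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        pub, _psk, endpoint, allowed, hs, _rx, _tx, keepalive = fields
        age = None if int(hs) == 0 else now - int(hs)
        peers.append(PeerStatus(pub, endpoint, allowed, age, keepalive))
    return peers


def report(dump: str, now: int) -> dict[str, str]:
    """Map each peer key to 'up', 'stale' or 'never' for a dashboard or alert."""
    return {p.public_key: "never" if p.handshake_age is None else ("up" if p.live else "stale")
            for p in parse_dump(dump, now)}
```

On a box with the tools installed, the input would be the real output of `wg show <iface> dump`; a "stale" peer with keepalive off is usually just idle, while a "stale" peer with keepalive set is worth an alert.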