How to Create a WireGuard VPN on FreeBSD

Learn how to set up a WireGuard VPN on FreeBSD.

Introduction

WireGuard is a modern, high-performance VPN protocol that is easy to configure, lightweight, and provides robust security. Unlike OpenVPN and IPsec, which carry a large amount of configuration and protocol state, WireGuard is a small, opinionated protocol whose reference implementation lives in the Linux kernel; it is also supported on other operating systems, including FreeBSD, through the if_wg kernel module.

FreeBSD, known for its stability and security, is a popular choice for servers and networking applications. This guide provides a step-by-step process to install and configure a WireGuard VPN on FreeBSD.

Prerequisites

Before setting up WireGuard on FreeBSD, ensure you have the following:

  • A FreeBSD server (version 12.2 or later recommended)
  • Root or sudo access
  • The pkg package manager installed and updated
  • Basic familiarity with command-line operations

Step 1: Install WireGuard on FreeBSD

FreeBSD supports WireGuard through the wireguard-tools package (the userland wg and wg-quick utilities) and the if_wg kernel module. To install them, follow these steps:

1.1 Update the Package Repository

Run the following command to ensure your package repository is up to date:

sudo pkg update && sudo pkg upgrade

1.2 Install WireGuard Tools and Kernel Module

Execute the following command to install WireGuard:

sudo pkg install wireguard wireguard-tools

To load the WireGuard kernel module, run:

sudo kldload if_wg

To load the module automatically at boot, add the following line to /boot/loader.conf (kernel modules are loaded from loader.conf, not rc.conf):

echo 'if_wg_load="YES"' | sudo tee -a /boot/loader.conf

Step 2: Generate Key Pairs

WireGuard uses public and private key pairs for authentication. Generate them with the following command; the leading umask 077 ensures the private key file is created readable by its owner only, rather than world-readable:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

You will have two files:

  • privatekey: Your private key (keep this secure)
  • publickey: Your public key (share this with peers)

Step 3: Configure WireGuard

Now, create a WireGuard interface configuration file.

3.1 Create the WireGuard Interface

Create a configuration file for WireGuard:

sudo mkdir -p /usr/local/etc/wireguard
sudo nano /usr/local/etc/wireguard/wg0.conf

Add the following contents to wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <YourPrivateKey>

[Peer]
PublicKey = <PeerPublicKey>
AllowedIPs = 10.0.0.2/32
Endpoint = <PeerIPAddress>:51820
PersistentKeepalive = 25

Replace <YourPrivateKey> with the contents of your privatekey file. Similarly, replace <PeerPublicKey> with your peer’s public key and <PeerIPAddress> with the address at which the peer can be reached (omit the Endpoint line if the peer sits behind NAT and will initiate the connection itself). AllowedIPs = 10.0.0.2/32 serves as both the route to that peer and a source filter: packets arriving from the peer with any other source address are dropped.

Save and exit the file, then restrict it to root (chmod 600 /usr/local/etc/wireguard/wg0.conf), since it contains the private key.

3.2 Enable and Start WireGuard

To start WireGuard, run:

sudo wg-quick up wg0

To bring the interface up at boot, enable the wireguard rc service and tell it which interfaces to manage by adding the following lines to /etc/rc.conf:

echo 'wireguard_enable="YES"' | sudo tee -a /etc/rc.conf
echo 'wireguard_interfaces="wg0"' | sudo tee -a /etc/rc.conf

Step 4: Configure Firewall and Network

To allow WireGuard traffic through the firewall, add the following rules to your firewall (PF example). egress is pf's interface group for the interface holding the default route, so the first rule admits WireGuard's UDP traffic on the public side, and the second permits everything inside the tunnel. If clients will route all their traffic through the server (AllowedIPs = 0.0.0.0/0 in Step 5), the server additionally needs a pf nat rule translating 10.0.0.0/24 to its external address; without it, tunnelled Internet traffic has no return path.

sudo nano /etc/pf.conf

Add the following lines:

pass in quick on egress proto udp from any to any port 51820
pass on wg0

Then reload the firewall:

sudo pfctl -f /etc/pf.conf

To enable packet forwarding, modify /etc/sysctl.conf:

echo 'net.inet.ip.forwarding=1' | sudo tee -a /etc/sysctl.conf

Apply the changes:

sudo sysctl net.inet.ip.forwarding=1

Step 5: Configure a Peer

For each peer (client) connecting to the VPN, generate a key pair as in Step 2 and create a configuration file, similar to the server setup. The peer's public key must also be added to a [Peer] section on the server, as shown in Step 3.

On the peer machine, create /etc/wireguard/wg0.conf (on a FreeBSD peer the path is /usr/local/etc/wireguard/wg0.conf):

[Interface]
Address = 10.0.0.2/24
PrivateKey = <PeerPrivateKey>

[Peer]
PublicKey = <ServerPublicKey>
AllowedIPs = 0.0.0.0/0
Endpoint = <ServerIP>:51820
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel; use 10.0.0.0/24 instead if only traffic for the VPN subnet should go through it. Start WireGuard on the client:

sudo wg-quick up wg0
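The key handling and configuration files of Steps 2, 3 and 5 can be produced by one script, so that key format and file permissions are checked rather than pasted by hand. The following POSIX sh script is an added example and is not part of the original guide or of wireguard-tools: it needs wg(8) only for gen_keypair, and the function names, the 10.0.0.0/24 addressing, the 192.0.2.1 documentation address standing in for the server's public IP, and the output file names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): check WireGuard key format and
# emit server/peer wg0.conf files for the layout used in Steps 2-5.
# Assumptions: wg(8) is on PATH only for gen_keypair; everything else needs
# just base64(1), wc(1) and tr(1). Function names are this example's own.

# Return 0 if $1 looks like a WireGuard key: 44 base64 characters that decode
# to exactly 32 bytes. wg(8) rejects other lengths itself, but checking here
# catches a truncated paste before it lands in a config file.
wg_key_format_ok() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Generate a key pair with wg(8); prints "<private> <public>" on one line.
# umask 077 keeps any file wg might create owner-readable only.
gen_keypair() {
    priv=$(umask 077; wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# Print an [Interface] section: $1 private key, $2 address (CIDR),
# $3 ListenPort (optional; clients normally omit it).
wg_interface_section() {
    wg_key_format_ok "$1" || { echo "wg_interface_section: bad private key" >&2; return 1; }
    printf '[Interface]\nAddress = %s\n' "$2"
    [ -n "${3:-}" ] && printf 'ListenPort = %s\n' "$3"
    printf 'PrivateKey = %s\n' "$1"
}

# Print a [Peer] section: $1 public key, $2 AllowedIPs, $3 Endpoint (optional),
# $4 PersistentKeepalive seconds (optional).
wg_peer_section() {
    wg_key_format_ok "$1" || { echo "wg_peer_section: bad public key" >&2; return 1; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
    [ -n "${3:-}" ] && printf 'Endpoint = %s\n' "$3"
    [ -n "${4:-}" ] && printf 'PersistentKeepalive = %s\n' "$4"
    return 0
}

# Write stdin to $1, creating the directory and keeping the file readable by
# its owner only, because it contains a private key.
write_wg_conf() {
    mkdir -p "$(dirname "$1")"
    ( umask 077; cat > "$1" )
    chmod 600 "$1"
}

# Build both sides of the Step 3 / Step 5 layout into the current directory.
# 192.0.2.1 is an RFC 5737 documentation address standing in for the server's
# public IP; the server side leaves Endpoint empty, so the client must connect first.
demo_configs() {
    set -- $(gen_keypair); server_priv=$1; server_pub=$2
    set -- $(gen_keypair); peer_priv=$1;   peer_pub=$2
    {
        wg_interface_section "$server_priv" 10.0.0.1/24 51820
        wg_peer_section "$peer_pub" 10.0.0.2/32 "" 25
    } | write_wg_conf ./server-wg0.conf
    {
        wg_interface_section "$peer_priv" 10.0.0.2/24
        wg_peer_section "$server_pub" 0.0.0.0/0 192.0.2.1:51820 25
    } | write_wg_conf ./peer-wg0.conf
    echo "wrote ./server-wg0.conf and ./peer-wg0.conf"
}

case "${1:-}" in demo) demo_configs ;; esac
```

Run it as sh wg-conf.sh demo on a machine with wireguard-tools installed, then copy the two files into place (server: /usr/local/etc/wireguard/wg0.conf; client: the path from Step 5). The format check deliberately tests only shape, not key validity; wg(8) still performs the real check when the interface comes up.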

Step 6: Verify and Test Connectivity

On the FreeBSD server, check the WireGuard interface status (wg needs root to read the interface's keys):

sudo wg show

You should see the peer listed with a latest handshake time and transfer counters. If no handshake is shown, the peer never authenticated: check that the public keys were swapped correctly, that the Endpoint is reachable, and that UDP port 51820 is open in the firewall. Test connectivity by pinging from the client:

ping 10.0.0.1

If the ping is successful, the VPN is correctly set up.
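A check that a handshake actually happened, and is recent, is more useful for monitoring than reading wg show by eye. The script below is an added example, not part of the original guide or of wireguard-tools: wg_peer_states parses the machine-readable output of wg show wg0 dump (one line per peer, with the latest-handshake time as a Unix timestamp in the fifth column) and classifies each peer, and wg_preflight runs FreeBSD-specific checks that Steps 1 and 4 took effect. The sample dump lines are constructed, the function names are this example's own, and the 180-second threshold is this example's choice (WireGuard starts a fresh handshake after 120 seconds of an active session, so an active peer's latest handshake is normally younger than that).

```shell
#!/bin/sh
# Added example (not from the original guide): classify WireGuard peers from
# `wg show <if> dump` output and run FreeBSD pre-flight checks for Steps 1 and 4.
# Function names and the staleness threshold are this example's own choices.

# Read `wg show <if> dump` on stdin and print "<peer-pubkey> <state> <age>" per peer.
# Dump format: line 1 is the interface (private-key public-key listen-port fwmark);
# each following line is a peer: public-key preshared-key endpoint allowed-ips
# latest-handshake transfer-rx transfer-tx persistent-keepalive.
# $1 = current time (epoch seconds), $2 = maximum acceptable handshake age in seconds.
# state is NEVER (handshake timestamp 0), STALE (older than $2) or OK.
wg_peer_states() {
    awk -v now="$1" -v max="$2" '
        NR == 1 { next }
        NF >= 8 {
            pub = $1; last = $5 + 0
            if (last == 0) { state = "NEVER"; age = -1 }
            else { age = now - last; state = (age > max) ? "STALE" : "OK" }
            printf "%s %s %d\n", pub, state, age
        }'
}

# Return non-zero and list offenders on stderr if any peer is NEVER or STALE.
# Arguments and stdin as for wg_peer_states.
wg_peers_healthy() {
    bad=$(wg_peer_states "$1" "$2" | grep -v ' OK ' || true)
    [ -z "$bad" ] && return 0
    printf 'unhealthy peers:\n%s\n' "$bad" >&2
    return 1
}

# Live check of an interface ($1, default wg0) with threshold $2 (default 180 s).
# Needs root, because wg(8) must read the interface.
wg_check_live() {
    wg show "${1:-wg0}" dump | wg_peers_healthy "$(date +%s)" "${2:-180}"
}

# FreeBSD-specific checks that Steps 1 and 4 actually took effect for port $1.
wg_preflight() {
    port=${1:-51820}; rc=0
    kldstat -q -n if_wg || { echo "if_wg module not loaded (Step 1)" >&2; rc=1; }
    [ "$(sysctl -n net.inet.ip.forwarding)" = 1 ] \
        || { echo "IPv4 forwarding is off (Step 4)" >&2; rc=1; }
    # The kernel owns wg's UDP socket, so look at the pcb table rather than a process.
    netstat -an -p udp | grep -q "[.:]${port}[[:space:]]" \
        || { echo "nothing bound to udp/${port} (is wg0 up?)" >&2; rc=1; }
    return $rc
}

# Constructed sample dump (keys shortened; real ones are 44-character base64)
# showing all three states at now=1700000100 with a 180-second threshold.
SAMPLE_DUMP='SERVERPRIV SERVERPUB 51820 off
PEER1PUB (none) 203.0.113.10:51820 10.0.0.2/32 1700000000 1234 5678 25
PEER2PUB (none) 203.0.113.11:51820 10.0.0.3/32 1699990000 0 0 25
PEER3PUB (none) (none) 10.0.0.4/32 0 0 0 25'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_DUMP" | wg_peer_states 1700000100 180 ;;
    live) wg_preflight && wg_check_live wg0 ;;
esac
```

sh wg-check.sh demo prints the classification of the constructed dump (OK, STALE and NEVER); sudo sh wg-check.sh live runs the pre-flight checks and then the real interface, and exits non-zero if anything is off, which makes it usable from cron or a monitoring agent.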

Conclusion

Setting up WireGuard on FreeBSD is straightforward and provides a secure, high-performance VPN solution. By following these steps, you can establish a private, encrypted connection between your FreeBSD server and clients. Always keep your system updated and review security best practices to ensure the safety of your VPN setup.