This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.
Prerequisites
- pfSense version must be 2.7.2 or later
- You will need a WireGuard config for the location you selected in the WireGuard generator
Setup
1. Open pfSense at 192.168.1.1 (by default)
2. Log in (username is admin and password is pfsense by default)
3. Go to System → Package Manager → Available Packages
4. Search for wireguard and click Install, then Confirm
5. After installation, go to VPN → WireGuard → Tunnels
6. Click Add Tunnel
7. Check the Enable Tunnel box
8. Enter a name in Description
   - Example: xeovo-fi
9. Enter 51820 in Listen Port
10. Open your WireGuard config file
   - Example: xeovo-fi.conf
11. Copy and paste the PrivateKey from your config file into Private Key
   - Example: cBPr9I+87zEMwkuIVFE0KRTPWOyGe25EKaTl3gxisSQ=
12. Copy and paste the Address from your config file into Interface Addresses
   - Example IPv4: 10.143.71.121/32
13. Click Save Tunnel
14. Go to the Peers tab and click Add Peer
15. Check the Enable box
16. Select your tunnel in Tunnel
   - Example: tun_wg0 (xeovo-fi)
17. Enter a name in Description
   - Example: xeovo-fi
18. Uncheck the Dynamic Endpoint box
19. Copy and paste the PublicKey from your config file into Public Key
   - Example: sb61ho9MhaxhJd6WSrryVmknq0r6oHEW7PP5i4lzAgM=
20. Copy and paste the Endpoint address without the port into Endpoint
   - Example: fi.gw.xeovo.com
21. Copy and paste only the port from the Endpoint into Endpoint Port
   - Example: 51820
22. Set Allowed IPs to 0.0.0.0/0 and ::/0
23. Click Save Peer
24. Go to VPN → WireGuard → Settings, check Enable WireGuard and click Save
25. Go to Status → WireGuard Status and verify the tunnel is active — Latest Handshake should show a value
26. Go to Interfaces → Assignments, select tun_wg0 in Available network ports and click Add
27. Click on the newly added interface (e.g. OPT1)
28. Check the Enable box
29. Enter WG_VPN in Description
30. Enter 1420 in MTU
31. Set IPv4 Configuration Type to Static IPv4
32. Copy and paste the Address from your config file into IPv4 Address with a /32 mask
   - Example: 10.143.71.121/32
33. Click Save, then Apply Changes
34. Go to System → Routing → Gateways and click Add
35. Fill in the gateway:
   - Interface: WG_VPN
   - Name: WG_VPN_GW
   - Gateway: the Address from your config file (same as in step 12)
      - Example: 10.143.71.121
36. Click Display Advanced and check Use non-local gateway
37. Click Save, then Apply Changes
38. Go to Interfaces → WG_VPN
39. Set IPv4 Upstream gateway to WG_VPN_GW
40. Click Save, then Apply Changes
41. Go to Firewall → NAT → Outbound
42. Select Manual Outbound NAT rule generation and click Save, then Apply Changes
43. Find the rule with description "Auto created rule - LAN to WAN" and click the pencil icon to edit it
44. Change Interface from WAN to WG_VPN
45. Change Translation Address to WG_VPN address
46. Click Save, then Apply Changes
47. Go to Firewall → Rules → LAN
48. Click the pencil icon next to the rule "Default allow LAN to any rule"
49. Click Display Advanced and set Gateway to WG_VPN_GW
50. Click Save, then Apply Changes
51. To verify the VPN connection, visit DoesMyVPN.work
DNS Configuration
To use the DNS servers from your WireGuard config and prevent DNS leaks:
1. Open your WireGuard config file and find the DNS line
   - Example: DNS = 10.0.0.20, fd64:e20:68a2::20
2. Go to System → General Setup
3. Under DNS Server Settings, remove any existing DNS entries
4. Enter the DNS addresses from your config file one by one into the DNS Server fields
   - Example: 10.0.0.20, fd64:e20:68a2::20
5. For each DNS entry, set Gateway to WG_VPN_GW
6. Uncheck DNS Server Override to prevent WAN from overwriting your DNS settings
7. Click Save
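The Setup and DNS Configuration steps copy values out of a single WireGuard config file by hand. As an added example (not part of the original guide or of pfSense), the following Python script parses such a file and lists what goes into each pfSense field, splitting the Endpoint into host and port and rejecting truncated keys. The function names, field labels and the sample config (built from this guide's example values) are assumptions made for illustration.

```python
import base64
import configparser

# Constructed sample: the example values shown in this guide, in .conf layout.
SAMPLE_CONF = """\
[Interface]
PrivateKey = cBPr9I+87zEMwkuIVFE0KRTPWOyGe25EKaTl3gxisSQ=
Address = 10.143.71.121/32
DNS = 10.0.0.20, fd64:e20:68a2::20
[Peer]
PublicKey = sb61ho9MhaxhJd6WSrryVmknq0r6oHEW7PP5i4lzAgM=
Endpoint = fi.gw.xeovo.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_key(name, value):
    """WireGuard keys are 32 bytes, base64-encoded; this catches truncated pastes."""
    if len(base64.b64decode(value, validate=True)) != 32:
        raise ValueError(f"{name} is not a 32-byte base64 key")
    return value

def split_endpoint(endpoint):
    """Split at the last colon; IPv6 literal endpoints are written [addr]:port."""
    host, _, port = endpoint.strip().rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"Endpoint has no valid port: {endpoint!r}")
    return host.strip("[]"), int(port)

def pfsense_fields(conf_text):
    """Map a single-peer WireGuard client config onto the pfSense form fields."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    check_key("PrivateKey", iface["PrivateKey"])  # validated, never returned
    addr = next(a for a in csv(iface["Address"]) if ":" not in a)  # IPv4 entry
    host, port = split_endpoint(peer["Endpoint"])
    return {
        "Tunnel: Interface Addresses": addr,
        "Peer: Public Key": check_key("PublicKey", peer["PublicKey"]),
        "Peer: Endpoint": host,
        "Peer: Endpoint Port": port,
        "WG_VPN IPv4 Address (/32) and WG_VPN_GW Gateway": addr.split("/")[0],
        "General Setup: DNS Servers": csv(iface.get("DNS", "")),
    }

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in pfsense_fields(SAMPLE_CONF).items()))
```

The private key is checked for length but left out of the returned mapping, so the output can be shown on screen or logged without exposing it; paste that one value directly from the file.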
DNS Resolver
1. Go to Services → DNS Resolver
2. Set Outgoing Network Interfaces to WG_VPN
3. Under DNS Query Forwarding, check Enable Forwarding Mode
4. Click Save, then Apply Changes
Disconnecting
To disconnect the VPN, go to VPN → WireGuard → Settings, uncheck Enable WireGuard and click Save. Your configuration will be preserved and can be re-enabled the same way.