Setting Up a pfSense VM Router with WireGuard VPN: Privacy Course Part 5

Privacy and Anonymity Course Using VMs, VPN, and Tor, Part 5

At this stage, your VMs’ network adapters are set to host NAT. They access the internet through the host’s VPN service. In this article, we’ll show you how to create a pfSense router/firewall VM, configure it as a VPN client, and test for leaks using Wireshark. Your Linux work environment will access the internet through a chain of VM-VPN gateways and Tor gateway virtual machines.

We’ll demonstrate the virtual gateway setup using the WireGuard protocol, as it’s fast and easy to configure in pfSense. The VPN on the host can be any convenient one that supports bypassing blocks, or you can skip the host VPN if you don’t need extra anonymity or don’t face restrictions.

Downloading and Preparing pfSense

  1. Download the pfSense CE installer image (the .iso.gz archive) to your host machine, using a direct VPN connection if the download is blocked, and extract the .iso (the .gz can be opened with any standard Linux archiver or with gunzip).

Creating the pfSense VM

  1. Open VirtualBox and click New. Name the machine (e.g., “pfWork”, “pfLife”, “pfCrypto”, or just “pfSense” for testing).
  2. Select the extracted .iso file.
  3. Set Type to “BSD” and Version to “FreeBSD (64-bit)”.
  4. Set memory to 512 MB (enough for a lab router; give it 1 GB if the installer or ZFS feels sluggish) and leave the processor count as is.
  5. Choose a disk size of 2-4 GB (no need for more).
  6. Click Finish.
  7. Go to VM settings and enable PAE/NX (System → Processor).

Installing the OS

  1. Start the VM. When the “Copyright and distribution notice” appears, press Enter.
  2. Select Install (Enter).
  3. Choose Auto (ZFS).
  4. Select Install again.
  5. Choose Stripe.
  6. In the “ZFS Configuration” window, press Space, then Enter.
  7. In the warning window (it asks you to confirm that the virtual disk will be wiped), press the left arrow to select YES, then Enter.
  8. Wait for the installation to finish. When prompted to reboot, power off the VM.
  9. In settings, go to Storage, select “pfSense-CE-2…iso”, and click the Remove Attachment icon. Confirm removal.
  10. Go to Network → Adapter 2, set Attached to: “Internal Network”, and name the new virtual network (e.g., “pfSenseTest”). Leave Adapter 1 on NAT; it becomes the pfSense WAN.
  11. Restart the VM. pfSense configures itself on first boot: the first adapter (em0) becomes WAN with an address from VirtualBox’s NAT DHCP, and the second adapter (em1) becomes LAN at 192.168.1.1/24 with a DHCP server for the internal network. Wait for the numbered console menu to appear and leave the VM running.

Configuring the Work VM (Example: Ubuntu 22.04)

  1. In the work VM’s network settings, set the first adapter to Attached to: Internal Network and enter the internal network name (“pfSenseTest”).
  2. Start the VM.
  3. In a browser, go to http://192.168.1.1. pfSense redirects to HTTPS with a self-signed certificate, so accept the browser’s risk warning.
  4. If successful, you’ll see the pfSense login page. Default login: admin, password: pfsense.
  5. In the “pfSense Setup” window, click Next twice.
  6. In “General Information”, you can leave everything as is. DNS settings can be left for now; we’ll cover advanced DNS configuration later.
  7. Click Next until you reach “Set Admin WebGUI Password”. Set a strong password. Click Reload; the wizard applies the new configuration (pfSense does not reboot), so wait for the page to come back.
  8. Click Finish. Accept the copyright notice and close.

Setting Up WireGuard on pfSense

  1. Install the WireGuard package: go to System → Package Manager → Available Packages, search for “WireGuard”, click Install, then Confirm.
  2. You’ll need a WireGuard config file from your VPN provider or one you generate yourself. Example data (yours will differ):
    • Tunnel Addresses: 10.68.140.33/32 and fc00:bbbb:bbbb:bb01::5:8c20/128
    • Tunnel Private Key: ADRM6pyoYpofcDd0TkX4sb7UkR+Zj4AYeZOE2WWg2tI=
    • Peer Public Key: EPLh6pVel06dND8cE4Prix9GP4hGLYNhQhn5mSN2yzM=
    • Peer Endpoint: 86.106.143.236
    • Peer Port: 51820
    • Peer WG Address: same as Tunnel Addresses
    • Peer DNS Server: as in config
    • Allowed IPs: 0.0.0.0/0 and ::0/0
    The private key above is sample data only. A key that has been published anywhere is compromised, so never reuse it, and keep your own config file off shared storage.
  3. Some of these fields are named differently in a standard wg-quick config: Address, PrivateKey, DNS and the optional ListenPort live under [Interface]; PublicKey, PresharedKey, Endpoint (host and port in one field, separated by a colon) and AllowedIPs live under [Peer].
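The field mapping above, as an added example written for this guide rather than taken from it or from pfSense: a small Python parser that reads a wg-quick style .conf, checks that each key is a 32-byte base64 value, and groups the values by the pfSense form they go into (Tunnel, Peer, Interface, DNS Servers). The sample config is constructed; its keys are placeholders generated from repeated bytes, the addresses and endpoint follow this guide’s example data, and the gateway-equals-tunnel-address choice mirrors the Interface step later in the guide.

```python
"""Map a wg-quick style WireGuard .conf onto pfSense's form fields.

Added example for this guide; not pfSense code. The config below is
constructed: the keys are placeholders generated from repeated bytes.
"""
import base64
import ipaddress
from typing import Optional


def _placeholder_key(byte_value: int) -> str:
    """Base64 of 32 identical bytes: shaped like a WireGuard key, not usable as one."""
    return base64.b64encode(bytes([byte_value]) * 32).decode()


# Constructed sample config (addresses/endpoint follow the guide's example data).
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {_placeholder_key(0x01)}
Address = 10.68.140.33/32, fc00:bbbb:bbbb:bb01::5:8c20/128
DNS = 10.64.0.1

[Peer]
PublicKey = {_placeholder_key(0x02)}
PresharedKey = {_placeholder_key(0x03)}
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = 86.106.143.236:51820
"""

LIST_KEYS = {"address", "allowedips", "dns"}   # comma-separated, may repeat


def parse_wg_conf(text: str) -> dict:
    """Return {"Interface": {...}, "Peers": [{...}, ...]}; keys are lower-cased."""
    interface: dict = {}
    peers: list = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LIST_KEYS:
            current.setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return {"Interface": interface, "Peers": peers}


def is_valid_key(value: str) -> bool:
    """WireGuard keys (private, public, preshared) are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def split_endpoint(endpoint: str) -> tuple:
    """'host:port' or '[v6addr]:port' -> (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def to_pfsense_fields(conf: dict) -> dict:
    """Group the parsed values by the pfSense form they are typed into."""
    iface, peers = conf["Interface"], conf["Peers"]
    if not peers:
        raise ValueError("config has no [Peer] section")
    peer = peers[0]
    if not is_valid_key(iface.get("privatekey", "")):
        raise ValueError("PrivateKey missing or malformed")
    if not is_valid_key(peer.get("publickey", "")):
        raise ValueError("PublicKey missing or malformed")
    psk = peer.get("presharedkey")              # optional; absent in most provider configs
    if psk is not None and not is_valid_key(psk):
        raise ValueError("PresharedKey malformed")
    addrs = [ipaddress.ip_interface(a) for a in iface.get("address", [])]
    v4 = next((a for a in addrs if a.version == 4), None)
    v6 = next((a for a in addrs if a.version == 6), None)
    allowed = [ipaddress.ip_network(n) for n in peer.get("allowedips", [])]
    host, port = split_endpoint(peer["endpoint"])
    return {
        # VPN -> WireGuard -> Tunnels
        "tunnel": {"private_key": iface["privatekey"],
                   "listen_port": int(iface["listenport"]) if "listenport" in iface else None},
        # VPN -> WireGuard -> Peers
        "peer": {"public_key": peer["publickey"], "preshared_key": psk,
                 "dynamic_endpoint": False, "endpoint": host, "endpoint_port": port,
                 "allowed_ips": [str(n) for n in allowed],
                 # full tunnel only if a default route is in AllowedIPs
                 "full_tunnel_v4": any(n.version == 4 and n.prefixlen == 0 for n in allowed),
                 "full_tunnel_v6": any(n.version == 6 and n.prefixlen == 0 for n in allowed)},
        # Interfaces -> WG_VPN (gateway = tunnel address, as this guide does)
        "interface": {"ipv4_address": str(v4.ip) if v4 else None,
                      "ipv4_prefix": v4.network.prefixlen if v4 else None,
                      "ipv4_gateway": str(v4.ip) if v4 else None,
                      "ipv6_address": str(v6.ip) if v6 else None,
                      "ipv6_prefix": v6.network.prefixlen if v6 else None,
                      "ipv6_gateway": str(v6.ip) if v6 else None},
        # System -> General Setup -> DNS Servers (with gateway WG_VPN_v4)
        "dns_servers": iface.get("dns", []),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(to_pfsense_fields(parse_wg_conf(SAMPLE_CONF)), indent=2))
```

Run it against your real file by replacing SAMPLE_CONF with the file contents; if full_tunnel_v4 comes back False, the provider gave you a split-tunnel config and the LAN rule later in this guide would not send everything through the VPN.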

Configuring the Tunnel

  1. Go to VPN → WireGuard → Tunnels.
  2. Click Add Tunnel.
  3. Fill in the fields:
    • Enable Tunnel – check the box
    • Description – “VPN”
    • Listen Port – the ListenPort from your config if it has one; a client config usually has none, so leave pfSense’s default
    • Interface Keys – paste the PrivateKey from your config; pfSense derives the matching public key from it and shows it next to the field
  4. Click Save Tunnel.

Configuring the Peer

  1. Go to VPN → WireGuard → Peers.
  2. Click Add Peer.
  3. Fill in the fields:
    • Enable Peer – check the box
    • Tunnel – select your WireGuard tunnel
    • Description – name your server
    • Dynamic Endpoint – uncheck
    • Endpoint – IP from config
    • Endpoint Port – port from config
    • Public Key – from config
    • Pre-Shared Key – if you generated the config yourself; may be absent if provided by a VPN service
    • Allowed IPs – 0.0.0.0/0 for IPv4 and ::0/0 for IPv6
  4. Click Save Peer and Apply Changes.
  5. Go to VPN → WireGuard → Settings and check Enable WireGuard. Click Save and Apply Changes.

Assigning the Network Interface

  1. Go to Interfaces → Assignments.
  2. Click the green Add button (the correct tunnel will be selected automatically).
  3. Click Save. The interface will be named “OPT1” by default.
  4. Click the new interface name on the left.
  5. Check Enable Interface.
  6. Optionally, rename it to “WG_VPN”.
  7. Set IPv4 Configuration Type to “Static IPv4” and IPv6 Configuration Type to “Static IPv6” (or “None” if your config has no IPv6 address).
  8. For IPv4 Address, enter the part before the slash of the IPv4 “Address” line in your config, and set the prefix length to the part after the slash (32 in the example).
  9. For IPv4 Upstream Gateway, click Add a new gateway; set Gateway Name to “WG_VPN_v4” and Gateway IPv4 to the same tunnel address (without “/32”). Using the tunnel’s own address as the gateway works because a WireGuard interface is point-to-point: pfSense only needs a gateway object to reference in rules and routing, and the peer’s AllowedIPs decide what enters the tunnel.
  10. For IPv6 Address, do the same with the IPv6 “Address” line: the part before the slash as the address, the part after it (128 in the example) as the prefix length, and a “WG_VPN_v6” gateway with the same address, if your tunnel carries IPv6.
  11. Click Save and Apply Changes.

Now go to Status → WireGuard and expand the tunnel (click the arrow next to “tun_wg0”). The peer row should show a green status icon and a recent time under “Latest Handshake” (within the last few minutes). That means the virtual router reaches the server and the keys match. A red icon or no handshake usually means a wrong key, endpoint or port, or that the WAN cannot reach the endpoint’s UDP port; double-check your settings.

Configuring Gateway Groups

  1. Go to System → Routing → Gateway Groups.
  2. Click Add.
  3. Configure the group:
    • Group Name – “Prefer_WireGuard_V4”
    • Gateway Priority – set “WG_VPN_v4” to “Tier 1” and “WAN_DHCP” to “Tier 2”
    • Description – “Prefer VPN, fail to WAN”
  4. Click Save and Apply Changes.

Be clear about what this group does: it is a failover, so any rule that points at the group sends traffic out the unencrypted WAN as soon as the tunnel’s gateway is marked down. That is convenient for a host that must stay online, but it is a leak path for the privacy VM. The LAN rule in the Firewall Rules section below therefore points at “WG_VPN_v4” itself, not at the group.

NAT Configuration

  1. Go to Firewall → NAT → Outbound.
  2. Set mode to Hybrid Outbound NAT.
  3. Click Save.
  4. Click Add (up arrow).
  5. Configure NAT:
    • Interface – select the WireGuard interface (last in the list)
    • Source – select “Network” and enter the LAN network, 192.168.1.0/24 by default. The address pfSense hands the work VM (in Ubuntu 22.04, network settings → Details → “IPv4 Address”, e.g. 192.168.1.100) is a single host in that network; if only the work VM should ever leave through the tunnel, enter that host address with /32 instead.
  6. Click Save and Apply Changes.

Firewall Rules

  1. Go to Firewall → Rules → LAN.
  2. Click Add (up arrow).
  3. Configure the rule:
    • Action – “Pass”
    • Interface – “LAN”
    • Protocol – “Any”
    • Source – “Single host or alias”, enter the work VM’s LAN address (e.g., 192.168.1.100). That address comes from pfSense’s DHCP, so give the VM a static mapping (Services → DHCP Server → LAN, DHCP Static Mappings); otherwise a changed lease silently stops matching this rule.
  4. Click Display Advanced, scroll to Gateway, and select “WG_VPN_v4”.
  5. Click Save and Apply Changes.

From this point, traffic from that host is policy-routed into the tunnel. Two things still decide whether it can leak. First, pfSense evaluates LAN rules top-down and uses the first match, so this rule must sit above the “Default allow LAN to any rule” that pfSense creates; move it to the top (traffic from other LAN hosts still takes the default rule to the WAN). Second, by default pfSense reacts to a down gateway by creating the rule without its gateway, which sends the VM out the WAN; to fail closed instead, enable “Skip rules when gateway is down” under System → Advanced → Miscellaneous (Gateway Monitoring). With both in place, the VM loses connectivity when the tunnel drops rather than leaking.

DNS Configuration

For extra security, add DNS servers. This helps prevent DNS leaks to servers outside the VPN, but may cause a “chicken-and-egg” scenario where DNS queries fail if the VPN is down. We’ll discuss this in detail another time. The following is a theoretical example:

  1. Go to System → General Setup.
  2. Under DNS Servers, enter the address of a resolver that supports DNS over TLS, and its hostname in the Hostname column (pfSense uses it to verify the resolver’s TLS certificate). pfSense’s resolver can forward over DNS over TLS, not DNS over HTTPS.
  3. Set Gateway for that entry to “WG_VPN_v4” so the queries leave through the tunnel.
  4. Uncheck DNS Server Override; otherwise the resolvers the host NAT hands out by DHCP replace your entry.
  5. Set DNS Resolution Behavior (three options):
    • (1) “Use local DNS, fall back to remote DNS Servers” – use this for DNS forwarding mode when DNS over TLS is not required. Best for this example.
    • (2) “Use local DNS, ignore remote DNS Servers” – use this with DNS over TLS and DNS resolver in forwarding mode. Ensures no DNS queries are sent without TLS.
    • (3) “Use remote DNS Servers, ignore local DNS” – use if the firewall shouldn’t use the DNS resolver and should interact directly with DNS servers without TLS.

To set up the DNS resolver in forwarding mode:

  1. Go to Services → DNS Resolver.
  2. Uncheck Enable DNSSEC Support (validation is left to the upstream resolver; local DNSSEC combined with forwarding is a common cause of failed lookups).
  3. Check Enable Forwarding Mode. For option (2) above, also check Use SSL/TLS for outgoing DNS Queries to Forwarding Servers; without it the forwarded queries leave in plain text.
  4. Do the same for an IPv6 resolver address if your tunnel carries IPv6.
  5. Click Save and Apply Changes.

Testing for Leaks

To check for VPN leaks, use pfSense’s built-in tools:

  1. Go to Diagnostics → Packet Capture.
  2. Set the interface to WAN (em0).
  3. In “Max number of packets…” (second line from the top), enter 0 for no limit.
  4. Scroll down and click Start, then browse, ping and run a DNS lookup from the work VM while the capture runs.
  5. In the log window below, you should see only packets between the WAN address VirtualBox gave pfSense (an address in 10.0.2.0/24, typically 10.0.2.15) and the VPN endpoint on its UDP port (86.106.143.236:51820 in the example), plus pfSense’s own housekeeping such as DHCP renewals and NTP. Anything else from the WAN address, especially port 53 to a public resolver or TCP 80/443 to a web server, is traffic leaving outside the tunnel and means a rule or DNS setting is wrong.
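The same check done on the capture text instead of by eye, as an added example that is not part of the original guide or of pfSense: pfSense’s packet capture prints tcpdump-style lines, and given the WAN address, the WAN subnet and the VPN endpoint, any other outbound packet from the WAN address left the firewall outside the tunnel. The capture lines below are constructed; 10.0.2.15 and 10.0.2.0/24 are VirtualBox’s usual NAT values and the endpoint is this guide’s sample, so substitute your own. It assumes the capture shows numeric addresses (Reverse DNS Lookup left off).

```python
"""Scan pfSense packet-capture output from the WAN for traffic that bypassed
the WireGuard tunnel. Added example for this guide, not pfSense code.
The capture lines are constructed in tcpdump -nn style."""
import ipaddress
import re

# Constructed sample: two tunnel packets, a DNS query and a TCP SYN that leaked,
# an ARP frame, and the WAN's own DHCP renewal to the VirtualBox NAT gateway.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.2.15.51820 > 86.106.143.236.51820: UDP, length 148
12:00:01.100000 IP 86.106.143.236.51820 > 10.0.2.15.51820: UDP, length 92
12:00:02.000000 IP 10.0.2.15.53412 > 9.9.9.9.53: 12345+ A? example.com. (29)
12:00:03.000000 IP 10.0.2.15.44210 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:04.000000 ARP, Request who-has 10.0.2.2 tell 10.0.2.15, length 28
12:00:05.000000 IP 10.0.2.15.68 > 10.0.2.2.67: BOOTP/DHCP, Request from 08:00:27:aa:bb:cc, length 300
"""

# "<time> IP|IP6 <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(r"^\S+\s+IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$")


def split_addr(token: str) -> tuple:
    """'10.0.2.15.53412' -> ('10.0.2.15', 53412); a bare address (ICMP) -> (addr, None)."""
    try:
        return str(ipaddress.ip_address(token)), None
    except ValueError:
        host, _, port = token.rpartition(".")
        return host, int(port)


def find_leaks(capture: str, wan_ip: str, wan_net: str, endpoint: str, endpoint_port: int):
    """Classify each captured line; return (stats, leaks).

    Expected on WAN: UDP between wan_ip and endpoint:endpoint_port (the tunnel)
    and traffic that stays inside wan_net (DHCP to the NAT gateway). Any other
    outbound packet from wan_ip left the firewall outside the tunnel.
    """
    local = ipaddress.ip_network(wan_net)
    stats = {"tunnel": 0, "local": 0, "leaks": 0, "other": 0}
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:                          # ARP etc.: not IP, cannot carry VM traffic
            stats["other"] += 1
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        if src == wan_ip:
            remote, rport, outbound = dst, dport, True
        else:
            remote, rport, outbound = src, sport, False
        if remote == endpoint and rport == endpoint_port and m["rest"].startswith("UDP"):
            stats["tunnel"] += 1
        elif ipaddress.ip_address(remote) in local:
            stats["local"] += 1
        elif outbound:
            stats["leaks"] += 1
            leaks.append((line, f"outbound to {remote}:{rport} outside the tunnel"))
        else:
            stats["other"] += 1            # unsolicited inbound: worth a look, not a leak
    return stats, leaks


if __name__ == "__main__":
    # Assumed values: VirtualBox's usual NAT address/subnet and the guide's sample endpoint.
    stats, leaks = find_leaks(SAMPLE_CAPTURE, "10.0.2.15", "10.0.2.0/24", "86.106.143.236", 51820)
    print(stats)
    for line, why in leaks:
        print("LEAK:", why, "|", line)
```

Paste the capture window’s text into SAMPLE_CAPTURE (or read it from the file pfSense lets you download) and expect an empty leaks list; the two flagged lines in the constructed sample are exactly the DNS and HTTPS leaks the manual check above is looking for.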

That’s it! The pfSense VM’s first adapter stays on host NAT and acts as its WAN, the work VM sits on the internal network behind it, and the work VM’s internet traffic is routed through the pfSense VM’s WireGuard tunnel. This moves the VPN out of the guest: the work environment never holds the VPN credentials and cannot reach the internet except through the router you control.

