Using WireGuard, pfSense and Linode to get a static IP for both inbound and outbound traffic


Some context before I begin: I have a home ISP and as such my IP changes every 24 hours or so. So for some things I would like to do, like making my own phone server, I need a static IP.

You will need a pfSense router to follow this guide. I will also not be going through securing your Linode itself; whether you use SSH keys (which you should, ideally with password login for root disabled) is up to you.

Setting up your linode

Let's just start with why Linode. I selected this cloud provider over others like Digital Ocean or Vultr because the pricing scales linearly: you double your specs and it's only double the price. The other services can be 50% more.

Once you have set up your Linode account, head over to Create and put in the following settings.

Images: Debian 11

Region: Select the one closest to your location

Linode Plan: select Shared CPU, Nanode 1 GB (this includes 1 TB of traffic per month; if you want more, select the plan that suits you)

Linode Label: I selected Wireguard1 but you can change this as you wish

Root Password: make sure this is strong as it gives you total control over the server

Private IP: Check this box

Hit Create Linode and your server will be built; for my server it took about 2 minutes. Now grab the public IP of your server and use it to log in over SSH (for example with PuTTY on Windows).

Once you have logged in, run the following commands:

apt update

apt upgrade

If there are any updates for your server this will grab and apply them. Next, run the following to install WireGuard (on Debian 11 the kernel module is already built in, so this mainly installs the tools):

apt install wireguard

Next we generate some keys to use with wireguard

cd /etc/wireguard/

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

cat privatekey

cat publickey

Make a note of the keys that are generated, as we will need them for the WireGuard config next. The public key is what pfSense will be given later; the private key goes into the config on this server and should never leave it.

nano /etc/wireguard/wg0.conf

This opens a text editor. Enter the following and put the private key you generated earlier after PrivateKey.

[Interface]
Address = 10.1.0.1/24
ListenPort = 51830
PrivateKey =
PostUp = /etc/wireguard/up.sh
PostDown = /etc/wireguard/down.sh

[Peer]
PublicKey =
AllowedIPs = 10.1.0.2/32
PersistentKeepalive = 25

Now hit Ctrl-X; nano will ask whether you wish to save the changes, so press Y and then Enter.


That file sets the following:

Interface: section for the configuration of the server

Address: the IP address of the server inside the VPN network

ListenPort: the UDP port WireGuard will listen on

PrivateKey: the server's private key that we just generated

PostUp: commands that run when the tunnel comes up

PostDown: commands that run when the tunnel goes down

Peer: section for the configuration of a client (one such section per client)

PublicKey: the public key of the client, which we have not yet created; we will paste it in once pfSense has generated it

AllowedIPs: the addresses WireGuard will accept from this peer and route to it, i.e. the client's address on the VPN network, which we will also configure on the client. This is the single address 10.1.0.2/32 rather than a /24: pfSense only ever uses 10.1.0.2 inside the tunnel, so anything wider is more than the peer needs.

PersistentKeepalive: send a keepalive packet every 25 seconds while idle. pfSense sets the same on its side, and that is the one that actually matters, since it is the home end behind NAT that has to keep the mapping open.


Now we create the firewall rules that are applied when the tunnel comes up.


nano /etc/wireguard/up.sh

#!/bin/bash
# Accept traffic to the Linode itself on the ports we forward
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
# Accept anything arriving over the tunnel
iptables -A INPUT -i wg0 -j ACCEPT
# Send inbound 443 and 53 on the public IP to pfSense's tunnel address
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.1.0.2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 10.1.0.2
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.1.0.2
# Traffic from the tunnel leaves with the Linode's public IP as its source
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
# Allow forwarding between the tunnel and the public interface
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
# Drop anything else that would be forwarded
iptables -P FORWARD DROP


Hit Ctrl-X and save this file.

I'll detail what these rules are doing.

iptables -A INPUT -i eth0 -p tcp(udp) --dport 443(53) -j ACCEPT

Accepts incoming connections to the Linode itself on the specified port and protocol. Because the DNAT rules below rewrite these packets to pfSense's tunnel address, they pass through the FORWARD chain rather than INPUT, so these three rules only come into play if something on the Linode itself is listening on those ports.

iptables -t nat -A PREROUTING -i eth0 -p tcp(udp) --dport 443(53) -j DNAT --to-destination 10.1.0.2

Rewrites the packet's destination address from the Linode's public IP to the pfSense end of the tunnel, so the kernel routes it over wg0.

iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE

Rewrites the source address of traffic leaving eth0 from the tunnel network to the Linode's public IP, so replies come back to the Linode (and your outbound traffic appears to come from the static IP); conntrack undoes the rewrite on the replies.

iptables -A FORWARD -i wg0(eth0) -o eth0(wg0) -j ACCEPT

Allows traffic to be forwarded between eth0 and wg0 in both directions; the final rule sets the FORWARD policy to DROP so nothing else is forwarded. Note that the eth0-to-wg0 rule is broader than the DNAT rules: it forwards anything routed into the tunnel, not only the ports above. That is harmless here because only tunnel addresses are routed to wg0, but a tighter rule would match just the DNAT'd ports plus established connections.


Now create the teardown script and enter the following:

nano /etc/wireguard/down.sh

#!/bin/bash
# Remove exactly the rules up.sh added: each -D must match its -A line
iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -D INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 53 -j ACCEPT
iptables -D INPUT -i wg0 -j ACCEPT
iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.1.0.2
iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 10.1.0.2
iptables -t nat -D PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.1.0.2
iptables -t nat -D POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
# Keep forwarding denied while the tunnel is down
iptables -P FORWARD DROP


Hit Ctrl-X and save your changes.

This script deletes the rules created above when the tunnel goes down. Each -D line has to match its -A line exactly (same interface, protocol and port), otherwise iptables reports that no such rule exists and the rule from up.sh is left in place. Finally, make both scripts executable (chmod +x on up.sh and down.sh); wg-quick runs PostUp and PostDown as ordinary commands and cannot start them otherwise.
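The -A/-D pairing is easy to get wrong when the two scripts are maintained by hand. Below is an added example that is not part of the original guide: a single script that derives both directions from one list of forwarded ports, so the teardown always mirrors the setup. It assumes the same names as above (eth0, wg0, 10.1.0.0/24 and pfSense at 10.1.0.2) and goes a little further than the guide's rules by only letting new connections into the tunnel on the DNAT'd ports (plus established replies) instead of forwarding everything from eth0 to wg0. The WireGuard listen port itself is still opened separately, as in the ufw step further down. Generating the commands rather than running them directly also lets you review them without root:

```shell
#!/bin/bash
# Added example, not from the original guide: emit the Linode's NAT and
# forwarding rules from one port list so that "down" always mirrors "up".
# Assumed names, as in the guide: eth0 = public NIC, wg0 = tunnel,
# 10.1.0.0/24 = tunnel subnet, 10.1.0.2 = the pfSense end of the tunnel.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.1.0.0/24}"
PEER_IP="${PEER_IP:-10.1.0.2}"
# proto:port pairs that are DNAT'd to pfSense; add entries here and nowhere else.
FORWARDS="${FORWARDS:-tcp:443 tcp:53 udp:53}"

# fw_rules up|down: print one iptables command per line, -A for up and -D
# for down. Printing rather than running keeps the rule set reviewable and
# testable without root; fw_apply executes it.
fw_rules() {
    local op spec proto port
    case "$1" in
        up)   op="-A" ;;
        down) op="-D" ;;
        *)    echo "usage: fw_rules up|down" >&2; return 2 ;;
    esac
    for spec in $FORWARDS; do
        proto="${spec%%:*}"
        port="${spec##*:}"
        # Rewrite the destination from the public IP to pfSense's tunnel address;
        # the packet then traverses FORWARD (not INPUT) on its way into wg0.
        echo "iptables -t nat $op PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $PEER_IP"
        # Only the DNAT'd ports may open new connections into the tunnel.
        echo "iptables $op FORWARD -i $WAN_IF -o $WG_IF -p $proto -d $PEER_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies to pfSense's outbound connections (and to the DNAT'd ones).
    echo "iptables $op FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything from the tunnel may leave, source-NAT'd to the Linode's static IP.
    echo "iptables $op FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -t nat $op POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE"
    # The Linode itself accepts traffic arriving over the tunnel (e.g. SSH from the LAN).
    echo "iptables $op INPUT -i $WG_IF -j ACCEPT"
}

# fw_apply up|down: run the generated commands; FORWARD stays default-deny.
fw_apply() {
    local cmd
    fw_rules "$1" | while IFS= read -r cmd; do
        $cmd || echo "warning: failed: $cmd" >&2
    done
    iptables -P FORWARD DROP
}

# Hook it from wg0.conf in place of the two scripts:
#   PostUp   = /etc/wireguard/fw.sh up
#   PostDown = /etc/wireguard/fw.sh down
case "${1:-}" in
    up|down) fw_apply "$1" ;;
esac
```

Save it as /etc/wireguard/fw.sh, make it executable and point PostUp/PostDown at it as in the comment. Run with no argument it only defines the functions, so sourcing it and calling fw_rules down shows exactly what the teardown would do before you trust it with a live tunnel.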

Now it's time to enable IP forwarding.

nano /etc/sysctl.conf

Find the line in this file with net.ipv4.ip_forward, remove the leading # if it is commented out, and make sure it reads net.ipv4.ip_forward=1. Hit Ctrl-X and save your changes, then apply them without a reboot by running sysctl -p. Without forwarding enabled the Linode silently drops the packets it is supposed to pass on to pfSense.

Lastly, we need to open the firewall port so WireGuard can connect. This guide uses ufw; it is not installed on Debian's Linode image by default, so install it with apt and, before enabling it, allow SSH (ufw allow ssh) or you will lock yourself out of the server. Then type the following:

ufw allow 51830/udp

If you would rather not run ufw alongside the iptables scripts above, an equivalent INPUT rule for UDP 51830 in up.sh does the same job. Whichever you choose, also enable the wg-quick@wg0 systemd unit so the tunnel comes back on its own after a reboot.

And you're now mostly done with your server. Before we finish it off, we need to set up the gateway on pfSense.


Setting up routing on pfSense

On your pfSense router, log in and go to VPN > WireGuard (WireGuard is an add-on package on pfSense; if the menu entry is missing, install it from System > Package Manager first), then in the lower right click Add Tunnel.

Now on this screen fill in the below

Description: fill in something meaningful to you

Interface Keys: click Generate and then copy the public key somewhere safe. The private key stays on pfSense and is never sent to the Linode.

Then in the lower right click Save Tunnel.

Now click on the peers tab and select add peer in the bottom right

On the new screen enter the below.

Tunnel: Select the tunnel you just created

Dynamic Endpoint: untick this

Endpoint: enter the static IP of your WireGuard server (the Linode's public IP) and for Port enter 51830

Keep Alive: 25

Public Key: enter the public key generated on your WireGuard server (the Linode's key, not the one pfSense just generated)

Allowed IPs: 0.0.0.0/0, so that traffic to any destination may be sent through this peer

Now hit save peer.

Now head to Interfaces > Assignments.

At the bottom you will have "Available network ports" with a drop-down on the right. In the drop-down select "tun_wg*", where * is the highest number, as that should be the tunnel you just created. Then click Add on the right.

Now we need to configure the interface. You should now have a tun_wg* entry above "Available network ports"; click on it and you will see the settings screen. Change the following settings.

Description: enter something meaningful for you

IPv4 Configuration Type: Static IPV4

IPv4 Address: 10.1.0.2 /24

IPv4 Upstream gateway: click Add a new gateway

    On the menu that appears:

    Gateway name: something meaningful to you

    Gateway IPv4: 10.1.0.1

    Then click Add; this should add it to the IPv4 Upstream gateway field

The gateway address is the far end of the tunnel, i.e. the Address you gave the Linode in wg0.conf, not pfSense's own 10.1.0.2. pfSense will also ping this address to monitor the gateway, which only starts answering once the tunnel is up (the INPUT rule for wg0 in up.sh is what lets the Linode reply).

Now click Save and then Apply Changes. That's the gateway set up; time to add the peer on the WireGuard server.

Finishing up

Hopefully you are still connected to your WireGuard server. Enter the following to get back to the WireGuard config:

nano /etc/wireguard/wg0.conf

Now, under [Peer], enter the public key from your pfSense firewall after PublicKey.

Exit the file and save.

Enter the following commands to restart the tunnel so it picks up the new peer (the down command complains if the tunnel has never been brought up; that is fine, just carry on with up):

wg-quick down wg0

wg-quick up wg0

Now, on the firewall under VPN > WireGuard, the Status tab should show a recent handshake; on the Linode, wg show wg0 lists the pfSense peer with its endpoint and latest handshake. If there is no handshake, check that UDP 51830 is actually open on the Linode, that each side has the other's public key (not its own), and that the pfSense peer's endpoint is the Linode's public IP.
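A handshake seen once is not proof the tunnel stays up; with the 25-second keepalive on the pfSense side WireGuard re-handshakes at least every couple of minutes while the peer is reachable, so the age of the latest handshake is the real health signal. The script below is an added example, not part of the original guide: it parses the output of wg show wg0 dump on the Linode and flags any peer whose last handshake is older than a threshold (180 seconds by default, chosen because WireGuard itself rejects a session older than that). The sample dumps embedded in it are constructed with placeholder keys so it can be run and tested offline:

```shell
#!/bin/bash
# Added example, not from the original guide: check from the Linode that the
# pfSense peer is really up, by parsing `wg show wg0 dump`. After the first
# line (the interface) each line is one peer, tab-separated: public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake (unix time, 0 if
# never), rx bytes, tx bytes, persistent-keepalive.
# With the 25 s keepalive WireGuard re-handshakes at least every ~2 minutes
# while the peer is reachable and rejects sessions older than 180 s, so a
# handshake older than MAX_AGE means the tunnel is down even though
# `wg show` still lists the peer.
MAX_AGE="${MAX_AGE:-180}"

# Constructed sample dumps with placeholder keys (not real WireGuard keys):
# one with a peer that handshaked at 1700000000, one that never did.
SAMPLE_DUMP="$(printf 'SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51830\toff\nPFSENSE_PUBLIC_KEY\t(none)\t203.0.113.10:51830\t10.1.0.2/32\t1700000000\t123456\t654321\toff\n')"
NEVER_DUMP="$(printf 'SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51830\toff\nPFSENSE_PUBLIC_KEY\t(none)\t(none)\t10.1.0.2/32\t0\t0\t0\toff\n')"

# peer_status DUMP NOW MAX_AGE: prints one line per peer,
#   <public-key> <endpoint> <allowed-ips> ok|stale|never <age-seconds|->
peer_status() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" 'NR > 1 {
        if ($5 == 0) { state = "never"; age = "-" }
        else { age = now - $5; state = (age <= max) ? "ok" : "stale" }
        print $1, $3, $4, state, age
    }'
}

# tunnel_ok DUMP NOW MAX_AGE: succeeds only if there is at least one peer and
# every peer has completed a handshake within MAX_AGE seconds.
tunnel_ok() {
    local status
    status="$(peer_status "$1" "$2" "$3")"
    [ -n "$status" ] && ! printf '%s\n' "$status" | grep -Eq ' (stale|never) '
}

# Live use on the Linode (needs root for wg):  ./wgcheck.sh live [wg0]
case "${1:-}" in
    live)
        dump="$(wg show "${2:-wg0}" dump)"
        now="$(date +%s)"
        peer_status "$dump" "$now" "$MAX_AGE"
        if tunnel_ok "$dump" "$now" "$MAX_AGE"; then echo "tunnel up"; else echo "tunnel DOWN" >&2; exit 1; fi
        ;;
esac
```

Run it from cron or a monitoring check; a non-zero exit means the home side has stopped handshaking, which is typically the ISP having changed your IP while the pfSense keepalive was not enough to bring the session back, or the Linode's UDP port being blocked.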

You now have a tunnel that gives you a static IP out to the world and also forwards traffic sent to that IP on 443 and 53 to pfSense. To change the ports, edit the three DNAT rules in up.sh together with their matching INPUT lines and the corresponding -D lines in down.sh. Two things remain on the pfSense side that this guide does not walk through: assigning the gateway does not by itself route anything through it, so either make it the default gateway under System > Routing or add a LAN firewall rule that policy-routes the hosts that need the static IP; and the forwarded 443/53 traffic arrives at 10.1.0.2, so it needs a NAT port forward on the new interface (with its firewall rule) to reach the internal server. Also think before forwarding 53: if the service behind it is a recursive resolver rather than an authoritative-only DNS server, you have just published an open resolver on a static IP, which is abusable for DNS amplification.


I wrote this guide because I had not seen this use case and spent 2 days bashing my head against a wall trying to get it working. Thanks to the guys at Level 1 Techs for the help in resolving my issues and finishing this project. Thank you for reading.