How to Connect pfSense to Your Private VPN Cloud with WireGuard

Last updated: September 11, 2025

pfSense + Private VPN Cloud Integration

Connect your pfSense firewall to TorGuard's Private VPN Cloud using WireGuard for secure, high-performance networking. Choose from three flexible setup options based on your specific needs: cloud resource access, internet gateway routing, or internet connection sharing.

Understanding Your Connection Options

Choose Your Setup Method

Option 1: Cloud Access Only

Purpose: Access cloud services and devices from pfSense network

  • pfSense LAN can reach cloud resources
  • Optional: Cloud devices can access pfSense LAN
  • Internet traffic uses regular connection
  • Perfect for accessing cloud-hosted services

Option 2: Internet Access

Purpose: Route all internet traffic through VPN cloud

  • Use VPN cloud as default gateway
  • All devices show VPN cloud IP
  • Includes cloud resource access
  • Full VPN protection for network

Option 3: Share Internet

Purpose: Share pfSense internet with cloud devices

  • Cloud devices use pfSense internet
  • Shows pfSense public IP
  • LAN access possible
  • Useful for backup internet sharing

Throughout this guide, we'll refer to these as "Setup Options". Choose the one that best fits your network architecture needs.

Prerequisites

Before You Begin

  • pfSense firewall (version 2.5.0 or higher recommended)
  • Active TorGuard Private VPN Cloud subscription
  • Admin access to pfSense web interface
  • Basic understanding of firewall and routing concepts

Step 1: Login to pfSense

Access Your Firewall

Open your web browser and navigate to your pfSense admin interface (typically https://192.168.1.1 or your custom IP).

Step 2: Install WireGuard Package

Add WireGuard Support

  1. Check if WireGuard is already installed under VPN tab
  2. If not present, navigate to System → Package Manager → Available Packages
  3. Search for "wireguard"
  4. Click Install to add WireGuard package
  5. Wait for installation to complete

Figure: Installing WireGuard package in pfSense

Step 3: Configure Private VPN Cloud

Step 3-1: Access Your VPN Cloud

  1. Login to your TorGuard account
  2. Go to Services → My Services
  3. Click Manage VPN cloud beside your Private VPN Cloud service

Figure: Access Private VPN Cloud management

Step 3-2: Create pfSense Device

Add New Device

  1. Device Name: Enter "pfsense" or descriptive name
  2. LAN Subnet:
    • If exposing pfSense LAN to cloud: Enter your subnet (e.g., "192.168.2.0/24")
    • Otherwise: Leave empty
  3. Gateway Selection:

    Based on your chosen Setup Option:

    • Option 1 or 3: Select "Internal communication only"
    • Option 2: Select "Default Gateway"
  4. Click Add to generate configuration

Figure: Creating pfSense device in Private VPN Cloud

Step 3-3: Download Configuration

  1. Click Download config link beside your new device
  2. Save the WireGuard configuration file
  3. Open it with a text editor (Notepad, TextEdit, etc.)
  4. Keep this file open - you'll need values from it

Figure: Download WireGuard configuration file

Step 4: Configure WireGuard Tunnel

Step 4-1: Create Tunnel

  1. In pfSense, navigate to VPN → WireGuard
  2. Click + Add Tunnel

Figure: Adding new WireGuard tunnel

Step 4-2: Configure Tunnel Settings

Tunnel Configuration

  • Enable: ✓ Checked
  • Description: My Private Cloud
  • Listen Port: Leave blank
  • Private Key: Copy PrivateKey value from config file
  • Interface Address: Copy Address value from config file

Click Save Tunnel

Figure: WireGuard tunnel configuration settings

Step 5: Configure Peer

Step 5-1: Add Peer

  1. Click Peers tab
  2. Click + Add Peer

Figure: Adding WireGuard peer

Step 5-2: Configure Peer Settings

Peer Configuration

  • Enabled: ✓ Check
  • Dynamic: ☐ Uncheck
  • Endpoint:
    • From config: "Endpoint = 60.60.60.60:1443"
    • IP: 60.60.60.60
    • Port: 1443
  • Keepalive: 25
  • Public Key: Copy from config file
  • Allowed IPs: Copy AllowedIPs value from config

Click Save Peer

Figure: WireGuard peer configuration

Step 6: Enable WireGuard

  1. Navigate to VPN → WireGuard → Settings
  2. Enable WireGuard
  3. Click Save
  4. Click Apply Configuration

Figure: Enabling WireGuard service

Step 7: Configure Interface

Step 7-1: Assign Interface

  1. Go to Interfaces → Assignments
  2. Find the WireGuard interface (tun_wg0)
  3. Click Add to assign it

Figure: Assigning WireGuard interface

Step 7-2: Configure Interface

  1. Click on the new interface (likely OPT1, OPT2, etc.)
  2. Enable: ✓ Check
  3. Description: Change to "WG_TG"
  4. IPv4 Configuration Type: Static IPv4
  5. IPv4 Address: Same as Interface Address from config (e.g., 10.184.1.3/16)

For Setup Option 2 Only (Internet Access)

  1. Click + Add next to IPv4 Upstream Gateway
  2. Gateway name: WG_TG_GWV4
  3. Gateway IPv4: Same IP as the Interface Address, entered as a single host address (/32) rather than with the subnet mask (e.g., 10.184.1.3)
  4. Click Add

Click Save and Apply Changes

Figure: Configuring WireGuard interface settings
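
The mapping from the downloaded config file to the pfSense fields in Steps 4-2, 5-2 and 7-2, as an added Python example that is not part of the original guide. The sample config is constructed (placeholder keys and AllowedIPs value), the function and field names are this example's own, and it assumes a single peer with a single IPv4 Address.

```python
import base64
import ipaddress

# Constructed sample: placeholder keys and AllowedIPs; endpoint and address are the guide's examples.
PRIV = base64.b64encode(bytes(range(32))).decode()
PUB = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CONF = f"""[Interface]
PrivateKey = {PRIV}
Address = 10.184.1.3/16

[Peer]
PublicKey = {PUB}
AllowedIPs = 10.184.0.0/16
Endpoint = 60.60.60.60:1443
"""

def parse_wg_conf(text):
    """Return {section: {key: value}} for a single-peer WireGuard config."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None and not line.startswith("#"):
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            section[key.strip()] = value.strip()
    return conf

def is_wg_key(value):
    """A WireGuard key is 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def pfsense_fields(text):
    """Map config values to the pfSense fields in Steps 4-2, 5-2 and 7-2."""
    conf = parse_wg_conf(text)
    iface, peer = conf["Interface"], conf["Peer"]
    for name, key in (("PrivateKey", iface["PrivateKey"]), ("PublicKey", peer["PublicKey"])):
        if not is_wg_key(key):
            raise ValueError(f"{name} is not a valid WireGuard key (truncated paste?)")
    host, _, port = peer["Endpoint"].rpartition(":")
    addr = ipaddress.ip_interface(iface["Address"])  # assumes a single IPv4 address
    allowed = [str(ipaddress.ip_network(n.strip(), strict=False)) for n in peer["AllowedIPs"].split(",")]
    # The private key is validated but not returned, so it never reaches logs or terminals.
    return {"interface_address": str(addr), "gateway_ipv4": str(addr.ip),
            "endpoint_ip": host, "endpoint_port": int(port),
            "public_key": peer["PublicKey"], "allowed_ips": allowed}
```

A key that fails the length check here is the same condition the "Confirm keys were copied correctly" item under Troubleshooting asks you to rule out.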

Step 7-3: Configure Interface Group

  1. Navigate to Interfaces → Interface Groups
  2. Edit your WireGuard Interface group
  3. Select group based on Setup Option:
    • Option 2: Choose WAN
    • Options 1/3: Choose LAN
  4. Click Save and Apply Configuration

Figure: Setting interface group membership

Step 8: Configure Firewall Rules

Required for Options 1 & 3, Optional for Option 2

  1. Navigate to Firewall → Rules → WireGuard
  2. Click Add to create new rule
  3. Configure to allow incoming traffic on WireGuard interface
  4. Click Save and Apply Configuration

Figure: Adding firewall rule for WireGuard
Figure: Firewall rule configuration

Setup Complete for Options 1 & 3!

If you're using Option 1 (Cloud Access) or Option 3 (Share Internet), your setup is now complete. The following steps are only needed for Option 2 (Internet Access).

Step 9: Configure NAT (Option 2 Only)

Outbound NAT Configuration

  1. Navigate to Firewall → NAT → Outbound
  2. Select Manual Outbound NAT rule generation
  3. Click Save and Apply changes

Figure: Enabling manual outbound NAT

Configure NAT Rules

  1. For each existing rule under Mappings:
    • Click the Copy button
    • Change Interface to tun_wg0
    • Save the copied rule
  2. Click Apply changes

Figure: Configuring outbound NAT rules

Step 10: Routing Fix (If Needed)

Routing Table Update

If tunnel shows active but traffic isn't routing through it:

  1. Go to System → Routing → Groups
  2. Add new group with:
    • VPN interface: Tier 1 priority
    • WAN interface: Tier 2 priority
    • Trigger: Packet Loss
  3. Apply configuration
  4. Go to System → Routing
  5. Select new group from Default gateway dropdown
  6. Apply changes

Figure: Configuring gateway group for proper routing

Verify Your Connection

Test Your Setup

  1. Browse to https://torguard.net/whats-my-ip.php
  2. Verify based on your setup option:
    • Option 1: IP should remain your regular ISP IP
    • Option 2: IP should show VPN cloud location
    • Option 3: Test from cloud device to see pfSense IP

Troubleshooting

No Handshake

  • Verify endpoint IP and port are correct
  • Check firewall isn't blocking UDP traffic
  • Confirm keys were copied correctly
  • Try regenerating configuration in VPN Cloud

Connected but No Traffic

  • Check interface assignment and configuration
  • Verify firewall rules allow traffic
  • For Option 2, confirm NAT rules are correct
  • Try the routing fix in Step 10

LAN Access Issues

  • Ensure LAN subnet was specified correctly in VPN Cloud
  • Check firewall rules on WireGuard interface
  • Verify routing between interfaces
  • Test with ping from both directions
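
To decide which of the troubleshooting lists above applies, the handshake state can be read from the tunnel itself. This added Python example (not part of the original guide) parses the tab-separated output of `wg show tun_wg0 dump` and sorts each peer into "No Handshake" or "Handshake OK". The sample dump is constructed, and the example assumes the `wg` tool is available in the pfSense shell, Keepalive is set to 25 as in Step 5-2, and a handshake older than 180 seconds counts as stale.

```python
import time

STALE_AFTER = 180  # seconds; assumed threshold, valid while keepalives keep the session active

# Constructed `wg show tun_wg0 dump` output (tab-separated); keys are placeholders.
SAMPLE_DUMP = "\n".join([
    "\t".join(["<private-key>", "<public-key>", "51820", "off"]),
    "\t".join(["<peer-public-key>", "(none)", "60.60.60.60:1443", "10.184.0.0/16",
               "1757600000", "9204", "15388", "25"]),
])

def peers(dump):
    """Yield one dict per peer line; the first line describes the interface itself."""
    for line in dump.strip().splitlines()[1:]:
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = line.split("\t")
        yield {"public_key": pub, "endpoint": endpoint, "allowed_ips": allowed.split(","),
               "handshake": int(handshake), "rx": int(rx), "tx": int(tx),
               "keepalive": keepalive}

def triage(peer, now=None):
    """Return the Troubleshooting heading that matches this peer's state."""
    now = time.time() if now is None else now
    if peer["handshake"] == 0:
        return "No Handshake"          # never completed: endpoint, UDP filtering, keys
    if now - peer["handshake"] > STALE_AFTER:
        return "No Handshake (stale)"  # worked earlier, peer no longer answering
    return "Handshake OK"              # tunnel is up: check rules, NAT, routing
```

A "Handshake OK" result with traffic still failing points to the "Connected but No Traffic" and "LAN Access Issues" lists, since the keys and endpoint are then known to be correct.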
