
pfSense WireGuard Remote Access: Browser RDP and SSH to Your Entire LAN

How to set up WireGuard on pfSense to get browser-based RDP, VNC, and SSH access to every device on your LAN — no static IP, no port forwarding.

pfSense is one of the most widely deployed open-source firewalls, used by MSPs, small businesses, and home labs worldwide. If you are running pfSense at a client site, adding WireGuard to it gives you encrypted, authenticated remote access to every device on that LAN — and with a browser-based layer on top, your engineers never need to install a VPN client or RDP software.

Why pfSense + WireGuard Over Other Approaches

pfSense supports several VPN options: OpenVPN, IPsec, and WireGuard (via the WireGuard add-on package, available since pfSense 2.5.2; the in-kernel implementation that shipped in 2.5.0 was removed again in 2.5.1 and came back as a package). WireGuard has a significant advantage for MSP use: the tunnel stays up with minimal keepalive traffic, reconnects almost instantly after a link failure, and uses a simpler key-based authentication model than certificate-heavy OpenVPN setups.

For MSPs managing multiple sites, each pfSense installation becomes a single tunnel point that covers the entire LAN behind it — regardless of how many devices are on that network.

Installing WireGuard on pfSense

WireGuard is an add-on package (Netgate still labels it experimental), not part of the base install, so install it first:

  1. Go to System → Package Manager → Available Packages
  2. Search for WireGuard and install the package
  3. After install, navigate to VPN → WireGuard

This applies to pfSense CE 2.7.x and pfSense Plus as well: WireGuard is still delivered as a package on those releases. If VPN → WireGuard already appears in the menu, the package is installed and you can skip this step.

Tunnel Configuration

Create a new tunnel under VPN → WireGuard → Tunnels → Add Tunnel:

  • Listen Port: 51820 (or any unused UDP port)
  • Interface Keys: Generate a new keypair — copy the public key, you'll need it for the relay server
  • Interface Addresses: Assign the peer IP from your relay's address pool (e.g. 10.100.0.X/32)

Then add a peer pointing at your relay server:

  • Public Key: Your relay server's WireGuard public key
  • Endpoint: use the endpoint shown in your ProxyLink tunnel config (e.g. 46.225.153.241:51820)
  • Allowed IPs: 10.100.0.0/16 (the relay's tunnel range). On this side, Allowed IPs is the set of addresses pfSense will accept from the relay and route to it; your local LAN and VLAN subnets do not belong here
  • Keep Alive: 25 seconds (essential when pfSense sits behind NAT: the keepalives are what hold the NAT mapping open so the relay can reach in)

Firewall Rules

pfSense does not pass traffic on a new WireGuard interface until you add rules. The rules that matter live on the WireGuard tab, which applies to every WireGuard tunnel on the box. pfSense is stateful, so replies to connections those rules allow are matched by the state table; no LAN-side rule is needed for return traffic.

Under Firewall → Rules → WireGuard, add a rule to allow traffic from the relay's tunnel range to reach the LAN. Keep it as narrow as the use case allows: the relay range is where anyone who compromised the relay side would arrive from, so specific hosts and ports beat "any":

Action:      Pass
Interface:   WireGuard
Source:      10.100.0.0/16
Destination: LAN net (or specific host IPs)
Protocol:    Any (or restrict to TCP ports 3389, 22, 80, 443 as needed)

A rule on the LAN interface is only needed if devices on the LAN must initiate connections toward the relay range. A stock install already has a LAN net → any rule that covers this; if you have tightened LAN egress, add:

Action:      Pass
Interface:   LAN
Source:      LAN net
Destination: 10.100.0.0/16
Protocol:    Any

Do not add outbound NAT on the WireGuard interface. The relay range is a routed network and pfSense already has the return route through the tunnel interface once the interface and rules are in place; NAT there would only hide the relay-side source address from your LAN devices' own logs, which you will want intact when correlating them with the audit trail on the relay.

Multi-VLAN Access

If the pfSense instance routes multiple VLANs (common in office and hotel setups), two things change. First, the relay has to know that those subnets live behind this tunnel: in WireGuard terms, each VLAN subnet must appear in the Allowed IPs of the pfSense peer on the relay side (the pfSense side's own peer Allowed IPs stay at the relay range). Second, add rules on the WireGuard tab with each VLAN subnet as the destination, since the traffic enters pfSense on the WireGuard interface, not on the VLAN interfaces. One pfSense tunnel → all VLANs accessible through ProxyLink.
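The same settings in WireGuard configuration syntax, for both ends of the tunnel, as an added example that is not from the original post, Netgate or ProxyLink. It shows why Allowed IPs differ per side: the pfSense peer entry lists only the relay range, while the relay's entry for this pfSense lists the site's tunnel address plus every LAN and VLAN subnet behind it. The tunnel address 10.100.0.7, the three subnets and the key placeholders are assumptions; the relay endpoint and range are the page's own values. Keys such as Address are wg-quick style; pfSense and the relay present these as GUI fields rather than a file.

```ini
# Added example, not from the original post, pfSense or ProxyLink.
# Both ends of one site tunnel in wg-quick configuration syntax.
# Assumed values: 10.100.0.7 (this site's address in the relay pool),
# 192.168.10/20/30.0/24 (LAN, cameras VLAN, VoIP VLAN), key placeholders.

# ---- pfSense side: what the Tunnel and Peer forms produce ----
[Interface]
# Interface Keys: the private key never leaves pfSense; the public key goes to the relay
PrivateKey = <pfSense private key>
# Interface Addresses: this site's address from the relay's pool
Address = 10.100.0.7/32
# Listen Port
ListenPort = 51820

[Peer]
# The relay server
PublicKey = <relay public key>
Endpoint = 46.225.153.241:51820
# Only the relay's tunnel range. Local LAN/VLAN subnets do NOT go here:
# on this side AllowedIPs is what pfSense accepts FROM and routes TO the relay.
AllowedIPs = 10.100.0.0/16
# Keep Alive: holds the NAT mapping open so the relay can reach in
PersistentKeepalive = 25

# ---- Relay side: the peer entry for this pfSense site ----
[Peer]
PublicKey = <pfSense public key>
# The site's tunnel address plus every subnet behind pfSense that the relay
# should reach through this tunnel. Adding a VLAN means adding it here
# (and adding a matching rule on pfSense's WireGuard firewall tab).
AllowedIPs = 10.100.0.7/32, 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24
```

If a subnet is missing from the relay-side list, the relay will never send packets for it into the tunnel; if a subnet were wrongly added to the pfSense-side list, pfSense would route its own LAN toward the relay. Either mistake shows up as "tunnel up, device unreachable".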

This is the configuration that lets an MSP engineer reach the NVR camera system on the cameras VLAN and the PBX on the VoIP VLAN through the same single tunnel — without static IPs on either device, without agents, purely through pfSense.

Verifying the Tunnel

Under VPN → WireGuard → Status, the peer should show a recent handshake time once the tunnel connects. WireGuard re-handshakes roughly every two minutes while traffic or keepalives flow, so a handshake older than a few minutes means the tunnel is down rather than idle. If no handshake appears, check:

  • pfSense can reach the relay's UDP endpoint outbound. pfSense allows traffic that it originates itself by default, so the usual culprit is an upstream device (ISP modem, carrier-grade NAT) blocking or dropping UDP to that port; try a different port if your relay listens on more than one
  • The relay's public key and endpoint match exactly, and the relay holds this pfSense's current public key: regenerating a keypair on either side silently breaks the handshake
  • Keep Alive is set. Behind NAT nothing can reach pfSense inbound, so pfSense must be the side that sends first; without keepalives it only sends when it has traffic for the relay, and the relay's connections into the LAN would have no open path until then
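A scripted version of the same handshake check, as an added example that is not from the original post, Netgate or ProxyLink. It parses the machine-readable output of `wg show`, which the pfSense package installs along with the kernel module and which you can run from Diagnostics → Command Prompt or over SSH, and flags any peer that never completed a handshake or has gone quiet for more than three minutes. The interface name tun_wg0 (pfSense's name for the first tunnel) and the embedded sample dump are assumptions; the sample is constructed so the block runs without a live tunnel.

```shell
#!/bin/sh
# Added example, not from the original post, pfSense or ProxyLink.
# Scripted equivalent of VPN -> WireGuard -> Status for the pfSense shell.
# Assumes the tunnel interface is tun_wg0, the name pfSense gives the first tunnel.
#
# `wg show IFACE dump` prints the interface on line 1 (4 tab-separated fields:
# private-key public-key listen-port fwmark) and then one peer per line with
# 8 tab-separated fields:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  persistent-keepalive
# latest-handshake is a Unix timestamp, 0 if the peer never completed one.

# Prints one line per peer and returns 1 if any peer has never handshaked or
# its last handshake is older than MAX_AGE seconds (default 180). WireGuard
# re-handshakes about every two minutes while keepalives flow, so three
# minutes of silence means the tunnel is down, not idle.
check_handshakes() {
    dump="$1"            # output of: wg show tun_wg0 dump
    now="$2"             # current epoch: $(date +%s)
    max_age="${3:-180}"
    printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max="$max_age" '
        NF >= 8 {
            key = substr($1, 1, 8) "..."
            if ($5 == 0) {
                printf "%s endpoint=%s handshake=never\n", key, $3
                bad = 1
            } else {
                age = now - $5
                printf "%s endpoint=%s handshake=%ds ago keepalive=%s\n", key, $3, age, $8
                if (age > max) bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample dump: the relay peer handshaked 30 s before a fixed
# "now" of 1700000000. Keys are placeholders, the endpoint is the page's example.
SAMPLE_DUMP="$(printf 'PRIVKEYREDACTED\tLOCALPUBKEY=\t51820\toff\nRELAYPUBKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\t(none)\t46.225.153.241:51820\t10.100.0.0/16\t1699999970\t12345\t67890\t25\n')"

# Real use on pfSense:
#   check_handshakes "$(wg show tun_wg0 dump)" "$(date +%s)" || echo "tunnel down"
check_handshakes "$SAMPLE_DUMP" 1700000000
```

A non-zero exit is what you would wire into a monitoring check; the printed endpoint also tells you immediately whether pfSense is even talking to the relay address you expect.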

Browser Access After Tunnel Is Up

Once the tunnel is established, every device on the pfSense LAN is reachable through ProxyLink by IP. Create a proxy link for each device and service (RDP on port 3389, SSH on port 22, NVR web UI on port 80, etc.). Your engineers open a browser, click the device, and the session opens — no VPN client, no local RDP software required.

Audit logs capture every connection automatically. Session recording is available per proxy link and can be enabled for any SSH, RDP, or VNC link.

Get free early access — no card, no limits. Connect your first pfSense site in under 20 minutes.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.
