TL;DR
The author continues building a home NAS on FreeBSD 14.3 by adding a WireGuard VPN to link an office and a home LAN and to enable access from Arch Linux clients. The post walks through installing WireGuard, enabling IP forwarding, updating Packet Filter rules to permit WireGuard handshakes and VPN transit, and validating the configuration.
What happened
Building on a FreeBSD 14.3 home NAS project, the author chose WireGuard over OpenVPN for a small home VPN and documented setup steps and firewall changes. WireGuard was installed with the wireguard-tools package, the kernel module was loaded (if_wg), and the interface was prepared for autostart. IP forwarding was enabled by setting gateway_enable in rc.conf and flipping net.inet.ip.forwarding via sysctl. The Packet Filter (pf) ruleset was extended to allow incoming UDP on port 51820 for WireGuard handshakes, to permit VPN clients (10.8.0.0/24) to reach the FreeBSD host and both office (192.168.0.0/24) and home (192.168.100.0/24) subnets, and to allow ICMP/SSH from those nets to the host. Rules were syntax-checked with pfctl and the pf service reloaded. The network uses TP-Link Archer AX12 routers with NAT port-forwarding to the FreeBSD box, and Arch Linux laptops act as peers.
Why it matters
- WireGuard’s smaller codebase and kernel-level operation reduce complexity and runtime overhead compared with a user-space VPN service, according to the author’s comparison.
- Running WireGuard on the NAS lets the FreeBSD host act as a central VPN peer and router, enabling cross-LAN access between office and home subnets.
- Tightening Packet Filter rules for WireGuard handshakes and transit traffic provides controlled remote access while keeping default-deny firewall posture.
- Enabling IP forwarding on the NAS allows it to route traffic between the physical LAN and the WireGuard virtual network, a required step for cross-network connectivity.
Key facts
- Host OS: FreeBSD 14.3 (project continuation).
- VPN network chosen: 10.8.0.0/24; office LAN: 192.168.0.0/24; home LAN: 192.168.100.0/24.
- FreeBSD LAN IP used in examples: 192.168.0.2.
- WireGuard was installed with pkg install wireguard-tools and the kernel module loaded via kldload if_wg.
- WireGuard interfaces enabled in rc.conf with wireguard_enable=YES and wireguard_interfaces=wg0.
- IP forwarding enabled persistently by setting gateway_enable=YES and immediately via sysctl net.inet.ip.forwarding=1.
- Primary pf adjustments: allow UDP/51820 to the host, permit traffic from 10.8.0.0/24 to host and both LANs, and permit ICMP/SSH as needed.
- pf rules were checked with pfctl -vnf /etc/pf.conf and applied with service pf reload.
- Network entry points are TP-Link Archer AX12 routers; the routers are configured to NAT-forward WireGuard traffic to the FreeBSD host.
- Client peers in the setup include Arch Linux laptops in office and home networks.
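The steps listed above (persistent rc.conf settings, loading if_wg, enabling forwarding, a default-deny pf ruleset opened only for WireGuard handshakes, VPN transit, and ICMP/SSH to the host, then pfctl -vnf before service pf reload) can be collected into one script. The following is an added example written for this summary, not the post author's own script. Addresses, the port and the interface name wg0 come from the post; the LAN interface name em0 is an assumed placeholder and must be replaced with the real NIC. Run it without arguments to print the generated ruleset (a dry run); run it as `sh wg-fw.sh apply` on the FreeBSD host to persist the settings and reload pf only after the ruleset passes the syntax check.

```shell
#!/bin/sh
# Added example, not the post's own code. Renders the rc.conf/sysctl
# settings and pf rules described in the post and applies them only
# when invoked with "apply". EXT_IF is an assumed placeholder.
EXT_IF="${EXT_IF:-em0}"              # assumed; replace with the real LAN NIC
WG_IF="wg0"                          # WireGuard interface from the post
HOST_IP="192.168.0.2"                # FreeBSD LAN address from the post
WG_PORT="51820"                      # WireGuard UDP port
VPN_NET="10.8.0.0/24"
OFFICE_NET="192.168.0.0/24"
HOME_NET="192.168.100.0/24"

# Print the pf ruleset: default deny, then only what WireGuard and
# cross-LAN transit need. Macros (\$ext_if etc.) are left unexpanded
# so pf resolves them itself.
render_pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
wg_if = "$WG_IF"
host_ip = "$HOST_IP"
vpn_net = "$VPN_NET"
office_net = "$OFFICE_NET"
home_net = "$HOME_NET"

set skip on lo0
block all
# WireGuard handshakes and transport arrive as UDP on the LAN interface
pass in on \$ext_if proto udp from any to \$host_ip port $WG_PORT
# VPN clients may reach the host itself
pass in on \$wg_if from \$vpn_net to \$host_ip
# VPN clients may transit to either LAN (needs net.inet.ip.forwarding=1)
pass in on \$wg_if from \$vpn_net to { \$office_net, \$home_net }
# Ping and SSH to the host from both LANs
pass in on \$ext_if inet proto icmp from { \$office_net, \$home_net } to \$host_ip icmp-type echoreq
pass in on \$ext_if proto tcp from { \$office_net, \$home_net } to \$host_ip port 22
# Outbound and forwarded traffic may leave; pf keeps state by default
pass out all
EOF
}

# Persist the rc.conf settings the post records, load the module,
# and turn forwarding on immediately.
enable_wireguard_and_forwarding() {
    sysrc wireguard_enable=YES
    sysrc wireguard_interfaces="$WG_IF"
    sysrc gateway_enable=YES           # persistent IP forwarding
    kldload -n if_wg                   # -n: silently skip if already loaded
    sysctl net.inet.ip.forwarding=1    # take effect now, before reboot
}

# Syntax-check the generated ruleset before touching the live firewall;
# /etc/pf.conf is replaced only if pfctl accepts the new file.
apply_pf_rules() {
    tmp=$(mktemp) || return 1
    render_pf_rules > "$tmp"
    if pfctl -vnf "$tmp"; then
        cp "$tmp" /etc/pf.conf && service pf reload
        rc=$?
    else
        echo "pf ruleset rejected; /etc/pf.conf left untouched" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    apply) enable_wireguard_and_forwarding && apply_pf_rules ;;
    *)     render_pf_rules ;;          # dry run: show the ruleset only
esac
```

The ordering matters for the point the post makes: the ruleset is written to a temporary file and checked with pfctl -vnf first, so a typo never leaves the host with an empty or partially loaded firewall, and the default `block all` stays in front of every `pass` rule so that anything not explicitly opened for WireGuard is still dropped.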
What to watch next
- Ensure NAT port-forwarding on the router forwards UDP 51820 to the FreeBSD host (confirmed in the source).
- Validate pf rules with pfctl -vnf before reloading and monitor for unintended drops (confirmed in the source).
- Routing table and cross-LAN access configuration steps are handled later in the post series (confirmed in the source).
- Whether the blog server rtfm.co.ua will be connected for backups is noted as a possible future step but not confirmed in the source.
Quick glossary
- WireGuard: A modern VPN protocol implemented as a lightweight kernel module that presents as an encrypted network interface and uses public-key peers and allowed IPs.
- OpenVPN: A widely used, user-space VPN solution that typically relies on SSL/TLS stacks and runs as an application communicating with the kernel network stack.
- Packet Filter (pf): A firewall facility used on BSD systems to filter and control network packets according to configured rules and policies.
- IP forwarding: The kernel capability to forward network packets between interfaces, enabling a host to route traffic between connected networks.
- Kernel module: A piece of code that can be loaded into the operating system kernel to add functionality, such as a device driver or network protocol implementation.
Reader FAQ
Why did the author choose WireGuard instead of OpenVPN?
The author cites WireGuard’s much smaller codebase, kernel-space operation, built-in cryptography, and peer-to-peer model as reasons; OpenVPN is described as larger and user-space based.
How is WireGuard enabled on FreeBSD in this setup?
Install wireguard-tools, load the if_wg module, enable wireguard in rc.conf, and configure wireguard_interfaces; IP forwarding and pf rules must also be updated.
Will internet traffic be routed through the VPN?
Routing internet traffic through the VPN is not required in this configuration; the intent is limited to traffic between the home and office networks (confirmed in the source).
Will the existing blog server be moved to the NAS over this VPN?
Not confirmed in the source.

FreeBSD: Home NAS, part 3 – WireGuard VPN, Linux peer, and routing, by setevoy, 12/25/2025
Sources
- FreeBSD Home NAS, part 3: WireGuard VPN, routing, and Linux peers
- How to Configure WireGuard VPN Server and Client …