Cloudflare WARP setup on pfSense using WireGuard

Apr 14, 2025

In this blog post, we will walk you through setting up Cloudflare WARP on pfSense using the native WireGuard client. Please note that this method is not officially supported by Cloudflare and is intended for educational purposes only. It should not be used in production environments.

What is Cloudflare WARP?

You’re probably familiar with Cloudflare’s WARP if you’ve found your way to this guide — but just in case, let’s quickly go over what it actually is.
Cloudflare WARP is a service that’s designed to make your internet connection both faster and more secure. While traditional VPNs are mostly about hiding your IP address, WARP is more focused on improving performance. It routes your traffic through Cloudflare’s massive global network to help speed things up, all while keeping your data encrypted and private.

Privacy: Cloudflare promises not to log your browsing activity for things like ads or tracking.
Free to Use: You can use WARP for free, though there’s also WARP+ if you want even faster speeds, this routes traffic through the least congested paths.

Getting your Cloudflare WARP Wireguard Config

To generate a WireGuard configuration for Cloudflare WARP, we'll use the following GitHub project: https://github.com/rany2/warp.sh

As always, I recommend reviewing the script before running it. You can view it here: https://github.com/rany2/warp.sh/blob/master/warp.sh

By using this you agree to Cloudflare's ToS: https://www.cloudflare.com/application/terms/

First ensure you have the required packages:
sudo apt install curl jq wireguard

Run the config generator:
curl -sL https://raw.githubusercontent.com/rany2/warp.sh/refs/heads/master/warp.sh | bash

Installing Wireguard on pfSense

If you don't already, go ahead and install Wireguard on your pfSense router.

After installation, you may need to reboot pfSense.

You can find this under System > Package Manager > Available Packages

2) Now select WireGuard:

3) Hit the big green add tunnel button

4) In the configuration window, fill in the Description, Private Key, and Interface Address based on the WireGuard config you generated earlier.

5) Now create a peer to join up to the tunnel:

6) Hit save
7) If you see a red banner indicating that the service is not enabled. Navigate to Wireguard settings (to the right of the peer tab) and enable it.

Creating the interface

8) Go to Interfaces > Assignments, then click Add to create a new WireGuard interface, usually named “tun_wg0.”

9) Click on the newly created interface (likely OPT1) so we can configure it:

Enable the interface
Set the Description (e.g., “Cloudflare WARP”)
Set IPv4 Configuration Type to Static IPv4
Assign the IP address (e.g., 172.16.0.2) from the generated config.

10) Head over to NAT, this will allow Network Address Translation for your LAN devices.
Firewall > NAT > Outbound
Hit the green Add under Mappings

11) Configure the NAT rule to look like the following. Change the IP range to suite you're internal range.

12) Now lets add it as a Gateway to route our traffic:
System > Routing > Gateways
Create a new one with the fancy green button bottom right

13) Create your Gateway:

14) Now that everything is set up, you can route your traffic through Cloudflare WARP. Create a firewall rule that specifies which traffic you want to route.

To route all LAN traffic over Cloudflare WARP, go to Firewall > Rules > LAN, and under Advanced Options, select the Cloudflare WARP Gateway.

Under advanced, select your Cloudflare Warp Gateway.

Your IP should now show as belonging to Cloudflare!

You can verify that your traffic is routing through Cloudflare by checking your IP here: ipinfo.io/json.

Cloudflare WARP setup with Wireguard on a Ubiquiti Firewall