OPNSense – WireGuard Road Warrior Setup

Introduction

This article is a step-by-step guide to configuring WireGuard on OPNsense for road-warrior clients (laptops and phones that connect from changing networks). WireGuard is a modern VPN protocol with a small codebase, a fixed set of cryptographic primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing) and no cipher negotiation, which keeps both the attack surface and the configuration small. On current OPNsense releases it runs in the FreeBSD kernel.

The steps below cover the server instance, per-device peers, the interface assignment, the firewall rules that expose the listener and restrict what clients may reach, and the MSS clamping needed to keep TCP working through the tunnel. Each step notes the setting a practitioner is most likely to get wrong.

Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

https://youtu.be/uiJCE-cWCt0
Step 1 – Create a Backup of System Configuration

It’s essential to create a backup of your system configuration. If anything happens unexpectedly, having a backup file lets you quickly restore your settings. You should consider automating this process using the Google Drive API for seamless automatic backups. I have provided a step-by-step tutorial on how to back up your configuration in case of a system failure or if you need to restore your settings. Check it out here: https://sysadmin102.com/2024/03/opnsense-automatic-configuration-backup-with-google-drive/.

  • Go to System ‣ Configuration ‣ Backup and download the configuration XML before you change anything. The file contains every secret on the firewall (including the WireGuard private key you are about to generate), so store it where only administrators can read it.
Step 2 – Configure the WireGuard Instance
  • Go to VPN ‣ WireGuard ‣ Settings ‣ Instances
  • Click + to add a new Instance
  • Configure the Instance as follows (if an option is not mentioned below, leave it as the default):
  • Advanced mode: toggled on.
  • Public key/Private key: generate a new keypair. The private key never leaves the firewall; clients only receive the public key.
  • Listen port: 51820 is the default. A non-standard port only reduces noise from mass scanners; WireGuard does not reply to packets that fail authentication, so the port number itself is not a security control.
  • MTU: 1420 (the WireGuard default), or 1412 when the WAN is a PPPoE connection (most DSL lines), because PPPoE takes 8 bytes of every frame.
  • DNS servers: your local DNS server or a preferred public resolver, such as Quad9 (9.9.9.9) or Cloudflare (1.1.1.1). The Peer generator copies this into the client configs, so use the local resolver if clients need to resolve internal names.
  • Tunnel address: the firewall's own address in a dedicated subnet, in CIDR form (e.g. 10.10.10.1/24), taken from the RFC 1918 private ranges:
    • 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
    • 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
    • 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
    • Choose a subnet that is used nowhere else.
    • Avoid common home and hotel router defaults such as 10.0.0.0/24, 192.168.0.0/24 and 192.168.1.0/24. If the tunnel subnet, or a LAN behind the firewall, overlaps with the network a road-warrior client is sitting in, the client's routing table cannot tell the two apart and traffic for those addresses never enters the tunnel. The same applies between sites: every site and the tunnel itself need subnets that uniquely identify them.
  • Save.
  • Enable WireGuard: checked.
  • Apply.
Step 3 – Configure the WireGuard clients using the Peer generator
  • Go to VPN ‣ WireGuard ‣ Peer generator.
  • Instance: select one if you have multiple.
  • Endpoint: your DDNS FQDN or static WAN IP address, followed by the Listen port from Step 2 (for example vpn.example.com:51820). Follow this tutorial to set up DDNS: https://bit.ly/3RCeAPp
  • Name: a name for this user or device. Create one peer per device, so that a lost phone can be removed without touching anyone else's access.
  • Keepalive interval: 25. The client sends an empty packet every 25 seconds so the NAT mapping on its side stays open; without it the firewall cannot reach an idle client behind NAT.
  • Everything else should be prepopulated from the instance (the client's tunnel address, DNS and the firewall's public key).
  • Store and generate next: before you click it, copy the generated config into an empty tunnel on your Mac/PC or scan the QR code with the WireGuard app on your mobile device. The config contains the client's private key, which OPNsense generates but does not store, so it cannot be displayed again; treat the text and the QR code as a secret and delete any screenshots afterwards. Clicking Store and generate next saves only the client's public key as a peer on the instance and starts the next one.

macOS Client

  • Download and install the WireGuard app from the Mac App Store: https://apps.apple.com/us/app/wireguard/id1451685025?ls=1&mt=12
  • Click + to add a new tunnel ‣ Add Empty Tunnel
  • Copy and paste the config from the Peer generator.
  • Save

Windows Client

  • Download and install the WireGuard app: https://www.wireguard.com/install/
  • Click Add Tunnel to add a new tunnel ‣ Add Empty Tunnel
  • Copy and paste the config from the Peer generator.
  • Block untunneled traffic (kill-switch): when enabled, the WireGuard client adds Windows Firewall rules that block all traffic that is neither to nor from the tunnel interface, so no IP packets leave the machine outside the VPN if the tunnel drops. The option is only offered for full-tunnel configs whose AllowedIPs include 0.0.0.0/0 and ::/0; it is not available for split-tunnel configs.
  • Save
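As an added example that is not part of the original post or of OPNsense itself, the following Python script checks the mismatch that most often leaves a new peer stuck at "handshake never completes": the PrivateKey in the client config and the PublicKey stored in the peer entry on the firewall do not belong together. It derives the public key from a private key (the same X25519 computation `wg pubkey` performs, written out in pure Python so it runs offline with no extra packages), compares it with the registered key, and renders a config in the layout the Peer generator displays. The host name vpn.example.com, the 10.10.10.0/24 tunnel addresses and the keys are constructed placeholders; the keys are the RFC 7748 section 6.1 test vector, which is why the derived public key is known in advance.

```python
import base64

P = 2**255 - 19            # Curve25519 field prime
A24 = 121665               # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time: for offline checks only)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pubkey_from_private(priv_b64: str) -> str:
    """What `wg pubkey` prints for a base64-encoded private key."""
    priv = base64.b64decode(priv_b64)
    if len(priv) != 32:
        raise ValueError("a WireGuard key is 32 bytes, base64 encoded")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()

def parse_wg_config(text: str) -> dict:
    """Minimal parser for the [Interface]/[Peer] file format (one peer per file)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # base64 '=' padding stays in the value
            sections[current][key.strip()] = value.strip()
    return sections

def render_client_config(client_priv_b64, address, dns, server_pub_b64, endpoint,
                         allowed_ips="0.0.0.0/0, ::/0", keepalive=25, mtu=1420):
    """Same layout as the config the Peer generator shows (full tunnel by default)."""
    return "\n".join([
        "[Interface]", f"PrivateKey = {client_priv_b64}", f"Address = {address}",
        f"DNS = {dns}", f"MTU = {mtu}", "",
        "[Peer]", f"PublicKey = {server_pub_b64}", f"Endpoint = {endpoint}",
        f"AllowedIPs = {allowed_ips}", f"PersistentKeepalive = {keepalive}", ""])

def audit_client_config(text: str, registered_client_pub_b64: str) -> list:
    """Findings for a client config; an empty list means it is consistent with
    the peer entry on the firewall (registered_client_pub_b64)."""
    cfg = parse_wg_config(text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    if "PrivateKey" not in iface:
        return ["no PrivateKey in [Interface]"]
    findings = []
    if pubkey_from_private(iface["PrivateKey"]) != registered_client_pub_b64:
        findings.append("PrivateKey does not derive to the PublicKey registered on OPNsense")
    if ":" not in peer.get("Endpoint", ""):
        findings.append("Endpoint must be host:port (the Listen port from Step 2)")
    if "PersistentKeepalive" not in peer:
        findings.append("no PersistentKeepalive: idle NAT mappings will expire")
    return findings

# Constructed sample: RFC 7748 section 6.1 keys stand in for generated keys.
SAMPLE_CLIENT_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SAMPLE_CLIENT_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
SAMPLE_SERVER_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
SAMPLE_CLIENT_PRIV_B64 = base64.b64encode(SAMPLE_CLIENT_PRIV).decode()
SAMPLE_CLIENT_PUB_B64 = base64.b64encode(SAMPLE_CLIENT_PUB).decode()
SAMPLE_SERVER_PUB_B64 = pubkey_from_private(base64.b64encode(SAMPLE_SERVER_PRIV).decode())
SAMPLE_CONFIG = render_client_config(SAMPLE_CLIENT_PRIV_B64, "10.10.10.2/32", "10.10.10.1",
                                     SAMPLE_SERVER_PUB_B64, "vpn.example.com:51820")

if __name__ == "__main__":
    print(SAMPLE_CONFIG)
    print("findings:", audit_client_config(SAMPLE_CONFIG, SAMPLE_CLIENT_PUB_B64) or "none")
```

To use it on a real peer, paste the config text into `audit_client_config` together with the Public key shown in the peer's entry under VPN ‣ WireGuard ‣ Peers; the public key is not secret, but the config text is, so run this on the client, not on a shared host. The X25519 routine is there so the check needs nothing beyond the standard library; for anything beyond a one-off check use `wg pubkey`.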
Step 4 – Assign an interface to WireGuard (optional, but required for the per-interface firewall rules below and for NAT or policy routing)
  • Go to Interfaces ‣ Assignments
  • In the dropdown, select the WireGuard device (wg0, wg1, ..., matching the instance number of the Instance created in Step 2).
  • Add a description (e.g. WireGuardVPN).
  • Click + to add it, then click Save.
  • Then select your new interface under the Interfaces menu.
  • Configure it as follows (if an option is not mentioned below, leave it as the default):
  • Go to Interfaces ‣ [the name you gave the interface above]
  • Enable Interface: checked.
  • Prevent interface removal: checked.
  • Leave the IPv4 and IPv6 configuration type as None; the tunnel address from Step 2 is applied by WireGuard itself.
  • Save
  • Apply changes
Step 5 – Create Firewall rules
  1. The first rule allows clients on the Internet to reach the WireGuard listener on the firewall.
  • Go to Firewall ‣ Rules ‣ WAN
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
  • Action: Pass
  • Interface: WAN
  • TCP/IP Version: IPv4, or IPv4+IPv6 if the WAN has a public IPv6 address
  • Protocol: UDP (WireGuard is UDP only; a TCP rule does nothing)
  • Source: any
  • Destination: WAN address
  • Destination port range: the Listen port from Step 2 (51820 by default)
  • Description: e.g. Allow WireGuard
  • Save
  • Apply

2. The second rule allows connected clients to reach whatever they are meant to reach. Without it the tunnel comes up (the handshake completes), but every packet a client sends is dropped by the default deny on the new interface.

  • Go to Firewall ‣ Rules ‣ [name of the interface assigned in Step 4]
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
  • Action: Pass
  • Source: the interface's own network (the tunnel subnet from Step 2)
  • Destination: the IPs or subnets client peers should be able to access, e.g. "LAN net", a single management host, or "any" if clients are also meant to use the firewall as their default gateway for Internet traffic
  • Destination port range: restrict it where you can (e.g. 443 or 22); "any" is the usual road-warrior setting
  • Save
  • Apply changes
Step 6 – Create normalization rules (MSS clamping)
  • An IPv4 header is usually 20 bytes and a TCP header 20 bytes, 40 bytes in total for IPv4 TCP.
  • An IPv6 header is 40 bytes, so the total rises to 60 bytes for IPv6 TCP.
  • With a tunnel MTU of 1420, the largest TCP payload that still fits is therefore 1420 - 40 = 1380 bytes over IPv4 and 1420 - 60 = 1360 bytes over IPv6 (1372 and 1352 if you set the MTU to 1412 for PPPoE).
  • The normalization rule rewrites the MSS option in TCP SYN packets to that value, so neither end ever sends a segment larger than the tunnel can carry and nothing needs to be fragmented. Without it, ping and small UDP exchanges work, but TCP sessions that push full-size segments (HTTPS page loads, file copies over SMB or SSH) stall once Path MTU Discovery fails, which is common because many networks drop the ICMP "fragmentation needed" messages it depends on.
  • Go to Firewall ‣ Settings ‣ Normalization and press + to create a new normalization rule.
  • If you only pass IPv4 traffic through the WireGuard tunnel, create the following rule (skip to the IPv6 rule if you pass both IPv4 and IPv6 traffic):
    • Interface: the WireGuard interface from Step 4
    • Direction: any
    • Protocol: TCP
    • Source and Destination: any
    • Max mss: 1380 (1372 with a 1412 MTU)
  • If you pass IPv4+IPv6, or only IPv6 traffic, through the WireGuard tunnel, create the following rule instead (skip the IPv4 rule; the smaller value is also safe for IPv4):
    • Same as above, with Max mss: 1360 (1352 with a 1412 MTU)
  • Save and Apply changes.
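As an added illustration that is not part of the original post, the following Python reproduces the header arithmetic above and extends it to where the 1420 and 1412 figures from Step 2 come from: WireGuard wraps every inner packet in an outer IP header, a UDP header and a 32-byte WireGuard data-message header (type, receiver index, counter and the Poly1305 tag), so a 1500-byte Ethernet link leaves 1420 bytes for the inner packet when the outer header is IPv6 (the worst case, which is why WireGuard defaults to it), and a 1492-byte PPPoE link leaves 1412. The functions then derive the Max mss values for the normalization rule from the tunnel MTU.

```python
IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
# WireGuard transport data message: type + reserved (4), receiver index (4),
# counter (8) and the Poly1305 tag (16) around the encrypted inner packet.
WG_DATA_OVERHEAD = 4 + 4 + 8 + 16


def tunnel_mtu(link_mtu: int, outer_ipv6: bool = True) -> int:
    """Largest inner packet that fits in one outer datagram on the WAN link.
    The WireGuard default of 1420 assumes an IPv6 outer header on a 1500-byte
    link, so the same value is safe whichever IP family carries the tunnel."""
    outer = (IPV6_HDR if outer_ipv6 else IPV4_HDR) + UDP_HDR + WG_DATA_OVERHEAD
    return link_mtu - outer


def tcp_mss(mtu: int, inner_ipv6: bool) -> int:
    """MSS that keeps a full TCP segment inside the tunnel MTU: the value for
    the 'Max mss' field of the normalization rule."""
    return mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def normalization_values(link_mtu: int = 1500, pppoe: bool = False) -> dict:
    """Instance MTU plus the IPv4 and IPv6 clamp values. PPPoE spends 8 bytes
    of every frame on its own header, which is why DSL links end up at 1412."""
    link = link_mtu - 8 if pppoe else link_mtu
    mtu = tunnel_mtu(link)
    return {"mtu": mtu, "mss_ipv4": tcp_mss(mtu, False), "mss_ipv6": tcp_mss(mtu, True)}


if __name__ == "__main__":
    for pppoe in (False, True):
        print("PPPoE" if pppoe else "Ethernet", normalization_values(pppoe=pppoe))
```

If your WAN is a tunnel itself (for example an IPv6-over-IPv4 transition mechanism), pass its actual MTU as `link_mtu`; the clamp values must follow the real path, not the Ethernet default.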
Ways to support my channel

If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or using the affiliate links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 NextDNS: https://nextdns.io/?from=btsm4vsx 
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ
