OPNSense – WireGuard Road Warrior Setup

Introduction

This article is a step-by-step guide to configuring WireGuard on OPNsense. As a VPN solution, WireGuard is still under active development and is widely regarded as the industry's most secure, user-friendly, and uncomplicated option.

The instructions below walk through setting up WireGuard on OPNsense so that the configuration is both straightforward and secure. By following the steps in this guide you can be confident that your VPN is configured to maximize security while keeping complexity to a minimum.

Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

Skip plugin installation on OPNsense 24.1 and higher, which integrate WireGuard (updated 24Mar24). On older versions:
  • Install the plugin via System ‣ Firmware ‣ Plugins, selecting os-wireguard.
  • Once the plugin is installed, refresh the browser page, and you will find the WireGuard configuration menu via VPN ‣ WireGuard.
  • os-wireguard plugin: At this time, this code is new, unvetted, possibly buggy, and should be considered "experimental". It might contain security issues, so some caution should be exercised when using it in mission-critical environments.
Step 1 – Configure the Wireguard Instance
  • Go to VPN ‣ WireGuard ‣ Settings ‣ Instances
  • Click + to add a new Instance
  • Configure the Instance as follows (if an option is not mentioned below, leave it as the default):
  • Tunnel Address: Use a private range (Class A or Class C):
    • Class A Private Range: 10.0.0.0 to 10.255.255.255
    • Class C Private Range: 192.168.0.0 to 192.168.255.255
    • Choose a unique subnet.
    • Avoid common default router subnets such as 10.0.0.1/24 or 192.168.1.1/24. The VPN cannot route packets between multiple sites unless each site uses a subnet that uniquely identifies it.
  • Generate new keypair.
  • Save.
Step 2 – Configure the client peer
  • Go to VPN ‣ WireGuard ‣ Peers
  • Click + to add a new Peer
  • Configure the Peer as follows (if an option is not mentioned below, leave it as the default):
  • Public Key: Obtain this key from the client in Step 4 and insert it here.
  • Allowed IPs: The IP address that will be assigned to your client. In this example the tunnel subnet is 10.3.2.0/24, and we assign 10.3.2.1/32 to the SYSADMIN102_Windows10 peer.
  • Endpoint Address: If you have a public static IP address, use it. If not, you will need to set up DDNS. Follow this tutorial if you are using Cloudflare for DDNS: https://sysadmin102.com/2023/12/opnsense-dynamic-dns-with-cloudflare/
  • Endpoint Port: 51820, or any other unused port you wish to use; just make sure it is the same in the Instance and in the firewall rules.
  • Instances: Should be prefilled unless you have multiple instances, in which case select the correct one.
  • Save.
Step 3 – Configure the WireGuard clients

MacOS Client

  • Enter the Name for the new tunnel
  • Public Key: Insert the Instance's public key (from Step 3).
  • Add the following lines:
Address = 
DNS = 

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 
  • Save

Windows Client

  • Enter the Name for the new tunnel
  • Public Key: Insert the Instance's public key (from Step 3).
  • Add the following lines:
Address = 
DNS = 

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 
  • Block untunneled traffic (kill-switch): If this option is enabled, the WireGuard client adds Windows Firewall rules that block all traffic that is neither to nor from the tunnel interface, which prevents IP packets from accidentally being sent outside the VPN.
  • Save
Step 4 – Turn on/restart WireGuard
  • Turn on WireGuard under VPN ‣ WireGuard ‣ General if it is not already on (click Apply after checking the checkbox)
  • Otherwise, restart WireGuard – you can do this by turning it off and on under VPN ‣ WireGuard ‣ General (click Apply after both unchecking and checking the checkbox)
Step 5 – Assign an interface to WireGuard (required if not setting NAT rules)
  • Go to Interfaces ‣ Assignments
  • In the dropdown, select the WireGuard device (wg1 if this is your first one).
  • Add a description (e.g. WireGuardVPN).
  • Click + to add it, then click Save.
  • Then select your new interface under the Interfaces menu.
  • Configure it as follows (if an option is not mentioned below, leave it as the default):
  • Go to Interfaces ‣ SYSADMIN102_WireGuard (Name of interface assigned in the last step)
  • Enable Interface
  • Prevent interface removal
  • Save
  • Apply changes
Step 6 – Create firewall rules
  1. The first rule allows clients to connect to the OPNsense WireGuard server
  • Go to Firewall ‣ Rules ‣ WAN
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
  • Save
  • Apply

2. The second rule allows the clients to reach whatever IPs they are intended to have access to.

  • Go to Firewall ‣ Rules ‣ [Name of interface assigned in Step 6]
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
  • Destination: Specify the IPs that client peers should be able to access, e.g. "any" or specific IPs/subnets
  • Save
  • Apply changes
Step 7 – Create normalization rules
  • The IPv4 header is usually 20 bytes and the TCP header is 20 bytes, so an IPv4 TCP packet carries 40 bytes of headers in total.
  • The IPv6 header is larger, at 40 bytes, which raises the total to 60 bytes for IPv6 TCP.
  • By creating the normalization rules (MSS clamping), you ensure that IPv4 TCP and IPv6 TCP can pass through the WireGuard tunnel without being fragmented. Otherwise ICMP and UDP may work while some encrypted TCP sessions refuse to work.
  • Go to Firewall ‣ Settings ‣ Normalization and press + to create a new normalization rule.
  • If you only pass IPv4 traffic through the WireGuard tunnel, create the following rule (skip to the IPv6 rule if you pass both IPv4 and IPv6 traffic):
  • If you pass IPv4+IPv6, or only IPv6 traffic, through the WireGuard tunnel, create the following rule (skip the IPv4 rule):
  • Save and Apply changes.
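The following is an added example, not part of the original post, that works the header arithmetic above into the "Max MSS" value the normalization rule should clamp to. It assumes WireGuard's default tunnel MTU of 1420 bytes (the OPNsense instance shows the MTU in use) and a client that, on a 1500-byte LAN, would otherwise advertise an MSS of 1460; the function and constant names are the example's own.

```python
# Added example (not from the original post): derive the MSS clamp value for
# the OPNsense normalization rule from the header sizes given in Step 7, and
# show why an unclamped TCP segment does not fit through the tunnel.

IPV4_HEADER = 20   # bytes, as stated in the post
IPV6_HEADER = 40   # bytes, as stated in the post
TCP_HEADER = 20    # bytes, as stated in the post (no TCP options)

# Assumption: WireGuard's default tunnel MTU. Check the value shown on the
# OPNsense instance if you changed it.
WG_TUNNEL_MTU = 1420


def max_mss(tunnel_mtu: int, ipv6: bool) -> int:
    """Largest TCP payload that fits in one tunnel packet without fragmentation."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return tunnel_mtu - ip_header - TCP_HEADER


def segment_fits(mss: int, tunnel_mtu: int, ipv6: bool) -> bool:
    """True if a segment carrying `mss` payload bytes fits in the tunnel MTU."""
    return mss <= max_mss(tunnel_mtu, ipv6)


def normalization_rules(tunnel_mtu: int = WG_TUNNEL_MTU) -> dict:
    """'Max mss' to enter for each rule the post describes.

    When both IPv4 and IPv6 are tunneled, the post says to create only the
    IPv6 rule: its smaller value satisfies both address families.
    """
    return {
        "IPv4 only": max_mss(tunnel_mtu, ipv6=False),
        "IPv4+IPv6 or IPv6 only": max_mss(tunnel_mtu, ipv6=True),
    }


if __name__ == "__main__":
    # A LAN client on a 1500-byte link advertises MSS 1460 (1500 - 40);
    # that segment plus its 40 bytes of headers is 1500 > 1420 and gets
    # fragmented or dropped inside the tunnel unless the MSS is clamped.
    print("unclamped MSS 1460 fits:", segment_fits(1460, WG_TUNNEL_MTU, ipv6=False))
    for rule, mss in normalization_rules().items():
        print(f"{rule}: Max mss = {mss}")
```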
Ways to support my channel

If you find this tutorial helpful, please support my channel by subscribing on YouTube or by using the affiliate links below (Full Disclaimer). I receive a small commission from your purchase, which helps the channel grow:
🚀 NextDNS: https://nextdns.io/?from=btsm4vsx
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ
