Install WireGuard VPN on OPNsense Firewall (2024)

If you are using an OPNsense firewall, you can configure WireGuard as a VPN server instead of OpenVPN. There are clients available for all major operating systems. Additionally, it is very fast and lightweight. You can easily install it as an OPNsense extension and configure it through the web console.

Contents

  1. Adding WireGuard as an extension
  2. Creating a new WireGuard instance
  3. Configuring network interfaces for WireGuard
  4. Creating firewall rules for WireGuard VPN
  5. Installing and adjusting WireGuard clients
  6. Configuring VPN clients in WireGuard
  7. Establishing a connection with the VPN client
  8. Summary

Thomas Joos

Thomas Joos is a consultant for medium and large enterprises in the areas of security, Active Directory, cloud, and AI. He has written over 100 specialized books on IT topics for various publishers and regularly publishes on various portals and magazines. In addition, he works as a trainer for LinkedIn Learning. You can reach Thomas through his blog and X (formerly Twitter).


Installing a VPN infrastructure with WireGuard on OPNsense requires several steps:

  1. Install WireGuard
  2. Create and configure a WireGuard instance
  3. Configure a network interface for the VPN server
  4. Create a firewall rule for VPN
  5. Install and adjust WireGuard client
  6. Register clients on the VPN server
  7. Test the connection to the WireGuard server

Adding WireGuard as an extension

WireGuard VPN must first be installed under System => Firmware => Extensions. The label is os-wireguard. After the installation, a new menu item, WireGuard, can be found under VPN. If it does not appear, refreshing the browser window can help.

WireGuard is installed as an OPNsense extension

Creating a new WireGuard instance

First, create a new WireGuard server on the Instances tab under VPN => WireGuard by clicking the plus sign. Like OpenVPN, multiple servers can be operated on an OPNsense firewall with WireGuard. Start by assigning a name for the new server, which should appear on the interface.

For Listen Port, specify the UDP port on which the VPN server will listen for requests. This port must also be opened in the firewall later. For Tunnel address, enter the subnet where the VPN interface and the clients will be located.

In our example, we work with the subnet 172.16.2.1/24, where the VPN interface receives the IP address 172.16.2.1.

All other fields do not need to be filled. You can disable routes here if you want to create the routing rules yourself. After saving the server's configuration in OPNsense, click Apply.

Overview of the created WireGuard instances

OPNsense automatically generates a public key for the VPN server. The key is later needed for the handshake with the clients.

If you open the server's configuration again, the public key and private key fields are automatically filled in. Copy the key to a text file because we will need it later.

Then, you can activate WireGuard under General, which must be confirmed again by applying.

Activating the WireGuard server on OPNsense

Configuring network interfaces for WireGuard

To connect the VPN with OPNsense, the configuration of the VPN interface is required under Interfaces. Under Assignments, the existing interfaces are visible. Here, create the new interface and assign it to the WireGuard VPN.

Assigning an interface to the VPN server

By clicking on the new interface, the window with its configuration opens. Here, activate it via the respective checkbox. Moreover, I recommend setting Prevent interface removal to avoid accidental deletion.

Configuration of the network interface for the VPN server

Unbound DNS can be set up on OPNsense for name resolution in the internal network.

Creating firewall rules for WireGuard VPN

Next, create a rule under Firewall => Rules => WAN that allows access to the VPN server over the internet.

Select the action Allow and the interface WAN when defining a new rule. For Direction, choose the option in; for TCP/IP Version, select IPv4; for Protocol, select UDP; and for Source, select Any.

It is crucial to set the Destination port range: enter the port number given during the server's creation for both from and to. The port can be looked up under VPN => WireGuard. At this point, you can also activate the option Log packets that are handled by this rule.

Defining firewall rules for the VPN network

With another rule, you specify how the traffic of the VPN clients is forwarded to the internal network. When clients connect via VPN, they are initially in the VPN network, whose IP range was specified during the server's creation.

From there, they need to reach the respective applications in the local network. Configure these rules via Firewall => Rules => <WireGuard Interface>. It is advisable to design the rules so VPN clients can only access the necessary devices.

For this, when creating a new rule, select the action Allow and the interface of WireGuard. For Direction, choose in, and for Protocol, choose any. For Source and Destination, you can select any if you want to allow access to all resources in the network.

Firewall rule controlling access to internal resources

Installing and adjusting WireGuard clients

Afterward, install the WireGuard client, for example, on Windows. Then, you can configure a new connection by adding a tunnel.

In the first step, assign a name for the VPN connection. Save the value for Public Key again in a text file, as it needs to be entered on the server later.

Under Interface, enter the IP address of the client in the VPN subnet. This was already determined when creating the VPN server. In our example, we assign the IP address 172.16.2.11 to the Windows PC. For DNS, enter either an internal DNS server or the IP address of the VPN server.

Under PEER, enter the name or IP address of the VPN server, including the port under Endpoint. For AllowedIPs, specify which IP addresses the traffic should run through the VPN tunnel. In this example, the subnet 10.0.0.0/16 belongs to the OPNsense firewall's LAN.

If all traffic should go through the VPN after a connection, including to the internet, you have to set 0.0.0.0/0 here.

Enter the public key of the WireGuard VPN server, which you saved in a text file earlier, for PublicKey. Enter the client's public key into the configuration of the WireGuard server.
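The client tunnel described in the steps above, written out as a WireGuard configuration file with the article's addresses. This is an added example, not the article's own file; the keys, the server hostname and the listen port are placeholders.

```ini
# Added example (not from the original article): Windows client tunnel
# using the article's addresses. Keys, hostname and port are placeholders.
[Interface]
# Private key generated by the WireGuard client when the tunnel was added
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# Client address inside the tunnel subnet 172.16.2.0/24
Address = 172.16.2.11/32
# Resolver: the VPN interface address of OPNsense (or an internal DNS server)
DNS = 172.16.2.1

[Peer]
# Public key shown in the OPNsense instance configuration (saved earlier)
PublicKey = <OPNSENSE_SERVER_PUBLIC_KEY_PLACEHOLDER>
# WAN address of OPNsense and the Listen Port chosen for the instance
Endpoint = <opnsense-wan-hostname>:<listen-port>
# Split tunnel: only the OPNsense LAN is routed through the VPN.
# Use 0.0.0.0/0 instead to send all traffic, including internet, via the VPN.
AllowedIPs = 10.0.0.0/16
```

On the OPNsense side, the matching Peer entry gets this client's public key and Allowed IPs 172.16.2.11/32 (the client's tunnel address, not the LAN subnet); if that address is missing there, the handshake can still complete while the server silently drops the client's packets.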

Configuring VPN clients in WireGuard

Configure the VPN clients on the OPNsense web interface on the Peers tab under VPN => WireGuard => Settings. Create a new client by clicking the plus sign and setting its name.

Copy the client's public key into the Public Key field. For Allowed IPs, enter the IP address assigned to the client in its configuration.

Creating and configuring a VPN client

A pre-shared key can be helpful in a production environment, but we omit it in the test environment. Save to create the client.

Then, switch to Instances and open the settings of the WireGuard server. Under Peers, check the new client so the server accepts it upon connection.

Allowing a new client through the OPNsense console

Afterward, I recommend restarting the WireGuard service via Lobby => Dashboard.

Establishing a connection with the VPN client

You can now test a connection on the client. The value for received and sent data should increase. If it remains at 0, the handshake did not work.

In this case, check if the server and client's public key have been configured correctly. Also, the client must be entered in the server's settings under Peers.

The client's log shows information about the connection, and the OPNsense firewall displays the connections under VPN => WireGuard => Diagnostics. Here, all active clients are visible.

Overview of connected VPN clients

Summary

To install WireGuard on OPNsense, you need to add an extension. After configuring its interface, the name resolution is handled with Unbound DNS, another OPNsense service.


Firewall rules determine which resources the clients can access. Finally, the VPN clients are set up, for which the server's and the clients' public keys must be entered into each other's configuration.
