WireGuard OPNsense Setup: Step-by-Step VPN Guide

The WireGuard OPNsense Setup is an efficient way to secure your network with a modern, high-speed VPN protocol. Known for its simplicity and performance, WireGuard can be easily integrated into OPNsense to enhance your network’s security. In this guide, we’ll walk you through each step of the WireGuard OPNsense setup, helping you configure WireGuard VPN on OPNsense for secure, high-speed connections.

Why Choose WireGuard for Your OPNsense Setup?

The WireGuard OPNsense setup is ideal for those looking to improve security and speed. WireGuard uses a streamlined codebase, which makes it faster and less prone to vulnerabilities than traditional VPN protocols. Setting up WireGuard in OPNsense is perfect for Homelabs, small businesses, and anyone wanting a simple, efficient VPN solution.

Step 1: Install the WireGuard Plugin

  1. Log in to OPNsense: Access the OPNsense dashboard.
  2. Go to Plugins: Navigate to System > Firmware > Plugins.
  3. Install WireGuard Plugin: In the search bar, type os-wireguard. Click Install next to the WireGuard plugin.

Note: Once installed, you will see a new option for WireGuard under the VPN menu. In newer OPNsense versions, WireGuard is already installed.

Step 2: Enable WireGuard and Create a Configuration

  1. Navigate to WireGuard Settings: Go to VPN > WireGuard.
  2. Add a new Instance:
    • Click on the Instances tab.
    • Click + Add to create a new WireGuard configuration for your server.
    • Name: Choose a descriptive name, such as WireGuard-Server.
    • Public Key: Use the Generate button to create a Public Key for the server. Copy this key for later use.
    • Private Key: This key is generated automatically. Keep it secure and do not share it.
    • Listen Port: Set the port number for WireGuard (default is 51820).
    • Tunnel Address: Enter an IP address range for the VPN tunnel (e.g., 10.10.0.1/24).
  3. Save: Click Save to store the configuration.

Step 3: Configure the Peer (Client) Settings

  1. Go to the Peers Tab: Under VPN > WireGuard, open the Peers generator tab.
  2. Select Instance: Choose the WireGuard instance you created (e.g., WG0) from the Instance dropdown.
  3. Enter Endpoint Information: Fill in the endpoint if your client device has a static IP, or leave it blank for a dynamic IP setup. If you have a dynamic public IP address, you need a DynDNS service like noip.com.
  4. Set Peer Name: Enter a name for your client peer, such as Client1, for easy identification.
  5. Generate Public and Private Keys: Click on Generate to automatically create the client’s public and private keys. These keys are necessary for secure communication between the server and client.
  6. Assign IP Address: In Address, enter the client’s IP address within the VPN range you set earlier, such as 10.10.0.2/32.
  7. Configure Pre-shared Key (Optional): Add a pre-shared key if you want an additional layer of symmetric-key encryption between the server and client.
  8. Set Allowed IPs: Define the IP range that this client will have access to within the network. For a standard configuration, enter 0.0.0.0/0,::/0 to allow access to all network routes through the VPN.
  9. Keepalive Interval (Optional): Set a keepalive interval to keep the connection active, particularly if you’re behind a NAT.
  10. Add DNS Servers (Optional): If needed, enter DNS servers for the client to use while connected, such as 1.1.1.1 for Cloudflare DNS or 8.8.8.8 for Google DNS.
  11. Store and generate next: To save your peer settings, click the checkmark.
  12. QR-Code (Optional): Scan the QR-Code with the WireGuard App on your iOS or Android device. For more information, see Step 6.
  13. Navigate to Lobby: Go to the Lobby and restart your WireGuard instance under Services.

Tip: Each client should have a unique IP for proper segmentation.

Step 4: Set Up Firewall Rules for WireGuard

  1. Open Firewall Settings: Navigate to Firewall > Rules.
  2. Create a New Rule for your WireGuard Interface:
    • Go to your WireGuard interface name, e.g. wg0.
    • Click + Add to create a new rule.
    • Action: Set to Pass.
    • Interface: Choose WireGuard.
    • Protocol: Select UDP (as WireGuard uses UDP).
    • Source: Set to WireGuard net.
    • Destination: Set to Any if you want to allow access to all destinations.
    • Description: Enter a description like “Allow WireGuard traffic”.
  3. Save and Apply: After configuring the rule, click Save and then Apply Changes to enable it.

Note: This firewall rule is essential to allow WireGuard traffic through the OPNsense firewall.

Step 5: Open the UDP Port on the WAN Interface

To allow incoming VPN connections from external networks, the chosen WireGuard Listen Port must be open on the WAN interface.

  1. Go to Firewall Rules for WAN: Navigate to Firewall > Rules > WAN.
  2. Add a New Rule:
    • Click + Add to create a new rule.
    • Action: Set to Pass.
    • Protocol: Select UDP.
    • Destination Port Range: Enter the Listen Port you configured in Step 2 (default is 51820).
    • Source: Leave as Any if you want to allow connections from any source IP.
    • Description: Add a description like “Allow WireGuard VPN on WAN”.
  3. Save and Apply Changes: Click Save and then Apply Changes.

Important: Opening the WireGuard port on the WAN interface is essential to allow external VPN clients to connect to your OPNsense server.

Step 6: Set Up WireGuard on the Client Device

  1. Install the WireGuard Application: Download and install the WireGuard app on your client device (available on Windows, macOS, iOS, Android, and Linux).
  2. Create a New Tunnel on the Client:
    • Open the WireGuard app and create a new tunnel.
    • Private Key: Generate and save the private key on the client.
    • Public Key: Copy this public key to the Public Key field in OPNsense’s peer configuration (Step 3).
    • Address: Set the client’s VPN IP within the VPN range (e.g., 10.10.0.2/32).
    • Allowed IPs: Set to 0.0.0.0/0 for full traffic or specify IPs to limit access.
    • Endpoint: Add your OPNsense WAN IP and WireGuard Listen Port (e.g., your-wan-ip:51820).
  3. Save and Activate: Save the tunnel configuration on the client device and activate the connection.
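
To catch addressing mistakes before activating the tunnel, the following added example (not part of the original guide or of OPNsense) lints a client config in wg-quick format against the server values from Steps 2 and 3 and enforces the unique-IP tip from Step 3. The sample config, the placeholder keys, the keepalive value of 25 and the function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample of the Step 6 client tunnel in wg-quick format.
# Key values are placeholders, not real key material.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = your-wan-ip:51820
PersistentKeepalive = 25
"""

def _parse(conf_text):
    # Only "=" is a delimiter, so "host:port" endpoints stay intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    return cp

def lint_client(conf_text, tunnel="10.10.0.1/24", listen_port=51820, used=()):
    """Return findings for one client config; an empty list means OK.

    `used` is a hypothetical inventory of tunnel IPs given to other peers.
    """
    cp = _parse(conf_text)
    server = ipaddress.ip_interface(tunnel)
    addr = ipaddress.ip_interface(cp["Interface"]["Address"])
    findings = []
    if addr.network.prefixlen != addr.ip.max_prefixlen:
        findings.append("Address is not a single host (/32)")
    if addr.ip not in server.network:
        findings.append(f"{addr.ip} is outside tunnel network {server.network}")
    if addr.ip == server.ip:
        findings.append(f"{addr.ip} is the server's own tunnel address")
    if str(addr.ip) in used:
        findings.append(f"{addr.ip} is already assigned to another peer")
    port = cp["Peer"]["Endpoint"].rsplit(":", 1)[-1]
    if port != str(listen_port):
        findings.append(f"Endpoint port {port} != listen port {listen_port}")
    return findings

def is_full_tunnel(conf_text):
    """True when AllowedIPs contains a default route (0.0.0.0/0 or ::/0)."""
    nets = _parse(conf_text)["Peer"]["AllowedIPs"].split(",")
    return any(ipaddress.ip_network(n.strip(), strict=False).prefixlen == 0
               for n in nets)
```

A full-tunnel result means all of the client's traffic, not only traffic for your internal networks, is routed through the OPNsense box.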

Step 7: Test the WireGuard OPNsense Setup

  1. Check Connection Status: Go to VPN > WireGuard > Status on OPNsense to verify the client connection.
  2. Verify Access: On the client device, try to access network resources through the VPN to ensure everything is functioning properly.

Conclusion: WireGuard OPNsense Setup Complete

Setting up WireGuard on OPNsense with these steps provides a secure, high-speed VPN connection. Whether you’re using it for Homelabs or remote access, WireGuard’s simplicity and efficiency make it an ideal solution for enhancing network security.
