Private Internet Access (PIA) is the ideal choice for WireGuard on OPNsense, as it offers robust privacy, security, and performance. With a network of over 35,000 servers spanning 78 countries, PIA not only offers fast and reliable performance but also ensures unrestricted internet access. Its standout features include a no-logs policy, advanced encryption, and port forwarding capabilities. These attributes, combined with PIA’s global reach, make it a trusted choice for VPN users. Take advantage of this deal: Save 85% and get 3 months free with Private Internet Access.
This guide explains how to configure PIA WireGuard on OPNsense, while following the GitHub guide step by step.
Super fast and cheap hardware appliance for your Homelab or small business. Works great with OPNsense
Step 1: Create a User for API Access
- Navigate to System > Access > Users in OPNsense.
- Click Add to create a new user.
- Configure the user:
- Username: WireguardAPI
- Password: Leave empty.
- Tick Generate a scrambled password to prevent local database logins for this user.
- Scroll to the bottom and click Save.
Step 2: Assign Permissions and Generate API Key Pair
- Open the newly created user and scroll to Effective Privileges.
- Assign these permissions:
- Firewall: Alias: Edit
- Firewall: Aliases
- System: Static Routes
- VPN: WireGuard
- Scroll to API Keys and click + to generate an API key pair. Save the
apikeys.txtfile in a secure location to prevent unauthorized access. - Click Save.
Step 3: Download PIA WireGuard Tools for OPNsense
- SSH into your OPNsense router and select terminal option 8.
- Run these commands:
fetch -o /conf https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/PIAWireguard.py fetch -o /conf https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/ca.rsa.4096.crt fetch -o /usr/local/opnsense/service/conf/actions.d https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/actions_piawireguard.conf- Download the latest release from GitHub Releases.
Step 4: Edit the Configuration File
- Open the
PIAWireguard.jsonfile in your preferred text editor. - Configure these variables:
opnsenseURL: Ensure this matches your OPNsense WebUI settings.opnsenseKey: Copy the key fromapikeys.txt.opnsenseSecret: Copy the secret fromapikeys.txt.piaUsername: Enter your PIA username.piaPassword: Enter your PIA password.instances: Define unique instances for each WireGuard tunnel, with a name and region ID. UseListRegions.pyto find IDs locally, or try an online Python tool. Alternatively, use the script with the--listregionsargument.regionId: Use the correct PIA region ID (e.g., setinstancenametolondonfor the UK London region).portForward: Set totrueto enable port forwarding for supported regions.opnsenseWGPort: Specify a unique outgoing port for WireGuard.
- Save the file.
Step 5: Transfer the Configuration File
- Use SCP (e.g., WinSCP for Windows) or FileZilla to upload the file to
/conf/on OPNsense. - Linux and Mac users, on the other hand, can use SCP directly from the terminal.
- Ensure root user access.
Offers 8 Gigabit ports with PoE+ support and seamless Omada integration for smart network management. Ideal for powering access points, IP cameras, and creating a reliable Homelab or business setup.
Step 6: Configure PIA WireGuard on OPNsense
- SSH into OPNsense and select terminal option 8.
- Run these commands to enable the script and integrate it with OPNsense:
chmod +x /conf/PIAWireguard.py service configd restart /conf/PIAWireguard.py --debugStep 7: Assign PIA WireGuard Interface on OPNsense
- Navigate to Interfaces > Assignments in the OPNsense WebUI.
- Select
wg0(or the next available interface) and click +. - Name the interface (e.g.,
WAN_PIAWG) and enable it. - Click Save and Apply Changes.
Step 8: Configure PIA WireGuard Gateway
- Go to System > Gateways > Single.
- Add a new gateway:
- Name: WAN_PIA_INSTANCENAME_IPv4
- Interface: Select the WireGuard interface.
- Far Gateway: Tick this option.
- Disable Gateway Monitoring: Untick this option.
- Disabled: Ensure this option is unchecked.
- Click Save and Apply Changes.
Step 9: Run the Debug Command
- Return to the SSH terminal and execute:
/conf/PIAWireguard.py --debug --changeserver instancename- This step updates the server configuration, thereby ensuring the connection is active.
Step 10: Set Up a Cron Job
- Navigate to System > Settings > Cron.
- Add a job with these settings:
- Minute:
*/5 - Hour:
* - Command: PIA WireGuard Monitor Tunnels
- Description: Monitor PIA WireGuard Tunnel
- Minute:
- Click Save.
Step 11: Adjust Firewall Settings
- Navigate to Firewall > Settings > Normalization.
- Adjust the Max MSS value to prevent packet fragmentation and improve connectivity:
- Interface: WAN_PIA_INSTANCENAME_IPv4
- Description: Maximum MSS for PIA WireGuard Tunnel
- Max MSS:
1380
- Click Save and Apply Changes.
Testing and Maintenance
- Verify the connection:
/conf/PIAWireguard.py --debug --changeserver instancename- Check the gateway in System > Gateways > Single to confirm the tunnel is active.
- Use the Cron job to maintain the tunnel and switch servers if needed.
Conclusion
Congratulations! You’ve successfully set up Private Internet Access with WireGuard on OPNsense. This setup ensures secure, high-performance VPN connectivity, leveraging PIA’s extensive server network. Take advantage of this exclusive deal right away: Get 85% off and enjoy 3 months free with Private Internet Access.
