
How Do I Set Up WireGuard for OPNsense?

WireGuard is a simple and fast VPN protocol that employs modern cryptography. It aims to be faster and less complicated than IPsec, as well as a significantly more performant alternative to OpenVPN. It also has a smaller codebase, which makes auditing and maintaining it easier. It was originally designed for the Linux kernel, but it is now cross-platform and widely deployed. For more information about WireGuard please refer to our WireGuard Guide.

This tutorial will walk you through the process of installing a central WireGuard server on OPNsense and configuring one or more clients to connect to it. We will configure a simple peer connection between an OPNsense 21.7.3 server and a client. The client can be either your local computer or a mobile device.

First, we will install and configure WireGuard on OPNsense 21.7.3 as a VPN server. Then, we'll configure WireGuard as a client on both a desktop PC and an Android device. The desktop PC may run Windows 7/10. The clients' traffic will be routed through the OPNsense server.

WireGuard P2P VPN Topology (OPNsense WireGuard Server and Android/Windows Clients)

Figure 1. WireGuard P2P VPN Topology (OPNsense WireGuard Server and Android/Windows Clients)

You can use this WireGuard setup to securely access your company or home network from all over the world.

tip

It is strongly advised that you install the Sensei (Zenarmor) on your WireGuard VPN server to increase the security of your network. You can block security threats coming from your WireGuard tunnel interface by configuring the Sensei (Zenarmor), using web filtering, and applying application control. Please see Installing Sensei (Zenarmor) and Managing Policies for more information.

How to Configure the WireGuard VPN Server in OPNsense?#

OPNsense WireGuard configuration is straightforward and easy. You can start to use the WireGuard VPN tunnel by simply following the five main steps outlined below:

  • Download and install WireGuard for both server and clients
  • Generate cryptographic key pairs (public and private keys) for both server and clients
  • Configure WireGuard tunnel interfaces on both server and clients
  • Configure firewall rules on your OPNsense WireGuard VPN server
  • Enable WireGuard tunnel interfaces on both server and clients

To follow this OPNsense WireGuard installation guide, you will need to have the listed devices below:

  • OPNsense 21.7.3 Firewall which will be configured as a WireGuard VPN server.
  • Windows PC or an Android device will be configured as a WireGuard VPN client.

1. Installation of the WireGuard Plugin on OPNsense#

To install the WireGuard plugin on your OPNsense firewall, you may follow the next steps given below.

  • Navigate to the System -> Firmware -> Plugins.
  • Type os-wireguard in the search field.

WireGuard plugin installation on OPNsense

Figure 2. WireGuard plugin installation on OPNsense

  • Click the + icon at the right end of the os-wireguard to install the plugin.
  • After installing the plugin, refresh the browser page to access the WireGuard configuration menu via VPN -> WireGuard.

Figure 3. Installed os-wireguard plugin on OPNsense

2. WireGuard VPN Server(Local) Configuration on OPNsense#

After you've installed the WireGuard plugin on your OPNsense firewall, you may follow the steps below to further configure your server.

  • Navigate to VPN -> WireGuard -> General on OPNsense Web GUI.
  • Click the check box to enable WireGuard.

Enabling WireGuard Server on OPNsense

Figure 4. Enabling WireGuard Server on OPNsense

  • Navigate to the Local tab and then Click + at the right bottom of the pane to add a new Local configuration.

Adding Local WireGuard configuration on OPNsense

Figure 5. Adding Local WireGuard configuration on OPNsense

  • Verify that the local configuration is enabled.
  • Set the Name of the WireGuard VPN server as you wish, such as MyWireGuard.
  • Set the Listen port to 51820 or a higher numbered unique port.
  • Set the Tunnel Address in CIDR notation, such as 10.0.0.1/24
info

Tunnel Address must be a unique IP address and subnet for your network. The subnet should be large enough to accommodate all of the client peers who will use the tunnel. In the case of IPv4, it should be a private (RFC1918) address, such as 10.0.0.1/24.

  • Leave other options as default.

Setting local WireGuard VPN server configuration on OPNsense

Figure 6. Setting local WireGuard VPN server configuration on OPNsense

  • Click Save at the bottom of the configuration window. This will automatically generate the Public and Private key pairs for the WireGuard VPN server.
info

One of the main advantages of WireGuard is that it is built on modern, well-studied cryptographic primitives. Each peer is identified by a Curve25519 key pair. During the handshake the peers authenticate each other with these keys and derive fresh symmetric session keys, which are what actually encrypt the tunnel traffic. To communicate, each server and client must therefore generate its own key pair and exchange only the public keys; a private key never leaves the device that generated it and must never be pasted into another peer's configuration.

Editing local WireGuard VPN server configuration on OPNsense

Figure 7. Editing local WireGuard VPN server configuration on OPNsense

  • Click the pencil icon to edit/view the MyWireGuard VPN local configuration.
  • Note the Public Key value which will be necessary for WireGuard VPN client configuration later.

Viewing the `Public Key` of the WireGuard VPN server

Figure 8. Viewing the Public Key of the WireGuard VPN server

  • Close the Edit Local Configuration window.

After this step, your WireGuard server listens for incoming tunnels on UDP port 51820 and holds the key pair that identifies it to clients. It does not yet accept any client: WireGuard only answers peers whose public keys have been added to its configuration, which is what the following steps do.

3. WireGuard VPN Client Setup on Windows#

WireGuard for Windows supports Windows 7, 8, 8.1, 10, 2012, 2016, and 2019 and is available in 64-bit and 32-bit versions. In this section, we will cover how to install the WireGuard Windows client and connect it to the OPNsense WireGuard server.

You may follow the steps below to install and configure WireGuard as a VPN client on a Windows platform:

3.1. Download and install Windows WireGuard Client#

Download and install the Windows installer from the WireGuard website. This option chooses the most recent version for your hardware, downloads it, and installs it.

Downloading WireGuard Windows installer

Figure 9. Downloading WireGuard Windows installer

After the installation, you should see the WireGuard icon in the notification area on the taskbar.

WireGuard icon on taskbar

Figure 10. WireGuard icon on taskbar

3.2. Configuring WireGuard Windows Client#

Launch the WireGuard application and click on the down arrow beside the button that says Add Tunnel in Tunnels Tab.

Configuring WireGuard on Windows Client

Figure 11. Configuring WireGuard on Windows Client

Click on Add empty tunnel as shown on the image below:

Adding empty tunnel

Figure 12. Adding empty tunnel

This will automatically create a public/private key pair and display them on the screen.

tip

Copy the public key; it is needed when adding the Windows client as a peer (Endpoint) on the OPNsense server later. The private key stays in this tunnel configuration and must never be shared or pasted into OPNsense.

Creating new WireGuard tunnel on Windows client

Figure 13. Creating new WireGuard tunnel on Windows client

Enter a name with alphanumeric characters only (no spaces or punctuation) for the tunnel, such as MyWireGuard, and edit the configuration as follows:


[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.11/24
DNS = 10.0.0.1
  
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

Explanations of the fields in the interface section are given below:

  • PrivateKey: Private key of this Windows client. It is generated by the app, stays on this machine and is never sent to the server.

  • PublicKey: Public key of this Windows client. It is shown by the WireGuard app above the configuration editor and is not part of the file itself; it is derived from PrivateKey. This value must be copied into the Endpoint configuration on OPNsense for the relevant client peer.

  • Address: VPN IP address of this client inside the tunnel subnet. It must be unique among all clients and must correspond to the IP specified as Allowed IPs in this client's Endpoint configuration on OPNsense.

  • DNS: IP address of the DNS server the client should use while the tunnel is up. In this case, we use the DNS resolver running on the OPNsense WireGuard server, so DNS queries also travel through the tunnel.

Explanations of the fields in the peer section are given below:

  • PublicKey: The public key of the OPNsense WireGuard server (for our example it is fyKJ4c6sXTVRTJla6zQ9wi4okRPRd/GsMbTMszjhAgA= as shown in Figure 8).

  • Endpoint: The Public/Real IP address of the OPNsense server followed by a colon, and WireGuard port (51820).

  • AllowedIPs: Specifies which destination networks are routed over the VPN. 0.0.0.0/0 is a catch-all and sends all IPv4 traffic through the tunnel (full tunnel). If you only want the VPN and your company or home network to go through the tunnel (split tunnel), list those networks instead, for example the tunnel subnet 10.0.0.0/24 together with the LAN subnet behind your OPNsense; everything else then uses the client's normal Internet connection, and the DNS server above must be inside one of the listed networks or queries will bypass the tunnel.

3.3. Block untunneled traffic(kill switch) option#

In the Edit tunnel window, there is a Block untunneled traffic (kill switch) option. It can only be enabled when the configuration has exactly one [Peer] section and its AllowedIPs is set to a catch-all address (0.0.0.0/0, and ::/0 if IPv6 is used).

If the option is enabled, the WireGuard client adds Windows Firewall rules that block all traffic that is neither to nor from the tunnel interface while the tunnel is active. This prevents IP packets from accidentally leaving the machine outside the VPN, for example while the tunnel is still connecting or after the server becomes unreachable.

WireGuard Tunnel configuration on Windows client

Figure 14. WireGuard Tunnel configuration on Windows client

Once done, click on the Save button.

4. Adding WireGuard Endpoint(Client Peer) Configuration to the Server#

To add the client's public key and IP address to the server, you can follow the given steps below:

  • Navigate to VPN -> WireGuard -> Endpoints on OPNsense Web UI.

Adding WireGuard endpoint configuration on OPNsense

Figure 15. Adding WireGuard endpoint configuration on OPNsense

  • Click + to add a new Endpoint
  • Enter the Name, such as MyWindows.
  • Enter the Public Key which was generated during the Windows WireGuard client configuration above, for our example it is HtuNHzBxW+ZcKMjOc5wbXZTFL4qKNbmzo/6XoR/cyEE=.
  • Set Allowed IPs to the same IP address as the Address field in the Windows WireGuard client configuration above, written as a single host in CIDR notation; for our example it is 10.0.0.11/32. On the server side, Allowed IPs has a second role: WireGuard only accepts packets arriving through this peer's tunnel whose source address falls inside this list, so a /32 prevents one client from spoofing another client's tunnel address.
  • Click Save.

Setting WireGuard Endpoint(Windows) configuration on OPNsense

Figure 16. Setting WireGuard Endpoint(Windows) configuration on OPNsense
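The Windows client file above and the Endpoint entry just added have to agree on several values (the server's public key, the listen port, the client address and its /32 Allowed IPs on the server, and whether the DNS server is actually routed through the tunnel). The following added example is not code from the original page or the OPNsense plugin; it parses a client .conf and checks it against a description of the OPNsense side using the values from this guide. The WAN address 203.0.113.10 is a documentation placeholder, and the dictionary layout used for the server settings is this example's own, mirroring the fields of the Local and Endpoint screens.

```python
import ipaddress
from typing import Dict, List, Tuple

WgConf = Tuple[Dict[str, str], List[Dict[str, str]]]  # ([Interface], [[Peer], ...])


def parse_wg_conf(text: str) -> WgConf:
    """Parse a WireGuard .conf into its [Interface] and [Peer] sections.

    configparser is avoided on purpose: a .conf may hold several [Peer] sections
    with identical keys, which configparser would merge or reject.
    """
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def _networks(csv: str) -> list:
    return [ipaddress.ip_network(s.strip(), strict=False) for s in csv.split(",") if s.strip()]


def kill_switch_eligible(conf: WgConf) -> bool:
    """Windows 'Block untunneled traffic' needs exactly one [Peer] with a catch-all AllowedIPs."""
    _, peers = conf
    return len(peers) == 1 and any(n.prefixlen == 0 for n in _networks(peers[0].get("allowedips", "")))


def check_client_against_server(conf: WgConf, client_public_key: str, server: dict) -> List[str]:
    """Return mismatches between a client .conf and the OPNsense Local/Endpoint settings.

    An empty list means both sides agree.
    """
    interface, peers = conf
    if len(peers) != 1:
        return [f"expected exactly one [Peer] for a road-warrior client, found {len(peers)}"]
    peer, problems = peers[0], []
    tunnel = ipaddress.ip_interface(server["tunnel_address"])
    client = ipaddress.ip_interface(interface["address"])
    # [Peer] PublicKey must be the server's key, not the client's own.
    if peer.get("publickey") != server["public_key"]:
        problems.append("[Peer] PublicKey does not match the server's Local configuration public key")
    # Endpoint port must be the Listen port, which is also what the WAN rule opens.
    host, _, port = peer.get("endpoint", "").rpartition(":")
    if not (host and port.isdigit()) or int(port) != server["listen_port"]:
        problems.append(f"Endpoint port {port!r} differs from server Listen port {server['listen_port']}")
    # The client address lives in the tunnel subnet and does not collide with the server.
    if client.ip not in tunnel.network:
        problems.append(f"client Address {client.ip} is outside tunnel subnet {tunnel.network}")
    elif client.ip == tunnel.ip:
        problems.append(f"client Address {client.ip} collides with the server's tunnel address")
    # OPNsense needs an Endpoint with this client's key whose Allowed IPs is exactly the
    # client address as a single host; a wider prefix lets this client spoof other clients.
    host_net = ipaddress.ip_network(f"{client.ip}/{client.max_prefixlen}")
    matches = [n for n, ep in server["endpoints"].items() if ep["public_key"] == client_public_key]
    if not matches:
        problems.append("no OPNsense Endpoint carries this client's public key")
    for name in matches:
        allowed = [ipaddress.ip_network(a, strict=False) for a in server["endpoints"][name]["allowed_ips"]]
        if allowed != [host_net]:
            problems.append(f"Endpoint {name} Allowed IPs {allowed} should be exactly [{host_net}]")
    # The tunnel DNS server must itself be covered by AllowedIPs or queries leak.
    dns = interface.get("dns")
    if dns and not any(ipaddress.ip_address(dns) in n for n in _networks(peer.get("allowedips", ""))):
        problems.append(f"DNS {dns} is not covered by AllowedIPs; queries would leak outside the tunnel")
    return problems


# Constructed sample data using this guide's values; 203.0.113.10 stands in for the WAN address.
SERVER = {
    "public_key": "fyKJ4c6sXTVRTJla6zQ9wi4okRPRd/GsMbTMszjhAgA=",
    "listen_port": 51820,
    "tunnel_address": "10.0.0.1/24",
    "endpoints": {"MyWindows": {"public_key": "HtuNHzBxW+ZcKMjOc5wbXZTFL4qKNbmzo/6XoR/cyEE=",
                                "allowed_ips": ["10.0.0.11/32"]}},
}
WINDOWS_CLIENT_PUBLIC_KEY = "HtuNHzBxW+ZcKMjOc5wbXZTFL4qKNbmzo/6XoR/cyEE="
WINDOWS_CLIENT_CONF = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.11/24
DNS = 10.0.0.1

[Peer]
PublicKey = fyKJ4c6sXTVRTJla6zQ9wi4okRPRd/GsMbTMszjhAgA=
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    conf = parse_wg_conf(WINDOWS_CLIENT_CONF)
    print("kill switch eligible:", kill_switch_eligible(conf))
    for problem in check_client_against_server(conf, WINDOWS_CLIENT_PUBLIC_KEY, SERVER) or ["no mismatches"]:
        print("-", problem)
```

Running it against the guide's values reports no mismatches; changing the server-side Allowed IPs to 10.0.0.0/24, a frequent mistake, is flagged, as is a split-tunnel AllowedIPs that no longer covers the DNS server.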

5. Configuring WireGuard Android Client#

You can easily configure the WireGuard application on your mobile device to connect to the VPN by following the steps outlined below.

5.1. Download and install WireGuard Application on Android device#

You can get and install the official application from the Google Play Store on your Android device.

Installing WireGuard Android Application from Playstore

Figure 17. Installing WireGuard Android Application from Playstore

5.2. Configuring WireGuard Client on Android#

Once the WireGuard application is installed, we need to add a new configuration file for the VPN tunnel. Click on the blue button with the + icon.

Adding WireGuard tunnel for Android client

Figure 18. Adding WireGuard tunnel for Android client

This will open a new view on your device to configure the tunnel. Tap on Create from scratch.

Creating tunnel configuration from scratch

Figure 19. Creating tunnel configuration from scratch

  • Set the Name, such as MyWireGuard.
  • To generate the Public/Private key pair click on the recycle icon at the right end of the Public key field.
  • Set the Address, such as 10.0.0.12.
  • Set the DNS, such as 10.0.0.1.
  • Tap on the Add Peer link at the bottom.

WireGuard client configuration on Android device

Figure 20. WireGuard client configuration on Android device

Adding peer configuration to WireGuard client on Android device

Figure 21. Adding peer configuration to WireGuard client on Android device

Explanations of the fields in the interface section are given below:

  • PrivateKey: Private key of this Android client. It stays on the device and is never sent to the server.
  • PublicKey: Public key of this Android client. The public key must be copied into the Endpoint configuration on OPNsense for the relevant client peer.
  • Address: IP address of this client inside the tunnel subnet. It must be unique among all clients and must correspond to the IP specified as Allowed IPs in this client's Endpoint configuration on OPNsense.
  • DNS: IP address of the DNS server the client should use while the tunnel is up. In this case, we use the DNS resolver running on the OPNsense WireGuard server.

Explanations of the fields in the peer section are given below:

  • PublicKey: The public key of the OPNsense WireGuard server.
  • Endpoint: The Public/Real IP address of the OPNsense server followed by a colon :, and WireGuard port (51820).
  • AllowedIPs: 0.0.0.0/0: Specifies what IP addresses should be routed over the VPN. 0.0.0.0/0 is a catch-all configuration and routes everything over the VPN.
  • Copy the OPNsense WireGuard Server Public Key from the Local configuration on OPNsense to the Public Key field.
  • Set the Endpoint to OPNsense WireGuard Server Public IP address and WireGuard listen port.
  • Set the Allowed IPs to 0.0.0.0/0
  • Tap on the floppy disk icon at the top right of the screen to save the configuration.
note

If you have a Ubuntu desktop that needs a VPN connection, you may read the WireGuard Installation Guide for more information about configuring the Ubuntu WireGuard VPN client.

6. Adding WireGuard Endpoint(Client Peer) Configuration to the Server#

To add the Android client's public key and IP address to the server, you can follow the given steps below:

  • Navigate to VPN -> WireGuard -> Endpoints on OPNsense Web UI.
  • Click + to add a new Endpoint
  • Enter the Name, such as MyAndroid.
  • Enter the Public Key which was generated during the Android WireGuard client configuration above, for our example it is rQdjEcn7UMbIverQ4D0FKfz+fkGLxClArwDsXCNf+DE=.
  • Set Allowed IPs to the same IP address as the Address field in the Android WireGuard client configuration above, written as a single host in CIDR notation; for our example, it is 10.0.0.12/32
  • Click Save.

Setting WireGuard Endpoint(Android) configuration on OPNsense

Figure 22. Setting WireGuard Endpoint(Android) configuration on OPNsense

Now, you may view all configured WireGuard VPN endpoints, MyWindows and MyAndroid, on your OPNsense under the VPN -> WireGuard -> Endpoints tab.

WireGuard endpoints list on OPNsense

Figure 23. WireGuard endpoints list on OPNsense

7. Adding Peers(VPN Clients) to Server Local Configuration on OPNsense#

After defining the endpoints on your OPNsense firewall, you should add each of the peers to the WireGuard VPN server local configuration by following the steps below.

  • Navigate to the VPN-> WireGuard -> Local tab on OPNsense GUI.
  • Edit the MyWireGuard vpn configuration by clicking on the pencil icon.
  • Select the newly created endpoints, for our example MyWindows and MyAndroid from the Peers dropdown menu.
  • Click Save.

Adding Peers(Endpoints) to WireGuard VPN Server local configuration

Figure 24. Adding Peers(Endpoints) to WireGuard VPN Server local configuration

  • Click Apply.

8. Enabling WireGuard Server on OPNsense#

To enable the WireGuard server on OPNsense and make the peers added above take effect,

  1. Navigate to VPN -> WireGuard -> General tab on OPNsense Web UI.
  2. Make sure the Enable WireGuard check box is ticked (it already is if you enabled it in step 2).
  3. Click Apply. This (re)starts the WireGuard service with the current Local configuration and peers.

Enabling WireGuard Server on OPNsense

Figure 25. Enabling WireGuard Server on OPNsense

9. Creating WireGuard Interface on OPNsense#

note

If you only need to access your LAN via WireGuard but not IPs outside of the local network, for example, the public internet, you may skip this step.

info

Although this step is not strictly necessary for a road warrior setup, it is beneficial to create a WireGuard interface on OPNsense for a number of reasons:

  • It creates an alias for the tunnel subnet(s), which can then be used in firewall rules. Otherwise, you'll have to create your own alias or manually specify the subnet(s).
  • It adds an IPv4 outbound NAT rule automatically, allowing the tunnel to access IPv4 IPs outside of the local network (if desired) without the need to manually add a rule.
  • It enables the separation of each WireGuard instance's firewall rules (each wgX device). Otherwise, they must all be configured on the default WireGuard group created by OPNsense.

To create the WireGuard interface, you may follow the next steps given below:

  • Navigate to Interfaces -> Assignments
  • Select the WireGuard device (wg0 if this is your first one) in the dropdown menu next to New interface:,
  • Add a description such as MyWireGuard
  • Click + to add it
  • Click Save

Creating WireGuard interface on OPNsense

Figure 26. Creating WireGuard interface on OPNsense

  • Select your new interface under the Interfaces menu by clicking on it for configuration.
  • Enable the interface by clicking on the check box.
  • Enable Prevent interface removal in the Lock option.
  • Leave other options as the default.

Configuring the WireGuard interface on OPNsense

Figure 27. Configuring the WireGuard interface on OPNsense

tip

It is not necessary to configure IP addresses on the WireGuard interface. Once the WireGuard service is restarted, the tunnel address(es) specified in the Local configuration of your WireGuard server will be automatically assigned to the interface.

  • Click Apply changes to activate the new interface settings.
  • Navigate to VPN -> WireGuard -> General tab on OPNsense Web UI.
  • Disable WireGuard by unchecking the Enable WireGuard check box and click Apply.
  • Enable WireGuard again by checking the Enable WireGuard check box and click Apply. This restart assigns the tunnel address to the newly created interface.

10. Creating Firewall Rules#

You may define the following two firewall rules on your OPNsense node.

  1. A firewall rule on the WAN interface to allow clients to connect to the OPNsense WireGuard server.
  2. A firewall rule to allow clients access to whatever IPs they are supposed to have access to. This rule is optional and you may not need to allow clients to access the internal networks.

10.1. Allowing VPN clients to access the OPNsense WireGuard Server#

You have installed and configured a WireGuard VPN server to access the internal home/company network remotely. For this to work, the WireGuard listen port must be reachable from the Internet: add a rule on the WAN interface that passes UDP traffic destined to the WAN address on the WireGuard listen port (51820 in this guide). Only that single UDP port needs to be open; WireGuard does not answer unauthenticated packets, so the port shows no response to scanners. For the general procedure of creating such a rule, please refer to the How to Configure OPNsense Firewall Rules article written by Sunny Valley Networks.

After defining this firewall rule, your WireGuard VPN clients should be able to reach the server and complete the handshake. Whether they can then send traffic through the tunnel to the Internet or to your LAN depends on the rules you define on the WireGuard interface in the next section.

10.2. Allowing VPN clients to access the internal networks#

If you want your WireGuard VPN clients to be able to connect to devices on your network, you must create firewall rules on the WireGuard interface to allow such access. The rule below lets every VPN client reach every destination, including your LAN and the Internet, which is convenient for testing. In production, narrow Destination (and Destination Port) to the networks and services the clients actually need and let the default deny block the rest. To define the permissive rule, you may follow the next steps given below.

  • Navigate to Firewall -> Rules and select the WireGuard interface you created, such as MyWireGuard. Click the + icon to add a new rule with the following settings:

Option            Value
Action            Pass
Interface         MyWireGuard
Protocol          any
Source            MyWireGuard net
Source Port       any
Destination       any
Destination Port  any
Description       Allow WireGuard devices access to anywhere without any restriction

  • Select Pass for Action.
  • Select MyWireGuard net for Source.
  • Select any for Source port.

Defining firewall rule to allow all VPN clients to access anywhere-1

Figure 28. Defining firewall rule to allow all VPN clients to access anywhere-1

  • Select any for destination
  • Select any for destination port range.
  • You may leave other settings as default.
  • Click Save at the bottom of the page.

Defining firewall rule to allow all VPN clients to access anywhere-2

Figure 29. Defining firewall rule to allow all VPN clients to access anywhere-2

  • Click the Apply Changes button to activate the settings.

11. Verifying the WireGuard Setup on OPNsense#

WireGuard VPN server configuration and client configurations are completed. To test the configurations, you may follow the steps given below.

  1. Activating WireGuard Windows Client: To connect your Windows PC to the VPN server, open the WireGuard application and turn the MyWireGuard tunnel on by clicking on the Activate button. Once the peers are connected, the tunnel Status will change to Active.

Activating WireGuard tunnel on Windows client

Figure 30. Activating WireGuard tunnel on Windows client

  2. Activating WireGuard Android Client: To connect your Android device to the VPN server, launch the WireGuard application and turn the MyWireGuard tunnel on with the toggle button.

Activating WireGuard tunnel on Android client

Figure 31. Activating WireGuard tunnel on Android client

  3. Viewing VPN connections on OPNsense: Navigate to the VPN -> WireGuard -> List Configuration tab on your OPNsense web UI. You should be able to see information about the connected VPN clients. The following details are displayed for each peer:
  • peer (via its public key),
  • the IP address of the connected client,
  • the time since the last connection,
  • the amount of data transferred.

Connected WireGuard VPN clients list configuration on OPNsense

Figure 32. Connected WireGuard VPN clients list configuration on OPNsense

  4. Handshakes: Click on the Handshakes tab. Each connected peer should show a recent latest handshake. WireGuard renegotiates the handshake roughly every two minutes as long as the client is exchanging traffic, so the timestamp should keep updating. A peer that never shows a handshake has not reached the server at all; check the WAN rule, the Endpoint address and port, and that the public keys on both sides were copied correctly.

Viewing handshakes for WireGuard VPN connections on OPNsense

Figure 33. Viewing handshakes for WireGuard VPN connections on OPNsense

  5. Ping Test: You should be able to successfully ping your WireGuard server from the client and vice versa:

ping 10.0.0.1
  6. Public IP Control: To find out what your public IP address is, go to https://www.whatismyip.com on your client machine. If your WireGuard tunnel is functioning properly and AllowedIPs is 0.0.0.0/0, you should see your VPN server's public IP address in the browser rather than your client computer's public IP address.
  7. Traceroute Test: The WireGuard server's tunnel address (10.0.0.1) should appear as the first hop in the traceroute output:


traceroute 8.8.8.8
1 10.0.0.1 (10.0.0.1) 0.391 ms 0.348 ms 0.349 ms
2 _gateway (192.168.0.1) 0.641 ms 0.606 ms 0.625 ms
3 * * *
15 * * *
16 142.250.212.20 (142.250.212.20) 27.320 ms 74.125.37.238 (74.125.37.238) 29.852 ms 216.239.49.198 (216.239.49.198) 30.107 ms
  
  8. Internal Networks Access Test: Since we allow VPN clients access to the internal networks behind the firewall without any restrictions, they should be able to access anywhere in your LAN. For example, you should be able to successfully ping a device on your LAN from the client and vice versa.
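The List Configuration and Handshakes tabs are a view of what the `wg` tool reports. When you want the same checks scripted, for example from the OPNsense shell or a monitoring job, the added example below (not code from the original page or the plugin) parses the machine-readable output of `wg show wg0 dump`, names each peer from the Endpoint list used in this guide, classifies it by the age of its latest handshake, and audits the server-side Allowed IPs for prefixes wider than a single host. The dump text, the third peer, the client source addresses and the fixed "current time" are constructed for the example; the assumed interface name is wg0, the first WireGuard device on OPNsense.

```python
import ipaddress
from typing import Dict, List

# WireGuard discards a session whose last handshake is older than REJECT_AFTER_TIME
# (180 s); a healthy peer with traffic re-handshakes about every two minutes.
REJECT_AFTER_TIME = 180

# Fixed "now" so the constructed sample below is deterministic.
NOW = 1_700_000_000

# Public keys from this guide's Endpoint list; the third peer is constructed.
ENDPOINT_NAMES = {
    "HtuNHzBxW+ZcKMjOc5wbXZTFL4qKNbmzo/6XoR/cyEE=": "MyWindows",
    "rQdjEcn7UMbIverQ4D0FKfz+fkGLxClArwDsXCNf+DE=": "MyAndroid",
}
STALE_PEER_KEY = "CONSTRUCTED/ThirdPeerKeyForTheExampleOnly0000="

# Constructed `wg show wg0 dump` output. Line 1 is the interface (private_key,
# public_key, listen_port, fwmark); each further line is a peer (public_key,
# preshared_key, endpoint, allowed_ips, latest_handshake, rx, tx, keepalive).
# Client source addresses are documentation ranges; the private key is redacted.
SAMPLE_DUMP = "\n".join([
    "\t".join(["<redacted>", "fyKJ4c6sXTVRTJla6zQ9wi4okRPRd/GsMbTMszjhAgA=", "51820", "off"]),
    "\t".join(["HtuNHzBxW+ZcKMjOc5wbXZTFL4qKNbmzo/6XoR/cyEE=", "(none)", "198.51.100.23:49211",
               "10.0.0.11/32", str(NOW - 42), "1432088", "8812345", "off"]),
    "\t".join(["rQdjEcn7UMbIverQ4D0FKfz+fkGLxClArwDsXCNf+DE=", "(none)", "(none)",
               "10.0.0.12/32", "0", "0", "0", "off"]),
    "\t".join([STALE_PEER_KEY, "(none)", "192.0.2.77:51820",
               "10.0.0.13/32,10.0.0.0/24", str(NOW - 900), "5120", "4096", "25"]),
])


def parse_dump(dump: str) -> List[Dict[str, object]]:
    """Parse `wg show <iface> dump` into one dict per peer (the interface line is skipped)."""
    peers: List[Dict[str, object]] = []
    for line in [ln for ln in dump.splitlines() if ln.strip()][1:]:
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = line.split("\t")
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),  # unix time, 0 means never
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "persistent_keepalive": None if keepalive == "off" else int(keepalive),
        })
    return peers


def peer_status(peer: Dict[str, object], now: int = NOW) -> str:
    """Classify a peer from its latest handshake, mirroring the Handshakes tab."""
    handshake = int(peer["latest_handshake"])
    if handshake == 0:
        return "never connected"
    age = now - handshake
    if age <= REJECT_AFTER_TIME:
        return f"active (handshake {age}s ago)"
    return f"stale (last handshake {age}s ago)"


def status_report(dump: str, names: Dict[str, str], now: int = NOW) -> Dict[str, str]:
    """Map each peer (by its Endpoint name where known, else its public key) to a status."""
    return {names.get(str(p["public_key"]), str(p["public_key"])): peer_status(p, now)
            for p in parse_dump(dump)}


def audit_allowed_ips(peers: List[Dict[str, object]]) -> List[str]:
    """Flag peers whose server-side Allowed IPs is wider than a single host.

    The server accepts any tunnel packet whose source lies inside the peer's
    Allowed IPs, so a /24 here lets that client impersonate every other client.
    """
    findings = []
    for p in peers:
        for entry in p["allowed_ips"]:
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{p['public_key']}: {entry}")
    return findings


if __name__ == "__main__":
    for name, status in status_report(SAMPLE_DUMP, ENDPOINT_NAMES).items():
        print(f"{name:<46} {status}")
    for finding in audit_allowed_ips(parse_dump(SAMPLE_DUMP)):
        print("WARNING wide Allowed IPs:", finding)
```

On a live system, replace SAMPLE_DUMP with the output of `wg show wg0 dump` and NOW with the current time; a peer that stays at "never connected" after the client toggles the tunnel on points at the WAN rule or a key mismatch, and any finding from the audit means an Endpoint's Allowed IPs should be tightened to a /32.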