How to set up a Road Warrior VPN with WireGuard in OPNsense

OPNsense and pfSense share many of their features and functionality with one another. Aside from them being based on FreeBSD, OPNsense is actually a fork of pfSense. So their similarities should come as no surprise.

Netgate, the company behind pfSense’s development, recently changed its business model. It now develops and distributes a premium version of pfSense (pfSense Plus) that includes extra proprietary features alongside the fully open-source version (pfSense Community Edition). Because of that, many pfSense users fear pfSense CE will slowly be abandoned.

And that has caused many pfSense users to jump ship (or to consider switching) to OPNsense. But while they’re very similar to one another, and you can achieve most of the same things on both systems, their configurations have diverged quite a bit by now. And many new OPNsense users coming from pfSense, are wondering how to reproduce the functionality they relied on in pfSense.

This post will explain how to configure a road warrior VPN using WireGuard in OPNsense. This guide assumes you have a working OPNsense configuration with working WAN and LAN interfaces and are using the Unbound DNS Resolver for DNS resolution.

OPNsense - WireGuard Road Warrior - Dashboard

Let’s get started.

Installing WireGuard

WireGuard is an add-on package (called a plugin) in OPNsense . So we first need to install the WireGuard plugin.

  1. From the side menu, select System > Firmware > Plugins. The Plugins page is displayed. OPNsense - WireGuard Road Warrior - System - Firmware - Plugins
  2. Scroll down the page until you see os-wireguard, and click the + sign to its right. The installation begins. OPNsense - WireGuard Road Warrior - WireGuard Plugin - Click Plus
  3. Once the installation is complete, you should see ***DONE*** at the bottom of the installation window. OPNsense - WireGuard Road Warrior - WireGuard Plugin Installed

Configuring the WireGuard package

Before we get into our configuration, it’s important to understand that WireGuard doesn’t use the typical server/client dichotomy used with both IPsec and OpenVPN. With WireGuard, every participant in the network is a node that may communicate with the other nodes according to its access control list (ACL). Despite that, we’re going to treat the “OPNsense node” as our server because this makes sense – particularly in a road warrior setup.

Setting up the OPNsense node/server

  1. From the side menus, select VPN > WireGuard. The main WireGuard settings page is displayed. OPNsense - WireGuard Road Warrior - VPN - WireGuard
  2. By default, we are on the General page. Select the Local tab. The Local Tunnel page is displayed. OPNsense - WireGuard Road Warrior - Select Local Tab
  3. Click the + sign to add a new WireGuard tunnel. The Tunnel Configuration page is displayed. OPNsense - WireGuard Road Warrior - Local Tab - Click Plus
  4. Enter a name for your local tunnel in the Name field.
  5. Leave the Public Key and Private Key fields blank. The keys will be automatically generated upon saving.
  6. Enter a port in the Listen Port field. The default is 51820.
  7. Enter 1420 in the MTU field. This setting is required becauseWireGuard has a maximum transmission unit (MTU) of 1420. So, as you send and receive data over the connection, if a datagram exceeds 1420 bytes, it will be fragmented, which can break the connection.
  8. Leave the DNS Server field empty. The DNS server will be set on our client.
  9. In the Tunnel Address field, enter the IP address of the “server node.” Make sure to use a subnet that’s not already in use on your system and give it a /24 subnet mask. I will use 10.15.10.1/24.
  10. Click Save. You’re taken back to the main WireGuard settings page. OPNsense - WireGuard Road Warrior - Local Tunnel Configuration
  11. We can see our tunnel has been created. Click Apply. OPNsense - WireGuard Road Warrior - Local Tunnel - Apply

Generating our peer’s WireGuard key pair & PSK

Each peer needs to have its own public/private key pair. We auto-generated a key pair for the “server” node when we saved the tunnel. But because there’s no key generation mechanism in the peer settings, we’re going to perform a small hack to generate our peer’s key pair. We will download the official WireGuard client app and create a dummy configuration just for key generation. Once we copy the keys, we simply delete the configuration.

  1. From the WireGuard client app, click the + sign on the bottom left. OPNsense - WireGuard Road Warrior - Client App - Click Plus
  2. Select Add Empty Tunnel… to create a new configuration. This automatically generates a new key pair. OPNsense - WireGuard Road Warrior - Client App - Add Empty Tunnel
  3. Copy and paste the public and private keys into a text file and discard the configuration. OPNsense - WireGuard Road Warrior - Client App - Copy Keys

Generating a pre-shared key (PSK)

For added security, we will configure our peer to use a PSK.  To do that, we are going to need to access the OPNsense Shell, So we’ll start by enabling SSH access in OPNsense.

  1. From the side menus, select System > Settings > Administration. OPNsense - WireGuard Road Warrior - System - Settings - Administration
  2. Scroll down to the Secure Shell section.
  3. Tick Enable Secure Shell. Because this is a test system, I will simply be using password login for the root user. But I would strongly recommend you create another user with fewer privileges for shell access and would also recommend using SSH keys to log in rather than a password. Were this not a test system, I would follow the above advice and not tick the Permit root user login and the Permit password login boxes. OPNsense - WireGuard Road Warrior - SSH Configuration
  4. Click Save at the bottom of the page.
  5. Launch a Shell on the computer through which you’re accessing the OPNsense GUI.
  6. Type: root@<your OPNsense IP address>. If you’re using SSH keys to login, you should login automatically. If not, you will be prompted for your password. The OPNsense console menu is displayed.
  7. Type 8 (Shell) for ssh access. OPNsense - WireGuard Road Warrior - Shell - Press 8
  8. Type: wg genpsk. Your PSK is displayed below the command. Copy and paste it to the same text file as the WireGuard key pair. OPNsense - WireGuard Road Warrior - Shell - PSK Your text file should now contain your public and private keys as well as your PSK. We will use these in the next step.

Creating a remote peer

Now that we have our keys, we can go ahead and create our peer (called Endpoints in OPNsense).

  1. Select the Endpoints tab. The Endpoints page is displayed. OPNsense - WireGuard Road Warrior - Select Endpoints Tab
  2. Click the + sign. The Endpoint Configuration page is displayed. OPNsense - WireGuard Road Warrior - Endpoints - Click Plus
  3. Tick the Enabled box.
  4. Enter a name for your peer in the Name field.
  5. Paste the public key from the public/private key pair we generated earlier in the Public Key field.
  6. Paste the third key we generated as a PSK in the Shared Secret field.
  7. Enter your peer’s WireGuard IP address. It should be in the same subnet as our local tunnel (the “server” node) and should have a /32 subnet mask. I will use 10.15.10.5/32.
  8. Enter the IP address of the local tunnel (the “server” node) in the Endpoint Address field.
  9. Enter 50821 in the Endpoint Port
  10. Enter 25 in the Keepalive Interval field.
  11. Click Save. You’re taken back to the main Endpoints settings page. OPNsense - WireGuard Road Warrior - Peer Configuration
  12. We can see our peer/endpoint has been created. Click Apply. OPNsense - WireGuard Road Warrior - Endpoint - Apply

Linking our remote peer to the local tunnel

While we’ve created our local tunnel and our peer, we still need to link them so they can work together.

  1. Select the Local tab. The Local main settings page is displayed. OPNsense - WireGuard Road Warrior - Go To Local Tab
  2. Click the pencil icon to edit the tunnel. The Local tunnel configuration page is displayed. OPNsense - WireGuard Road Warrior - Local Tunnel - Pencil
  3. From the Peers drop-down menu, select iPhone_Peer (or whatever name you provided your peer). OPNsense - WireGuard Road Warrior - Add Peer
  4. Click Save. You’re taken back to the Local main settings page. OPNsense - WireGuard Road Warrior - Peer Added - Save
  5. We can see our peer has been added to the tunnel configuration. Click Apply. OPNsense - WireGuard Road Warrior - Peer Added - Apply

Starting the WireGuard service

Now that our local tunnel and remote peer are properly configured, we need to start the WireGuard service.

  1. Select the General tab. OPNsense - WireGuard Road Warrior - General Tab
  2. Tick the Enable WireGuard box and click Apply. OPNsense - WireGuard Road Warrior - Enable Service - Apply

Checking the status of our WireGuard tunnel

Now that we’ve started the WireGuard service let’s make sure it’s running properly.

  1. Select the Status tab. The WireGuard Status page is displayed. OPNsense - WireGuard Road Warrior - Select Status Tab
  2. We can see that our tunnel is up and running. But there are still a few steps to complete before we can actually start passing traffic through our WireGuard tunnel. OPNsense - WireGuard Road Warrior - WireGuard Status

The next thing we will do is configure DNS.

Configuring DNS access

We will be using the built-in DNS Resolver (Unbound) for DNS. Because we didn’t create an explicit interface for WireGuard, we can’t set Unbound to bind to that interface. Instead, we will create an ACL allowing our WireGuard subnet to use the DNS Resolver. And we will set our client app to use OPNsense itself as its DNS server.

  1. From the side menus, select Services > Unbound DNS > Access Lists. The DNS Resolver’s Access Lists settings page is displayed. OPNsense - WireGuard Road Warrior - Services - Unbound - AccessLists
  2. Click the + sign to add a new access list. The Access List configuration page is displayed. OPNsense - WireGuard Road Warrior - ACL - Click Plus
  3. Enter a name for your access list in the Access List name field.
  4. Make sure the Action drop-down menu is set to Allow.
  5. In the Networks fields, enter your WireGuard subnet with a /24 subnet mask. You can optionally add a description.
  6. Optionally add a description in the Description field.
  7. Click Save. You’re taken back to the main Access List settings page. OPNsense - WireGuard Road Warrior - ACL Configuration - Save
  8. We can see our access list has been created. Click Apply Changes. OPNsense - WireGuard Road Warrior - ACL - Apply Changes

Enabling port forwarding and firewall rules

Our next step is configuring OPNsense to allow our remote peer to connect and for its traffic to be allowed through the firewall. We’re going to add some port forwarding rules to enable this.

  1. From the side menus, select Firewall > NAT > Port Forward. The main NAT Port Forwarding settings page is displayed. OPNsense - WireGuard Road Warrior - Firewall - NAT - Port Forward
  2. Click the + sign. The Port Forwarding rule configuration page is displayed. OPNsense - WireGuard Road Warrior - Port Forward - Click Plus
  3. From the Interface drop-down menu, select WAN.
  4. From the TCP/IP Version drop-down menu, select IPv4.
  5. From the Protocol drop-down menu, select UDP.
  6. From the Destination drop-down menu, select WAN address.
  7. From the Destination port range drop-down menus, select Other and enter 51820 in both port fields.
  8. From the Redirect target IP drop-down menu, select Single host and enter the WireGuard node/server’s interface address (10.15.10.1).
  9. From the Redirect target port drop-down menu, select Other and enter 51820 in the port field.
  10. Enter a description in the Description field.
  11. Make sure that the Filter rule association drop-down menu is set to Add associated filter rule. This will create a corresponding rule on our WAN interface automatically.
  12. Click Save at the bottom of the page. You’re taken back to the main NAT Port Forward configuration page. OPNsense - WireGuard Road Warrior - Port Forward Rule Configuration
  13. We can see that our port forward rule has been created. Click Apply Changes. OPNsense - WireGuard Road Warrior - Port Forward Rule - Apply Changes
  14. Our port forward rule has been applied. Let’s now make sure our WAN rule has been automatically added.
  15. From the side menus, select Rules > WAN (we’re already in the Firewall section.) The main WAN Firewall rules page is displayed. OPNsense - WireGuard Road Warrior - Firewall - Rules - WAN
  16. We can see that our WAN rule has indeed been added. OPNsense - WireGuard Road Warrior - Auto WAN Rule
  17. From the side menus, select WireGuard (Group) (we’re already in the Firewall > Rules section.) OPNsense - WireGuard Road Warrior - WireGuard (Group) Firewall Rules
  18. The WireGuard (Group) firewall entry is automatically generated as soon as you create a WireGuard interface. The rules in this tab apply to all WireGuard interfaces you add to your system. It is distinct from the standalone interface tab you would have if you had assigned the WireGuard interface on the system, like the LAN interface. If we wanted to use the WireGuard interface as a gateway, this would have been useful. But because we’re going to be using the OPNsense WAN interface as our gateway, there’s no need to assign the interface, we can use the grouped WireGuard entry to allow traffic on our WireGuard interface. Click the + sign to add a new firewall rule. The FIrewall Rule configuration page is displayed. OPNsense - WireGuard Road Warrior - WireGuard Rules - Click Plus
  19. Make sure the Action drop-down menu is set to Pass.
  20. Make sure the Interface drop-down menu is set to WireGuard.
  21. Make sure the Address Family drop-down is set to IPv4.
  22. From the Protocol drop-down menu, select Any.
  23. From the Source drop-down menu, select Network and enter your WireGuard subnet and a /24 subnet mask. In my case, this is 10.15.10.0/24.
  24. From the Destination drop-down menu, select Any.
  25. Click Save at the bottom of the page. OPNsense - WireGuard Road Warrior - WireGuard Rule - Click Save
  26. You’re taken back to the main Firewall Rules configuration page and we can see our firewall rule has been created. Click Apply Changes. OPNsense - WireGuard Road Warrior - WireGuard Rule - Apply Changes
  27. Our firewall rule has been applied, and our remote peer should be allowed to connect, and its traffic should be allowed through the firewall. Our next step will be to configure our remote peer (client). We’ll be doing this in the official WireGuard app for iPhone.

Configuring our remote peer (client app)

  1. Download and install the WireGuard app for your device. I’ll be using an iPhone for this tutorial.
  2. From the app’s main screen, click Add Tunnel. A pop-up menu appears. OPNsense - WireGuard Road Warrior - Client App - Click Plus
  3. Select Create from scratch. OPNsense - WireGuard Road Warrior - Client App - Create From Scratch
  4. Under Interface, enter a name for your connection in the Name field.
  5. Copy and paste the peer’s private key in the Private Key field. The public key will be populated automatically.
  6. Enter the peer’s IP address in the Address field. This is 10.15.10.5/32 in my case.
  7. Enter the port number in the Port field. In my case, this is 51820.
  8. Enter your OPNsense box’s IP address in the DNS field. This is 10.15.1.1 in my case.
  9. Under Peer, enter the “server” node’s public key in the Public key field.. You can copy it from the Tunnels tab.
  10. Enter the peer’s pre-shared key in the Preshared key field.
  11. Enter 0.0.0.0/0 in the Allowed IPs field. This will pass all traffic through the WireGuard tunnel.
  12. In the Persistent Keepalive field, enter 25.
  13. Click Save at the top. OPNsense - WireGuard Road Warrior - Client App Configuration
  14. All that’s left is to enable our connection and see if it works. OPNsense - WireGuard Road Warrior - Client App - Enabled

Checking the status of our connection

Now that our remote node is connected let’s check the WireGuard service’s status in OPNsense to make sure everything is working properly.

  1. From the side menus, select VPN > WireGuard. You’re taken to the WireGuard main settings page. OPNsense - WireGuard Road Warrior - VPN - WireGuard
  2. Select the Status tab. OPNsense - WireGuard Road Warrior - Status Tab
  3. We can see that our tunnel is up, and our remote peer is connected. OPNsense - WireGuard Road Warrior - Status
  4. To make sure the WireGuard tunnel is using your OPNsense WAN as its gateway, you can check your IP online. The IP address displayed should be your WAN IP address. OPNsense - WireGuard Road Warrior - Comparitech IP Check

Adding a WireGuard widget to the OPNsense dashboard

You can add a WireGuard widget to your OPNsense dashboard to be able to quickly glean information on your WireGuard connections from the OPNsense dashboard

  1. From the Dashboard, click Add Widget at the top right of the page. The Available Widgets window is displayed. OPNsense - WireGuard Road Warrior - Dashboard - Add Widget
  2. Select WireGuard from the list and click Close. OPNsense - WireGuard Road Warrior - Select WG Widget
  3. Click Save Settings at the top right of the page to load the widget. OPNsense - WireGuard Road Warrior - Save Widget
  4. Once loaded, the widget displays the name of your local peer (our WireGuard “client”), the interface, the endpoint name (our WireGuard “server”), the endpoint’s public key, and the time the latest handshake occurred. OPNsense - WireGuard Road Warrior - Widget Loaded

Wrap Up

So we successfully set up a road warrior VPN with WireGuard in OPNsense. That allows you to browse the internet through your home connection from anywhere. And you can also access your home network and any of the resources sitting behind it (servers, databases, other computers) from anywhere.

Enjoy, and stay safe.

See also: