How to set up a Road Warrior VPN with WireGuard in OPNsense

OPNsense and pfSense share many of their features and functionality with one another. Aside from them being based on FreeBSD, OPNsense is actually a fork of pfSense. So their similarities should come as no surprise.

Netgate, the company behind pfSense’s development, recently changed its business model. It now develops and distributes a premium version of pfSense (pfSense Plus) that includes extra proprietary features alongside the fully open-source version (pfSense Community Edition). Because of that, many pfSense users fear pfSense CE will slowly be abandoned.

And that has caused many pfSense users to jump ship (or to consider switching) to OPNsense. But while they’re very similar to one another, and you can achieve most of the same things on both systems, their configurations have diverged quite a bit by now. And many new OPNsense users coming from pfSense, are wondering how to reproduce the functionality they relied on in pfSense.

This post will explain how to configure a road warrior VPN using WireGuard in OPNsense. This guide assumes you have a working OPNsense configuration with working WAN and LAN interfaces and are using the Unbound DNS Resolver for DNS resolution.


Let’s get started.

Installing WireGuard

WireGuard is an add-on package (called a plugin) in OPNsense, so we first need to install the WireGuard plugin.

  1. From the side menu, select System > Firmware > Plugins. The Plugins page is displayed.
  2. Scroll down the page until you see os-wireguard, and click the + sign to its right. The installation begins.
  3. Once the installation is complete, you should see ***DONE*** at the bottom of the installation window.

Configuring the WireGuard package

Before we get into our configuration, it’s important to understand that WireGuard doesn’t use the typical server/client dichotomy used with both IPsec and OpenVPN. With WireGuard, every participant in the network is a node that may communicate with the other nodes according to its access control list (ACL). Despite that, we’re going to treat the “OPNsense node” as our server because this makes sense – particularly in a road warrior setup.

Setting up the OPNsense node/server

  1. From the side menus, select VPN > WireGuard. The main WireGuard settings page is displayed.
  2. By default, we are on the General page. Select the Local tab. The Local Tunnel page is displayed.
  3. Click the + sign to add a new WireGuard tunnel. The Tunnel Configuration page is displayed.
  4. Enter a name for your local tunnel in the Name field.
  5. Leave the Public Key and Private Key fields blank. The keys will be generated automatically upon saving.
  6. Enter a port in the Listen Port field. The default is 51820.
  7. Enter 1420 in the MTU field. This setting is required because WireGuard has a maximum transmission unit (MTU) of 1420 bytes. If a datagram sent or received over the connection exceeds 1420 bytes, it will be fragmented, which can break the connection.
  8. Leave the DNS Server field empty. The DNS server will be set on our client.
  9. In the Tunnel Address field, enter the IP address of the “server node.” Make sure to use a subnet that’s not already in use on your system and give it a /24 subnet mask. I will use 10.15.10.1/24.
  10. Click Save. You’re taken back to the main WireGuard settings page.
  11. We can see our tunnel has been created. Click Apply.

Generating our peer’s WireGuard key pair & PSK

Each peer needs to have its own public/private key pair. We auto-generated a key pair for the “server” node when we saved the tunnel. But because there’s no key generation mechanism in the peer settings, we’re going to perform a small hack to generate our peer’s key pair. We will download the official WireGuard client app and create a dummy configuration just for key generation. Once we copy the keys, we simply delete the configuration.

  1. From the WireGuard client app, click the + sign on the bottom left.
  2. Select Add Empty Tunnel… to create a new configuration. This automatically generates a new key pair.
  3. Copy and paste the public and private keys into a text file and discard the configuration.

Generating a pre-shared key (PSK)

For added security, we will configure our peer to use a PSK. To do that, we need access to the OPNsense shell, so we’ll start by enabling SSH access in OPNsense.

  1. From the side menus, select System > Settings > Administration.
  2. Scroll down to the Secure Shell section.
  3. Tick Enable Secure Shell. Because this is a test system, I will simply be using password login for the root user. But I would strongly recommend you create another user with fewer privileges for shell access and would also recommend using SSH keys to log in rather than a password. Were this not a test system, I would follow the above advice and not tick the Permit root user login and the Permit password login boxes.
  4. Click Save at the bottom of the page.
  5. Launch a shell on the computer through which you’re accessing the OPNsense GUI.
  6. Type: ssh root@<your OPNsense IP address>. If you’re using SSH keys to log in, you should be logged in automatically. If not, you will be prompted for your password. The OPNsense console menu is displayed.
  7. Type 8 (Shell) for shell access.
  8. Type: wg genpsk. Your PSK is displayed below the command. Copy and paste it to the same text file as the WireGuard key pair. Your text file should now contain your public and private keys as well as your PSK. We will use these in the next step.

Creating a remote peer

Now that we have our keys, we can go ahead and create our peer (called Endpoints in OPNsense).

  1. Select the Endpoints tab. The Endpoints page is displayed.
  2. Click the + sign. The Endpoint Configuration page is displayed.
  3. Tick the Enabled box.
  4. Enter a name for your peer in the Name field.
  5. Paste the public key from the public/private key pair we generated earlier in the Public Key field.
  6. Paste the third key we generated as a PSK in the Shared Secret field.
  7. Enter your peer’s WireGuard IP address. It should be in the same subnet as our local tunnel (the “server” node) and should have a /32 subnet mask. I will use 10.15.10.5/32.
  8. Enter the IP address of the local tunnel (the “server” node) in the Endpoint Address field.
  9. Enter 50821 in the Endpoint Port field.
  10. Enter 25 in the Keepalive Interval field.
  11. Click Save. You’re taken back to the main Endpoints settings page.
  12. We can see our peer/endpoint has been created. Click Apply.

Linking our remote peer to the local tunnel

While we’ve created our local tunnel and our peer, we still need to link them so they can work together.

  1. Select the Local tab. The Local main settings page is displayed.
  2. Click the pencil icon to edit the tunnel. The Local tunnel configuration page is displayed.
  3. From the Peers drop-down menu, select iPhone_Peer (or whatever name you gave your peer).
  4. Click Save. You’re taken back to the Local main settings page.
  5. We can see our peer has been added to the tunnel configuration. Click Apply.

Starting the WireGuard service

Now that our local tunnel and remote peer are properly configured, we need to start the WireGuard service.

  1. Select the General tab.
  2. Tick the Enable WireGuard box and click Apply.

Checking the status of our WireGuard tunnel

Now that we’ve started the WireGuard service, let’s make sure it’s running properly.

  1. Select the Status tab. The WireGuard Status page is displayed.
  2. We can see that our tunnel is up and running. But there are still a few steps to complete before we can actually start passing traffic through our WireGuard tunnel.

The next thing we will do is configure DNS.

Configuring DNS access

We will be using the built-in DNS Resolver (Unbound) for DNS. Because we didn’t create an explicit interface for WireGuard, we can’t set Unbound to bind to that interface. Instead, we will create an ACL allowing our WireGuard subnet to use the DNS Resolver. And we will set our client app to use OPNsense itself as its DNS server.

  1. From the side menus, select Services > Unbound DNS > Access Lists. The DNS Resolver’s Access Lists settings page is displayed.
  2. Click the + sign to add a new access list. The Access List configuration page is displayed.
  3. Enter a name for your access list in the Access List name field.
  4. Make sure the Action drop-down menu is set to Allow.
  5. In the Networks field, enter your WireGuard subnet with a /24 subnet mask.
  6. Optionally add a description in the Description field.
  7. Click Save. You’re taken back to the main Access List settings page.
  8. We can see our access list has been created. Click Apply Changes.

Enabling port forwarding and firewall rules

Our next step is configuring OPNsense to allow our remote peer to connect and for its traffic to be allowed through the firewall. We’re going to add some port forwarding rules to enable this.

  1. From the side menus, select Firewall > NAT > Port Forward. The main NAT Port Forwarding settings page is displayed.
  2. Click the + sign. The Port Forwarding rule configuration page is displayed.
  3. From the Interface drop-down menu, select WAN.
  4. From the TCP/IP Version drop-down menu, select IPv4.
  5. From the Protocol drop-down menu, select UDP.
  6. From the Destination drop-down menu, select WAN address.
  7. From the Destination port range drop-down menus, select Other and enter 51820 in both port fields.
  8. From the Redirect target IP drop-down menu, select Single host and enter the WireGuard node/server’s interface address (10.15.10.1).
  9. From the Redirect target port drop-down menu, select Other and enter 51820 in the port field.
  10. Enter a description in the Description field.
  11. Make sure that the Filter rule association drop-down menu is set to Add associated filter rule. This will create a corresponding rule on our WAN interface automatically.
  12. Click Save at the bottom of the page. You’re taken back to the main NAT Port Forward configuration page.
  13. We can see that our port forward rule has been created. Click Apply Changes.
  14. Our port forward rule has been applied. Let’s now make sure our WAN rule has been automatically added.
  15. From the side menus, select Rules > WAN (we’re already in the Firewall section). The main WAN Firewall rules page is displayed.
  16. We can see that our WAN rule has indeed been added.
  17. From the side menus, select WireGuard (Group) (we’re already in the Firewall > Rules section).
  18. The WireGuard (Group) firewall entry is generated automatically as soon as you create a WireGuard interface. The rules in this tab apply to all WireGuard interfaces you add to your system. It is distinct from the standalone interface tab you would have if you had assigned the WireGuard interface on the system, as with the LAN interface. Assigning the interface would have been useful if we wanted to use it as a gateway. But because we’re going to use the OPNsense WAN interface as our gateway, there’s no need to assign the interface; we can use the grouped WireGuard entry to allow traffic on our WireGuard interface. Click the + sign to add a new firewall rule. The Firewall Rule configuration page is displayed.
  19. Make sure the Action drop-down menu is set to Pass.
  20. Make sure the Interface drop-down menu is set to WireGuard.
  21. Make sure the Address Family drop-down is set to IPv4.
  22. From the Protocol drop-down menu, select Any.
  23. From the Source drop-down menu, select Network and enter your WireGuard subnet with a /24 subnet mask. In my case, this is 10.15.10.0/24.
  24. From the Destination drop-down menu, select Any.
  25. Click Save at the bottom of the page.
  26. You’re taken back to the main Firewall Rules configuration page, and we can see our firewall rule has been created. Click Apply Changes.
  27. Our firewall rule has been applied: our remote peer should now be able to connect, and its traffic should be allowed through the firewall. Our next step is to configure our remote peer (client). We’ll be doing this in the official WireGuard app for iPhone.

Configuring our remote peer (client app)

  1. Download and install the WireGuard app for your device. I’ll be using an iPhone for this tutorial.
  2. From the app’s main screen, click Add Tunnel. A pop-up menu appears.
  3. Select Create from scratch.
  4. Under Interface, enter a name for your connection in the Name field.
  5. Copy and paste the peer’s private key in the Private Key field. The public key will be populated automatically.
  6. Enter the peer’s IP address in the Address field. This is 10.15.10.5/32 in my case.
  7. Enter the port number in the Port field. In my case, this is 51820.
  8. Enter your OPNsense box’s IP address in the DNS field. This is 10.15.1.1 in my case.
  9. Under Peer, enter the “server” node’s public key in the Public key field. You can copy it from the Tunnels tab.
  10. Enter the peer’s pre-shared key in the Preshared key field.
  11. Enter 0.0.0.0/0 in the Allowed IPs field. This will pass all traffic through the WireGuard tunnel.
  12. In the Persistent Keepalive field, enter 25.
  13. Click Save at the top.
  14. All that’s left is to enable our connection and see if it works.
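Put together, the values entered in the client app form a small INI-style file, and several of its fields must agree with what was entered on the OPNsense side: the peer address has to sit inside the tunnel subnet with a /32 mask, the endpoint port has to equal the Listen Port, and a full-tunnel Allowed IPs only resolves names through Unbound if the DNS field is filled in. The following is an added example, not part of the original post or of OPNsense: it renders the client file from the values used in this guide and cross-checks it against the server-side settings before it is loaded onto a device. The WAN hostname and all keys are placeholders, since the guide does not publish them; the checks themselves are generic and apply to any single-peer client configuration.

```python
"""Render the client-side WireGuard configuration and cross-check it against
the OPNsense tunnel and endpoint settings.

Added example with constructed values; it is not OPNsense code and does not
talk to the firewall.  Keys and the public WAN name are placeholders, as the
guide does not publish them."""
import configparser
import ipaddress

# Server side, as entered under VPN > WireGuard in this guide.
SERVER = {
    "listen_port": 51820,
    "tunnel_address": "10.15.10.1/24",
    "lan_address": "10.15.1.1",                       # OPNsense LAN IP, handed out as DNS
    "wan_hostname": "vpn.example.net",                # placeholder for the WAN IP / DDNS name
    "public_key": "SERVER_PUBLIC_KEY_PLACEHOLDER=",   # copied from the Local tab in practice
}
# Client side, as entered in the WireGuard app.
PEER = {
    "address": "10.15.10.5/32",
    "private_key": "PEER_PRIVATE_KEY_PLACEHOLDER=",   # stays on the device in practice
    "psk": "PEER_PRESHARED_KEY_PLACEHOLDER=",
}


def render_client_conf(server: dict, peer: dict) -> str:
    """Produce the INI-style file the WireGuard app shows after Save."""
    return (
        "[Interface]\n"
        f"PrivateKey = {peer['private_key']}\n"
        f"Address = {peer['address']}\n"
        f"ListenPort = {server['listen_port']}\n"
        f"DNS = {server['lan_address']}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server['public_key']}\n"
        f"PresharedKey = {peer['psk']}\n"
        "AllowedIPs = 0.0.0.0/0\n"
        f"Endpoint = {server['wan_hostname']}:{server['listen_port']}\n"
        "PersistentKeepalive = 25\n"
    )


def check_client_conf(conf_text: str, server: dict) -> list[str]:
    """Return the mismatches found; an empty list means the client agrees with the server side."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep WireGuard's CamelCase keys
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    problems: list[str] = []

    # The peer must be a single host inside the tunnel subnet, distinct from the server.
    tunnel = ipaddress.ip_interface(server["tunnel_address"])
    addr = ipaddress.ip_interface(iface["Address"])
    if addr.network.prefixlen != 32:
        problems.append("peer Address should carry a /32 mask")
    if addr.ip not in tunnel.network:
        problems.append(f"peer Address {addr.ip} is outside the tunnel subnet {tunnel.network}")
    elif addr.ip == tunnel.ip:
        problems.append("peer Address collides with the server's tunnel address")

    # The port after the colon in Endpoint must be the port the server listens on (and forwards).
    _, _, port = peer["Endpoint"].rpartition(":")
    if not port.isdigit() or int(port) != server["listen_port"]:
        problems.append(f"Endpoint port {port!r} does not match the Listen Port {server['listen_port']}")

    # Routing everything through the tunnel without a DNS entry bypasses Unbound.
    allowed = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    if any(n.prefixlen == 0 for n in allowed) and not iface.get("DNS"):
        problems.append("full-tunnel AllowedIPs but no DNS entry: queries will not reach OPNsense's Unbound")

    # A mobile client behind NAT needs a keepalive so the mapping does not expire.
    keepalive = int(peer.get("PersistentKeepalive", "0"))
    if not 0 < keepalive <= 60:
        problems.append("PersistentKeepalive missing or too long for a mobile client behind NAT")

    return problems


if __name__ == "__main__":
    conf = render_client_conf(SERVER, PEER)
    print(conf)
    print("problems:", check_client_conf(conf, SERVER) or "none")
```

Running the check against a deliberately altered file (a /24 on the peer address, or a transposed endpoint port) reports each mismatch by name, which is quicker than reading the OPNsense Status tab for a handshake that never arrives.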

Checking the status of our connection

Now that our remote node is connected, let’s check the WireGuard service’s status in OPNsense to make sure everything is working properly.

  1. From the side menus, select VPN > WireGuard. You’re taken to the WireGuard main settings page.
  2. Select the Status tab.
  3. We can see that our tunnel is up, and our remote peer is connected.
  4. To make sure the WireGuard tunnel is using your OPNsense WAN as its gateway, you can check your IP online. The IP address displayed should be your WAN IP address.

Adding a WireGuard widget to the OPNsense dashboard

You can add a WireGuard widget to your OPNsense dashboard to quickly glean information on your WireGuard connections from the dashboard itself.

  1. From the Dashboard, click Add Widget at the top right of the page. The Available Widgets window is displayed.
  2. Select WireGuard from the list and click Close.
  3. Click Save Settings at the top right of the page to load the widget.
  4. Once loaded, the widget displays the name of your local peer (our WireGuard “client”), the interface, the endpoint name (our WireGuard “server”), the endpoint’s public key, and the time the latest handshake occurred.

Wrap Up

So we successfully set up a road warrior VPN with WireGuard in OPNsense. That allows you to browse the internet through your home connection from anywhere. And you can also access your home network and any of the resources sitting behind it (servers, databases, other computers) from anywhere.

Enjoy, and stay safe.
