VPN with WireGuard on OPNSense

1. Installing the WireGuard plugin on OPNSense

2. Adding the local endpoint

General panel

Local panel

+----------------+---------------+--------------------------------+
| SETTING        | CONFIGURATION | NOTE                           |
+----------------+---------------+--------------------------------+
| Name           | WGServer      | Choose any name                |
| Public Key     | Leave blank   | Will be auto-generated         |
| Private Key    | Leave blank   | Will be auto-generated         |
| Listen Port    | 51820         | Default port for WireGuard     |
| DNS Server     | <OPNSense_IP> | IP of your fastest/closest DNS |
| Tunnel Address | 10.10.10.1/24 | IP of OPNSense on this tunnel  |
| Peers          | Leave blank   |                                |
| Disable Routes | Leave blank   |                                |
+----------------+---------------+--------------------------------+

3. Generating public/private key pairs

+----------------+---------------+---------------------------------+
| SETTING        | CONFIGURATION | NOTE                            |
+----------------+---------------+---------------------------------+
| Enable         | unchecked     |                                 |
| Name           | Dummy         | We will delete it anyway        |
| Public Key     | Leave blank   | Will be auto-generated          |
| Private Key    | Leave blank   | Will be auto-generated          |
| Listen Port    | Leave blank   |                                 |
| DNS Server     | Leave blank   |                                 |
| Tunnel Address | 1.2.3.4/32    | Dummy address (cannot be blank) |
| Peers          | Leave blank   |                                 |
| Disable Routes | Leave blank   |                                 |
+----------------+---------------+---------------------------------+
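The dummy instance above exists only so that the plugin generates a key pair for you. As an added example (mine, not code from the article or from the OPNsense plugin), here is what that generation actually is: a WireGuard private key is 32 random bytes with the Curve25519 clamping applied, the public key is X25519 of that key and the basepoint 9, and both are stored base64-encoded, which is the form you see in the Public Key / Private Key fields and in wireguard.keys. The ladder is the RFC 7748 reference algorithm written in plain Python, so nothing beyond the standard library is needed; the function names are my own.

```python
# Added example, not from the original article: how WireGuard key material
# (the plugin's auto-generated Public Key / Private Key and the Shared Secret)
# is constructed. Pure Python X25519 following RFC 7748, no third-party modules.
import base64
import os

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for Curve25519
BASEPOINT_U = (9).to_bytes(32, "little")


def clamp(priv: bytes) -> bytes:
    """Apply the Curve25519 clamping that `wg genkey` applies to random bytes."""
    b = bytearray(priv)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def _cswap(swap: int, a: int, b: int):
    # Conditional swap without a data-dependent branch (RFC 7748 style).
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar multiplication on Curve25519.
    The scalar is clamped on the way in, as the RFC's decodeScalar25519 does."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # drop the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return ((x2 * pow(z2, P - 2, P)) % P).to_bytes(32, "little")


def generate_keypair():
    """Return (private_key_b64, public_key_b64) in the form the plugin stores."""
    priv = clamp(os.urandom(32))
    pub = x25519(priv, BASEPOINT_U)
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()


def generate_preshared_key() -> str:
    """The Shared Secret / PresharedKey field (`wg genpsk`): 32 random bytes, base64."""
    return base64.b64encode(os.urandom(32)).decode()


def public_key_from_private(private_b64: str) -> str:
    """Recompute the public key for a private key pasted from wireguard.keys,
    which lets you confirm that a Public/Private pair actually belongs together."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT_U)).decode()


if __name__ == "__main__":
    priv_b64, pub_b64 = generate_keypair()
    print("PrivateKey   =", priv_b64)
    print("PublicKey    =", pub_b64)
    print("PresharedKey =", generate_preshared_key())
```

When you need real keys, let the plugin or the `wg genkey`, `wg pubkey` and `wg genpsk` tools produce them; the value of the block above is that it shows what the fields contain and lets you check that the public key you paste into a peer entry in step 4 really belongs to the private key in the client's configuration file.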

4. Adding a WireGuard remote endpoint

+------------------+---------------+------------------------------+
| SETTING          | CONFIGURATION | NOTE                         |
+------------------+---------------+------------------------------+
| Enabled          | checked       |                              |
| Name             | myMac         | Name of remote VPN peer      |
| Public Key       | <Public2>     | Paste from wireguard.keys    |
| Shared Secret    | <Secret>      | Paste from wireguard.keys    |
| Allowed IPs      | 10.10.10.0/24 | IP range of allowed peer IPs |
| Endpoint Address | Leave blank   |                              |
| Endpoint Port    | Leave blank   |                              |
| Keepalive        | Leave blank   |                              |
+------------------+---------------+------------------------------+

5. Adding a WireGuard interface

6. Firewall rules for WireGuard

Port forward rule:

+--------------------+-----------------------------------+
| SETTING            | CONFIGURATION                     |
+--------------------+-----------------------------------+
| Disabled           | unchecked                         |
| Interface          | WAN                               |
| TCP/IP version     | IPv4                              |
| Protocol           | UDP                               |
| Destination        | WAN address                       |
| Dest port range    | from: other-51820 to: other-51820 |
| Redirect target IP | Single host - 10.10.10.1          |
+--------------------+-----------------------------------+

Outbound NAT rule:

+--------------------+-----------------------------------+
| SETTING            | CONFIGURATION                     |
+--------------------+-----------------------------------+
| Disabled           | unchecked                         |
| Do not NAT         | unchecked                         |
| Interface          | WAN                               |
| TCP/IP version     | IPv4                              |
| Protocol           | UDP                               |
| Source address     | WireGuard net                     |
+--------------------+-----------------------------------+

Rule on the WireGuard interface:

+--------------------+-----------------------------------+
| SETTING            | CONFIGURATION                     |
+--------------------+-----------------------------------+
| Action             | Pass                              |
| Disabled           | unchecked                         |
| Quick              | checked                           |
| Interface          | WireGuard                         |
| Direction          | in                                |
| TCP/IP version     | IPv4                              |
| Protocol           | any                               |
| Source             | WireGuard net                     |
+--------------------+-----------------------------------+

7. Making Unbound listen on the WireGuard interface

8. Creating a configuration file for the WireGuard client

[Interface]
PrivateKey = <Private2 - from wireguard.keys>
Address = <10.10.10.2/32 - or any other IP within allowed range>
DNS = <10.10.10.1 - or any local/public DNS server>

[Peer]
PublicKey = <Public1 - from wireguard.keys>
PresharedKey = <Secret - from wireguard.keys>
AllowedIPs = 0.0.0.0/0
Endpoint = <OPNSense public IP>:51820
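Once the keys and addresses from steps 2 to 4 are copied into this file, a few mismatches are easy to make and hard to spot from a handshake that silently never completes: a client Address outside 10.10.10.0/24 or equal to the OPNsense tunnel IP, an AllowedIPs that does not cover the tunnel network, an Endpoint port that differs from the Listen Port, or a DNS server that AllowedIPs does not route through the tunnel. The following added example (mine, not from the article) parses a client file in the format above and reports those problems against the values chosen in this guide. The sample config, its keys and the endpoint 203.0.113.10 are constructed placeholders, not real key material or a real address.

```python
# Added example, not from the original article: sanity-check a WireGuard
# client config against the OPNsense values used in this guide
# (tunnel 10.10.10.1/24, Listen Port 51820). Standard library only.
import base64
import configparser
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.10.10.0/24")
SERVER_TUNNEL_IP = ipaddress.ip_address("10.10.10.1")
LISTEN_PORT = 51820

# Constructed placeholder key (32 bytes, base64): NOT a real key.
PLACEHOLDER_KEY = base64.b64encode(bytes(range(32))).decode()

# Constructed sample in the same shape as the client file above.
SAMPLE_CONFIG = f"""
[Interface]
PrivateKey = {PLACEHOLDER_KEY}
Address = 10.10.10.2/32
DNS = 10.10.10.1

[Peer]
PublicKey = {PLACEHOLDER_KEY}
PresharedKey = {PLACEHOLDER_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def _is_wg_key(value: str) -> bool:
    """A WireGuard key is exactly 32 bytes of base64 (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def check_client_config(text: str) -> dict:
    """Parse a single-peer client config; return routing mode and problems found."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str        # keep WireGuard's CamelCase key names
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    problems = []

    # 1. Every key field must decode to 32 bytes.
    for section, field in (("Interface", "PrivateKey"),
                           ("Peer", "PublicKey"), ("Peer", "PresharedKey")):
        if not _is_wg_key(cp[section].get(field, "")):
            problems.append(f"{section}.{field} is not a 32-byte base64 key")

    # 2. The client's tunnel address must lie in 10.10.10.0/24 and not reuse 10.10.10.1.
    addr = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
    if addr.ip not in TUNNEL_NET:
        problems.append(f"Address {addr.ip} is outside the tunnel network {TUNNEL_NET}")
    elif addr.ip == SERVER_TUNNEL_IP:
        problems.append(f"Address {addr.ip} collides with the OPNsense tunnel address")

    # 3. AllowedIPs is what the client routes into the tunnel; it must at least
    #    cover the tunnel network, or replies from 10.10.10.1 never use the tunnel.
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    allowed4 = [n for n in allowed if n.version == 4]
    full_tunnel = any(n.prefixlen == 0 for n in allowed4)
    if not any(TUNNEL_NET.subnet_of(n) for n in allowed4):
        problems.append(f"AllowedIPs does not cover the tunnel network {TUNNEL_NET}")

    # 4. A DNS server that AllowedIPs does not route is queried outside the tunnel.
    for entry in iface.get("DNS", "").split(","):
        try:
            dns_ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue            # DNS= may also carry search domains; skip those
        if dns_ip.version == 4 and not any(dns_ip in n for n in allowed4):
            problems.append(f"DNS server {dns_ip} is not inside AllowedIPs, "
                            "so DNS queries bypass the tunnel")

    # 5. The Endpoint port has to be the Listen Port configured in step 2.
    _, _, port = peer.get("Endpoint", "").rpartition(":")
    if not port.isdigit() or int(port) != LISTEN_PORT:
        problems.append(f"Endpoint port {port!r} does not match Listen Port {LISTEN_PORT}")

    return {"full_tunnel": full_tunnel, "problems": problems}


if __name__ == "__main__":
    result = check_client_config(SAMPLE_CONFIG)
    print("full tunnel:", result["full_tunnel"])
    for p in result["problems"] or ["no problems found"]:
        print("-", p)
```

The checks mirror the choices made earlier in the guide: AllowedIPs = 0.0.0.0/0 makes the client a full-tunnel client, and with DNS = 10.10.10.1 its lookups go to Unbound on the OPNsense side of the tunnel (step 7), which is why the DNS check looks at whether the resolver address is routed through the tunnel at all.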

9. Configuring the WireGuard client on Mac/Windows/Android
