How to Set Up WireGuard in OPNsense

In this tutorial, we’re going to look at how to set up WireGuard in OPNsense.

WireGuard is a fairly new VPN protocol that is fast, simple, and lean when compared to something like OpenVPN. OpenVPN has the benefit of longevity, but WireGuard is the newer and faster protocol that many people are interested in using. I’ve been using WireGuard for a few years now (on various devices) and have been very happy with how it performs.

I also want to point out that if you’re running OPNsense, it makes sense to run WireGuard there. There are plenty of devices where you can run it, but generally, I find it best to run on a router.

How to Set Up WireGuard in OPNsense

We will take a look at how to set up WireGuard in OPNsense below.

Setup Process: How to Set Up WireGuard in OPNsense

1. Select System, then Firmware, and finally, Plugins.

displaying the system tab in opnsense.

2. Search for WireGuard, then install the os-wireguard plugin by selecting the + icon.

how to set up wireguard in opnsense - installing the wireguard plugin in opnsense.

3. After the WireGuard package finishes installing, refresh your web browser, select VPN, then WireGuard.

selecting the wireguard item in opnsense.

4. Select Local, then select the + icon to create a new local tunnel.

selecting the local tab in wireguard.

5. Enter the name as WireGuard VPN, set the Listen Port as 51820 (UDP), then enter a tunnel address. This can be whatever you want it to be, but make sure you set it as something that’s not currently in use, then save.

addinga  tunnel address and port for wireguard.

6. Now that the local tunnel has been created, edit it and you will see that the public key and private key will be populated. Copy the public key as we will need it for our client configuration.

adding a private and public key in wireguard.

7. For this last step, we will enable WireGuard by selecting General, checking off Enable WireGuard, then selecting Apply.

enabling the wireguard package in opnsense.

WireGuard Interface & Firewall: How to Set Up WireGuard in OPNsense

Now that the WireGuard tunnel has been configured, we need to shift our focus to the interface and firewall.

1. Select Interfaces, then Assignments.

selecting the assignments tab in opnsense

2. Select + next to the wg1 interface to add the new interface.

adding the wg1 interface in opnsense.

3. Select the interface name (in the example below, OPT1).

editing the OPT1 interface name.

4. Select the checkmark next to Enable and Lock to enable the interface and ensure it isn’t removed. Modify the description if you’d like. You can then save this interface, then apply the changes.

enabling the WG interface and giving it a name.

5. After the interface has been enabled, we’re going to create our WAN and WG firewall rule. Select Firewall, then Rules, and finally, WAN. Select the + symbol to create a new firewall rule.

creating the WAN and WG firewall rules.

6. Everything can stay as default other than these settings.

Protocol: UDP

setting the protocol as udp.

Destination: WAN Address

setting the destination as WAN address.

Destination Port Range: Other (51820)

changing the port range to 51820.

Description: WireGuard VPN

setting the description.

7. We have to create one more firewall rule which will allow traffic on the WG interface that we created above. Select WG under Rules (you may have named it something different), then the + icon to create a new rule.

adding the WG interface rules.

8. Set the description as Allow All – WG, and everything can stay as default (we are allowing all traffic to everything).

NOTE: If you do want to limit traffic, you can modify this firewall rule in any way that you’d like.

creating a pass rule for the WG interface.
creating a pass rule for the WG interface.

After making the changes above, you can save and apply the changes. The WireGuard server has been configured and all settings have been properly adjusted. At this point, you can move on to the peer configuration.

WireGuard Peer Configuration

The WireGuard peer configuration is the final step that we need to perform before our VPN server will be accessible. Peers are devices that you will be connecting from, meaning that you should create one for each device or user.

We will take a look at how to create one below, but you might have to follow this step multiple times. In my opinion, it’s easiest to set this up using a WireGuard application (to generate the keys), so I’ll be using the Windows version of WireGuard below, but all of the applications should be very similar.

1. After creating a new tunnel on the Windows WireGuard application, you’ll see that a Public and Private Key were automatically created. We will need to fill out all of the options below, but we will first focus on the public and private keys. Copy the Public Key, then head back to OPNsense.

creating a new tunnel in windows 10.

2. Select Endpoints, then select the + symbol to create a new endpoint.

creating a new endpoint in wireguard.

3. Enter the information below:

  • Name: Name for peer.
  • Public Key: Public Key from the Peer (our Windows Public Key above)
  • Allowed IPs: Individual IP address this peer will use on the subnet we defined above. This will be the IP address that will be assigned to this peer.

After editing all of the settings, you can save the endpoint.

adding the settings for the new endpoint.

4. After the configuration has been saved, edit the local configuration and add the peer we just created. Also, copy the Public Key as we will need it at the next step. When you’re done, save.

saving all the settings in wireguard.

5. Switch back to the peer to finish configuring the rest.

Interface Settings

  • Address: This is the address we defined in the OPNsense endpoint, but with /24 instead of /32.
  • DNS: The DNS server(s) you’d like to use (I am using Google in this example).

Peer Settings

  • PublicKey: The public key of our WireGuard Tunnel (Local > Public Key).
  • AllowedIPs: The IP Addresses you want to access on this tunnel (0.0.0.0/0 for full tunnel). Please refer to the split-tunnel vs. full-tunnel information below to modify the AllowedIPs if desired.
  • Endpoint: Your external IP address or DDNS hostname and port 51820.
modifying the windows 10 tunnel.

If you save this new tunnel and connect to the VPN using an external network (cell phone is perfect), you should be able to connect and access your local network! Please refer to the next step to understand the difference between a full tunnel and split tunnel VPN in the AllowedIPs section (as you might want to set up both) .

Full Tunnel & Split Tunnel VPNs – How to Set Up WireGuard in OPNsense

The example above is for a split tunnel VPN, meaning that only traffic for the 192.168.100.0/24 subnet will be routed over the VPN tunnel. You can add multiple subnets here, or you can use 0.0.0.0/0 for a full tunnel VPN.

  • Split-Tunnel VPN: Traffic is only sent through your network if it is attempting to access an internal resource (192.168.100.0/24 in my example). Your IP address when navigating to a site outside of your network will be the IP address of the network that you are currently on.
  • Full-Tunnel VPN: All traffic is sent through your VPN tunnel. Your IP address for internal and external requests will be the network that WireGuard is set up on. I created a very basic image below that explains this.

It’s important to understand that both VPN types will allow you to access your local network. This only shows how traffic is routed differently to external networks.

NOTE: This is not the exact network flow. I am simplifying the process as much as I can.

showing how a split-tunnel vpn routes only local traffic to the network while a full tunnel routes everything.

Conclusion – How to Set Up WireGuard in OPNsense

This tutorial looked at how to set up WireGuard in OPNsense. As someone who uses WireGuard in pfSense, it was significantly easier to set it up in OPNsense. Overall, the process is extremely straightforward and the settings all make sense. I am a huge fan of WireGuard and this is one of the easiest devices that you can set it up on.

Thanks for checking out the tutorial on how to set up WireGuard in OPNsense. If you have any questions on how to set up WireGuard in OPNsense, please leave them in the comments!