OPNsense WireGuard VPN for Road Warrior configuration

From Thomas-Krenn-Wiki
Jump to navigation Jump to search

The Open Source Firewall OPNsense supports several technologies for setting up VPN (Virtual Private Network) connections. In addition to IPsec and OpenVPN, OPNsense version 19.7 offers the possibility to set up a VPN with WireGuard. In this article we show the configuration of the WireGuard VPN service on an OPNsense firewall, so that a roadwarrior user can access the internal (company) network behind the OPNsense firewall.

Note: This manual was created with an older version of OPNsense, it may be that some menus and settings are now done differently.

Prepare OPNsense for Wireguard VPN

The following steps are described in this section for setting up the VPN:

  1. Installing the WireGuard Plugin
  2. Configuration of WireGuard to OPNsense
  3. Firewall rules WAN connection
  4. Firewall rules WireGuard connection

Installation of the WireGuard Plugin

The installation of the WireGuard plugin is done conveniently via the integrated plugin management.

  • Click on System -> Firmware -> Plugins.

    Click on System -> Firmware -> Plugins.

  • In the row os-wireguard, click on the + symbol.

    In the row os-wireguard, click on the + symbol.

  • The installation is started.

    The installation is started.

  • The installation was successful.

    The installation was successful.

  • The plugin is now installed, the entry is os-wireguard (installed).

    The plugin is now installed, the entry is os-wireguard (installed).

Configuration of WireGuard to OPNsense

The following screenshots show the configuration of WireGuard:

  • Click on VPN -> WireGuard.

    Click on VPN -> WireGuard.

  • Click on the tab Local.

    Click on the tab Local.

  • This is the configuration for the OPNsense endpoint. Click on the + symbol.

    This is the configuration for the OPNsense endpoint. Click on the + symbol.

  • Enter a name, optionally a port (alternatively created randomly) and the tunnel address of the OPNsense endpoint. Then click on Save.

    Enter a name, optionally a port (alternatively created randomly) and the tunnel address of the OPNsense endpoint. Then click on Save.

  • The endpoint was created and Private Key and Public Key was created. Now click on the pen symbol.

    The endpoint was created and Private Key and Public Key was created. Now click on the pen symbol.

  • Private Key and Public Key are now displayed here. Click on Cancel.

    Private Key and Public Key are now displayed here. Click on Cancel.

Firewall rule for WAN

The following screenshots show the configuration of a firewall rule that allows access to the WireGuard VPN service on the OPNsense firewall:

  • Click on Firewall -> Rules -> WAN and then on the orange button + ADD in the upper right corner.

    Click on Firewall -> Rules -> WAN and then on the orange button + ADD in the upper right corner.

  • Select Protocol UDP' and enter the Destination Port Range in the fields from: and to:. Scroll down.

    Select Protocol UDP' and enter the Destination Port Range in the fields from: and to:. Scroll down.

  • Enter a name for the rule in the Description field and click on Save.

    Enter a name for the rule in the Description field and click on Save.

  • Click on "Apply".

    Click on "Apply".

  • The new firewall rule is configured and active.

    The new firewall rule is configured and active.

Firewall rule for WireGuard

The following new rule allows the connected VPN peer ("client") complete access to the networks of OPNsense:

  • Click on Firewall -> Rules -> WireGuard and then on the orange button + ADD.

    Click on Firewall -> Rules -> WireGuard and then on the orange button + ADD.

  • Select 'Single host or Network as source and enter the IP range of the WireGuard VPN network and its subnet mask below. Scroll down.

    Select 'Single host or Network as source and enter the IP range of the WireGuard VPN network and its subnet mask below. Scroll down.

  • Enter a name for the rule in the Description field and click on Save.

    Enter a name for the rule in the Description field and click on Save.

  • Click on "Apply". The firewall rules will now be reloaded.

    Click on "Apply". The firewall rules will now be reloaded.

  • The new firewall rule is configured and active.

    The new firewall rule is configured and active.

Configure endpoint ("client")

The following screenshots show an example of the configuration of an endpoint that is allowed to connect to the OPNsense system via WireGuard. The configuration of the remote terminal (in this example a Ubuntu system) can be found in the article Ubuntu 18.04 as WireGuard VPN client configuration.

  • Click on VPN -> WireGuard, then on Endpoints and then on the + icon.

    Click on VPN -> WireGuard, then on Endpoints and then on the + icon.

  • Enter the name of the endpoint and copy the public key generated during configuration on the client system. Assign an IP address from the WireGuard IP range to the client. Using the suffix /32, the client will always be assigned exactly this IP address. Then click on Save.

    Enter the name of the endpoint and copy the public key generated during configuration on the client system. Assign an IP address from the WireGuard IP range to the client. Using the suffix /32, the client will always be assigned exactly this IP address. Then click on Save.

  • Change to the tab Local and click on the button to edit the entry.

    Change to the tab Local and click on the button to edit the entry.

  • In the drop-down menu Peers you can now select the configured endpoint. Of course, you can also select multiple client configurations (if available).

    In the drop-down menu Peers you can now select the configured endpoint. Of course, you can also select multiple client configurations (if available).

  • Click on Save.

    Click on Save.

  • Click on Save again.

    Click on Save again.

  • In the General tab, check whether the check mark at Enable WireGuard is set and then click on Save.

    In the General tab, check whether the check mark at Enable WireGuard is set and then click on Save.

  • In the dashboard view (Lobby -> Dashboard) there is now an entry WireGuard-go.

    In the dashboard view (Lobby -> Dashboard) there is now an entry WireGuard-go.

Test connection

Start the Connect from client device.

You can then also check the status of a connection on the OPNsense firewall:

  • Go to the menu VPN -> WireGuard and then to the tab List Configuration. Here you can see the connection data of a successful client connection as well as an entry latest handshake.

    Go to the menu VPN -> WireGuard and then to the tab List Configuration. Here you can see the connection data of a successful client connection as well as an entry latest handshake.

  • The Handshakes tab shows the handshakes that have been performed.

    The Handshakes tab shows the handshakes that have been performed.


Foto Thomas Niedermeier.jpg

Author: Thomas Niedermeier

Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Related articles

OPNsense LTE connection
Show article
OPNsense OpenVPN performance tests and results
Show article
OPNsense WireGuard VPN Site-to-Site configuration
Show article