The Open Source Firewall OPNsense supports several technologies for setting up VPN (Virtual Private Network) connections.
In addition to IPsec and OpenVPN, OPNsense version 19.7 offers the possibility to set up a VPN with WireGuard. In this article we show the configuration of the WireGuard VPN service on an OPNsense firewall, so that a roadwarrior user can access the internal (company) network behind the OPNsense firewall.
Note: This manual was created with an older version of OPNsense, it may be that some menus and settings are now done differently.
Prepare OPNsense for Wireguard VPN
The following steps are described in this section for setting up the VPN:
- Installing the WireGuard Plugin
- Configuration of WireGuard on OPNsense
- Firewall rules WAN connection
- Firewall rules WireGuard connection
Installation of the WireGuard Plugin
The installation of the WireGuard plugin is done conveniently via the integrated plugin management.
Click on System -> Firmware -> Plugins.
In the row os-wireguard, click on the + symbol.
The installation is started.
The installation was successful.
The plugin is now installed, the entry is os-wireguard (installed).
Configuration of WireGuard on OPNsense
The following screenshots show the configuration of WireGuard:
Click on VPN -> WireGuard.
This is the configuration for the OPNsense endpoint. Click on the + symbol.
Enter a name, optionally a port (otherwise a random port is generated) and the tunnel address of the OPNsense endpoint. Then click on Save.
The endpoint was created and the Private Key and Public Key were generated. Now click on the pen symbol.
Private Key and Public Key are now displayed here. Click on Cancel.
Firewall rule for WAN
The following screenshots show the configuration of a firewall rule that allows access to the WireGuard VPN service on the OPNsense firewall:
Click on Firewall -> Rules -> WAN and then on the orange button + ADD in the upper right corner.
Select Protocol UDP and enter the Destination Port Range in the fields from: and to:. Scroll down.
Enter a name for the rule in the Description field and click on Save.
The new firewall rule is configured and active.
Firewall rule for WireGuard
The following new rule allows the connected VPN peer ("client") complete access to the networks of OPNsense:
Click on Firewall -> Rules -> WireGuard and then on the orange button + ADD.
Select "Single host or Network" as source and enter the IP range of the WireGuard VPN network and its subnet mask below. Scroll down.
Enter a name for the rule in the Description field and click on Save.
Click on "Apply". The firewall rules will now be reloaded.
The new firewall rule is configured and active.
Configure endpoint ("client")
The following screenshots show an example of the configuration of an endpoint that is allowed to connect to the OPNsense system via WireGuard. The configuration of the remote endpoint (in this example an Ubuntu system) can be found in the article Ubuntu 18.04 as WireGuard VPN client configuration.
Click on VPN -> WireGuard, then on Endpoints and then on the + icon.
Enter the name of the endpoint and copy the public key generated during configuration on the client system. Assign an IP address from the WireGuard IP range to the client. Using the suffix /32, the client will always be assigned exactly this IP address. Then click on Save.
Change to the tab Local and click on the button to edit the entry.
In the drop-down menu Peers you can now select the configured endpoint. Of course, you can also select multiple client configurations (if available).
In the General tab, check whether the check mark at Enable WireGuard is set and then click on Save.
In the dashboard view (Lobby -> Dashboard) there is now an entry WireGuard-go.
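The settings entered above (tunnel address, listen port, WAN rule port, peer public key and the /32 peer address) only work if both sides agree on them. The following script is an added example, not part of this article or of OPNsense; it checks an OPNsense "Local" entry against an endpoint ("client") entry for the mismatches that most often break a first connection. All addresses, ports and keys in it are constructed sample values.

```python
"""Consistency check for the OPNsense WireGuard 'Local' entry and one endpoint.
Added example with constructed sample values; not code from the article."""
import base64
import ipaddress

# Constructed placeholder keys (32 bytes, base64) standing in for real ones.
SERVER_PUBLIC_KEY = base64.b64encode(bytes([1]) * 32).decode()
CLIENT_PUBLIC_KEY = base64.b64encode(bytes([2]) * 32).decode()

# Values as entered in VPN -> WireGuard -> Local and Firewall -> Rules -> WAN.
SERVER = {
    "tunnel_address": "10.10.10.1/24",   # Tunnel Address of the OPNsense endpoint
    "listen_port": 51820,                # Listen Port
    "wan_rule_port": 51820,              # Destination Port Range of the WAN rule
    "public_key": SERVER_PUBLIC_KEY,
    "peer_allowed_ips": "10.10.10.2/32", # Allowed IPs entered for the endpoint
}
# Values the client side uses (Endpoints tab and the client's own config).
CLIENT = {
    "address": "10.10.10.2/32",          # IP assigned to the client with /32
    "endpoint_port": 51820,              # port the client dials on the OPNsense WAN
    "public_key": CLIENT_PUBLIC_KEY,     # key copied from the client system
}

def valid_key(key: str) -> bool:
    """A WireGuard public key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def check_pair(server: dict, client: dict) -> list:
    """Return the mismatches between the two entries; empty means consistent."""
    problems = []
    tunnel = ipaddress.ip_network(server["tunnel_address"], strict=False)
    client_ip = ipaddress.ip_interface(client["address"])
    if client_ip.network.prefixlen != 32:
        problems.append("client address must use the /32 suffix")
    if client_ip.ip not in tunnel:
        problems.append("client address is outside the WireGuard tunnel network")
    if server["peer_allowed_ips"] != str(client_ip):
        problems.append("server Allowed IPs for the peer must equal the client's /32")
    if client["endpoint_port"] != server["listen_port"]:
        problems.append("client endpoint port differs from the OPNsense listen port")
    if server["wan_rule_port"] != server["listen_port"]:
        problems.append("WAN firewall rule port does not match the listen port")
    for side, key in (("server", server["public_key"]), ("client", client["public_key"])):
        if not valid_key(key):
            problems.append(f"{side} public key is not a 32-byte base64 value")
    return problems

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT) or "OPNsense and client entries are consistent")
```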
Test connection
Start the connection from the client device.
You can then also check the status of a connection on the OPNsense firewall:
Go to the menu VPN -> WireGuard and then to the tab List Configuration. Here you can see the connection data of a successful client connection as well as a latest handshake entry.
The Handshakes tab shows the handshakes that have been performed.
Author: Thomas Niedermeier
Thomas Niedermeier, working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.