
OPNSense WireGuard VPN Server Setup

Author: Yaroslav Koisa

Created on 23 November 2020

Last edit committed on 5 July 2023


1. Install the WireGuard package

System -> Firmware -> Plugins -> os-wireguard

2. Enable the service

VPN -> WireGuard -> tick "Enable WireGuard", then hit Save to apply the change.

3. Add new server configuration

VPN -> WireGuard -> Local -> Add. Give the instance a name, set the Listen Port (51820 is the WireGuard default and is what the firewall rule in step 6 assumes) and a Tunnel Address for the server side of the tunnel (for example 10.10.10.1/24; the clients get other addresses from the same network). Leave the key fields empty: the plugin generates the server key pair when you hit Save, and the private key never needs to leave the firewall.

4. Add new endpoint

VPN -> WireGuard -> Endpoints -> Add. One endpoint is one client (peer). Give it a name and set its Allowed IPs to the tunnel address you assign to that client, as a /32 (for example 10.10.10.2/32). The Public key field is filled in once the client has generated its key pair (step 5.1).

NOTE! On the server side, Allowed IPs is not just a route: WireGuard drops any packet arriving from a peer whose source address is not inside that peer's Allowed IPs, and it sends traffic for those addresses to that peer. Never put 0.0.0.0/0 on an endpoint on the OPNsense side, otherwise that single client can both spoof any source address and attract the firewall's outbound traffic.

5. Configure your endpoint

I will demonstrate the process of adding a new peer on my Android phone. Please follow the instructions below. After pressing "Add Peer", feel free to minimise the app on your phone in order to receive and copy the server public key. That process is described in the next step.


5.1. Exchange public keys between the client and the server

VPN -> WireGuard -> Local -> Edit. Copy the server's public key (only the public key; the private key stays on the firewall) and send it to your client. On the phone, fill in the server's public address or hostname, the listen port, and specify 0.0.0.0/0 as "Allowed IPs" for a full-tunnel setup. On the OPNSense side, choose your client (peer), or multiple peers if there is a need, in the Peers list of the Local configuration and click "Save"; on the client side tap the "Save" icon.

NOTE! The client's Allowed IPs list is what the WireGuard app turns into routes, so for a split-tunnel setup specify only the internal CIDRs that should go through the VPN, separated by commas (for example 10.10.10.0/24, 192.168.10.0/24). Each entry must be a valid network, not a host address with a prefix (192.168.10.5/24 is rejected by the app).

After saving the config on your phone, go back to the list of tunnels, tap on the tunnel name (not the switch!), then tap once in the public key area to copy the key to the clipboard and send it over to the computer.

On the OPNSense go to VPN -> WireGuard -> Endpoints -> Edit. Paste the public key from your phone into the "Public key" text area and hit "Save". Double-check that the pasted key is 44 characters of base64 ending in "=": a key with a missing character will save fine but the handshake in step 7 will never complete.

6. Add a firewall rule on the WAN side to allow the WireGuard traffic in

Firewall -> Rules -> Floating -> Add

Action: Pass, Interface: WAN, Direction: Any, Protocol: UDP, Source: Any, Destination: This Firewall, Destination port range: 51820, Description: Allow WireGuard.
Enable logging if you want to. The port must match the Listen Port you set in step 3. Direction "In" is enough for this rule (the firewall never initiates WireGuard traffic towards the WAN), and leaving only UDP open means a scan of the port gets no response at all: WireGuard stays silent to anything that is not a valid handshake for one of the configured public keys, so no other service needs to be exposed.

7. Test the connectivity

Open up the WireGuard app and activate the connection. You should see the counters under "Transfer" increasing.

The latest handshake must not be 0 (never): check this by going to VPN -> WireGuard -> Handshakes. A tunnel with traffic sent but no handshake almost always means a wrong public key on one side, a wrong endpoint address or port, or the firewall rule from step 6 not being applied.

Go to Firewall -> Log Files -> Live View (or the Floating rules page if you enabled logging on the rule) and check that the UDP traffic is coming in on port 51820.

8. Final steps

8.1. Add new WG0 network interface

Interfaces -> Assignments -> select wg0 [or whichever number you may have in there] from the drop-down -> click the plus button

8.2. Edit newly created interface

Interfaces -> Assignments -> OPT1 [or any number you may have in there]

Enable the interface, prevent interface from removal, give it a description and hit “Save”.

8.3. Add a firewall rule to allow traffic out from our WG0 network

Firewall -> Rules -> WG0 -> Add new rule.

Action: Pass, Interface: WG0, Direction: In, Protocol: Any, Source: Any, Destination: Any, Description: Allow WireGuard OUT.
Enable logging if you want to. This rule lets every connected peer reach everything behind and beyond the firewall. Once the tunnel works, tighten it: set Source to the WG0 network (the tunnel address range from step 3) and, for a split-tunnel setup, restrict Destination to the internal networks you listed in Allowed IPs.

Save and Apply changes. Everything should be working now.

8.4. Go to "ifconfig.me" or "dnsleaktest.com" to confirm that everything works as expected: with a full-tunnel setup, the reported address should be your OPNSense WAN address and the DNS servers should be the ones you configured in the tunnel, not the mobile carrier's.
