Implementing WireGuard with OPNsense: A Practical Guide


WireGuard is a modern VPN protocol known for its small code base, high performance and sound cryptographic design (a Noise-based handshake over Curve25519 with ChaCha20-Poly1305 for the data channel). Integrating WireGuard with OPNsense, a robust open-source firewall and routing platform, gives a compact way to relay traffic securely between networks. This article demonstrates how to set up WireGuard on OPNsense using a practical example: two on-premises devices, Host1 and Host2, each on a different network, with OPNsense acting as the WireGuard relay between them.

Scenario Overview

  • Host1: 192.168.10.2/24 (Network A)
  • Host2: 192.168.20.2/24 (Network B)
  • OPNsense: terminates the WireGuard tunnel and routes traffic between the hosts.
  • WireGuard tunnel network: 10.0.0.0/24 (OPNsense wg0 10.0.0.1, Host1 10.0.0.2, Host2 10.0.0.3). The tunnel addresses are deliberately separate from the hosts' LAN addresses; giving a host's wg0 the same address as its LAN interface breaks routing on that host.
  • WireGuard port: 443/UDP. WireGuard's default is 51820/UDP; 443 is used here because outbound UDP 443 is usually permitted where other ports are filtered. Make sure UDP (not just TCP) is allowed on 443 on every firewall in the path, including OPNsense's own WAN rules.

Below is a text representation of the network setup for implementing WireGuard with OPNsense.

+--------------------+                +--------------------+                +--------------------+
|       Host1        |                |      OPNsense      |                |       Host2        |
|  192.168.10.2/24   | <-(Network A)->|  Firewall / WG     |<-(Network B)-> |  192.168.20.2/24   |
|  wg0: 10.0.0.2     |                |  wg0: 10.0.0.1/24  |                |  wg0: 10.0.0.3     |
+--------------------+                +--------------------+                +--------------------+
  • Host1 and Host2 sit on separate networks, each attached to OPNsense.
  • OPNsense holds the WireGuard instance (listening on 443/UDP) and relays traffic between the two peers; each host only ever talks to OPNsense, never directly to the other host.

This setup ensures secure and efficient communication between the two hosts using WireGuard with OPNsense.

Step 1: Setting Up OPNsense

Before installing and configuring WireGuard on OPNsense, make sure DNS resolution works and the package manager can reach the firmware mirror; otherwise the plugin download fails. Note that from OPNsense 24.1 onwards WireGuard is part of the base system and the VPN > WireGuard menu is available without installing a plugin, so item 3 below is only needed on older releases.

  1. Verify DNS Resolution:
    • Go to System > Settings > General.
    • Ensure that DNS servers are configured. Public resolvers are fine for this purpose, for example:
      • Google DNS: 8.8.8.8, 8.8.4.4
      • Cloudflare DNS: 1.1.1.1, 1.0.0.1
    • Click Save. Confirm resolution works from Interfaces > Diagnostics > DNS Lookup (or drill pkg.opnsense.org from the shell).
  2. Check Package Manager Settings:
    • Navigate to System > Firmware > Settings.
    • Ensure that the Firmware Mirror is one of the official mirrors (the default pkg.opnsense.org, or a listed mirror closer to you). Do not point it at an unofficial source; the mirror is part of your supply chain.
  3. Install the WireGuard Plugin (releases before 24.1 only):
    • Navigate to System > Firmware > Plugins.
    • Search for os-wireguard and click + to install it.
  4. Enable WireGuard:
    • Go to VPN > WireGuard > General (labelled Settings on newer releases).
    • Check the Enable WireGuard option and save.

Step 2: Configure WireGuard Interfaces

  1. Create WireGuard Instance:
    • Navigate to VPN > WireGuard > Local (called Instances on newer releases).
    • Click + Add to create a new WireGuard instance.
    • Fill in the necessary details:
      • Name: WG_Instance
      • Listen Port: 443
      • Private Key / Public Key: use the generate button. The private key stays on OPNsense; copy the public key, the hosts need it in their [Peer] section.
      • Tunnel Address: 10.0.0.1/24 (the relay's own address on the tunnel network).
    • Save the configuration.
  2. Add Peers (Host1 and Host2):
    • Open the Peers tab (Endpoints on older plugin releases).
    • Add a new peer for Host1:
      • Public Key: (Host1's public key, generated on Host1 in Step 4)
      • Allowed IPs: 10.0.0.2/32 (Host1's tunnel address; it must equal the Address in Host1's wg0.conf)
      • Endpoint: leave empty. The host initiates the connection, so OPNsense learns Host1's address from the handshake.
    • Add a new peer for Host2:
      • Public Key: (Host2's public key)
      • Allowed IPs: 10.0.0.3/32 (Host2's tunnel address; it must equal the Address in Host2's wg0.conf)
      • Endpoint: leave empty.
    • Make sure both peers are attached to WG_Instance (the peer form has an Instances field on newer releases; older plugin releases select peers from the instance's Peers field), then save.
    • Allowed IPs is WireGuard's cryptokey routing table: it is both the route to that peer and the only source addresses OPNsense will accept from it. Keep it to the single /32 so a compromised Host1 cannot inject packets that claim to come from Host2 or from a LAN address.

Step 3: Configure Firewall Rules

  1. Assign the WireGuard Interface:
    • Go to Interfaces > Assignments.
    • Add the wg0 device (shown as WireGuard - WG_Instance), then open the new interface, enable it and give it the description WG_Instance.
    • Leave the IPv4/IPv6 configuration type as None: the address 10.0.0.1/24 already comes from the instance's Tunnel Address. Assigning the interface is what gives it its own firewall rule tab.
  2. Allow the Handshake in on WAN:
    • Navigate to Firewall > Rules > WAN and add a rule:
      • Action: Pass
      • Protocol: UDP
      • Source: Any
      • Destination: WAN address
      • Destination port: 443
    • Without this rule the packet filter drops the hosts' handshake initiations before WireGuard ever sees them; neither side logs an error, wg show simply never reports a handshake.
  3. Firewall Rules for the WireGuard Interface:
    • Navigate to Firewall > Rules > WG_Instance.
    • Add a rule that passes the tunnel traffic:
      • Action: Pass
      • Interface: WG_Instance
      • Source: 10.0.0.0/24
      • Destination: 10.0.0.0/24, 192.168.10.0/24 and 192.168.20.0/24 (put them in an alias so one rule covers them)
      • Protocol: Any
    • Save and apply changes.
    • A Source: Any / Destination: Any rule also works for a first test, but it lets a compromised peer reach everything OPNsense can reach, including its management interface. Narrow it before the setup goes into production; Allowed IPs already limits the source addresses, and the firewall rule is the second layer.

Step 4: Configure Host1 and Host2

Install WireGuard on Host1 and Host2:

sudo apt install wireguard

Generate Keys (the umask keeps privatekey readable by root only; the same applies to wg0.conf, which contains the key in clear):

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Only publickey is ever shared; it goes into the peer entry on OPNsense.

Configure WireGuard on Host1:

Create a configuration file /etc/wireguard/wg0.conf with mode 600:

[Interface]
# Tunnel address; must equal the Allowed IPs entered for Host1 on OPNsense
Address = 10.0.0.2/32
PrivateKey = (Host1's private key)

[Peer]
PublicKey = (OPNsense WireGuard instance public key)
Endpoint = (OPNsense Public IP):443
# Only the tunnel network and Network B are routed through the tunnel
AllowedIPs = 10.0.0.0/24, 192.168.20.0/24
# Keep the NAT mapping alive so OPNsense can reach Host1 unsolicited
PersistentKeepalive = 25

No DNS = directive is set: for a site-to-site tunnel it would only rewrite the host's resolver configuration, and pointing it at a public resolver sends the host's DNS queries outside the tunnel for no benefit.

Start WireGuard (the systemd unit also brings the tunnel up at boot; sudo wg-quick up wg0 does the same for a one-off test):

sudo systemctl enable --now wg-quick@wg0

Configure WireGuard on Host2:

Create a configuration file /etc/wireguard/wg0.conf with mode 600:

[Interface]
# Tunnel address; must equal the Allowed IPs entered for Host2 on OPNsense
Address = 10.0.0.3/32
PrivateKey = (Host2's private key)

[Peer]
PublicKey = (OPNsense WireGuard instance public key)
Endpoint = (OPNsense Public IP):443
# Only the tunnel network and Network A are routed through the tunnel
AllowedIPs = 10.0.0.0/24, 192.168.10.0/24
PersistentKeepalive = 25

Start WireGuard:

sudo systemctl enable --now wg-quick@wg0
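The two host configurations above differ only in the tunnel address and the remote LAN, and both carry a private key, so the file mode and the AllowedIPs line are worth checking mechanically before the tunnel comes up. The script below is an added example, not code from the original article: it renders a wg-quick file for one host, refuses to install it if it is readable by other users or if AllowedIPs would route all traffic (0.0.0.0/0) into the relay, and then enables the systemd unit. It assumes the tunnel addresses 10.0.0.2/32 (Host1) and 10.0.0.3/32 (Host2), a Debian/Ubuntu host with systemd, and that the relay's public key and endpoint are passed in by the operator; the sample key it contains is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original article: render, sanity-check and
# install a wg-quick config for one host of the scenario above.
# Assumptions not stated on the page: Host1 uses tunnel address 10.0.0.2/32 and
# Host2 10.0.0.3/32; the relay's public key and public IP are supplied by the
# caller; the host runs Debian/Ubuntu with systemd (wg-quick@wg0 unit).
set -eu

# Constructed placeholder with the shape of a WireGuard key (43 base64 chars
# plus '='). It is NOT a usable key; real keys come from `wg genkey`.
SAMPLE_KEY="$(printf '%43s' '' | tr ' ' A)="

# render_wg_conf TUNNEL_ADDR PRIVATE_KEY RELAY_PUBKEY RELAY_ENDPOINT REMOTE_LAN
# Prints a wg-quick file. AllowedIPs is kept narrow on purpose: only the tunnel
# network and the one remote LAN are routed into the tunnel, so a client-VPN
# style 0.0.0.0/0 never sends the host's entire traffic to the relay.
render_wg_conf() {
    printf '%s\n' \
        '[Interface]' \
        "Address = $1" \
        "PrivateKey = $2" \
        '' \
        '[Peer]' \
        "PublicKey = $3" \
        "Endpoint = $4" \
        "AllowedIPs = 10.0.0.0/24, $5" \
        'PersistentKeepalive = 25'
}

# check_wg_conf FILE
# Refuses a file that exposes the private key (group/other readable), routes
# everything through the tunnel, or has a missing/malformed PrivateKey.
check_wg_conf() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
    if grep -Eq '^AllowedIPs *=.*0\.0\.0\.0/0' "$1"; then
        echo "refusing $1: AllowedIPs routes all traffic into the tunnel" >&2
        return 1
    fi
    if ! grep -Eq '^PrivateKey *= *[A-Za-z0-9+/]{43}=$' "$1"; then
        echo "refusing $1: PrivateKey missing or malformed" >&2
        return 1
    fi
}

# gen_keys: create the host key pair under /etc/wireguard, readable by root only.
gen_keys() {
    umask 077
    mkdir -p /etc/wireguard
    wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
    echo "public key to enter on OPNsense: $(cat /etc/wireguard/publickey)"
}

# install_wg_conf TUNNEL_ADDR RELAY_PUBKEY RELAY_ENDPOINT REMOTE_LAN
# Writes /etc/wireguard/wg0.conf with mode 600 (rename after the checks pass),
# then enables the systemd unit so the tunnel survives a reboot.
install_wg_conf() {
    conf=/etc/wireguard/wg0.conf
    umask 077
    render_wg_conf "$1" "$(cat /etc/wireguard/privatekey)" "$2" "$3" "$4" > "$conf.tmp"
    check_wg_conf "$conf.tmp"
    mv "$conf.tmp" "$conf"
    systemctl enable --now wg-quick@wg0
}

# Usage on Host1 (as root; 203.0.113.10 is a documentation address standing in
# for the OPNsense public IP):
#   sh wg-host.sh keys
#   sh wg-host.sh install 10.0.0.2/32 '<OPNsense public key>' 203.0.113.10:443 192.168.20.0/24
case "${1:-}" in
    keys)    gen_keys ;;
    install) shift; install_wg_conf "$@" ;;
esac
```

For Host2 the install call uses 10.0.0.3/32 and 192.168.10.0/24. The 0.0.0.0/0 check exists because the most common way a site-to-site host ends up tunnelling all of its traffic is a pasted template from a road-warrior setup; with the relay's firewall rule narrowed as in Step 3 that traffic would simply be dropped, but it is better to refuse the file up front.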

Step 5: Verify the Setup

Check the Connection on OPNsense:

    • Navigate to VPN > WireGuard > Status.
    • Both peers (Host1 and Host2) should be listed with a recent latest handshake. A peer with no handshake has never completed the key exchange, so there is no point in ping testing until that is fixed.

Ping test from Host1:

ping 192.168.20.2

Ping test from Host2:

ping 192.168.10.2

If the pings succeed, Host1 and Host2 are communicating through the WireGuard tunnel via OPNsense. To be sure the packets really took the tunnel, confirm on Host1 that the route to 192.168.20.2 is via wg0 (ip route get 192.168.20.2) and that the transfer counters shown by wg show grow with each ping.


Troubleshooting VPN Connection Issues

If the VPN is not up, follow these straightforward steps to debug the issue on both OPNsense and the hosts (Host1 and Host2):

On OPNsense:

  • Check WireGuard Status:
    • Navigate to VPN > WireGuard > Status.
    • Ensure the service is running and both peers are listed. A peer without a latest handshake has never completed the key exchange: check its public key, the host's Endpoint and the WAN rule before anything else.
  • Verify Configuration:
    • Go to VPN > WireGuard > Local (Instances on newer releases).
    • Ensure the instance is enabled, listens on port 443, carries the tunnel address 10.0.0.1/24 and has both peers attached. Keys are the usual culprit: each host's [Peer] PublicKey must be the instance's public key, and each peer entry on OPNsense must hold that host's public key, never its private key.
  • Firewall Rules:
    • Navigate to Firewall > Rules > WAN and confirm a pass rule for UDP port 443 to WAN address exists and sits above any block rule.
    • Navigate to Firewall > Rules > [Your WireGuard Interface] and confirm a pass rule covers the tunnel network 10.0.0.0/24 and the two LANs.
    • Firewall > Log Files > Live View, filtered on port 443, shows whether handshake packets are being dropped on WAN.
  • Interface Assignment:
    • Go to Interfaces > Assignments.
    • Ensure the WireGuard device (wg0) is assigned and the interface is enabled.
  • Check Logs:
    • Navigate to VPN > WireGuard > Log File where available, otherwise System > Log Files > General, and look for errors from wireguard or wg-quick.

On Host1 and Host2:

  1. Verify WireGuard Service: check that the unit is active and did not fail while parsing wg0.conf:

sudo systemctl status wg-quick@wg0

  2. Check Configuration File: review /etc/wireguard/wg0.conf for:
    • PrivateKey (this host's own) and PublicKey (the OPNsense instance's, not the host's)
    • Endpoint address and port (443/UDP)
    • Address (this host's tunnel address) and AllowedIPs (the tunnel network plus the remote LAN)
  3. Review WireGuard Interface: look at the handshake and transfer counters:

sudo wg show wg0

    • No latest handshake line means the key exchange never completed: wrong key, wrong endpoint, or UDP 443 blocked somewhere on the path.
    • A handshake but no bytes received means OPNsense accepted the peer but its firewall rule (or Allowed IPs) is dropping the traffic.
  4. Test Connectivity: ping the relay's tunnel address, which works regardless of whether the other host is up:

ping 10.0.0.1

  5. Check Logs: wg-quick runs as a systemd unit, so query its journal directly:

sudo journalctl -u wg-quick@wg0

  6. Verify Routing: the tunnel network and the remote LAN must be routed via wg0, and nothing else should be:

ip route
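The wg show checks above are easy to do by hand for two peers but do not scale to a relay with many of them. The script below is an added example, not code from the original article: it parses the machine-readable output of wg show wg0 dump and reports every peer that has never completed a handshake or whose latest handshake is older than a threshold. It assumes a 180-second threshold, which is safe only because the hosts send a keepalive every 25 seconds and WireGuard rekeys every 120 seconds while traffic flows; without keepalives an idle peer legitimately shows an old handshake. The dump text embedded in the script is constructed sample data with placeholder keys.

```shell
#!/bin/sh
# Added example, not code from the original article: find WireGuard peers that
# have gone quiet, from the machine-readable output of `wg show <iface> dump`.
# Assumed threshold: 180 s (hosts use PersistentKeepalive = 25, WireGuard
# rekeys every 120 s under traffic, so a healthy peer is always younger).
set -eu

# Constructed sample of `wg show wg0 dump` (tab-separated). Line 1 describes the
# interface: private_key public_key listen_port fwmark. Each further line is a
# peer: public_key preshared_key endpoint allowed_ips latest_handshake rx tx keepalive.
# Keys are placeholders, not real keys; Host2 has never completed a handshake.
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' '(none)' 'RELAYPUB=' '443' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'HOST1PUB=' '(none)' '198.51.100.7:41641' '10.0.0.2/32' '1700000000' '12345' '6789' '25' \
        'HOST2PUB=' '(none)' '(none)' '10.0.0.3/32' '0' '0' '0' 'off'
)

# stale_peers DUMP_TEXT NOW_EPOCH MAX_AGE_SECONDS
# Prints "<public_key> <allowed_ips> <reason>" for every peer that has never
# handshaked or whose latest handshake is older than MAX_AGE_SECONDS.
stale_peers() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1 || NF < 8 { next }              # skip the interface line
        $5 == 0           { printf "%s %s never-handshaked\n", $1, $4; next }
        now - $5 > max    { printf "%s %s stale(%ds)\n", $1, $4, now - $5 }
    '
}

# check_iface IFACE: run the check against the live interface (needs root).
# Returns 1 if any peer is stale, so it can drive a cron job or a monitor.
check_iface() {
    out=$(stale_peers "$(wg show "$1" dump)" "$(date +%s)" 180)
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Usage: sh wg-stale.sh wg0   (or call stale_peers on saved dump output)
[ "$#" -eq 0 ] || check_iface "$1"
```

The same script runs unchanged on OPNsense itself (FreeBSD ships sh and awk), which is the more useful place for it: the relay sees every peer, so one check there covers all hosts, and a peer that drops out of the list of handshaked peers is usually the first sign that a host's key, endpoint or firewall changed.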

Additional Tips:

  • Keep Clocks Sane: WireGuard has no key expiry, but every handshake initiation carries a TAI64N timestamp, and a peer rejects any initiation whose timestamp is not newer than the last one it accepted from that key. A host whose clock jumps backwards (a VM restored from a snapshot, a board without a battery-backed RTC) is therefore silently refused until its clock passes the previous value. Run NTP on OPNsense and on both hosts.
  • Check for Network Conflicts: the tunnel network 10.0.0.0/24 must not overlap any LAN on either side, and no two peers may share a tunnel address.
  • Review Firewall Settings on Hosts: the host firewall must allow outbound UDP to the relay on port 443 and traffic on wg0 itself (at least ICMP from 10.0.0.0/24 so the ping tests work).

Conclusion

By following this guide, you have successfully set up a secure WireGuard VPN with OPNsense, allowing two hosts on different networks to communicate securely. This configuration provides a robust, high-performance VPN solution suitable for various applications in on-premise environments.