Hello,
I have had my OPNsense running for a few weeks and I want to install WireGuard to allow connections to my LAN from outside.
Now I'm wondering if it's best to install it directly on OPNsense using the plugin or to install it on a server (Proxmox in my case) behind the firewall? What are the pros and cons of each setup?
thanks :)
It's a standard part of OPNsense, no need to install any plugin. So why even consider a different server?
Good question, but I struggle to even get WireGuard working on OPNsense despite following guides. I have tried for so long; I am technically quite competent but really struggle with OPNsense WireGuard. I've had it working in pfSense, but with OPNsense it's just hit and miss.
Could you help advise where it's going wrong, or push for clearer guides from OPNsense on the configuration, maybe some with videos or screenshots?
https://forum.opnsense.org/index.php?topic=39783.0
OK, although I personally think this is all rather trivial, I will write a walk-through for you.
So you want a road-warrior setup for you from anywhere on the Internet to reach your home LAN. OK.
VPN > WireGuard > Settings > General - enable (obviously)
VPN > WireGuard > Settings > Instances
Add a new instance. Name it e.g. "mobile" or whatever.
Public Key/Private Key - use the cogwheel to generate a pair.
Listen Port: 51820
MTU: 1412 if your uplink uses PPPoE, 1420 if it doesn't
Tunnel Address: 192.168.255.1/24
Save and apply.
Go to VPN > WireGuard > Settings > Peers and add a peer.
Name: your choice
Public Key: the key you generated for your client
Allowed IPs: 192.168.255.2/32 - if that is the tunnel address you configured on your client. I suggest you do so.
Keepalive Interval: I pick 30 but if your OPNsense is behind another NAT gateway you might want to change that to 25
Go back to VPN > WireGuard > Settings > Instances and add the peer to the instance you previously created.
In Firewall > Rules > WAN configure:
In, IPv4, UDP allow, WAN address, Destination Port range: 51820, allow
In Firewall > Rules > WireGuard (group) configure:
In, IPv4, allow everything
That's it on the OPNsense side. You need a dedicated network different from your LAN for the WireGuard network. And then everything "just works".
On the client side - I use the WireGuard client on a Mac:
[Interface]
PrivateKey = ****
Address = 192.168.255.2/24
DNS = 192.168.255.1
MTU = 1280
[Peer]
PublicKey = ****
AllowedIPs = 192.168.255.0/24, plus, comma separated, add your LAN network and all other networks here
Endpoint = public ip address of your OPNsense:51820
HTH, kind regards,
Patrick
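As an added example (not part of Patrick's post or of OPNsense itself), a small Python check that the client config and the OPNsense instance/peer values from the walk-through agree with each other: the tunnel network is separate from the LAN, the client Address sits inside the tunnel network and equals the /32 in the peer's Allowed IPs, and the client's AllowedIPs route both the tunnel network and the LAN. The LAN prefix 192.168.1.0/24 and the endpoint 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Constructed values mirroring the walk-through; the LAN prefix and endpoint are assumed.
SERVER_TUNNEL = "192.168.255.1/24"        # Instance > Tunnel Address
SERVER_PEER_ALLOWED = "192.168.255.2/32"  # Peer > Allowed IPs on OPNsense
LAN_NETWORK = "192.168.1.0/24"            # assumed home LAN behind the firewall
CLIENT_CONF = """[Interface]
PrivateKey = ****
Address = 192.168.255.2/24
[Peer]
PublicKey = ****
AllowedIPs = 192.168.255.0/24, 192.168.1.0/24
Endpoint = 203.0.113.10:51820
"""

def parse_wg_conf(text):
    """Parse the [Interface]/[Peer] INI form into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_road_warrior(conf_text, server_tunnel, server_peer_allowed, lan):
    """Return the list of mismatches between client and OPNsense side (empty = OK)."""
    conf = parse_wg_conf(conf_text)
    tunnel_net = ipaddress.ip_network(server_tunnel, strict=False)
    lan_net = ipaddress.ip_network(lan)
    client = ipaddress.ip_interface(conf["Interface"]["Address"])
    client_allowed = [ipaddress.ip_network(a.strip())
                      for a in conf["Peer"]["AllowedIPs"].split(",")]
    problems = []
    # The WireGuard network must be separate from the LAN it gives access to.
    if tunnel_net.overlaps(lan_net):
        problems.append("tunnel network overlaps LAN")
    # The client address must sit inside the instance's tunnel network...
    if client.ip not in tunnel_net:
        problems.append("client Address outside tunnel network")
    # ...and be exactly the /32 the OPNsense peer entry allows, or its packets are dropped.
    if ipaddress.ip_network(server_peer_allowed) != ipaddress.ip_network(f"{client.ip}/32"):
        problems.append("server peer Allowed IPs does not match client Address")
    # The client must route both the tunnel network and the LAN through the tunnel.
    for needed in (tunnel_net, lan_net):
        if not any(needed.subnet_of(a) for a in client_allowed):
            problems.append(f"client AllowedIPs misses {needed}")
    return problems
```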