OPNsense Forum

English Forums => Virtual private networks => Topic started by: NEOSA on October 29, 2025, 02:25:14 PM

Title: WireGuard Exporter Tool
Post by: NEOSA on October 29, 2025, 02:25:14 PM
Hi all@Community,

I'm quite a newbie with WireGuard + OPNsense, but my first setups are working fine (for the moment, only in Roadwarrior Tunnel Mode). I can reach the endpoint, use all devices allowed from the tunnel to the destination LAN, etc...

My question is about the Peer Generator: I've been able to generate some peers and copy/paste the configuration on the road warrior side to use the VPN.

But OPNsense + WireGuard does not have any export function, like we have with OpenVPN.

I consulted an AI a little to get opinions; the recommended solution is using the API + a shell script. My customers are relatively small companies, and my intention is not to use the API.

For sure, I can copy/paste each generated peer configuration manually into some .conf files (not so time consuming), but an export function would be a nice feature ;-)

Any feedback will be appreciated.
Title: Re: WireGuard Exporter Tool
Post by: Monviech (Cedrik) on October 29, 2025, 09:28:24 PM
I mean, you could use OpenVPN instead; in the Business Edition it's even integrated into a user portal, and you can optionally use LDAP authentication and 2FA.

https://docs.opnsense.org/vendor/deciso/userportal.html

Compared to WireGuard, OpenVPN just fits better for business-oriented road warrior setups.
Title: Re: WireGuard Exporter Tool
Post by: JMini on December 11, 2025, 05:12:46 AM
I don't understand why there isn't an export button for the conf files. If you don't copy/paste during peer creation, you're out of luck.
You can't even build the conf file from the information in the peer details. No access to the private key.
Title: Re: WireGuard Exporter Tool
Post by: Patrick M. Hausen on December 11, 2025, 09:35:59 AM
Quote from: JMini on December 11, 2025, 05:12:46 AM
You can't even build the conf file from the information in the peer details. No access to the private key.

The private key should be created on the peer and never leave the peer. That's why it's called "private". The instance on OPNsense only needs the public key of every peer so that's what is saved in the configuration.

There are no clients and servers in WireGuard. It's all peers.
Title: Re: WireGuard Exporter Tool
Post by: Monviech (Cedrik) on December 11, 2025, 09:39:16 AM
WireGuard - the simple alternative to IPsec and OpenVPN, until it isn't (TM)
Title: Re: WireGuard Exporter Tool
Post by: Patrick M. Hausen on December 11, 2025, 09:50:02 AM
Quote from: Monviech (Cedrik) on December 11, 2025, 09:39:16 AM
WireGuard - the simple alternative to IPsec and OpenVPN

Oh, it absolutely is for gateway to gateway setups. I love it.

Quote from: Monviech (Cedrik) on December 11, 2025, 09:39:16 AM
until it isn't (TM)

It does not scale well for road warrior use. That's why we keep OpenVPN.
Title: Re: WireGuard Exporter Tool
Post by: Monviech (Cedrik) on December 11, 2025, 09:56:54 AM
Yeah, the slab is at the use case. If you just need a tunnel, it's awesome; if you need a road warrior setup for even 10+ users that is also not a security risk when the WG profile is extracted, OpenVPN or IPsec are the way. It's also a management nightmare at anything more than a few users.
Title: Re: WireGuard Exporter Tool
Post by: JMini on December 11, 2025, 07:25:32 PM
It's only a few (6 max) remote users.

The private key appears in the conf file on peer creation. Once you leave that screen, it's found nowhere else. So it's not just on the server (instance).
Title: Re: WireGuard Exporter Tool
Post by: Patrick M. Hausen on December 11, 2025, 07:46:47 PM
You should create the private/public key pair on the "client" and the private key should never leave the client. That's how WireGuard is intended to be set up. I don't understand why OPNsense provides a "peer generator" at all.
Title: Re: WireGuard Exporter Tool
Post by: JMini on December 12, 2025, 03:56:11 PM
Quote from: Patrick M. Hausen on December 11, 2025, 07:46:47 PM
You should create the private/public key pair on the "client" and the private key should never leave the client. That's how WireGuard is intended to be set up. I don't understand why OPNsense provides a "peer generator" at all.

Ohhh. I see.
So the config file could use any private key; just the public keys in the conf file need to match up. Is that right?

Looks like I need to do some reading.
Title: Re: WireGuard Exporter Tool
Post by: Patrick M. Hausen on December 12, 2025, 04:00:21 PM
Quote from: JMini on December 12, 2025, 03:56:11 PM
So the config file could use any private key; just the public keys in the conf file need to match up. Is that right?

Correct.
Title: Re: WireGuard Exporter Tool
Post by: meyergru on December 12, 2025, 04:24:42 PM
That is the whole point here:

1. The best / most secure way to do it is to create a client configuration on the client itself. You need the server IP, port, public key and, optionally, the shared secret for that. Then you would have to import the client's public key into the server and use that as the key (not the other way around). If you do that, the peer generator does not help either way.

2. If you trust OPNsense to create a private key, you can use the peer generator and import the generated secrets - including the private key - into your client. That works best with the QR code, which you can directly scan from the screen if your device supports it. You can also copy & paste the text and transfer it some other way to your client. However, since you probably lack a secure way to do that, it is debatable whether you should. If there were a way to download the config directly, many people would not notice what security problem they are about to create.

3. Lastly, if you want to use the peer generator regardless - do not complain that you cannot export the client configuration after the fact. Actually, it is a sign of security that the client's private key is not stored on the server. Also, if you need to export the peer config later on, you can always delete that peer configuration and create a new config with a new key instead - it will work just as well, and nobody has the old key anyway - this being the very reason why you need that config again.
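The client-side procedure from point 1 above, as an added example that is not part of this post or of OPNsense: the key pair is created on the client, the config is assembled there, and only the public key is handed to the OPNsense peer entry. The X25519 routine is included to show that the public key is derived from the private key (never the reverse); the endpoint, addresses and instance public key in the test are constructed placeholders you would take from your OPNsense instance.

```python
# Added example, not code from OPNsense or this thread: create the WireGuard key pair on
# the client and build the client .conf there, so only the public key reaches OPNsense.
# X25519 per RFC 7748, for illustration only (not constant-time); real clients use `wg genkey`.
import base64
import secrets
P = 2**255 - 19  # Curve25519 field prime
A24 = 121665     # (486662 - 2) / 4, curve constant used by the ladder
BASE_U = 9       # u-coordinate of the X25519 base point

def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping, then little-endian decode."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def _ladder(k: int, u: int) -> int:
    """Montgomery ladder computing k*u on Curve25519 (RFC 7748 section 5)."""
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P  # x2 / z2 via Fermat inverse

def x25519_public(private: bytes) -> bytes:
    """Derive the 32-byte WireGuard public key from a 32-byte private key."""
    return _ladder(_clamp(private), BASE_U).to_bytes(32, "little")

def generate_client_keypair() -> tuple:
    """(private_b64, public_b64) in the encoding WireGuard uses; the private half stays here."""
    priv = secrets.token_bytes(32)
    return base64.b64encode(priv).decode(), base64.b64encode(x25519_public(priv)).decode()

def render_client_config(priv_b64, instance_pub_b64, endpoint, address, allowed_ips, psk_b64=None):
    """Client .conf; instance_pub_b64, endpoint and the optional psk come from the OPNsense side."""
    psk = f"PresharedKey = {psk_b64}\n" if psk_b64 else ""
    return (f"[Interface]\nPrivateKey = {priv_b64}\nAddress = {address}\n\n[Peer]\n"
            f"PublicKey = {instance_pub_b64}\n{psk}Endpoint = {endpoint}\nAllowedIPs = {allowed_ips}\n")
```

Only the `public_b64` value is pasted into the OPNsense peer entry; the rendered file stays on the client.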
Title: Re: WireGuard Exporter Tool
Post by: JMini on December 12, 2025, 09:00:20 PM
Gotcha. Without understanding the presence of the keys, I thought the export was more important. I guess it isn't.

Thanks for the information, guys.