OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: directnupe on July 11, 2019, 08:56:35 pm

Title: HOW TO WIREGUARD OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on July 11, 2019, 08:56:35 pm
Dear Community,
And I quote "Jimi": "I see that we meet again hmmm" - see here: https://youtu.be/gFAQWjdCO8o - and for the purpose as stated by the leader of The Family Stone, "I Want To Take You Higher" - see here: https://www.youtube.com/watch?v=LQkdiJQIX5Y. Now after the intro - let's get down to business. This tutorial guide details dead simple GUARANTEED method(s) to get the WIREGUARD Client up and running on the OPNsense Firewall. I will explore the one I prefer first. Some of you may remember my work with GETDNS and STUBBY. Please read Mimugmail's comments (the developer and maintainer of the os-wireguard-devel plugin) below in the first reply to this tutorial. He was kind enough to inform me of a few points so no one does extra work. Specifically, Mimugmail details methods for easier OPNsense ports installation and/or an easier method to install the WireGuard and WireGuard-Go packages. This installation is for commercial WireGuard Clients ONLY! - where creation of keys and how to exchange them is not needed. The keys are generated and managed by your WireGuard VPN service provider - in my case - TorGuard.

1 - As per Mimugmail's advice you can choose to install WireGuard either through ports or the pkg install method. From his reply: "You can install wireguard just via # pkg install wireguard && pkg install wireguard-go. The pkg versions are always the latest which were available at the time of the release. The version you mention here is already in the ports tree but the pkg will be in the next minor release. To speed this up you could also do on your opnsense installation: # opnsense-code ports && cd /usr/ports/net/wireguard && make install" - As I wanted the latest package (I did not care to wait for the pkg update on OPNsense and I do not like installing the entire OPNsense Ports collection on my OPNsense instance) - I did the following and it worked out great.

2 - First install the necessary packages which are in the OPNsense repository by default with the command: # pkg install wireguard && pkg install wireguard-go - As Mimugmail points out, this will install the latest versions of these packages. Ready to get this going and up and running? Then follow the steps below.

3 - To begin you need to get your WIREGUARD configuration files from the TORGUARD website. To do so, log in to your TORGUARD account, then go to Tools (along the top of the Login Page) and from the drop-down menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area. You will see this message along the top: Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect. Currently, TORGUARD offers WIREGUARD Servers in USA - New York (actually situated in Clifton, New Jersey), Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD. This will result in a green box below the now grayed out box - which now states Disable WIREGUARD - naturally leave your server enabled as you want to connect to the now enabled server. Next, Download the Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following:

Location: USA - New York 1
VPN Server: 159.xx.xxx.xx:xxx
Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
Your Address: 10.xx.x.xxx/24


4 - Now I used this guide as the template for my manual installation of WIREGUARD on OPNsense, see here: https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ I will make this simple for you step by step. You may sing and/or hum along as we proceed.
A - First - configure the WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad and IVPN are commercial VPN providers which offer LIVE! WireGuard Services now. I use TorGuard; here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial - use your real WireGuard configuration file here. Create the file by command line - # nano /usr/local/etc/wireguard/wg0.conf - and enter the configuration file below (copy and paste) - substitute your real one. Save and Close. Done with this file.

# TorGuard WireGuard Config
[Interface]
PrivateKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
ListenPort = 51820
DNS = 104.223.91.210
Address = 10.xx.x.xxx/24

[Peer]
PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
AllowedIPs = 0.0.0.0/0
Endpoint = 159.xx.xx.xxx:xxx
PersistentKeepalive = 25


B - Secondly, run the command via SSH: # wg-quick up wg0 (wireguard-go is in the package and this action creates the wireguard interface). You may also run # wireguard-go wg0 to create wg0 but I prefer the first method mentioned here.

5 - Configure the WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel. In order to achieve this there's already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package. You need to issue this command: # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh then enter the file - # nano /usr/local/etc/rc.d/wireguard.sh - then go to the bottom of the file - lines 46 and 47 - and change
: ${wireguard_enable="NO"} to : ${wireguard_enable="YES"} and then add wg0 on line 47, changing
: ${wireguard_interfaces=""} to : ${wireguard_interfaces="wg0"} (wgZero) - Save and Close - Make it executable, I run two commands - it works for me: # chmod a+x /usr/local/etc/rc.d/wireguard.sh # chmod 744 /usr/local/etc/rc.d/wireguard.sh - Done with this file.

6 - In order to have OPNsense use the default start up script (/usr/local/etc/rc.d/wireguard.sh) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following: # nano /etc/rc.conf.d/wireguard - in the new file enter the following two lines:
wireguard_enable="YES"
wireguard_bootup_run="/usr/local/etc/rc.d/wireguard.sh"
Save and Close - Make it executable - # chmod a+x /etc/rc.conf.d/wireguard # chmod 744 /etc/rc.conf.d/wireguard - Done with this file.

7 - Now head to the OPNsense WEBGUI in order to configure the Wireguard Interface (created earlier) and the FireWall Rule. First, on the Left Side WebGui Column - go to Interfaces > Assignments - you will see the wg0 interface - click the (+) add button/symbol. Once the wg0 interface is listed as OPT (1 - 2 depending on your setup) - click underneath it - enter checks in "Prevent interface removal" and "Enabled" - and enter a description - I call mine "WIRE" - DO NOTHING ELSE HERE! Save and Apply - Done with this phase.
Second - Firewall Rule - on the Left Side WebGui Column - go to Firewall > NAT > Outbound. Once on this Landing Page put a dot in the radio button "Hybrid outbound NAT rule generation" - click on Save - Do Not - Repeat Do Not - Click Save and Apply At This Time - instead click on the Add (+) button on the right side top of the page - on the page which opens change Interface from WAN in the drop down menu to your Wireguard (wg0) Interface - in my case "WIRE" as I labeled it in the description of the interface I added earlier. Next - change Source Address to "Lan net" and Translation/target to "Interface address". Enter a Description - e.g. "Made For Wire" - now click "Save" at the bottom of the page. You will be taken back to the Firewall:Nat:Outbound Landing Page - click on "Apply Changes" in the right upper hand corner - Done with the Firewall Rule for Lan. Repeat the Firewall Rule operation for all of your other Lan Interface Subnets if you choose to do so.

When using these updated packages as I did, in order to stop nagging messages to re-install the outdated OPNsense wireguard and wireguard-go packages, use the FreeBSD pkg lock option. Issue the commands in order: # pkg lock wireguard and # pkg lock wireguard-go. It may be necessary to reboot OPNsense after locking the wireguard and wireguard-go packages in order to restart WireGuard from the command line. Your WireGuard Client is now installed and ready - you may enter the command # /usr/local/etc/rc.d/wireguard.sh restart in order to start it up. You may also reboot your OPNsense Router. Lastly, issue the command # wg show which prints out your WireGuard connection statistics and configuration. I will install wireguard via # pkg install wireguard && pkg install wireguard-go as my go-to method in the future.

Peace and Grace Be Unto All God's Creation
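A sanity check for the wg0.conf written in step 4, as an added example in POSIX sh that is not part of directnupe's post: it verifies the required keys are present, that both keys are base64 of 32 bytes, that Endpoint carries a port, and that the file is readable by the owner only, since it holds the private key. The embedded sample is a constructed copy of the post's config with the post's dummy keys, a documentation-range endpoint (192.0.2.10) and a made-up tunnel address.

```shell
# Sanity checks for a WireGuard client config like the wg0.conf in this post
# (added example, not from the original post): required keys present, keys look
# like base64 of 32 bytes (44 chars ending in '='), Endpoint is host:port, and the
# file is owner-readable only, since it holds the private key.

# Reads "Key = value" from config $1 for key $2, tolerating spaces around '='.
wg_getval() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }

check_wg_conf() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "missing file: $f"; return 1; }
    for k in PrivateKey Address PublicKey AllowedIPs Endpoint; do
        [ -n "$(wg_getval "$f" "$k")" ] || { echo "missing $k"; rc=1; }
    done
    for k in PrivateKey PublicKey; do
        wg_getval "$f" "$k" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
            || { echo "$k is not a base64-encoded 32-byte key"; rc=1; }
    done
    wg_getval "$f" Endpoint | grep -Eq '^[^:]+:[0-9]{1,5}$' \
        || { echo "Endpoint must be host:port"; rc=1; }
    wg_getval "$f" Address | grep -q '/' \
        || { echo "Address should be CIDR, e.g. 10.x.x.x/24"; rc=1; }
    # AllowedIPs = 0.0.0.0/0 sends all traffic through the tunnel; say so.
    [ "$(wg_getval "$f" AllowedIPs)" = "0.0.0.0/0" ] && echo "note: full-tunnel config"
    # Private key on disk: group/other must have no read bits (mode 600).
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        *00) ;;
        *) echo "mode $mode exposes the private key; use chmod 600"; rc=1 ;;
    esac
    return $rc
}

# Writes a constructed copy of the post's config (dummy keys from the post,
# documentation-range endpoint, made-up tunnel address) to $1 with mode 600.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
Address = 10.9.0.2/24
[Peer]
PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
EOF
    chmod 600 "$1"
}
```

Run check_wg_conf /usr/local/etc/wireguard/wg0.conf before wg-quick up wg0; a non-zero return means at least one check printed a problem.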
Title: Re: HOW TO WIREGUARD OPNsense CLIENT DEAD SIMPLE
Post by: mimugmail on July 11, 2019, 09:57:37 pm
Hi,

thanks for the guide! Just a few points so no one does extra work:

1. The plugin was done by me, there's currently no way to make it easier which is a lack of the framework itself (only if you do some heavy JS stuff)
2. You can install wireguard just via pkg install wireguard && pkg install wireguard-go. The pkg versions are always the latest which were available at the time of the release. The version you mention here is already in the ports tree but the pkg will be in the next minor release. To speed this up you could also do on your opnsense installation:
# opnsense-code ports && cd /usr/ports/net/wireguard && make install
3. Last and most important thing, you didn't cover the creation of keys and how to exchange them, this is the most annoying part of WireGuard and that's why the handling of the plugin is so hard to understand ;)
Title: Re: HOW TO WIREGUARD OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on July 11, 2019, 11:00:16 pm
Dear mimugmail,
First of all - Hello! :) Pleased to make your acquaintance - and by all means I do appreciate all the work that you have put into the development of WireGuard on OPNsense. Further, I want to thank you for availing me of the knowledge that the opnsense-code ports and pkg install wireguard and pkg install wireguard-go options are available. That saves me a ton of work. I will work up a new tutorial which reflects those methods of installation and configuration of WireGuard on OPNsense.
As for your observation: "Last and most important thing, you didn't cover the creation of keys and how to exchange them, this is the most annoying part of WireGuard and that's why the handling of the plugin is so hard to understand." Well, this is where a whole confusing kettle of fish opens up (at least for me) and for many others I am sure. You see, when one (in this case me) uses a commercial VPN provider for their WireGuard Service and configuration files, there is no need for the creation of keys and how to exchange them, as you cite in your tutorial here: https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/ and I quote: "Normally the creation of a new server instance would create a new keypair. Since the keys with Azire are managed by them you have to include the private key from the text file you downloaded and set as Tunnel Address the one in the config." So - from what I can gather this is sort of like OPENVPN - you can run your server and connect clients OR you can buy a subscription to a VPN Service Provider and connect to their servers (using their keys and so on) and run an OPENVPN Client solely.
I tried to make it clear in this tutorial that this is for commercial WireGuard Clients from providers which I listed in this guide - TorGuard, AzireVPN, VPN.ac, Mullvad and IVPN are commercial VPN providers which offer LIVE! WireGuard Services now. However, I can guarantee that this configuration works without me having to generate or exchange keys - that process is taken care of (as you stated in your guide) by Azire or whatever VPN service. As I said - this is what had me pulling my hair out. I will try to more plainly and emphatically make it clear that this setup is for Commercial WireGuard Clients ONLY!
Once again, I wish to thank you for all of your work and the information that you imparted to me regarding the options for installing wireguard and wireguard-go without having to go through the arduous task of building a package from scratch using a FreeBSD Build Server. Maybe - someday - somehow we can make it clear that there are different methods of setting up WIREGUARD - this guy here even runs multiple instances of WIREGUARD: https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ and I have seen others doing this as well in the OPNsense Forums - but all of this is way beyond me.
God Bless You and Yours Always In Peace and Grace,
directnupe