OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: colourcode on February 02, 2024, 04:28:46 pm

Title: [WireGuard] Mullvad Selective Routing guide for dummies
Post by: colourcode on February 02, 2024, 04:28:46 pm
Additional information and inspiration:
schnerring.net (https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/)
OPNsense Docs (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)

About

This is basically the existing guide(s) without much explanation, straight to the point, for those of us who get cross-eyed by walls of text. Don't expect to learn why it's working here.

This is the minimum needed to get it up and running on an unconfigured OPNsense host.
Tested with 24.1.1

Hopefully, it can be of help to someone, and let's hope I never have to do BBcode formatting ever again 🤦



1. Install WireGuard

Navigate to: System > Firmware > Plugins
- Install WireGuard



2. Download Mullvad config - I'll call it .conf

1. Log in to mullvad.net & go to wireguard-config
2. Generate Key
3. Scroll down and select server
4. Select IPv4
5. Select Only IPv4
6. Configure Content Blocking
   - Personal preference, it changes the DNS server provided in .conf
7. Download .conf

Additional Mullvad info

These can be used as monitoring IP for gateway(s):
- Mullvad - How to set up ad-blocking in our app (https://mullvad.net/it/blog/2021/5/27/how-set-ad-blocking-our-app)
   - 100.64.0.1 for Ad-blocking
   - 100.64.0.2 for Tracker-blocking
   - 100.64.0.3 for Ad- + Tracker-blocking.

- Mullvad - Adding another layer: malware DNS blocking (https://mullvad.net/en/blog/2022/3/16/adding-another-layer-malware-dns-blocking)
   - 100.64.0.4 Malware blocking only
   - 100.64.0.5 Ad and malware blocking, no tracker blocking
   - 100.64.0.6 Tracker and malware blocking, no ad blocking
   - 100.64.0.7 Ad, tracker and malware blocking (“everything”)



3. WireGuard Configuration

3.1 WireGuard INSTANCE - [interface] in .conf

Navigate to: VPN > WireGuard > Settings > Instances
Fields not mentioned = BLANK / Default

- ADD
| Field           | Value                        |
| --------------- | ---------------------------- |
| Name            | Instance Name                |
| Pub Key         | The one you generated        |
| Priv Key        | In downloaded .conf          |
| Port            | 51820                        |
| Tunnel Address  | AddressInConf/32             |
| Disable Routes  | CHECKED                      |
| Gateway         | Tunnel_Address (-1)*         |

* See note: OPNsense Docs - wireguard-selective-routing (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-2-configure-the-wireguard-instance)

- Save (don't apply yet)

3.2 WireGuard PEER - [peer] in .conf

Navigate to: VPN > WireGuard > Settings > Peers
- ADD
| Field               | Value                        |
| ------------------- | ---------------------------- |
| Name                | Peer Name                    |
| Pub Key             | In downloaded .conf          |
| Allowed IPs         | 0.0.0.0/0                    |
| Endpoint Address    | In downloaded .conf          |
| Endpoint Port       | 51820                        |
| Instance            | The one you set up earlier   |
| Keepalive interval  | 25                           |

- Save and hit apply

Navigate to: VPN > WireGuard > Settings > General
- Enable WireGuard
- Verify tunnel is UP in VPN > WireGuard > Diagnostics



4. Add an interface

Navigate to: Interfaces > Assignments > Assign a new interface
- Expand list and select the WireGuard interface
- Device wg1
   - ADD
   - SAVE (above)

- Click on the new interface (above)
   - Enable Interface: CHECKED
   - SAVE



5. Add a gateway

Navigate to: System > Gateways > Configuration
- ADD
| Field                           | Value                                             |
| ------------------------------- | ------------------------------------------------- |
| Name                            | GW name                                           |
| Interface                       | wg1                                               |
| Address Family                  | IPv4                                              |
| IP Address                      | .conf > [interface] > address (-1)*               |
| Far Gateway                     | CHECKED                                           |
| Disable Gateway Monitoring      | UNCHECKED                                         |
| Monitor IP                      | 10.64.0.1 or one of the DNS servers               |

* If .conf address is xx.xx.xx.10/32 you can use xx.xx.xx.9 - i.e. remove the subnet mask and subtract one from the last segment.

- SAVE
- APPLY
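Added example (not from the original post, not OPNsense or Mullvad code): a small Python script that reads a Mullvad .conf and prints the values for the fields in 3.1, 3.2 and 5, so you can copy them into the three forms without transcription slips. It applies the gateway rule above with the ipaddress module, which also handles the case the "subtract one from the last segment" wording does not spell out (a last octet of 0 borrows from the previous octet), and it checks that each key decodes to 32 bytes, which catches a truncated paste. The .conf embedded in it is constructed (dummy keys, documentation addresses); the field names are the guide's, and Port 51820 and Keepalive 25 are the guide's fixed values rather than something read from the file.

```python
"""Map a Mullvad WireGuard .conf onto the OPNsense fields used in
sections 3.1, 3.2 and 5 of this guide (added example, not from the post).

The sample .conf below is constructed: the keys are dummy base64 strings
and the addresses come from documentation ranges, not from Mullvad.
"""
import base64
import configparser
import ipaddress
import sys

# Dummy 32-byte keys so the sample looks like a real WireGuard config.
_FAKE_PRIV = base64.b64encode(bytes(range(32))).decode()
_FAKE_PUB = base64.b64encode(bytes(range(32, 64))).decode()

# Constructed sample in the layout mullvad.net hands out ("Only IPv4").
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {_FAKE_PRIV}
Address = 10.66.123.10/32
DNS = 100.64.0.7

[Peer]
PublicKey = {_FAKE_PUB}
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.20:51820
"""


def parse_wg_conf(text: str) -> dict:
    """Return {'interface': {...}, 'peer': {...}} with lower-cased keys.
    Assumes a single [Peer] section, which is what Mullvad generates."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {"interface": dict(cp["Interface"]), "peer": dict(cp["Peer"])}


def gateway_address(tunnel_cidr: str) -> str:
    """Step 5 rule: drop the mask and subtract one from the tunnel address.
    ipaddress arithmetic also covers a last octet of 0 (borrow from the
    previous octet), which 'subtract one from the last segment' leaves open."""
    return str(ipaddress.ip_interface(tunnel_cidr).ip - 1)


def check_key(b64: str) -> bool:
    """A WireGuard key must decode to exactly 32 bytes; catches truncated pastes."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def opnsense_fields(conf_text: str) -> dict:
    """Translate the .conf into the guide's three tables. Port 51820 and the
    keepalive of 25 are the guide's fixed values, not read from the file."""
    conf = parse_wg_conf(conf_text)
    iface, peer = conf["interface"], conf["peer"]
    tunnel = iface["address"].split(",")[0].strip()   # first address only
    host, _, port = peer["endpoint"].rpartition(":")  # also splits [v6]:port
    gw = gateway_address(tunnel)
    # Monitor IP: the guide allows 10.64.0.1 or one of the DNS servers in the .conf
    monitor = iface.get("dns", "10.64.0.1").split(",")[0].strip()
    return {
        "instance": {           # 3.1 - [Interface]
            "Priv Key": iface["privatekey"],
            "Port": 51820,
            "Tunnel Address": tunnel,
            "Disable Routes": True,
            "Gateway": gw,
        },
        "peer": {               # 3.2 - [Peer]
            "Pub Key": peer["publickey"],
            "Allowed IPs": peer["allowedips"],
            "Endpoint Address": host.strip("[]"),
            "Endpoint Port": int(port),
            "Keepalive interval": 25,
        },
        "gateway": {            # 5 - System > Gateways
            "Interface": "wg1",
            "Address Family": "IPv4",
            "IP Address": gw,
            "Far Gateway": True,
            "Monitor IP": monitor,
        },
    }


if __name__ == "__main__":
    # Usage: python wg_fields.py [path/to/mullvad.conf]   (no path = built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    fields = opnsense_fields(text)
    for section, values in fields.items():
        print(f"[{section}]")
        for name, value in values.items():
            print(f"  {name:<18} {value}")
    for label, key in (("PrivateKey", fields["instance"]["Priv Key"]),
                       ("Peer PublicKey", fields["peer"]["Pub Key"])):
        print(f"{label} length check: {'ok' if check_key(key) else 'BAD'}")
```

The instance's own Pub Key is not in the output on purpose: it is the one you generated on the Mullvad page (or that OPNsense derives from the private key), not something stored in the .conf.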



6. Firewall configuration
This configuration is as barebones as they come; modify it to your liking.

Navigate to: Firewall > Aliases
- ADD
| Field             | Value                                               |
| ----------------- | --------------------------------------------------- |
| Name              | [selected hosts] - any name you want                |
| Type              | Host(s)                                             |
| Content           | Add the IP of each device you want to use WireGuard |

- SAVE
- APPLY

6.1 FIRST rule: Route [selected hosts] traffic through the tunnel

Navigate to: Firewall > Rules > Floating
- ADD
| Field                  | Value                                         |
| ---------------------- | --------------------------------------------- |
| Action                 | Pass                                          |
| Quick                  | CHECKED                                       |
| Interface              | Interface(s) where your [selected hosts] live |
| Direction              | In                                            |
| TCP/IP Version         | IPv4                                          |
| Protocol               | Any                                           |
| Source                 | [selected hosts]                              |
| Destination            | Any                                           |
| Gateway                | WG Gateway                                    |
| Show Advanced Features | (expand to reveal the next field)             |
| SET local tag          | NO_WAN_EGRESS                                 |

- SAVE

6.2 SECOND rule: Kill switch
May not be needed depending on your configuration, better safe than sorry?

- OPNsense Docs: Kill Switch (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-11-add-a-kill-switch-optional)

6.3 THIRD rule: Route DNS traffic for [selected hosts]
This rule is optional; use it for troubleshooting or with port forwards.

- ADD
| Field                | Value                                         |
| -------------------- | --------------------------------------------- |
| Action               | Pass                                          |
| Quick                | CHECKED                                       |
| Interface            | Interface(s) where your [selected hosts] live |
| Direction            | In                                            |
| TCP/IP Version       | IPv4                                          |
| Protocol             | TCP/UDP                                       |
| Source               | [selected hosts]                              |
| Destination          | A Mullvad DNS server: 100.64.0.X              |
| Dst Port Range       | DNS                                           |
| Gateway              | WG Gateway                                    |

- SAVE

6.4 NAT Rule: NAT WireGuard for [selected hosts]

Navigate to: Firewall > NAT > Outbound
- Change mode to Hybrid outbound NAT rule generation

- ADD
| Field                    | Value                                          |
| ------------------------ | ---------------------------------------------- |
| Interface                | WG interface                                   |
| TCP/IP Version           | IPv4                                           |
| Protocol                 | Any                                            |
| Source                   | [selected hosts]                               |
| Src Port                 | Any                                            |
| Destination              | Any                                            |
| Dst Port                 | Any                                            |
| Translation / Target     | Interface Address                              |

- SAVE
- APPLY to save all the firewall rules



7. Verify it's working as intended

- Add a device IP to the [selected hosts] Alias
- Use Mullvad Check (https://mullvad.net/en/check)
   - All three should be green

- API, PowerShell
(curl https://am.i.mullvad.net/json).Content | ConvertFrom-Json
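The PowerShell one-liner above works because Windows PowerShell aliases `curl` to Invoke-WebRequest, which returns an object with a `.Content` property; with real curl (PowerShell 7, Linux, macOS) pipe the output straight into ConvertFrom-Json instead. As an added example (not from the original post), here is the same check in Python, run from a client: it asks the same endpoint and compares the answer with what the rules in section 6 should do for that host, both for a host in [selected hosts] (must exit via Mullvad) and for one outside it (must not, otherwise the floating rule matches more than intended). The response fields used (ip, mullvad_exit_ip, mullvad_exit_ip_hostname) are my reading of Mullvad's check API, and the two sample responses are constructed so the decision logic can be run offline.

```python
"""Check whether the host running this script exits via the Mullvad tunnel.

Added example, not from the original post. It queries the same endpoint as
the guide's PowerShell one-liner. The response fields relied on here (ip,
mullvad_exit_ip, mullvad_exit_ip_hostname) are my reading of Mullvad's check
API; evaluate() is written against constructed samples so it runs offline.
"""
import json
import sys
import urllib.request
from typing import Tuple

URL = "https://am.i.mullvad.net/json"

# Constructed responses (not captured from the API); addresses are documentation ranges.
SAMPLE_TUNNELLED = {"ip": "203.0.113.5", "country": "Sweden",
                    "mullvad_exit_ip": True, "mullvad_exit_ip_hostname": "xx-yyy-wg-000"}
SAMPLE_DIRECT = {"ip": "192.0.2.77", "country": "Elsewhere", "mullvad_exit_ip": False}


def fetch_status(url: str = URL, timeout: int = 10) -> dict:
    """Fetch the JSON verdict for this host's public address (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def evaluate(status: dict, expect_tunnel: bool) -> Tuple[bool, str]:
    """Compare the API verdict with what the firewall rules should do for this host.

    expect_tunnel=True : host is in [selected hosts], must exit via Mullvad.
    expect_tunnel=False: host is not, must exit via WAN; a Mullvad exit here
                         means the floating rule's source/interface is too broad.
    Returns (passed, human-readable reason).
    """
    via_mullvad = bool(status.get("mullvad_exit_ip", False))
    ip = status.get("ip", "?")
    if via_mullvad and expect_tunnel:
        host = status.get("mullvad_exit_ip_hostname", "?")
        return True, f"OK: exit via Mullvad {host} ({ip})"
    if not via_mullvad and not expect_tunnel:
        return True, f"OK: direct WAN exit ({ip})"
    if expect_tunnel:
        return False, (f"FAIL: host should be tunnelled but exits via {ip}; "
                       "check alias membership, the floating rule and the WG gateway")
    return False, (f"FAIL: host should NOT be tunnelled but exits via Mullvad ({ip}); "
                   "check the floating rule's source and interface")


if __name__ == "__main__":
    # Usage: python mullvad_check.py            (host expected to be tunnelled)
    #        python mullvad_check.py --direct   (host expected to bypass the tunnel)
    expect = "--direct" not in sys.argv[1:]
    passed, reason = evaluate(fetch_status(), expect_tunnel=expect)
    print(reason)
    sys.exit(0 if passed else 1)
```

Run it once from a device listed in the alias and once from one that is not; both should print OK. The non-zero exit code on FAIL makes it easy to drop into a cron job as a cheap leak monitor.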

Thanks for reading!
Please educate me where there are mistakes!