Wireguard: better install it on opnsense or another server ?

Started by Jeannot, March 02, 2024, 03:53:29 PM

Hello,

I have had my opnsense running for a few weeks and I want to install wireguard to allow connection to my LAN from outside.

Now I'm wondering if it's best to install it directly on opnsense using the plugin or to install it on a server (proxmox in my case) behind the firewall? What are the pros and cons of each setup?

thanks  :)


It's a standard part of OPNsense, no need to install any plugin. So why even consider a different server?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Good question, but I struggle to even get wireguard working on opnsense despite following guides. I have tried for so long; I am technically quite competent but really struggle with Opnsense wireguard. I've had it working in pfsense, but with opnsense it's just hit and miss.

Could you help advise where it's going wrong, or push for clearer guides from Opnsense on the configurations, maybe some with videos or screenshots?

https://forum.opnsense.org/index.php?topic=39783.0

April 02, 2024, 11:45:24 PM #3 Last Edit: April 02, 2024, 11:47:01 PM by Patrick M. Hausen
OK, although I personally think this is all rather trivial, I will write a walk-through for you.

So you want a road-warrior setup for you from anywhere on the Internet to reach your home LAN. OK.

VPN > WireGuard > Settings > General - enable (obviously)
VPN > WireGuard > Settings > Instances

Add a new instance. Name it e.g. "mobile" or whatever.

Public Key/Private Key - use the cogwheel to generate a pair.
Listen Port: 51820
MTU: 1412 if your uplink uses PPPoE, 1420 if it doesn't
Tunnel Address: 192.168.255.1/24

Save and apply.

Go to VPN > WireGuard > Settings > Peers and add a peer.

Name: your choice
Public Key: the key you generated for your client
Allowed IPs: 192.168.255.2/32 - if that is the tunnel address you configured on your client. I suggest you do so.
Keepalive Interval: I pick 30 but if your OPNsense is behind another NAT gateway you might want to change that to 25

Go back to VPN > WireGuard > Settings > Instances and add the peer to the instance you previously created.

In Firewall > Rules > WAN configure:

In, IPv4, UDP allow, WAN address, Destination Port range: 51820, allow

In Firewall > Rules > WireGuard (group) configure:

In, IPv4, allow everything

That's it on the OPNsense side. You need a dedicated network different from your LAN for the WireGuard network. And then everything "just works".


On the client side - I use the WireGuard client on a Mac:

[Interface]
PrivateKey = ****                 # the client's private key
Address = 192.168.255.2/24        # the client's tunnel address
DNS = 192.168.255.1
MTU = 1280

[Peer]
PublicKey = ****                  # the public key of the OPNsense instance
# 192.168.255.0/24 is the tunnel network; add your LAN network and all other
# networks you want reachable through the tunnel as a comma-separated list
AllowedIPs = 192.168.255.0/24, <your LAN network>
Endpoint = <public IP address of your OPNsense>:51820



HTH, kind regards,
Patrick
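The walk-through above works only when the client config and the OPNsense-side instance and peer settings agree with each other: the client address must be the /32 the peer entry allows, the client's AllowedIPs must cover the tunnel network and the LAN, the tunnel network must be separate from the LAN, and the Endpoint port must match the listen port and the WAN rule. The following script is an added example, not part of the forum thread or of OPNsense; it parses a wg-quick style client config and cross-checks it against those server-side values. The LAN (192.168.1.0/24) and the public address (203.0.113.10) are constructed placeholders, since the post leaves both unspecified.

```python
"""Consistency checks for a WireGuard road-warrior setup (added example)."""
import ipaddress

# Constructed sample: the OPNsense-side values from the walk-through plus an
# assumed LAN of 192.168.1.0/24 (the post does not state the LAN network).
SERVER = {
    "tunnel_address": "192.168.255.1/24",    # Instance -> Tunnel Address
    "listen_port": 51820,                    # Instance -> Listen Port
    "peer_allowed_ips": "192.168.255.2/32",  # Peer -> Allowed IPs
    "wan_rule_port": 51820,                  # Firewall > Rules > WAN dest port
    "lan": "192.168.1.0/24",                 # assumed LAN, not from the post
}

# Constructed client config in wg-quick format; 203.0.113.10 is a
# documentation address standing in for the OPNsense public IP.
CLIENT_OK = """
[Interface]
PrivateKey = ****
Address = 192.168.255.2/24
DNS = 192.168.255.1
MTU = 1280

[Peer]
PublicKey = ****
AllowedIPs = 192.168.255.0/24, 192.168.1.0/24  # tunnel network plus LAN
Endpoint = 203.0.113.10:51820
"""

# Same config with three typical mistakes: wrong client address, LAN missing
# from AllowedIPs, and an Endpoint port that differs from the listen port.
CLIENT_BAD = (CLIENT_OK
              .replace("192.168.255.2/24", "192.168.255.3/24")
              .replace("192.168.255.0/24, 192.168.1.0/24", "192.168.255.0/24")
              .replace(":51820", ":51821"))


def parse_wg_config(text):
    """Minimal parser for the INI-like wg-quick format: '#' comments,
    [Section] headers and 'Key = Value' lines; repeated keys are collected."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {}).setdefault(key.strip(), []).append(value.strip())
    return sections


def _networks(csv):
    return [ipaddress.ip_network(x.strip(), strict=False)
            for x in csv.split(",") if x.strip()]


def check_setup(client_text, server=SERVER):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    cfg = parse_wg_config(client_text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})

    tunnel_net = ipaddress.ip_interface(server["tunnel_address"]).network
    lan = ipaddress.ip_network(server["lan"])
    peer_allowed = ipaddress.ip_network(server["peer_allowed_ips"])

    # 1. The tunnel must be a dedicated network, separate from the LAN.
    if tunnel_net.overlaps(lan):
        findings.append(f"tunnel network {tunnel_net} overlaps LAN {lan}")

    # 2. The client address must sit in the tunnel network and match the /32
    #    the server's peer entry allows; otherwise OPNsense drops its packets.
    client_addr = ipaddress.ip_interface(iface["Address"][0])
    if client_addr.ip not in tunnel_net:
        findings.append(f"client address {client_addr.ip} is outside tunnel network {tunnel_net}")
    if peer_allowed.prefixlen != 32 or client_addr.ip not in peer_allowed:
        findings.append(f"server peer Allowed IPs {peer_allowed} does not match client {client_addr.ip}/32")

    # 3. Client AllowedIPs must cover the tunnel network and the LAN, or
    #    traffic to those destinations is never routed into the tunnel.
    allowed = []
    for entry in peer.get("AllowedIPs", []):
        allowed.extend(_networks(entry))
    for wanted, label in ((tunnel_net, "tunnel network"), (lan, "LAN")):
        if not any(n.version == wanted.version and wanted.subnet_of(n) for n in allowed):
            findings.append(f"client AllowedIPs {allowed} do not cover {label} {wanted}")

    # 4. The Endpoint port must equal the listen port, and the WAN rule must
    #    open that same port.
    endpoint = peer.get("Endpoint", [""])[0]
    port = int(endpoint.rsplit(":", 1)[1]) if ":" in endpoint else None
    if port != server["listen_port"]:
        findings.append(f"endpoint port {port} != listen port {server['listen_port']}")
    if server["wan_rule_port"] != server["listen_port"]:
        findings.append("WAN firewall rule port != listen port")

    return findings


if __name__ == "__main__":
    for name, text in (("good", CLIENT_OK), ("bad", CLIENT_BAD)):
        print(name, check_setup(text) or "OK")
```

Run it as-is to see the good config pass and the broken one report three findings; to check your own setup, paste your client config into CLIENT_OK and put your instance, peer and LAN values into SERVER.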