Wireguard: better install it on opnsense or another server ?

[Jeannot]

Hello,

I have my opnsense running for a few week and I want to install wireguard to allow connection to my LAN from outside.

Now I'm wondering if it's best to install it directly on opnsense using the plugin or to install it on a server ( proxmox in my case) behind the firewall ? what are the pro and cons of each setup ?

thanks 

[Patrick M. Hausen]

It's a standard part of OPNsense, no need to install any plugin. So why even consider a different server?

[LovelyCupOfTea]

Good question, but I struggle to even get wireguard working on opnsense despite following guides, I have tried for so long, I am technically quite competent but really struggle with Opnsense wireguard. Ive had it working in pfsense, but with opnsense its just hit and miss.

Could you help advise where its going wrong or push for more clear guides from Opnsense on the configurations, maybe some with videos or screenshots?

https://forum.opnsense.org/index.php?topic=39783.0

[Patrick M. Hausen]

OK, although I personally think this is all rather trivial, I will write a walk-through for you.

So you want a road-warrior setup for you from anywhere on the Internet to reach your home LAN. OK.

VPN > WireGuard > Settings > General - enable (obviously)
VPN > WireGuard > Settings > Instances

Add a new instance. Name it e.g. "mobile" or whatever.

Public Key/Private Key - use the cogwheel to generate a pair.
Listen Port: 51820
MTU: 1412 if your uplink uses PPPoE, 1420 if it doesn't
Tunnel Address: 192.168.255.1/24

Save and apply.

Go to VPN > WireGuard > Settings > Peers and add a peer.

Name: your choice
Public Key: the key you generated for your client
Allowed IPs: 192.168.255.2/32 - if that is the tunnel address you configured on your client. I suggest you do so.
Keepalive Interval: I pick 30 but if your OPNsense is behind another NAT gateway you might want to change that to 25

Go back to PN > WireGuard > Settings > Instances and add the peer to the instance you previously created.

In Firewall > Rules > WAN configure:

In, IPv4, UDP allow, WAN address, Destination Port range: 51820, allow

In Firewall > Rules > WireGuard (group) configure:

In, IPv4, allow everything

That's it on the OPNsense side. You need a dedicated network different from your LAN for the WireGuard network. And then everything "just works".


On the client side - I use the WireGuard client on a Mac:

Code: [Select]

[Interface]
PrivateKey = ****
Address = 192.168.255.2/24
DNS = 192.168.255.1
MTU = 1280

[Peer]
PublicKey = ****
AllowedIPs = 192.168.255.0/24, plus comma separated add your LAN network and all other networks here
Endpoint = public ip address of your OPNsense:51820


HTH, kind regards,
Patrick