AmneziaWG on OPNsense and routing

Started by phprus, February 16, 2026, 04:11:17 PM

Hello!

I'm installing AmneziaWG on OPNsense.

I've compiled the AmneziaWG packages for OPNsense:

https://www.freshports.org/net/amnezia-tools/
https://www.freshports.org/net/amnezia-kmod/
https://www.freshports.org/net/amneziawg-go/

With some modifications, I've compiled a plugin package:
https://github.com/antspopov/opnsense_amnezia_plugin

I plan to create a PR for this in opnsense/plugins in the future.

I'm currently experiencing a routing issue.
If the VPN server doesn't provide the gateway IP (meaning we only know the IP on the interface), then the standard routing mechanism of adding routes and/or setting the gateway in firewall rules stops working.

I decided to try using a second routing table.

I set net.fibs=2, configured AmneziaWG to use routing table 1, and got the following routes:

# netstat -rn -F 1
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags         Netif Expire
default            link#7             US            awg0

Internet6:
Destination        Gateway            Flags         Netif Expire
default            link#7             US            awg0


To test, I configured the LAN interface to use fib 1:

ifconfig em1 fib 1

All LAN traffic is correctly routed through the tunnel.

Next, I tried to replicate this using pf, manually adding a rule immediately after "# [prio: 1]":

pass in log on em1 inet from {(em1:network)} to $to_awg no state rtable 1

I loaded all the rules into pf, but the new rule didn't work. Traffic isn't being redirected. I don't see the captured packets in the log. I can't figure out what the problem is.

pf sees the following rule:

# pfctl -s rules | grep rtable
pass in log on em1 inet from (em1:network) to <to_awg> no state rtable 1

Please tell me how to use pf to capture traffic based on the "to $to_awg" condition so that it sets rtable to 1. I want to capture both LAN traffic and OPNsense process traffic, such as Unbound.
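An added example, not from the thread or the plugin, showing the posted rule next to a quick, stateful form; the table contents are constructed for illustration, and it assumes the OPNsense convention that GUI-generated rules are quick:

```pf
# Constructed example: destinations that should leave through the AmneziaWG tunnel.
# The real <to_awg> table is whatever the plugin or an alias populates it with.
table <to_awg> { 10.10.0.0/16, 203.0.113.0/24 }

# Form 1 (as posted): stateless and not "quick". pf keeps evaluating after a
# non-quick match and the LAST matching rule wins, unless a later "quick" rule
# matches, which ends evaluation immediately. OPNsense-generated rules are
# quick by default, so a later LAN allow rule can take the packet, and this
# rule then neither logs nor sets the FIB.
pass in log on em1 inet from (em1:network) to <to_awg> no state rtable 1

# Form 2: quick and stateful ("log" precedes "quick" in pf.conf grammar).
# Evaluation stops here, the packet is routed with FIB 1 (whose default route
# points at awg0), the state keeps applying rtable 1 to the rest of the flow,
# and the match is logged.
pass in log quick on em1 inet from (em1:network) to <to_awg> \
    keep state rtable 1
```

Check the syntax with `pfctl -nf <file>` before loading, and use `pfctl -vvs rules` to read the per-rule Evaluations/Packets counters, which show whether the rule is being hit at all.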

> With some modifications, I've compiled a plugin package:
> https://github.com/antspopov/opnsense_amnezia_plugin

I applaud your efforts but I think we have enough WG implementations in the plugin system now.


Cheers,
Franco

It is simply perfect that you are working on AmneziaWG on OPNsense. Currently I'm using this VPN protocol through desktop apps, and since I have to connect a few devices at a time, it is only logical to seek to install it in the firewall. :)

I'm very much looking forward to your news about it.

+1 I'm curious about the developments also. This is very useful when using an open wifi, e.g. at the airport, and not being able to use a VPN on it to securely connect to your home devices, email etc.
Deciso DEC850v2

Today at 07:20:25 PM #4 Last Edit: Today at 07:26:02 PM by unholy_saint
AmneziaWG protocol support is not just yet another WireGuard plugin implementation. While originally based on WireGuard, Amnezia is modified to be very resistant to the centralized DPI filtering efforts in countries like Russia. This however makes it even more valuable for people who live in the DPI wild west of the EU, where there are just too many countries with too many authorities that currently play with Internet censorship where and as they manage, while also being responsible for maintaining the official stance that "no such thing exists in The Civilized World". This results in total anarchy and a constantly increasing number of random hits on various types of traffic, including WireGuard VPNs.
My job is related to a vast network of WG interconnections in many EU countries. It started to experience random DPI hits around 12.2025 and things are only getting worse since, with at least 1 hit per 2 days in March. Blocking generally targets a specific protocol/port combination between specific IPs, although some filters seem to be adaptive and detect port changes very fast. Usually blocking lasts a few hours to a few days, but several IP/UDP port combinations remain blocked for months now.
Seeking support from an ISP or hosting provider is usually meaningless in this situation, as they are not in a position to do anything, while managing to find the authority responsible for each specific misbehaving filter you hit... They are sure to employ thousands of professionals in proving that you are an extremist per each subcontracted tech that can actually solve the issue. And it won't be a hard job, as stating that you have an issue with Something That Does Not Exist™ is the exact type of extremism they are responsible to counter.
So switching from plain WG to AmneziaWG 2.0 with QUIC or DNS obfuscation right now seems to be the best solution for someone in EU, even if AWG is much less mobile device friendly. And for OPNsense, AWG support is something that should not simply be discarded as a useless double of WG, especially by somebody who actually lives in EU.

> Quote from: unholy_saint on Today at 07:20:25 PM
> especially by somebody who actually lives in EU.

Europe area in general or one of the countries that are part of the European Union?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)