Setting up WireGuard on OPNSense & Android

Started by chbmb, November 16, 2019, 09:34:00 PM

Hey everyone, new to OPNsense, been wanting to try it out for a long time, but knowing I'd have to start from scratch after using Pfsense for a couple of years meant I had a degree of inertia.  WireGuard was the impetus I needed and I'm glad I jumped ship.

I've written an OPNsense WireGuard guide on the blog of an open-source Docker group I belong to, figured it might be useful to some people here so here's a link.

Hope it helps one or two of you getting started with WireGuard.

Got another one in the pipeline to connect an Ubuntu laptop to OPNsense as well.

I know it might be easy to a lot of you, but a couple of things tripped me up, so I decided to write a guide.

Quote from: mimugmail on November 16, 2019, 09:49:46 PM
Really nice, I'll link it on my site

Oh wow, awesome, thanks! 

And your hard work is very much appreciated.

December 15, 2019, 11:13:56 AM #3 Last Edit: December 15, 2019, 11:31:53 AM by WhosTheBosch
Hi, thanks for this guide, it was quite helpful. I used it as well as the original to get this going for myself. It wasn't quite straightforward though, so I'm replying here with some info so hopefully both guides can be updated.
  • The public key needs to be entered for both local and endpoint. If you save either endpoint / local without entering it for both the WireGuard service will be unable to start.

    To troubleshoot from the CLI just run the command to start the WireGuard service and read the error message: /usr/local/etc/rc.d/wireguard start

    Bug? In the VPN > WireGuard > General page, enabled is checked even if service isn't running, this should be fixed to perhaps keep the check but display the error message from the CLI above if the service didn't start up correctly? This one had me scratching my head for a while.

  • DNS needs to be set up for the new WG interface, or whatever you called the new interface you created. Go to Services > Unbound DNS > General > Network interfaces and select WG.
    Note: If the service is NOT running, you will NOT have the ability to add a new interface for WireGuard from the Interfaces menu.

    Note: This is NOT the WireGuard interface that is automatically created.

  • You need to create an incoming and outgoing IPv4 rule on the WG interface. You can restrict from there once it's working.

  • The rule added to WAN was created at the bottom, so it wouldn't allow traffic through. You need to ensure it's above any block rules. (I have default block-everything rules at the bottom of my rule list for each interface.)

  • Please ensure that after the connection is set up the first time, for any additional changes within a sub screen of the WireGuard page, i.e. a local or endpoint page, you need to hit Save at the bottom of the page that lists all locals or endpoints, since that restarts the service.

  • I'm not sure when setting up the local, if it matters if the network is listed as or as the official doc and this one differ on that point.
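The first point above, a local or endpoint saved without its public key leaving the service unable to start, is the kind of thing a quick config check catches before you restart anything. The following is an added example, not code from this thread or from the OPNsense plugin: it parses a wg-quick style config (the sample text, key values and addresses are constructed for the example) and lists what would keep the interface from coming up.

```python
import base64
import ipaddress

KEY_A, KEY_B = (base64.b64encode(bytes([i]) * 32).decode() for i in (1, 2))  # constructed 32-byte keys

# Constructed sample in wg-quick syntax with private test addresses, not the thread's values.
GOOD_CONF = f"""
[Interface]
PrivateKey = {KEY_A}
[Peer]   # the Android phone
PublicKey = {KEY_B}
AllowedIPs = 10.10.10.2/32
"""
BAD_CONF = GOOD_CONF.replace(f"PublicKey = {KEY_B}\n", "")  # the thread's failure mode: peer saved without its key

def parse_conf(text):
    """Return ([Interface] dict, list of [Peer] dicts); repeated keys are comma-joined."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            k, v = (s.strip() for s in line.split("=", 1))  # base64 '=' padding stays in v
            current[k] = f"{current[k]},{v}" if k in current else v
    return interface, peers

def valid_key(value):
    try:  # a WireGuard key is exactly 32 bytes; binascii.Error subclasses ValueError
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_conf(text):
    """List the problems that would keep the interface down; an empty list means it should start."""
    interface, peers = parse_conf(text)
    problems = []
    if not valid_key(interface.get("PrivateKey", "")):
        problems.append("[Interface] PrivateKey missing or malformed")
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            problems.append(f"peer {n}: PublicKey missing or malformed")
        for cidr in peer.get("AllowedIPs", "").replace(" ", "").split(","):  # '' flags a missing AllowedIPs
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"peer {n}: AllowedIPs entry {cidr!r} is not a valid network")
    return problems
```

Running `check_conf` on the config the plugin wrote (on OPNsense the path is an assumption, typically under /usr/local/etc/wireguard/) before hitting Save tells you why the service refuses to start without reading the rc.d error output.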

December 15, 2019, 11:19:43 AM #4 Last Edit: December 15, 2019, 11:31:15 AM by WhosTheBosch
chbmb, thanks for the work on this one. It helped me get it set up. I have a few suggestions specifically for your blog. Thanks for all the hard work!

  • Can you add more depth to the "Add Wireguard Interface" section? There are a lot of options that are glossed over.

  • Can you do a screenshot for adding the Wireguard interface?

  • "add a new interface, selecting wg0", I'm not sure where to do that? wg0 wasn't mentioned elsewhere in the guide and when you click the Add button then one is automatically created.

  • Do you have to set up a network for your new interface and DHCP etc.? (You don't, but just maybe mentioning that would be good for newcomers.)

  • Can you mention that the WireGuard service needs to be enabled from the main page via VPN > WireGuard. In the official document they mention "Now we can Enable the VPN in tab General and continue with the setup.".

  • Explain this: "Redirect target IP Enter the LAN IP address of your OPNsense install | We want the traffic to reach the WireGuard tunnel on OPNSense". If you're any good at drawing, an example would be great. Maybe explaining how the traffic will flow.

Not to threadcrap, but I used this guide that got me going, with step-by-step pictures and using OPNsense as the edge device rather than port forwarding as the OP's example shows.