Joris' blog

OPNsense & WireGuard: Tunnel Devices through VPN

This page guides step by step how you can force local devices to be routed through a remote VPN server.
I'm a customer of Njalla VPN, but this should work with all WireGuard VPN providers.

I added a lot of screenshots, but this should only take about 15 minutes.

Requirements / Details

  • OPNsense 21.1.2
  • os-wireguard 1.4_1 (OPNsense plugin)
  • A wireguard config file from your VPN provider

Steps

  1. Configure & Enable WireGuard
  2. Assign the WireGuard interface
  3. Tweak WireGuard Gateway settings
  4. Add firewall rules to route certain devices to the WireGuard Gateway
  5. Add manual NAT rule for the WireGuard Interface

Credits

Target end result

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
     β”‚          WWW             β”‚
     β””β”€β”€β”€β”€β”€β–²β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–²β”€β”€β”€β”€β”€β”€β”˜
           β”‚             β”‚
           β”‚      β”Œβ”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”
           β”‚      β”‚ Njalla VPN β”‚
           β”‚      β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
           β”‚             β”‚
           β”‚             β”‚ <--------- Encrypted WireGuard Tunnel
        β”Œβ”€β”€β”΄β”€β”    β”Œβ”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”
     β”Œβ”€β”€β”€WLANβ”œβ”€β”€β”€β”€β”€WLAN_NJALLAβ”œβ”€β”  
     β”‚  β””β”€β”€β”¬β”€β”˜    β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜ β”‚
     β”‚     β”‚             β”‚      β”‚
     β”‚     └──┐OPNsenseβ”Œβ”€β”˜      β”‚
     β”‚        β”‚        β”‚        β”‚
     β”‚      β”Œβ”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”      β”‚
     └───────    LAN     β”œβ”€β”€β”€β”€β”€β”€β”˜ <-- Devices are all connected to same LAN interface
            β””β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”˜
              β”‚        β”‚
        β”Œβ”€β”€β”€β”€β”€β”˜        └────┐                
        β”‚                   β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β” 
β”‚ Regular Devicesβ”‚ β”‚ VPNed Devices  β”‚ <--- Specific devices will be tunneled,
β”‚ (No VPN)       β”‚ β”‚ (VPN_HOSTS)    β”‚      routing is based on Source IP.
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

1. Configure & Enable WireGuard

The Njalla website provides the following details in a wg-njalla.conf file.
OPNsense cannot import tunnels from a conf file so we will enter it manually.

[Interface]
PrivateKey = uPRhasdWDxE12343qwagfasdfFeN66Pwuz7n0=
Address = fd03:1337::156/64, 10.13.37.156/24
DNS = 95.215.19.53, 2001:67c:2354:2::53
MTU = 1420

[Peer]
PublicKey = abc123uzZwKqkNkxP1P9A2Zw9H79cRjTZZlXL8+PrVM=
Endpoint = wg006.njalla.no:51820
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0

1.1 Add Remote Endpoint

Head over to VPN > WireGuard > Endpoints and add your provider's endpoint.
These are the settings from the [Peer] segment. You can chose your own name.

AddEndpoint

!!! Make sure to click Save again below the Endpoint list.

1.2 Add Local Configuration

Go to VPN > WireGard > Local and set the local WireGuard Configuration based on the [Interface] block.

  • The Peers option will auto-complete with the Name from the previous step.
  • Enable advanced mode
  • Tick Disable Routes
  • For Gateway, I chose an IP in the same subnet as the Tunnel Address.
    *Remember this Gateway IP for step 3.*

AddLocalConfiguration

!!! Make sure to click Save again below the Local list.

1.3 Enable WireGuard

Go to VPN > WireGard > General, tick Enable WireGuard and click Save

GeneralEnableWG

The List Configuration tab should now show something like this:

interface: wg0
  public key: uTfdV9DzjSyH3zth10qYVA82SV4FuITg/CGQ1fQOTw0=
  private key: (hidden)
  listening port: 51820

peer: abc123uzZwKqkNkxP1P9A2Zw9H79cRjTZZlXL8+PrVM=
  endpoint: 198.167.192.11:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 4.62 KiB sent
  persistent keepalive: every 25 seconds

Note that the WireGuard interface is called wg0.


2. Assign the WireGuard interface

Go to Interfaces > Assignments and assign the wg0 interface.
I named mine WAN_NJALLA

AssignWGInterface

Then open the interface page and configure:

  • Tick Enable Interface
  • Tick Dynamic gateway policy
  • The other settings will be automatically configured by WireGuard

InterfaceSettings

Click Save and Apply Changes

To make sure the Address and Gateway gets pushed to the interface, I had to restart WireGuard by disabling & enabling it again in VPN > WireGuard.
The address & gateway should then be visible under Interfaces > Overview like so:

InterfaceOverview


3. Tweak WireGuard Gateway settings

Go to System > Gateways > Single and you will spot a new Gateway.
In my case it's called WAN_NJALLA_GW, named after the interface. Click edit.

  • Change IP address from dynamic to the IP you entered in step 1.2
  • Tick Far Gateway
  • Untick Disable Gateway Monitoring
  • Enter a Monitor IP, OPNsense will ICMP/ping to this IP to monitor health.
    Some easy to remember IPs you can use: Google: 8.8.8.8/8.8.4.4, CloudFlare: 1.1.1.1, Quad9: 9.9.9.9

GatewaySettings

Restart WireGuard and try again if you receive the following error:

Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.


4. Add firewall rules to route certain devices to the WireGuard Gateway

4.1 Create an Alias for devices to be tunnelled

Go to Firewall > Aliases and create a Hosts or Network alias for the devices you want to be tunneled through WireGuard.
I named my Alias VPN_HOSTS and entered a few hosts:

Alias

4.2 Create Firewall Rule to enforce tunneling

Go to Firewall > Rules > LAN and add a new rule:

  • Change Source to your alias (in my case: VPN_HOSTS)
  • Change Gateway to the VPN Gateway (in my case: WAN_NJALLA_GW)

Make sure this Rule sits before the "Default allow LAN to any rule" rule.

Rules Note: If your OPNsense is your DNS server, add a Rule for that traffic before the Tunnel rule as I did.

You should be used to clicking Save and Apply changes by now πŸ˜‰.


5. Add manual NAT rule for the WireGuard Interface

  1. Go to Firewall > NAT > Outbound.
  2. Select Hybrid outbound NAT rule generation at the top.
  3. Click Save and then click Apply changes.
  4. Click Add (top right)
  5. Change Interface to your WireGuard VPN Interface name. (In my case: WAN_NJALLA)
  6. Click Save
  7. Click Apply changes

NAT



πŸŽ‰ Boom! Your devices are now going through your WireGuard VPN!

Next steps

  • Enforce a "kill-switch" so VPN_HOST devices don't fall back on WLAN gateway in case the WireGuard tunnel goes down.
  • Make Unbound use the VPN connection (change Outgoing Network Interfaces option in Unbound)

Questions or Comments can be sent to [email protected]

#vpn #wireguard #opnsense

- 6 toasts