Joris Vanhecke

OPNsense & WireGuard: Tunnel Devices through VPN

This page guides step by step how you can force local devices to be routed through a remote VPN server.
I'm a customer of Njalla VPN, but this should work with all WireGuard VPN providers.

I added a lot of screenshots, but this should only take about 15 minutes.

Requirements / Details


  1. Configure & Enable WireGuard
  2. Assign the WireGuard interface
  3. Tweak WireGuard Gateway settings
  4. Add firewall rules to route certain devices to the WireGuard Gateway
  5. Add manual NAT rule for the WireGuard Interface


Target end result

     β”‚          WWW             β”‚
           β”‚             β”‚
           β”‚      β”Œβ”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”
           β”‚      β”‚ Njalla VPN β”‚
           β”‚      β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
           β”‚             β”‚
           β”‚             β”‚ <--------- Encrypted WireGuard Tunnel
        β”Œβ”€β”€β”΄β”€β”    β”Œβ”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”
     β”‚  β””β”€β”€β”¬β”€β”˜    β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜ β”‚
     β”‚     β”‚             β”‚      β”‚
     β”‚     └──┐OPNsenseβ”Œβ”€β”˜      β”‚
     β”‚        β”‚        β”‚        β”‚
     β”‚      β”Œβ”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”      β”‚
     └───────    LAN     β”œβ”€β”€β”€β”€β”€β”€β”˜ <-- Devices are all connected to same LAN interface
              β”‚        β”‚
        β”Œβ”€β”€β”€β”€β”€β”˜        └────┐                
        β”‚                   β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β” 
β”‚ Regular Devicesβ”‚ β”‚ VPNed Devices  β”‚ <--- Specific devices will be tunneled,
β”‚ (No VPN)       β”‚ β”‚ (VPN_HOSTS)    β”‚      routing is based on Source IP.
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

1. Configure & Enable WireGuard

The Njalla website provides the following details in a wg-njalla.conf file.
OPNsense cannot import tunnels from a conf file so we will enter it manually.

PrivateKey = uPRhasdWDxE12343qwagfasdfFeN66Pwuz7n0=
Address = fd03:1337::156/64,
DNS =, 2001:67c:2354:2::53
MTU = 1420

PublicKey = abc123uzZwKqkNkxP1P9A2Zw9H79cRjTZZlXL8+PrVM=
Endpoint =
PersistentKeepalive = 25
AllowedIPs =, ::/0

1.1 Add Remote Endpoint

Head over to VPN > WireGuard > Endpoints and add your provider's endpoint.
These are the settings from the [Peer] segment. You can chose your own name.


!!! Make sure to click Save again below the Endpoint list.

1.2 Add Local Configuration

Go to VPN > WireGard > Local and set the local WireGuard Configuration based on the [Interface] block.


!!! Make sure to click Save again below the Local list.

1.3 Enable WireGuard

Go to VPN > WireGard > General, tick Enable WireGuard and click Save


The List Configuration tab should now show something like this:

interface: wg0
  public key: uTfdV9DzjSyH3zth10qYVA82SV4FuITg/CGQ1fQOTw0=
  private key: (hidden)
  listening port: 51820

peer: abc123uzZwKqkNkxP1P9A2Zw9H79cRjTZZlXL8+PrVM=
  allowed ips:, ::/0
  transfer: 0 B received, 4.62 KiB sent
  persistent keepalive: every 25 seconds

Note that the WireGuard interface is called wg0.

2. Assign the WireGuard interface

Go to Interfaces > Assignments and assign the wg0 interface.
I named mine WAN_NJALLA


Then open the interface page and configure:


Click Save and Apply Changes

To make sure the Address and Gateway gets pushed to the interface, I had to restart WireGuard by disabling & enabling it again in VPN > WireGuard.
The address & gateway should then be visible under Interfaces > Overview like so:


3. Tweak WireGuard Gateway settings

Go to System > Gateways > Single and you will spot a new Gateway.
In my case it's called WAN_NJALLA_GW, named after the interface. Click edit.


Restart WireGuard and try again if you receive the following error:

Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.

4. Add firewall rules to route certain devices to the WireGuard Gateway

4.1 Create an Alias for devices to be tunnelled

Go to Firewall > Aliases and create a Hosts or Network alias for the devices you want to be tunneled through WireGuard.
I named my Alias VPN_HOSTS and entered a few hosts:


4.2 Create Firewall Rule to enforce tunneling

Go to Firewall > Rules > LAN and add a new rule:

Make sure this Rule sits before the "Default allow LAN to any rule" rule.

Rules Note: If your OPNsense is your DNS server, add a Rule for that traffic before the Tunnel rule as I did.

You should be used to clicking Save and Apply changes by now πŸ˜‰.

5. Add manual NAT rule for the WireGuard Interface

  1. Go to Firewall > NAT > Outbound.
  2. Select Hybrid outbound NAT rule generation at the top.
  3. Click Save and then click Apply changes.
  4. Click Add (top right)
  5. Change Interface to your WireGuard VPN Interface name. (In my case: WAN_NJALLA)
  6. Click Save
  7. Click Apply changes


πŸŽ‰ Boom! Your devices are now going through your WireGuard VPN!

Next steps

Questions or Comments can be sent to [email protected]

#opnsense #vpn #wireguard