OPNsense & WireGuard: Tunnel Devices through VPN
This page guides step by step how you can force local devices to be routed through a remote VPN server.
I'm a customer of Njalla VPN, but this should work with all WireGuard VPN providers.
I added a lot of screenshots, but this should only take about 15 minutes.
Requirements / Details
- OPNsense 21.1.2
- os-wireguard 1.4_1 (OPNsense plugin)
- A wireguard config file from your VPN provider
- Configure & Enable WireGuard
- Assign the WireGuard interface
- Tweak WireGuard Gateway settings
- Add firewall rules to route certain devices to the WireGuard Gateway
- Add manual NAT rule for the WireGuard Interface
Target end result
. ┌──────────────────────────┐ │ WWW │ └─────▲─────────────▲──────┘ │ │ │ ┌──────┴─────┐ │ │ Njalla VPN │ │ └──────┬─────┘ │ │ │ │ <--------- Encrypted WireGuard Tunnel ┌──┴─┐ ┌──────┴────┐ ┌──┤WLAN├────┤WLAN_NJALLA├─┐ │ └──┬─┘ └──────┬────┘ │ │ │ │ │ │ └──┐OPNsense┌─┘ │ │ │ │ │ │ ┌─┴────────┴─┐ │ └──────┤ LAN ├──────┘ <-- Devices are all connected to same LAN interface └─┬────────┬─┘ │ │ ┌─────┘ └────┐ │ │ ┌───────┴────────┐ ┌────────┴───────┐ │ Regular Devices│ │ VPNed Devices │ <--- Specific devices will be tunneled, │ (No VPN) │ │ (VPN_HOSTS) │ routing is based on Source IP. └────────────────┘ └────────────────┘
1. Configure & Enable WireGuard
The Njalla website provides the following details in a
OPNsense cannot import tunnels from a conf file so we will enter it manually.
[Interface] PrivateKey = uPRhasdWDxE12343qwagfasdfFeN66Pwuz7n0= Address = fd03:1337::156/64, 10.13.37.156/24 DNS = 184.108.40.206, 2001:67c:2354:2::53 MTU = 1420 [Peer] PublicKey = abc123uzZwKqkNkxP1P9A2Zw9H79cRjTZZlXL8+PrVM= Endpoint = wg006.njalla.no:51820 PersistentKeepalive = 25 AllowedIPs = 0.0.0.0/0, ::/0
1.1 Add Remote Endpoint
Head over to VPN > WireGuard > Endpoints and add your provider's endpoint.
These are the settings from the
[Peer] segment. You can chose your own name.
!!! Make sure to click Save again below the Endpoint list.
1.2 Add Local Configuration
Go to VPN > WireGard > Local and set the local WireGuard Configuration based on the
- The Peers option will auto-complete with the Name from the previous step.
- Enable advanced mode
- Tick Disable Routes
- For Gateway, I chose an IP in the same subnet as the Tunnel Address.
*Remember this Gateway IP for step 3.*
!!! Make sure to click Save again below the Local list.
1.3 Enable WireGuard
Go to VPN > WireGard > General, tick Enable WireGuard and click Save
The List Configuration tab should now show something like this:
interface: wg0 public key: uTfdV9DzjSyH3zth10qYVA82SV4FuITg/CGQ1fQOTw0= private key: (hidden) listening port: 51820 peer: abc123uzZwKqkNkxP1P9A2Zw9H79cRjTZZlXL8+PrVM= endpoint: 220.127.116.11:51820 allowed ips: 0.0.0.0/0, ::/0 transfer: 0 B received, 4.62 KiB sent persistent keepalive: every 25 seconds
Note that the WireGuard interface is called
2. Assign the WireGuard interface
Go to Interfaces > Assignments and assign the
I named mine WAN_NJALLA
Then open the interface page and configure:
- Tick Enable Interface
- Tick Dynamic gateway policy
- The other settings will be automatically configured by WireGuard
Click Save and Apply Changes
To make sure the Address and Gateway gets pushed to the interface, I had to restart WireGuard by disabling & enabling it again in VPN > WireGuard.
The address & gateway should then be visible under Interfaces > Overview like so:
3. Tweak WireGuard Gateway settings
Go to System > Gateways > Single and you will spot a new Gateway.
In my case it's called WAN_NJALLA_GW, named after the interface. Click edit.
- Change IP address from dynamic to the IP you entered in step 1.2
- Tick Far Gateway
- Untick Disable Gateway Monitoring
- Enter a Monitor IP, OPNsense will ICMP/ping to this IP to monitor health.
Some easy to remember IPs you can use: Google:
Restart WireGuard and try again if you receive the following error:
Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface.
4. Add firewall rules to route certain devices to the WireGuard Gateway
4.1 Create an Alias for devices to be tunnelled
Go to Firewall > Aliases and create a Hosts or Network alias for the devices you want to be tunneled through WireGuard.
I named my Alias VPN_HOSTS and entered a few hosts:
4.2 Create Firewall Rule to enforce tunneling
Go to Firewall > Rules > LAN and add a new rule:
- Change Source to your alias (in my case: VPN_HOSTS)
- Change Gateway to the VPN Gateway (in my case: WAN_NJALLA_GW)
Make sure this Rule sits before the "Default allow LAN to any rule" rule.
Note: If your OPNsense is your DNS server, add a Rule for that traffic before the Tunnel rule as I did.
You should be used to clicking Save and Apply changes by now 😉.
5. Add manual NAT rule for the WireGuard Interface
- Go to Firewall > NAT > Outbound.
- Select Hybrid outbound NAT rule generation at the top.
- Click Save and then click Apply changes.
- Click Add (top right)
- Change Interface to your WireGuard VPN Interface name. (In my case: WAN_NJALLA)
- Click Save
- Click Apply changes
🎉 Boom! Your devices are now going through your WireGuard VPN!
- Enforce a "kill-switch" so VPN_HOST devices don't fall back on WLAN gateway in case the WireGuard tunnel goes down.
- Make Unbound use the VPN connection (change Outgoing Network Interfaces option in Unbound)
Questions or Comments can be sent to [email protected]