This was a great tutorial, thanks a lot! For people with newer versions of OPNsense (Apr 2024), there are a few main differences:
- There will be two WireGuard plugins; use os-wireguard, not os-wireguard-go.*
- The "Local" tab is now called the "Instances" tab.
- The "Endpoints" tab is now called the "Peers" tab.
- On the "Edit Instance" form, you will need to click the cog to generate the keypair. It does not auto-generate on save anymore as described in the video.
Everything else is exactly the same (fields, buttons, configuration, etc.); just follow the video.
---
* As of October 2023, the "go" version is on a deprecation path and the code is being moved to the kernel version. According to Franco (core maintainer of OPNsense): "[...] the wireguard and wireguard-go plugins are no longer the same code base with go variant being old and deprecated [...]"
Great tutorial! Windows client works great, connects, and I can access my network. Android is sending and receiving handshakes fine, but it can't access anything on my network. Anyone got any suggestions?
Thanks, great guide. I managed to sort everything as per your tutorial. However, I cannot ping any hosts on the LAN (192.168.1.x). My tunnel IP is 10.0.0.15/32. Am I missing something?
Followed step by step. I can establish a connection, I can ping and nslookup things with my Pi-hole at the house showing as the server, but I can't browse anything on the web.
Just wanted to say I tried this a few times and each time couldn't get it to work. Your video was so clear and concise I got it working on the first shot. Subscribed!
I agree with the rest of the comments. This is hands down the best video and explanation of setting up wireguard on OPNsense FW that I have ever seen. Thank you for taking the time to not only show us how to do the setup, but you explain why we set the things we need to and what the ramifications are. Thank you.
Thank you so much for the video! All of this still works; the only difference is that now, in OPNsense v23.7.7_3, the WireGuard tabs are "Instances" instead of "Local" and "Peers" instead of "Endpoints".
This is a great tutorial, however I cannot ping any hosts behind the LAN from the WireGuard VPN. Everything checks out OK as per your guideline. Anything else I'm missing?
The best video. You're the only one that provides a short description of what each config field means in a practical sense, as well as the different results of the different settings you could use. Much better than blindly following someone's config, which leads to difficulties troubleshooting for a non-network person.
I completely agree. This is the most direct and informative tutorial I've seen after watching many others. It even worked on v23, with just a few menu differences in the WireGuard config tabs.
Good sir - I recently discovered a problem where I don't have internet access when connected with either my laptop or iPhone. I suspect it's a firewall rule or NAT configuration problem. There are only 100 different Reddit posts about it, but I can't seem to get it to work. Any insight is appreciated! Thanks!
I figured it out. I followed the doc from OPNsense, but in the process of reading other people's problems I removed the DNS entry for the client. It now works properly! Thanks!
This video just helped me finally get WireGuard set up properly! I just started learning basic Linux and networking stuff about two weeks ago, and this was one of my goals - to set up my own VPN and cancel my SurfShark subscription. Thanks for the support in reaching this goal :)
Hi there - So Allowed IPs acts as a filter or access-list, which tells the wireguard config what IP addresses will be allowed over the tunnel. So on the firewall side, I set Allowed IPs to 10.50.50.15 for example - since that's the VPN address I am assigning to the client. On the client side, however, I set Allowed IPs to 0.0.0.0/0. This tells the client to forward ALL traffic to all destinations over the tunnel. The client DNS IP addresses are whichever DNS servers you would like the client to use when it's connected to the wireguard VPN. In my case, I have DNS servers that are hosted on the server side behind the firewall. So I wanted the clients to use those DNS servers once they connect to the VPN. For the client addresses, I used the 10.50.50.0/24 subnet. This can be any RFC1918 address space that you want it to be - so long as it doesn't overlap with anything used by the firewall. These addresses are only used to connect the client to the wireguard VPN server. Hope that helps!
Yeah by default it should be able to reach the LAN. Whatever the client has set for AllowedIPs is what will be forwarded over the VPN. So 0.0.0.0/0 would include everything, LAN too.
@0x2142 OK, thanks. I also have a site-to-site WireGuard tunnel between two OPNsense boxes. Is it possible for the client to cross the other site-to-site VPN and connect to the other site?
Just looking to set this up and came across this video. Main differences: there are two packages available to install, WireGuard and WireGuard GO. I installed the first only to get a warning that the software was deprecated and due to be discontinued after 2023. As it's 2024, I installed the GO version. Both resulted in an interface with only 3 tabs instead of the 5 shown in this video.
Thank you for this very detailed video! Can this procedure also be extended to set up a WireGuard site-to-site connection with OPNsense? Or do I just have to perform the same interface and firewall settings on the "client OPNsense" device to make it work?
Yup - I haven't done that specific config yet, but my understanding is that you would just mirror the OPNsense config on both firewalls, then have each device add the other as a peer rather than the client devices.
Hey! So I'm running into an issue where the client can connect and access the firewall GUI but nothing on the LAN. My clients are in full-tunnel mode. In the wg logs I see this: "Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '10.59.59.1/24' -interface 'wg1'' returned exit code '1', the output was ''" Do you know what could cause this?
I had been trying to get WireGuard set up on my new install of OPNsense, and it had been a while since I had done it before. This video nailed it. Thanks.
Can you make a client on your router use WireGuard without installing the WireGuard client? That was something you could do on consumer routers that I liked.
Hey! What a great tutorial, congrats on that. I have one question: do you need to have a public IP from your ISP for this tutorial to work? Or could I just use some DDNS service to bypass that? Currently I don't have a public IP address from my ISP. TIA
Hey there, thanks for the comment! So to clarify - do you not have a public IP at all, or just not a static address? If you have a dynamic IP, then yeah you can use a DDNS service to update your public IP. That's how I've got mine set up now at home. If you don't have a public IP address at all, and you're getting a NAT from your ISP - then it may not work (or require a bit more setup).
@0x2142 Thanks for the reply. I'm a network newbie. I tried with DuckDNS (it showed a cached IP, sometimes green, sometimes red). When I try to connect from the WireGuard app, it shows "sending handshake initiation" but gets no response. When I'm in my house (same network) it connects successfully, so the WireGuard tunnel is OK, I think. Could you please guide me on whether I need to configure extra firewall rules or something else to achieve the connection via a DDNS server? How do I know if I have NAT from the ISP or a dynamic IP? Thanks!
Great video, thank you. Shouldn't there be a firewall rule on the WG1 interface to allow traffic to the LAN subnets? Without it I couldn't even ping the VPN headend IP.
Hello there - Thanks for the comment! Yes, there should be firewall rules on the WG1 interface - depending on what traffic you want to allow. In the video, I did create a rule to allow all traffic: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-b58PpuIsQ3A.html
I use my Proxmox host and set up a Debian 11 container with WireGuard on it. Now I can access my home network behind CG-NAT with my smartphone connected to the LTE mobile network. Thanks to IPv6.
Hello! Thanks for your video! But I had some problems... I followed your tutorial exactly, but the handshake between the client and OPNsense is not completed. Has this ever happened to you?
I want to use an ASUS router as the server and OPNsense as the client (P2P). I can't find any video on how to set this up. I have managed to make a connection between the routers. Now I need to set the correct rules and maybe even a gateway for it to work properly. Any suggestions?
Hmm, not sure why this isn't working for me. For some reason the WireGuard service in OPNsense does not start. I've reinstalled the WireGuard plugin and retried this guide many times, but still no joy. Any suggestions? Thank you
Hello - It's kinda the same, just depending on what you intend to accomplish. Looks like Mullvad is a generic VPN provider that focuses on securing your traffic to the internet - and they happen to use WireGuard to accomplish that. In my video, I focus on setting up a WireGuard VPN to a firewall - primarily for remote access back to a home or corporate network. So if you're looking to access home network resources, then you might need to follow a similar process to what I shared. But if you are just looking to have secure / private internet access, then the Mullvad VPN will work just fine. Hope that helps!!
Thank you for the tutorial. I had a WireGuard setup previously that used a DuckDNS domain name to update my public IP every time my ISP changed it. Do you know if that is possible with the OPNsense add-on as well? Cheers, Martin
Hello! Yes, my setup is fairly similar to that. I am using Wireguard on OPNSense, with a dynamic DNS entry for my public IP. OPNsense has a built-in dynamic DNS plugin, and it looks like it does support duckdns.
@0x2142 Awesome. Thanks for the quick reply. I have set up the DuckDNS dynamic DNS; I just wasn't sure if that gets passed on to the WireGuard add-on, because nowhere in the setup is there a reference to the dynamic DNS domain (or I missed it). Will do some playing around and see if it works. Thanks
Ahh okay. Yeah wireguard just gets enabled on the public-facing interface. It doesn't care about the IP or domain name, so there isn't anywhere to configure that in OPNsense.
The best way would be to adjust the client configuration. For example if you had a server at 10.10.10.2 - the client's allowedIPs field should be set to 10.10.10.2/32. This would mean only traffic to that one address would be sent over the VPN.
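To make the AllowedIPs behaviour described in the replies above concrete (the firewall side setting a /32 per client, the client side choosing 0.0.0.0/0 for a full tunnel or a single /32 such as 10.10.10.2/32 for split tunnelling), here is an added example that models WireGuard's cryptokey routing table in Python. It is not code from the video, from OPNsense, or from WireGuard itself; the peer names and all addresses are made up for illustration, and nothing here touches a real interface.

```python
"""Model of WireGuard's cryptokey routing (the AllowedIPs table).

Constructed example, not WireGuard's own code. Peer names and addresses
are invented; it only reproduces the lookup rules so the effect of an
AllowedIPs value can be checked without a live tunnel.
"""
import ipaddress
from typing import Dict, List, Optional


class CryptokeyRouter:
    """A minimal model of one WireGuard interface's AllowedIPs table.

    Outbound: the destination is matched against every peer's AllowedIPs
    by longest prefix; the winning peer receives the packet. No match means
    the packet is not sent over the tunnel at all (on a client it stays on
    the normal routing table).
    Inbound: a packet decrypted from peer P is accepted only if its source
    address maps, by the same lookup, to P. Anything else is dropped, so a
    client cannot inject packets claiming another client's tunnel address.
    """

    def __init__(self) -> None:
        self._table: Dict[str, List[ipaddress._BaseNetwork]] = {}

    def add_peer(self, name: str, *allowed_ips: str) -> None:
        nets = [ipaddress.ip_network(a, strict=True) for a in allowed_ips]
        # WireGuard keeps each exact AllowedIP on at most one peer: giving it
        # to a new peer silently removes it from the peer that had it before.
        for other, other_nets in self._table.items():
            if other != name:
                self._table[other] = [n for n in other_nets if n not in nets]
        self._table.setdefault(name, []).extend(nets)

    def peer_for(self, address: str) -> Optional[str]:
        """Longest-prefix match of an address against all peers' AllowedIPs."""
        ip = ipaddress.ip_address(address)
        best, best_len = None, -1
        for name, nets in self._table.items():
            for net in nets:
                if ip.version == net.version and ip in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def accepts_inbound(self, from_peer: str, src: str) -> bool:
        """Inbound source check: the source must belong to the sending peer."""
        return self.peer_for(src) == from_peer


def firewall_side() -> CryptokeyRouter:
    """The OPNsense instance: one /32 per client, matching the tunnel address
    assigned to that client (example addresses, not a real deployment)."""
    r = CryptokeyRouter()
    r.add_peer("laptop", "10.50.50.15/32")
    r.add_peer("phone", "10.50.50.16/32")
    return r


def client_side(full_tunnel: bool) -> CryptokeyRouter:
    """A client: 0.0.0.0/0 sends everything to the firewall peer; a single
    /32 sends only traffic for that one host over the tunnel."""
    r = CryptokeyRouter()
    if full_tunnel:
        r.add_peer("firewall", "0.0.0.0/0")
    else:
        r.add_peer("firewall", "10.10.10.2/32")
    return r


if __name__ == "__main__":
    fw = firewall_side()
    print("server sends 10.50.50.15 to:", fw.peer_for("10.50.50.15"))
    print("server accepts 10.50.50.16 from laptop:",
          fw.accepts_inbound("laptop", "10.50.50.16"))
    full = client_side(True)
    print("full tunnel, 8.8.8.8 goes to:", full.peer_for("8.8.8.8"))
    split = client_side(False)
    print("split tunnel, 8.8.8.8 goes to:", split.peer_for("8.8.8.8"))
```

Running it shows why a client that cannot reach the LAN should first check its own AllowedIPs: with a single /32 in the table, any LAN destination outside that prefix returns None and never enters the tunnel, while the firewall's per-client /32 is also what makes it drop inbound packets whose source does not belong to the sending peer.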
It's hard to find good OPNsense stuff. I'm happy you did this. I'd love to chat sometime, as I'm new to WG myself and I'm trying to get a few things set up that I can't find tutorials for, like URL > IP but internally only, a WAF, and hardening my security to host games and apps without having to worry about bad guys, as I have HTTPS and redirects.
Hello. Thank you for this video. I've got one question: is it possible to set up OPNsense so that it connects to a VPN provider as a client? So that all of the devices in my network will automatically use the VPN connection? I've searched so many times, but I've only found tutorials on how to set up OPNsense's WireGuard as a VPN server, not as a client to an external VPN provider.
Hi there - In the video I do show configuration for the VPN server & VPN clients. If you were looking to connect to a different external VPN provider, they would need to support WireGuard - which is a different protocol than traditional IPSec VPNs. So there isn't any native compatibility there.
Thank you for this tutorial. It is very comprehensive and it worked at once. The only issue I am currently facing is that on some Windows clients (0.5.3) the WireGuard client does not connect (no handshake). I also tried Wireshark to capture any packets, but upon WireGuard client activation, not a single packet is transmitted. Any idea why this is happening?
Hmm - I haven't seen that on my Windows clients yet, and they are running the same version. With the pcap, I wonder if perhaps something else on the PC is blocking the traffic?
Amazing how unintuitive this is. Of course anyone can follow the guide and get it running. But why not make it quick and easy to do? I have WireGuard running in Unraid. It's literally 4-5 clicks in the GUI to install and set up. Then download the configuration file and import it into the Windows client, or scan a QR code if a phone is the client. That's all it takes!