
Securely Access Your Home Network with WireGuard VPN on OPNsense 

Home Network Guy

If you wish to access apps, services, and other devices on your home network remotely, you may set up a VPN server on your network.
#OPNsense includes options for IPsec, OpenVPN, and WireGuard VPN. In this video, I will be demonstrating how to set up WireGuard VPN using the latest version of OPNsense and WireGuard. I will also show how to access a hosted web app behind the virtualized instance of OPNsense I am running, which should mimic accessing your home network remotely.
Since OPNsense has updated its WireGuard web interfaces to include a peer generator, setting up WireGuard on OPNsense has never been easier!
For a written version of this guide, please visit:
homenetworkguy...
Chapters:
00:52 Set up the WireGuard VPN instance
03:05 Adding peers/clients via the peer generator
06:48 Set up a Linux WireGuard client
10:57 Save the generated peer configuration
12:16 Enable WireGuard instance
12:38 Assign WireGuard interface
13:53 Creating firewall rules for the WireGuard interface
16:44 Create firewall rule on the WAN interface
18:41 Testing the WireGuard client connection
22:00 Creating a firewall rule for an example hosted web app
EP52

Published: Sep 15, 2024
Comments: 62
@J_xoshh 1 month ago
I just wanted to say thank you for the OPNsense videos. I've been getting more involved with getting my home network more complex and you've been a huge help, I haven't had any hiccups *yet*
@homenetworkguy 1 month ago
You’re welcome! Glad it has helped in your journey! Also it goes beyond just making things more complex (making things more complex without good reason is not always very helpful). Gradually increasing overall complexity while also attempting to minimize complexity where it’s not necessary can be tough to balance. If you work to slowly improve upon it over time, it can be both stable and relatively easy to maintain.
@LtColDavenport 1 month ago
One of the videos I was still waiting for! Already set it up on my own, but I will gladly watch this in order to see if I did make it right!!
@homenetworkguy 1 month ago
I'm glad the wait is over! haha. I've been wanting to do a video on it for a while and thought it was a good time to do one since I updated the written version of my guide not long ago to get it up to date with the latest updates to WireGuard in OPNsense. Hopefully the demonstration on accessing an internal web app externally via the WireGuard VPN is useful since it shows a bit more of what you can do once you have the VPN configured.
@gamegoose1 27 days ago
What a video man 👏 I've been trying to set up my OPNsense vault and both your videos and written guides have been a life saver. Thanks!
@homenetworkguy 27 days ago
Thanks! I’m glad it was helpful!
@intangiblesloth 1 month ago
Thanks for all your videos. Helped my partner and me set up our badass network 😎
@homenetworkguy 1 month ago
You’re welcome! I’m glad it helped you create an awesome network! Haha
@JasonsLabVideos 1 month ago
NICE! I see a QR code now for easy fast setup on mobile devices!! Nice work sir!
@homenetworkguy 1 month ago
Thanks! I updated my written guide a while ago but hadn't done any WG videos on OPNsense yet so I figured it would be a good time to do one since they now include the peer generator which makes things much easier to set up.
@TheRealSebastian583 19 days ago
Thumbs up! Great video. One thing you could also mention is the NAT. I have manual NAT rule creation - everything in my local network worked but getting out to the internet did not. Then I remembered that I had this on manual and added a matching rule there. Just in case anybody else stumbles across that.
@homenetworkguy 19 days ago
Thanks! Yeah, I didn’t think about if you changed the default settings. I have more info about outbound NAT on my website guide. You could probably use Hybrid for outbound NAT so it would still generate the interface NAT rules but you can still create your own NAT rules. However, you may have a good reason to manually define all of your outbound NAT rules.
@kronosg13 1 month ago
Tailscale wins for me but it's great to have a video for WireGuard anyway! Great job!
@homenetworkguy 1 month ago
Thanks! I mostly only connect my phone to my home network via WireGuard so it's not a lot of effort to set up WG so I can connect directly to my home network. I know a lot of people love the ease of use of Tailscale.
@dustarian 1 month ago
Somehow I had a ton of issues with Tailscale on my NAS, so I switched to WireGuard on my UDM SE, never encountered any problems since... I'm not saying that Tailscale is bad, loved it while it worked but once there's a problem, it's kinda hard to fix...
@homenetworkguy 1 month ago
Yeah, I just like the simplicity of connecting a small number of clients directly to my home network. Once I got WG set up, it always just works.
@d4n3sh 21 days ago
Good walkthrough. Thanks
@homenetworkguy 21 days ago
Thanks!
@tx_slim_tx 1 month ago
Is it possible to get a Full Tutorial on OPNsense Dynamic ISP Network (bare metal) with server (bare metal) Proxmox - Ubuntu(VM) - Docker/Portainer, Cloudflare DDNS, Wireguard, Nextcloud secure installation/setup? I might not be able to fund the video but would definitely donate a handful of coffees. I get lost trying to combine all of your videos together 😂.
@homenetworkguy 1 month ago
Haha no problem! I understand. It’s hard to find a good balance of real world examples that fit in a reasonable amount of time for a video (sometimes I get criticized for including too many details/caveats/tangents so I have been trying to minimize that- it’s difficult to avoid). I definitely prefer to do real world homelab examples rather than short one off guides because you can see many concepts come together and can help make the concepts click. I have more of those type of videos planned (various OPNsense builds along with some switch/AP configurations) so I’m thinking maybe I could sneak some Proxmox in there as well since I have yet to combine my full network builds with a Proxmox server build in the same videos (or written content).
@JoJ0TheHoBo 25 days ago
Quick question, if I was wanting to connect over WG to my Jellyfin server could I just add a rule above the privatenetwork invert that allows connections from WG Net to the specific Jellyfin IP and be generally okay security wise?
@homenetworkguy 25 days ago
Absolutely! Once you’re connected securely via WG, you can safely connect to anything on your network! On my network I can connect to my IP cameras that are on an isolated VLAN that doesn’t allow access to the Internet and it works great!
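A simplified model of the rule layout discussed in this thread, as an added example that is not from the video or its written guide: a narrow pass rule for one host sits above the inverted private-networks rule that gives VPN clients internet-only access. The addresses, the restriction to TCP port 8096 and the first-match, default-deny evaluation are assumptions of the sketch.

```python
import ipaddress

# Addresses and port are constructed for illustration (assumptions, not from the page).
WG_NET = "10.10.10.0/24"           # WireGuard tunnel network
JELLYFIN = "192.168.20.15/32"      # hypothetical Jellyfin host
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918 alias

def rule(action, src, dst, invert_dst=False, proto="any", port=None):
    """Build one rule; dst is a list of networks, optionally inverted."""
    return dict(action=action, src=ipaddress.ip_network(src),
                dst=[ipaddress.ip_network(n) for n in dst],
                invert_dst=invert_dst, proto=proto, port=port)

def matches(r, src, dst, proto, port):
    in_dst = any(ipaddress.ip_address(dst) in n for n in r["dst"])
    return (ipaddress.ip_address(src) in r["src"]
            and in_dst != r["invert_dst"]      # inverted: match everything NOT in dst
            and r["proto"] in ("any", proto)
            and r["port"] in (None, port))

def evaluate(rules, src, dst, proto, port):
    """Simplified model: first matching rule wins, no match means default deny."""
    for r in rules:
        if matches(r, src, dst, proto, port):
            return r["action"]
    return "block"

# Internet-only access for VPN clients: pass to anything that is not a private network.
INTERNET_ONLY = [rule("pass", WG_NET, PRIVATE, invert_dst=True)]
# Same ruleset with one narrow rule placed above it for the single internal host.
WITH_JELLYFIN = [rule("pass", WG_NET, [JELLYFIN], proto="tcp", port=8096)] + INTERNET_ONLY

def demo():
    """Return (internet-only verdict, with-narrow-rule verdict) for four probes."""
    client = "10.10.10.7"
    probes = [("192.168.20.15", "tcp", 8096),   # the allowed service
              ("192.168.20.15", "tcp", 22),     # same host, other port
              ("192.168.20.16", "tcp", 8096),   # neighbouring host
              ("1.1.1.1", "udp", 53)]           # public internet
    return [(evaluate(INTERNET_ONLY, client, *p), evaluate(WITH_JELLYFIN, client, *p))
            for p in probes]

if __name__ == "__main__":
    for verdicts in demo():
        print(verdicts)
```

Only the first probe changes from block to pass when the narrow rule is added; the rest of the private address space stays closed to the VPN clients.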
@ZombieLurker 1 month ago
I need some more ideas of what to setup in my Proxmox lab. I'm the only one on my network, so haven't really had any reason to need a separated lab network yet, besides VLANs. I'm caught up on all my smaller projects and want to start learning more security related things, so a separate network for that would probably be smart. Have you done an overview video on everything you have set up in your own lab yet? That would be cool to see, so I can steal some of your ideas. Haha.
@homenetworkguy 1 month ago
Haha yeah that could be interesting, but the funny thing is that I still have a lot of things in flux on my LAB VLAN because that’s where I try out several things. I’ve been meaning to establish a few things to be more permanent fixtures for that network. I’m working on building 2 test rackmount clients for speed testing devices, for instance. I do have one of my Proxmox nodes dedicated to testing as well. It has some OPNsense VMs as well as a few Linux VMs I can use as clients for testing. I have a few other containers I use to demonstrate setting up example apps/services on the network. I do have some more project ideas I’m working on for some videos soon too. I think I’m going to focus more on those type of videos than a basic setup of a specific feature because I like showing real world examples (likely more useful for learning and idea purposes).
@frankenjeda 1 month ago
Thank you so much for this video. Please could you also make a video for OpenVPN on OPNsense?
@homenetworkguy 1 month ago
Glad you enjoyed the video! It would be possible to do OpenVPN but not sure when I would get to it because I have a lot of other project videos I want to do soon. It means more OPNsense builds to show different types of configurations!
@Kyonkun77 1 month ago
Thank you very much for the video. I followed the steps and, after adding a rule in the firewall for WireGuard -> WAN, I was able to connect to the internet. Now, this afternoon, I've tried again and no internet and looks like no handshake. There have not been any changes since this morning and suddenly it has stopped working. Any idea why?
@homenetworkguy 1 month ago
The only thing I can think of is that your WAN IP address has changed since you first set up your WG connection. Once I have mine set up, I’ve never had issues connecting to it after that unless my public IP address is out of date.
@YasarHabib 11 days ago
Is there a way to use WireGuard on the same network to access the management vlan? I have my laptop connected to the AP (USER VLAN 20) - but I can't access the opnsense webgui since that is on a separate management vlan
@homenetworkguy 10 days ago
Are you trying to use WireGuard on your internal network to access your OPNsense web UI on the management VLAN? Or do you mean when you connect remotely to your network via WireGuard? If you’re connected to your local network on VLAN 20, you just need to create a firewall rule on the VLAN 20 interface in OPNsense to allow access to your OPNsense web UI.
@YasarHabib 10 days ago
@homenetworkguy Thanks for the quick response! I'm connected to my local network on VLAN20 and trying to access the Management VLAN for network infrastructure. I was able to do this with Firewall Rules, but want to be able to do it with WireGuard (on my local network) so I don't allow the VLAN20 untethered access to the management vlan.
@homenetworkguy 10 days ago
If you only want a single device on VLAN20 to access your management network, you should use a static IP address for that device and make the source for the firewall rule only allow that single IP. That’s what I used to do for one of my PCs until I dedicated a Raspberry Pi (and soon to be a Radxa X4 instead) to manage devices on my management network (so I don’t have to open holes into my management network). That solution is more simple than using WireGuard on your internal network. I’ve had trouble using WireGuard on internal networks (for testing purposes) because you have to be careful how you route traffic
@YasarHabib 10 days ago
@homenetworkguy That makes a lot of sense. Even though this is for my home network, I want to learn and follow best practices. Looks like I have use for my old Raspberry Pi 3B! Do you run the dedicated Raspberry Pi headless and remote into it? Do you have a video I can refer to setting that up?
@homenetworkguy 10 days ago
I have a Raspberry Pi 5 and run Ubuntu desktop on it because most of my management interfaces have web UIs. I do use SSH to get into all my servers as well. Performance of the 3B for a desktop environment will be more limited. I have the RPi connected to a KVM so I can switch between my main desktop PC and my RPi when I want to manage my network. I haven’t done anything special on the Raspberry Pi other than set up a few web browser bookmarks. I’m working on setting up a Homepage dashboard to have all the links I typically access but on a nicely organized web interface. It keeps getting put on the back burner though. Haha.
@deniswalks 1 month ago
Is it possible to make a WG connection to OPNsense, that’s connected via WG to another site?
@homenetworkguy 1 month ago
Ohh yeah. Site to site WG. I haven’t tried that yet but I would like to demonstrate how at some point.
@deniswalks 1 month ago
@homenetworkguy hope to see it in your way!
@christianhoffmeister8959 27 days ago
Hi, I have configured my OPNsense and WireGuard from your video, but I have some issues. I have 2 internal DNS servers, 10.1.10.252 and 10.1.10.251. I can ping both but I can't resolve the names and I can't connect to the internal server by the DNS name. Can you tell me what I am doing wrong or what I have to do?
@homenetworkguy 27 days ago
Did you configure your WireGuard peers to use those internal DNS servers? You also need to make sure your firewall rules allow access to the DNS servers for your WireGuard network.
@christianhoffmeister8959 23 days ago
@homenetworkguy I have configured the clients to use it like this:
[Interface]
PrivateKey = IBUjY/fzuec6xxxxxxxxxxxxxxxx
Address = 10.10.10.7/32
DNS = 10.1.10.251,10.1.10.252
[Peer]
PublicKey = zgcYen5mPNXXexxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxx.xxx.xxx.xxx:51820
For testing I have created the rules with any to any. I can browse the internet but internal DNS lookup doesn't work.
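The client-side half of the check suggested in the reply above, as an added example that is not from the video or its written guide: it parses a wg-quick style config and lists DNS servers that no AllowedIPs entry would route into the tunnel. The sample is constructed from the config quoted in this thread, with placeholder keys and a placeholder endpoint.

```python
import ipaddress

# Constructed sample modelled on the client config quoted in the thread;
# the keys and the endpoint are placeholders, not real values.
SAMPLE = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.10.7/32
DNS = 10.1.10.251,10.1.10.252

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
"""

def parse_wg_conf(text):
    """Return (interface, [peer, ...]); each maps a lowercased key to a list of values."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            current = iface
        elif line.lower() == "[peer]":           # several [Peer] sections are allowed
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # split once: base64 keys end in '='
            current.setdefault(key.strip().lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return iface, peers

def dns_not_routed(text):
    """List DNS server IPs that no peer's AllowedIPs would send into the tunnel."""
    iface, peers = parse_wg_conf(text)
    nets = [ipaddress.ip_network(a, strict=False)
            for p in peers for a in p.get("allowedips", [])]
    missing = []
    for entry in iface.get("dns", []):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue                             # non-IP entries are DNS search domains
        if not any(addr.version == n.version and addr in n for n in nets):
            missing.append(entry)
    return missing

if __name__ == "__main__":
    print(dns_not_routed(SAMPLE))
```

With the full-tunnel AllowedIPs from the thread the list is empty, so the client does send DNS queries into the tunnel and the firewall rules for the WireGuard network are the remaining thing to check; a split-tunnel AllowedIPs that omits 10.1.10.0/24 would list both servers.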
@SonicNinja6600 1 month ago
After following a bunch of guides, this was the one that worked for me. Thanks for the guide. Only issue I'm running into is trying to access my TrueNAS SMB share from the WireGuard connection. I made a rule to allow access to its IP but it keeps failing to connect. Do I need to do something different to get an SMB share to work?
@homenetworkguy 1 month ago
I’m glad my guide worked! It’s good confirmation I didn’t accidentally miss any steps in the video. As for SMB, did you allow specific ports for SMB or all ports? Also in TrueNAS, make sure you don’t have the share limited to specific IP/network address ranges (or update them to include the WireGuard network IPs).
@SonicNinja6600 1 month ago
@homenetworkguy I haven't messed with any network settings in TrueNAS other than setting a static IP and made 2 SMB shares. I looked at Network
@homenetworkguy 1 month ago
What ports did you allow in the firewall rules? TCP or UDP or both? “Any” would work but it’s better to use specific ports. Typically there is more than one port that needs opened for SMB/NFS shares. I’d have to look up the port numbers and protocol for each port for SMB. Don’t have it memorized off the top of my head.
@SonicNinja6600 1 month ago
@homenetworkguy I have it set for both TCP/UDP and "any" for ports. I have the same setup for another rule for my Docker IP and can access services like Jellyfin and Dashboard just fine.
@alexzan1858 1 month ago
@SonicNinja6600 "any" ... ooof
@Ykhavari 1 month ago
What would be the difference between this and tailscale? I currently use tailscale
@homenetworkguy 1 month ago
I haven't used Tailscale but I have looked into it briefly a few times. I believe some differences are you have to create a cloud account and use their Tailscale coordination server that all of the nodes communicate with. I believe it can be self-hosted. I realize Tailscale makes the process easy because it can traverse through NAT firewalls easier, etc. For my needs, connecting 3-4 devices to my OPNsense WireGuard VPN is easy enough especially once it is set up because I never have to touch it. 99% of the time I only connect to my home network with my phone so I only really need that one connection set up. I have other devices like iPads set up with WireGuard so if I am traveling, I can connect back home when I need to be on an untrusted network.
@slybunda 22 days ago
way overly complicated to get wg working
@homenetworkguy 22 days ago
Why is that? I’m showing more than just setting up WG itself. I’m showing how to open up access to internal parts of your network so you can remotely access anything on your network when you are away from home.
@tjjenkin42 16 days ago
@homenetworkguy that is exactly what I need and I have bookmarked this video!! I have tried and failed many times to make this work and I appreciate this!!!