WireGuard is the new kid on the block when it comes to VPNs. It was designed around a small, fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing) instead of the negotiable cipher suites older VPNs carry, it is faster than OpenVPN and, once you get your head around it, it is actually quite simple to set up.
There will be spelling mistakes, grammar errors and various other issues within this post. I write them as howto guides for me, and post them because they might help someone.
I make no profit from this blog, I make no money, I take nothing from vendors.
While WireGuard will install on almost all the main operating systems out there, if you're not familiar with the command line it can be a little difficult to set up. In this guide I will go over how to use OPNsense and its web GUI to set up a homelab WireGuard VPN.
So what is OPNsense?
OPNsense is an open source, FreeBSD-based firewall and routing software developed by Deciso, a company in the Netherlands that makes hardware and sells support packages for OPNsense. It is a fork of pfSense, which in turn was forked from m0n0wall, which was built on FreeBSD. It was launched in January 2015.
What is a "RoadWarrior" VPN?
A road warrior VPN, for this blog's purposes, is one where multiple endpoint devices (laptops, phones) connect to a single VPN server to gain access to services inside a LAN. This tutorial doesn't cover connecting a site-to-site WireGuard VPN; if you would like to know how to do that there are links at the end of the post.
Setting up OPNsense
The assumption for the installation is that you'd be testing this out in a virtual machine, however it is also possible to download a .img file to create a USB stick installer (use etcher.io).
To download OPNsense head over to https://opnsense.org/download/
This will bring up a fairly simple download screen.
Select the correct architecture and the image type: vga if you are going to write it to a USB stick and boot from that, dvd if you'd like an ISO to boot a virtual machine from. Then choose a local mirror; this downloads a .bz2-compressed image.
Confirm the Download
If recent supply chain incidents with Linux Mint and SolarWinds have taught us anything, it's that it's worth checking that what has been downloaded is what was uploaded.
The confirmation steps are optional, however they are recommended if you are going into a production-type environment. They are outlined here.
The OpenSSL tool is used for file verification. Four files are needed:
- The bzip compressed ISO file (<filename>.iso.bz2)
- The SHA-256 checksum file (<filename>.sha256)
- The signature file (<filename>.sig)
- The OpenSSL public key (<filename>.pub)
These files can be downloaded from one of the download mirrors. To download them:
- Go to the OPNSense download page.
- After selecting a mirror, right click the download button and click “open in new tab”.
- A popup will appear asking if you want to download the image. Say “no” for now.
- Remove the file name after the last slash in the URL bar, and press enter. This will take you to the directory listing for that mirror.
For example, if you wanted to download from the US East Coast mirror:
Opening the link in a new tab would take you to this link:
You should take off the file name at the end, like this:
The OpenSSL public key is what the signature is verified against. This file is also on the mirror directory listing page, however you should not trust the copy there on its own: whoever controls a mirror can replace the image, the signature and the key together, and the signature would still check out. Download it, open it up, and verify that the public key matches the one from other sources. If it does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle attack. Some other sources to get the public key from include:
- https://pkg.opnsense.org (/<HardenedBSD version & architecture>/<release version>/sets/changelog.txz) (lands signed and verified in the GUI of the running software)
Note that only release announcements with images (typically all major releases) contain the public key. For example, 18.7 would have a copy of the public key in the release announcement, but 18.7.9 would not.
Once you have downloaded all the required files and a copy of the public key, and verified that the public key matches the public key from the alternate sources listed above, you can be relatively certain that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the names in brackets for the files you downloaded):
openssl base64 -d -in <filename>.sig -out /tmp/image.sig
openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2
Make sure to change the “img” to “iso” in the second line if you downloaded a different installer type.
If the output of the second command is “Verified OK”, your image was verified successfully, and you can install it. If it has any other output, you may have made an error using the commands, or the image may have been compromised.
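The two commands above wrapped in a function, as an added example (this is not from the post or the OPNsense project), plus a check of the .sha256 file the post lists but never uses. Because a real download cannot be fetched here, make_fixture builds constructed stand-in files (a throw-away RSA signing key, a fake image, its .sha256 and a base64 .sig in the same layout as the mirror's); with real downloads the .pub is the one you cross-checked against the sources above, not the mirror's copy alone.

```shell
#!/bin/sh
# Added example (not from the post or the OPNsense project): the verification
# above as a function, plus a check of the .sha256 file. make_fixture creates
# constructed sample data so the script runs offline.
set -eu

# verify_image IMAGE SIG PUB [SHA256FILE]
# Succeeds only if the base64 .sig verifies under PUB and, when a checksum
# file is given, the SHA-256 listed for IMAGE's file name matches its bytes.
verify_image() {
  image=$1; sig=$2; pub=$3; sums=${4:-}
  rawsig=$(mktemp)
  # The mirror's .sig is base64 text; openssl dgst wants the raw signature bytes.
  openssl base64 -d -in "$sig" -out "$rawsig"
  if ! openssl dgst -sha256 -verify "$pub" -signature "$rawsig" "$image" >/dev/null 2>&1; then
    rm -f "$rawsig"
    echo "signature does NOT verify for $image" >&2
    return 1
  fi
  rm -f "$rawsig"
  if [ -n "$sums" ]; then
    # Accept the BSD form "SHA256 (file) = hex" and the GNU form "hex  file".
    want=$(grep -F "$(basename "$image")" "$sums" | grep -o '[0-9a-f]\{64\}' | head -n 1)
    have=$(openssl dgst -sha256 "$image" | sed 's/^.*= //')
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
      echo "SHA-256 mismatch for $image (expected '$want', got '$have')" >&2
      return 1
    fi
  fi
  echo "Verified OK: $image"
}

# make_fixture DIR: constructed stand-in for a mirror download (sample data,
# not a real OPNsense release).
make_fixture() {
  dir=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/signing.key" 2>/dev/null
  openssl pkey -in "$dir/signing.key" -pubout -out "$dir/opnsense.pub" 2>/dev/null
  printf 'not really an OPNsense image\n' > "$dir/image.iso.bz2"
  # OPNsense publishes BSD-style checksum lines: SHA256 (file) = hex
  printf 'SHA256 (image.iso.bz2) = %s\n' \
    "$(openssl dgst -sha256 "$dir/image.iso.bz2" | sed 's/^.*= //')" > "$dir/image.sha256"
  openssl dgst -sha256 -sign "$dir/signing.key" "$dir/image.iso.bz2" \
    | openssl base64 > "$dir/image.sig"
  # A tampered download: one extra byte, served with the genuine .sig.
  printf 'not really an OPNsense image!\n' > "$dir/tampered.iso.bz2"
  # A checksum file that was altered (or garbled) while the image was not.
  printf 'SHA256 (image.iso.bz2) = %s\n' "$(printf '%064d' 0)" > "$dir/wrong.sha256"
}

# Usage: sh verify-opnsense.sh <image.bz2> <image.sig> <key.pub> [image.sha256]
if [ "$#" -ge 3 ]; then
  verify_image "$@"
fi
```

The signature check is the one that matters (the checksum file is served by the same mirror as the image, so on its own it only detects corruption, not substitution); the script still refuses an image whose checksum disagrees, since that points at a download or a mirror you should not trust either way.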
As stated above, this guide assumes that the install is done within VirtualBox. For testing I would strongly suggest putting the virtual machine in Bridged networking mode so that it can pick up an IP from your local LAN.
Once installed, the web interface should be available. For the rest of this tutorial the WireGuard server (the OPNsense box) will have the IP 192.168.1.10/24; your IP WILL be different.
The IP can come from DHCP, however it needs to stay the same across reboots (give the box a static lease on your DHCP server, or set the address statically), or the WireGuard clients will be pointing at the wrong Endpoint and won't be able to connect.
Logging into OPNsense
From a browser open https://<OPNsense IP> (https://192.168.1.10 in this example).
There will probably be a certificate warning, because a fresh install uses a self-signed certificate. Accept it for the lab; for anything you leave running, install a certificate your browsers trust under System -> Trust.
A login screen will be presented and you should login with root and the password you setup during the install.
After installation, you can easily configure OPNsense via a web browser:
Log into the web interface (user name root, password you selected previously).
Setup Wizard is started.
Click on Next.
Make General Settings.
Configure NTP time server.
Configure WAN interface (upper part).
Configure WAN interface (lower part). If a private IP is used as the WAN IP, as it is in this lab where the VM sits on the home LAN, deactivate the option Block RFC1918 private networks, otherwise the firewall drops the traffic reaching WAN from your own LAN.
Configure LAN interface.
Set new password.
The configuration is complete.
Dashboard view after configuration.
The last part of the installation is to pull down updates from the internet.
In the Dashboard Lobby area click on "Click to check for updates", or head to System -> Firmware in the side menu.
Once you enter the Updates screen it will start checking the online repos for updates. I've noted that pkg usually needs updating first; click on Launch update to update the pkg binary (and any others listed).
It's possible there is then a major update, where you are presented with a screen like this. Scroll to the bottom of the message and click on close.
Click on Launch Update
A major update will require the rebooting of the box.
The update will then commence and reboot
The update cycle is complete.
WireGuard needs to be installed as a plugin for the service to work; to do this follow this process.
The WireGuard tunnel needs its own subnet, to keep it separate from the core 192.168.1.0/24 LAN the OPNsense box sits on:
- Network - 10.10.100.0/24
- Gateway - 10.10.100.1
In the left hand menu click on System -> Firmware -> Plugins
This will display a list of available plugins; search for and install os-wireguard.
Once the plugin is installed, refresh the page and you will find the WireGuard configuration menu via VPN ‣ WireGuard.
Set up the WireGuard server
Create a WireGuard VPN server via VPN ‣ WireGuard under the Local tab.
Create a new instance using the + button and customise the following values as necessary:
The data in these fields refers to the following table:
As an example the page should look as follows; the keys will be autogenerated and, unless you have a very specific reason, let this happen.
Ensure that Tunnel Address carries the subnet mask (10.10.100.1/24 here, or whatever CIDR you chose), not /32: the mask is what installs the route to the rest of the tunnel network, so with /32 the server only knows about its own address.
Click on Save
Reopen the newly created instance and take note of the public key that was just generated. This key is required when setting up any client that wishes to connect to this server.
The public key is not a secret, but a client needs the genuine one: hand it a key an attacker swapped in and it will happily set up a tunnel to the attacker's box instead. So send it over a channel where a substitution would be noticed (a messaging app you trust, or PGP signed) and have the user compare it with what the Local tab shows. The private key is the real secret; it lives only on the OPNsense box and is never sent to clients.
The Server portion is now complete and should look something like this.
Set up the WireGuard endpoints
In order for a device to connect to the WireGuard server, the device has to be explicitly listed as an endpoint on the server.
To do this right, each endpoint must have its own key pair, so that if a device is compromised or lost you can remove that one endpoint and the other devices keep working.
Lets have the endpoint be an android device.
Click on the Endpoints tab
Click on the + button to add a new Endpoint
The Edit Endpoint screen will appear
The fields relate as follows:
At this point there is not much to set up in this section: a Name for the device, the Public Key, and Allowed IPs, which for a road warrior is that device's tunnel address as a /32 (10.10.100.2/32 for the first client in this setup). WireGuard only accepts packets from a peer whose inner source address falls inside its Allowed IPs, so get this right or the client will handshake and then go nowhere.
The public key is the one from the client, which has not been set up yet, so save the endpoint without it for now.
Setup the Client
There are clients for most of the major operating systems; in this example we are going to set up an Android client.
Install the WireGuard app on your phone and click on the blue + icon.
Select Create From Scratch
The following screen sets up the phone
Enter the following:
- Name - Freeform descriptive name (I usually match this with the name of the endpoint on the server)
- Addresses - the tunnel address for this device, the same one you enter as Allowed IPs on this device's endpoint on the server (10.10.100.2/32 for the first client in this setup)
- DNS Servers (Optional) - Add if you have an internal DNS server set up
- Keypair - Click on the circular arrows next to Private key to generate a key pair on the phone. The private key never needs to leave the phone; only the public key is copied to the server.
Click on Add Peer
Here we enter the details of the server as seen from the phone:
- Public key - on OPNsense go back to VPN -> WireGuard, edit the server you set up under the Local tab and copy its public key, then paste it into the Android app (Google Keep or a cloud sync tool works well here; it is a public key, so the only concern is that it arrives unchanged)
- Endpoint - the address of the server in the form <IP>:<PORT>, in this example 192.168.1.10:51820; in the real world this would be your public IP address or DNS name
- Allowed IPs - 0.0.0.0/0, which routes all of the phone's traffic through the tunnel (this is what the outbound NAT step later on is for). If you only want to reach the lab, list the tunnel subnet and the LAN instead, 10.10.100.0/24, 192.168.1.0/24, and everything else stays on the phone's normal connection.
Click Save in the top right
Update the Endpoint
We have copied the public key from the server over to the app; finally the public key from the Android app needs to be copied to the server, so that each side holds the other's public key.
Open the Android WireGuard app and edit the WireGuard config which was just set up.
Copy the public key (again, something like Google Keep helps here).
Head back to VPN -> WireGuard on the OPNsense server and the Endpoints tab.
Edit the endpoint which was set up earlier and add the public key from the Android app to the Public Key field of your endpoint.
At this point the server is set up, and a client is set up.
Restart the service
To have any new endpoint bind to the server, I've found the service needs to be restarted. The easiest way to do this is:
Under VPN - WireGuard -> General
Untick Enable Wireguard and click save
Then Tick enable Wireguard and click save
Check the Logs
Once WireGuard has been restarted head over to VPN -> WireGuard -> List Configuration.
If the endpoints are set up right they will be listed here.
VPN -> WireGuard -> Handshakes shows which peers have actually completed a handshake with the defined endpoints. A handshake only happens once the client sends traffic, so activate the tunnel on the phone first; a peer that never shows up here almost always means a mismatched key on one side, an Endpoint or port the phone cannot reach, or UDP 51820 being blocked on the way in.
At this point Wireguard is setup as expected and the setup documented here permits your clients to reach the internal networks configured via Allowed IPs.
However, a common use case is that users wish to push all traffic through the VPN tunnel. To do this, assign WireGuard an interface:
Interfaces ‣ Assignments and select the wgX instance from the New interface dropdown menu.
Click + to assign the interface. Once assigned, click Save.
Rename the interface as required and select Prevent Interface Removal by selecting the interface from the Interfaces -> [wgX] list. Do not assign the interface an IP address. Like any other interface, what the VPN clients can reach is then governed by the firewall rules on it, so check Firewall -> Rules for the new interface and add the pass rules you need.
The next step is to configure Outbound NAT.
Go to Firewall ‣ NAT ‣ Outbound and add a rule.
First, ensure that rule generation is set to manual or hybrid (if unsure, select hybrid). Add a rule (via +Add in the top right) with the following values (unless explicitly mentioned below, leave as default): Interface WAN, Source address the WireGuard tunnel subnet (10.10.100.0/24 in this setup), Translation / target Interface address. Without it, packets from the tunnel clients would leave WAN with their 10.10.100.x source address and never get an answer back.
To reach the Internet from a client via the VPN, set the client's AllowedIPs to 0.0.0.0/0.
When assigning interfaces, gateways can be added to them. This is useful if balancing traffic across multiple VPNs is required or in more complex routing scenarios.
To do this, go to System ‣ Gateways ‣ Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic.
At this point you have a WireGuard VPN set up, with a web GUI for editing, and should be able to connect an Android device to the described endpoint using the WireGuard client.
Example Configuration File
The web GUI is nice, however on a larger rollout you may want to use text files.
Do not reuse these example keys!
An example Client configuration file:
[Interface]
PrivateKey = 8GboYh0YF3q/hJhoPFoL3HM/ObgOuC8YI6UXWsgWL2M=
Address = 10.10.10.2/32
DNS = 192.168.1.254

[Peer]
PublicKey = OwdegSTyhlpw7Dbpg8VSUBKXF9CxoQp2gAOdwgqtPVI=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
An example Server configuration file:
[Interface]
Address = 10.10.10.1/24
DNS = 192.168.1.254
ListenPort = 51820
PrivateKey = YNqHwpcAmVj0lVzPSt3oUnL7cRPKB/geVxccs0C0kk0=

[Peer]
PublicKey = CLnGaiAfyf6kTBJKh0M529MnlqfFqoWJ5K4IAJ2+X08=
AllowedIPs = 10.10.10.2/32
The files the OPNsense web GUI creates are found under /usr/local/etc/wireguard (FreeBSD keeps package configuration under /usr/local/etc), and it's not a huge amount of effort to script a client config generator in bash: generate a key pair, insert the public and private keys, and then import the client config file on the device.
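Such a generator, as an added example that is not from the post or the OPNsense project. It is the text-file equivalent of the Android client and Endpoint steps earlier: it produces the client's .conf and the matching [Peer] stanza for the server, and it derives the keys with openssl rather than wg (the raw X25519 key is the last 32 bytes of the DER encodings openssl writes), so it runs on a box without wireguard-tools. The server name and port, the 10.10.100.0/24 tunnel subnet and the DNS server are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the OPNsense project): generate a
# WireGuard key pair with openssl, print the client .conf and the server-side
# [Peer] block. SERVER_ENDPOINT, SERVER_PUBKEY, TUNNEL_DNS are assumptions.
set -eu

SERVER_ENDPOINT="vpn.example.com:51820"   # assumed public name:port of the OPNsense box
SERVER_PUBKEY="<paste the public key of the Local instance from VPN -> WireGuard>"
TUNNEL_DNS="192.168.1.254"                # assumed internal resolver, optional

# wg_keypair: prints "<private> <public>" in the base64 form WireGuard uses.
wg_keypair() {
  pem=$(mktemp)
  openssl genpkey -algorithm X25519 -out "$pem" 2>/dev/null
  priv=$(openssl pkey -in "$pem" -outform DER | tail -c 32 | openssl base64 -A)
  pub=$(openssl pkey -in "$pem" -pubout -outform DER | tail -c 32 | openssl base64 -A)
  rm -f "$pem"
  printf '%s %s\n' "$priv" "$pub"
}

# wg_pubkey PRIVATE: derives the public key from a pasted private key (what
# `wg pubkey` does) by wrapping the raw key back into PKCS#8 DER.
wg_pubkey() {
  # Base64 of the 16-byte PKCS#8 header for X25519: 302e020100300506032b656e04220420
  { printf '%s' 'MC4CAQAwBQYDK2VuBCIEIA==' | openssl base64 -d -A
    printf '%s' "$1" | openssl base64 -d -A; } \
    | openssl pkey -inform DER -pubout -outform DER 2>/dev/null | tail -c 32 | openssl base64 -A
}

# wg_key_ok KEY: true if KEY decodes to exactly 32 bytes, which is all WireGuard
# accepts; catches a key truncated or mangled while being copied around.
wg_key_ok() {
  [ "$(printf '%s' "$1" | openssl base64 -d -A 2>/dev/null | wc -c | tr -d ' ')" = "32" ]
}

# client_conf NAME PRIVATE TUNNEL_IP SERVER_PUB ENDPOINT ALLOWED [DNS]
# Prints the client's .conf. ALLOWED 0.0.0.0/0 tunnels everything; a list such
# as "10.10.100.0/24, 192.168.1.0/24" tunnels only the lab networks.
client_conf() {
  name=$1; priv=$2; ip=$3; spub=$4; ep=$5; allowed=$6; dns=${7:-}
  printf '# %s\n[Interface]\nPrivateKey = %s\nAddress = %s/32\n' "$name" "$priv" "$ip"
  if [ -n "$dns" ]; then printf 'DNS = %s\n' "$dns"; fi
  # PersistentKeepalive keeps the NAT mapping of a phone behind a home router alive.
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s\nPersistentKeepalive = 25\n' \
    "$spub" "$allowed" "$ep"
}

# server_peer NAME CLIENT_PUB TUNNEL_IP: the matching [Peer] for the server side
# (the GUI's Endpoint entry: Public Key plus Allowed IPs = the client's /32).
server_peer() {
  printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Usage: sh mkclient.sh phone 10.10.100.2 > phone.conf   (server stanza goes to stderr)
if [ "$#" -eq 2 ]; then
  kp=$(wg_keypair)
  client_conf "$1" "${kp% *}" "$2" "$SERVER_PUBKEY" "$SERVER_ENDPOINT" "0.0.0.0/0" "$TUNNEL_DNS"
  server_peer "$1" "${kp#* }" "$2" >&2
fi
```

The private key only ever appears in the client's .conf; the stanza pasted into OPNsense (or into the server's config file) carries nothing but the public key and the client's /32, which is the same split the GUI walk-through above enforces.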
This post doesn't cover how you'd access this externally. At its most basic it is a static public IP (or a dynamic DNS name) and UDP port 51820 reaching the server: a port forward if OPNsense sits behind another router, or simply a WAN firewall rule passing UDP 51820 to the firewall itself if OPNsense is your edge device. WireGuard silently ignores packets that don't carry a valid handshake, so the port looks closed to scanners; that is normal.
Having found guides to setting up WireGuard in many different guises, this was the setup I ended up going with. I like OPNsense as a product and there are many other useful features in it.