Setting up WireGuard on OPNsense - Roadwarrior

While WireGuard will install on almost all of the main operating systems, if you're not familiar with the command line it can be a little difficult to set up. In this guide I will go over how to use OPNsense and its web GUI to set up a homelab WireGuard VPN.


WireGuard is the new kid on the block when it comes to VPNs. It was designed with a small, fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305, BLAKE2s) instead of negotiable cipher suites, which leaves far less to misconfigure than other offerings; it's faster than OpenVPN, and it's actually (once you get your head around it) quite simple to set up.

Disclaimer

There will be spelling mistakes, grammar errors and various other issues within this post. I write them as how-to guides for me, and post them because they might help someone.
I make no profit from this blog, I make no money, I take nothing from vendors.


So what is OPNsense?

OPNsense is an open source, FreeBSD-based firewall and routing software developed by Deciso, a company in the Netherlands that makes hardware and sells support packages for OPNsense. It is a fork of pfSense, which in turn was forked from m0n0wall, which was built on FreeBSD. It was launched in January 2015
OPNsense

What is a "RoadWarrior" VPN?

A roadwarrior VPN, for this blog's purposes, is one where multiple endpoint devices (laptops, phones) each connect to a single VPN server to gain access to services inside a LAN. This tutorial doesn't cover connecting a site-to-site WireGuard VPN; if you would like to know how to do that, there are links at the end of the post.

Setting up OPNsense

The assumption for the installation is that you'd be testing this out in a virtual machine. However, it is also possible to download a .img file and write it to a USB stick to make an installer (use etcher.io).

Downloading OPNsense

To download OPNsense head over to https://opnsense.org/download/

This brings up a fairly simple download screen.

Select the correct architecture, choose the image type (leave it as VGA if you are going to write this to a USB stick and boot from that, or DVD if you'd like an ISO to boot a virtual machine from) and choose a local mirror. This will then download a .bz2 compressed image.

Confirm the Download

If recent supply chain incidents such as the backdoored Linux Mint ISOs and SolarWinds have taught us anything, it's that it's worth checking that what has been downloaded is what was uploaded.

The confirmation steps are optional, but recommended if you are going into a production-type environment. They are outlined here:

Initial Installation & Configuration — OPNsense documentation

The OpenSSL tool is used for file verification. 4 files are needed for verification:

  • The bzip compressed ISO file (<filename>.iso.bz2)
  • The SHA-256 checksum file (<filename>.sha256)
  • The signature file (<filename>.sig)
  • The openssl public key (<filename>.pub)

These files can be downloaded from one of the download mirrors. To download them:

  1. Go to the OPNSense download page.
  2. After selecting a mirror, right click the download button and click “open in new tab”.
  3. A popup will appear asking if you want to download the image. Say “no” for now.
  4. Remove the file name after the last slash in the URL bar, and press enter. This will take you to the directory listing for that mirror.

For example, if you wanted to download from the US East Coast mirror:

Opening the link in a new tab would take you to this link:

mirror.wdc1.us.leaseweb.net/opnsense/releases/18.7/OPNsense-18.7-OpenSSL-dvd-amd64.iso.bz2

You should take off the file name at the end, like this:

mirror.wdc1.us.leaseweb.net/opnsense/releases/18.7/

The OpenSSL public key is required to verify against. This file is also on the mirror directory listing page, however you should not trust the copy there. Download it, open it up, and verify that the public key matches the one from other sources. If it does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle attack. Some other sources to get the public key from include:

Note that only release announcements with images (typically all major releases) contain the public key. For example, 18.7 would have a copy of the public key in the release announcement, but 18.7.9 would not.

Once you have downloaded all the required files and a copy of the public key, and verified that the public key matches the public key from the alternate sources listed above, you can be relatively certain that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the names in brackets for the files you downloaded):

openssl base64 -d -in <filename>.sig -out /tmp/image.sig

openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2

Make sure to change the “img” to “iso” in the second line if you downloaded a different installer type.

If the output of the second command is “Verified OK”, your image was verified successfully, and you can install it. If it has any other output, you may have made an error using the commands, or the image may have been compromised.
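The procedure above, wrapped into a script. This is an added example, not code from the OPNsense documentation or the original post. It puts the two openssl commands into a function that returns success only on "Verified OK", adds a check of the downloaded .sha256 file against the image, and pins the mirror's copy of the public key against a second copy (the one from the release announcement) by comparing fingerprints, which is the manual step the docs ask you to do by eye. The demo at the bottom generates its own throwaway RSA key, a fake "image", a matching checksum file and a signature so that it runs offline; those are constructed stand-ins, not OPNsense's real signing key or release files. The assumed .sha256 line format, SHA256 (file) = hex, is the BSD style written by the FreeBSD sha256 tool.

```shell
#!/bin/sh
# Added example: wraps the OPNsense image verification steps into repeatable
# checks.  Not part of the original post.  The demo at the bottom builds a
# throwaway RSA key, a fake "image", a checksum file and a signature so that it
# runs offline; none of that is OPNsense's real key or release data.

# SHA-256 fingerprint of a PEM public key (computed over its DER encoding).
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

# Key pinning: return 0 only if the key from the mirror and the key obtained
# from a second source (release announcement, forum post) are the same key.
pubkey_matches() {
    fp=$(pubkey_fingerprint "$1")
    [ -n "$fp" ] && [ "$fp" = "$(pubkey_fingerprint "$2")" ]
}

# Integrity check against the published .sha256 file.  Assumed line format
# (BSD style, as the FreeBSD sha256 tool writes it): "SHA256 (file) = <hex>".
check_sha256() {
    shafile=$1; img=$2
    expected=$(grep "($(basename "$img"))" "$shafile" 2>/dev/null | sed 's/^.*= *//' | tr -d '[:space:]')
    actual=$(openssl dgst -sha256 "$img" | sed 's/^.*= //')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Authenticity check: the two commands from the page.  Return 0 on "Verified OK".
verify_signature() {
    pub=$1; sig=$2; img=$3
    rawsig=$(mktemp)
    if openssl base64 -d -in "$sig" -out "$rawsig" \
        && openssl dgst -sha256 -verify "$pub" -signature "$rawsig" "$img" >/dev/null 2>&1; then
        rm -f "$rawsig"; return 0
    fi
    rm -f "$rawsig"; return 1
}

# Demo with constructed inputs.  Prints one line of results.
demo() {
    work=$(mktemp -d)
    img="$work/image.iso.bz2"
    printf 'not a real installer, just bytes to sign\n' > "$img"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/signer.pem" 2>/dev/null
    openssl pkey -in "$work/signer.pem" -pubout -out "$work/mirror.pub"     # "downloaded from the mirror"
    cp "$work/mirror.pub" "$work/announcement.pub"                           # "copied from the release announcement"
    openssl dgst -sha256 -sign "$work/signer.pem" -out "$work/raw.sig" "$img"
    openssl base64 -in "$work/raw.sig" -out "$img.sig"                       # published .sig files are base64
    printf 'SHA256 (image.iso.bz2) = %s\n' "$(openssl dgst -sha256 "$img" | sed 's/^.*= //')" > "$img.sha256"

    if pubkey_matches "$work/mirror.pub" "$work/announcement.pub"; then r1=ok; else r1=fail; fi
    if check_sha256 "$img.sha256" "$img"; then r2=ok; else r2=fail; fi
    if verify_signature "$work/mirror.pub" "$img.sig" "$img"; then r3=ok; else r3=fail; fi

    # Tamper with the image by one byte: both the digest and the signature must now fail.
    printf 'x' >> "$img"
    if check_sha256 "$img.sha256" "$img"; then r4=accepted; else r4=rejected; fi
    if verify_signature "$work/mirror.pub" "$img.sig" "$img"; then r5=accepted; else r5=rejected; fi

    rm -rf "$work"
    echo "keypin=$r1 sha256=$r2 signature=$r3 tampered_sha256=$r4 tampered_signature=$r5"
}

demo
```

For a real download, point the three functions at the files pulled from the mirror (the .pub, the .sig and the .iso.bz2 or .img.bz2) plus a second copy of the .pub from the release announcement. A non-zero result from verify_signature means either a mistake in the file names or an image that does not match what was signed; the tampered case in the demo shows that a single appended byte is enough to fail both the digest and the signature check, which is the point of doing this before writing the image to a USB stick.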

Installing OPNsense

As stated above, this guide assumes the install is done within VirtualBox; the guide linked below covers how to do that. For testing I would strongly suggest creating the virtual machine in Bridged networking mode so that it picks up an IP from your local LAN.

How to Install OPNsense on VirtualBox - kifarunix.com

Once installed, the web interface should be available. For the rest of this tutorial the WireGuard server's IP will be 192.168.1.10/24; your IP WILL be different.

The IP can come from DHCP, however it needs to stay the same across reboots (set a DHCP reservation or give the VM a static address), or the Endpoint configured on the WireGuard clients will point at the wrong host.

Logging into OPNsense

From a browser open

https://192.168.1.10

There will most likely be a certificate warning, because OPNsense ships with a self-signed certificate; on a lab LAN accept it (if the GUI is ever reachable from outside the lab, replace the certificate rather than keep clicking through).

A login screen will be presented and you should login with root and the password you setup during the install.

Initial Setup

After installation, you can configure OPNsense via a web browser:

  1. Log into the web interface (user name root, password you selected previously).
  2. The Setup Wizard starts. Click on Next.
  3. Make the General Settings.
  4. Configure the NTP time server.
  5. Configure the WAN interface (upper part).
  6. Configure the WAN interface (lower part). If a private IP is used as the WAN IP (a lab VM behind your home router), deactivate the RFC1918 option (Block private networks).
  7. Configure the LAN interface.
  8. Set a new root password.
  9. Reload the configuration.
  10. The configuration is complete and the dashboard is shown.

Update OPNsense

The last part of the installation is to pull down updates from the internet.

In the Dashboard (Lobby) click on Click to check for updates, or head to System -> Firmware in the side menu.

Once you enter the Updates screen it will start checking the online repos for updates. I've noted that pkg usually needs updating first. Click on Launch update to update the pkg binary (and any others listed).

It's possible there is then a major update, where you are presented with a release-notes screen. Scroll to the bottom of the message and click on Close.

Click on Launch Update

A major update will require a reboot of the box.

Click OK

The update will then commence and reboot

The update cycle is complete.

Setup WireGuard

The WireGuard plugin needs to be installed for the service to work; to do this, follow the process below.

The WireGuard tunnel needs its own subnet, segregated from the core 192.168.1.0/24 LAN the OPNsense server sits on. This post uses:

IP Subnet

  • Network - 10.10.10.0/24
  • Gateway (the server's tunnel address) - 10.10.10.1

Install WireGuard.

In the left hand menu click on System -> Firmware -> Plugins

This displays the list of available plugins; search for and install the os-wireguard plugin.

Once the plugin is installed, refresh the page and you will find the WireGuard configuration menu under VPN ‣ WireGuard.

Setup the WireGuard Server

Create a WireGuard VPN server via VPN ‣ WireGuard under the Local tab.

Create a new instance using the + button and customise the following values as necessary (Field - Value - Meaning):

  • Enabled - Checked - Check to enable the server
  • Name - WireGuard - The name of the server instance
  • Instance - (auto populated) - Automatically generated server instance number
  • Public Key - (empty) - Leave empty, keys will be automatically generated
  • Private Key - (empty) - Leave empty, keys will be automatically generated
  • Listen Port - 51820 - Server listen port (UDP). If multiple servers exist, this port must be unique
  • DNS Server - 192.168.1.254 - Populate as required with your internal DNS server
  • Tunnel Address - 10.10.10.1/24 - Use CIDR notation and avoid subnet overlap with regularly used networks
  • Peers - (empty) - List of peers for this server, leave blank on initial configuration
  • Disable Routes - Unchecked - Leave unchecked; ticking it stops the plugin installing routes for the peers' AllowedIPs

As an example the page should look as follows. The keys will be auto-generated and, unless you have a very specific reason, let this happen.

Ensure that Tunnel Address is a /24 or the desired CIDR-notated subnet mask; do not use /32, or the server has no route for the client addresses.

Click on Save

Reopen the newly created instance and take note of the public key that was just generated. This key will be required when setting up any client that wishes to connect to this server.

The public key is not secret; what matters is that each client gets an authentic copy of it. The risk is substitution rather than disclosure: a client configured with the wrong server key simply never completes a handshake, or worse handshakes with whoever holds the matching private key. Copy it over a channel the client trusts and compare it against the value shown on the server. The private key is the secret; it stays in the OPNsense configuration and is never sent to clients.

The Server portion is now complete and should look something like this.

Setup the WireGuard Endpoints

In order for a device to connect to the WireGuard server, the device has to be explicitly listed as an endpoint (peer) on the server.

To do this right, each endpoint must have its own key pair. Never share one key pair between devices: if a device is lost or compromised you can then disable or delete that one endpoint on the server, and the other endpoints keep working.

Let's have the endpoint be an Android device.

Click on the Endpoints tab

Click on the + button to add a new Endpoint

The Edit Endpoint screen will appear

The fields relate as follows (Field - Value - Meaning):

  • Enabled - Checked - Check to enable the endpoint
  • Name - client1 - The name of the client
  • Public Key - PubKey - The public key generated on the client (filled in later, once the client exists)
  • Shared Secret - (empty) - optional - a pre-shared key (PSK) for this peer: an extra symmetric secret mixed into the handshake on top of the key pair, which must be set identically on both ends
  • AllowedIPs - 10.10.10.2/32 - The tunnel IP address of the client (peer); ensure you use /32 with multiple clients. On the server this is both the route to the peer and a source filter: packets arriving from this peer with any other source address are dropped (WireGuard's cryptokey routing)
  • Endpoint Address - (empty) - Not required for inbound connections from a dynamic address; the server learns it from the handshake
  • Endpoint Port - (empty) - Not required for inbound connections; dynamic
  • Keepalive - (empty) - optional - persistent keepalive interval in seconds; 25 is the usual value for a client behind NAT

At this point there is not much to setup in this section

The public key is the one from the client, which has not been set up yet.

Click Save

Setup the Client

There are clients for most of the major operating systems; in this example we set up an Android client using the official WireGuard app.

Install it on your phone and tap the blue + icon

Select Create from scratch

The following screen sets up the phone

Enter the following:

  • Name - Freeform descriptive name (I usually match this with the name of the endpoint on the server)
  • Addresses - The tunnel address entered for this endpoint on the server, here 10.10.10.2/32
  • DNS Servers (Optional) - Add if you have an internal DNS server set up
  • Keypair - Tap the circular arrows next to Private key to generate a random key pair on the phone. The private key is generated on, and stays on, the device; only the public key is copied off it

Tap Add Peer

Here we enter:

Public Key - On OPNsense go back to VPN - WireGuard and edit the server you set up under the Local tab. Copy the public key and paste it into the Android app (Google Keep or a cloud sync tool works well here; that is acceptable because it is the public key, never move a private key that way).

Endpoint - the IP address and port of the server in the format <IP>:<PORT>, in this example 192.168.1.10:51820. In the real world this would be a public IP address or DNS name.

Allowed IPs - 0.0.0.0/0. This routes all of the phone's traffic through the tunnel; it only reaches the internet once the Outbound NAT rule from the Routing section below exists. For a split tunnel that only carries traffic for the tunnel and the LAN behind OPNsense, use 10.10.10.0/24, 192.168.1.0/24 instead.

Tap Save in the top right

Update the Endpoint

We have copied the public key from the server over to the app; finally the public key from the Android app needs to be copied to the server, so that each side holds the other's public key.

Open the Android WireGuard app and edit the WireGuard config which was just set up

Copy the public key (again, something like Google Keep helps here)

Head back to VPN - WireGuard on the OPNsense server and the Endpoints tab

Edit the endpoint which was set up earlier and paste the public key from the Android app into the Public Key field of the endpoint.

Save

At this point the server is set up, and a client is set up.

Restart the Service

To have any new endpoint bind to the server, I've found the service needs to be restarted. The easiest way to do this is:

Under VPN - WireGuard -> General

Untick Enable WireGuard and click Save

Then tick Enable WireGuard and click Save

Check the Logs

Once WireGuard has been restarted head over to VPN -> WireGuard -> List Configuration.

If the endpoints are set up right they will be listed here.

VPN -> WireGuard -> Handshakes shows whether any peers have completed a handshake with the defined endpoints, i.e. are actually connected. The same data is available from the OPNsense console or an SSH session with wg show.
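The Handshakes tab is the GUI view of what wg show prints on the OPNsense shell. The following is an added example, not part of the original post or the plugin: a shell function that reads the output of `wg show wg0 dump` (one tab-separated line per peer, with the latest handshake as a Unix timestamp, 0 if there has never been one) and lists peers that have never handshaken or whose last handshake is older than a threshold. With PersistentKeepalive set, a connected peer re-handshakes roughly every two to three minutes, so a threshold of 180 s separates clients that are connected from ones that have gone away or whose key on the server no longer matches. The sample dump at the bottom is constructed; the key strings in it are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the post or the OPNsense plugin): turn the output of
# `wg show wg0 dump` into a stale-peer check.  Dump format (tab separated):
#   line 1:  private-key  public-key  listen-port  fwmark
#   line 2+: public-key  preshared-key  endpoint  allowed-ips  latest-handshake
#            transfer-rx  transfer-tx  persistent-keepalive
# latest-handshake is a Unix timestamp, 0 if the peer has never handshaken.

# stale_peers DUMPFILE NOW MAX_AGE_SECONDS
# Prints "<peer-public-key> never" or "<peer-public-key> stale <age>s" per problem peer.
stale_peers() {
    awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                               # interface line, not a peer
        $5 == 0 { print $1, "never"; next }            # no handshake since the service (re)started
        now - $5 > max { print $1, "stale", (now - $5) "s" }
    ' "$1"
}

# handshake_ok DUMPFILE PEER_PUBLIC_KEY NOW MAX_AGE_SECONDS
# 0 = recent handshake, 1 = never/stale, 2 = peer not configured on this interface.
handshake_ok() {
    dump=$1; pk=$2
    awk -F '\t' -v pk="$pk" 'NR > 1 && $1 == pk { found = 1 } END { exit !found }' "$dump" || return 2
    ! stale_peers "$dump" "$3" "$4" | grep -q "^$pk "
}

# Constructed sample: three peers as the plugin would show them.  Keys are placeholders.
write_sample_dump() {
    now=1700000000
    printf '%s\t%s\t%s\t%s\n' SERVERPRIVKEY SERVERPUBKEY 51820 off > "$1"
    # client1: handshook 100 s ago; client2: 900 s ago; client3: configured but never connected
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' CLIENT1PUBKEY '(none)' 203.0.113.10:41234 10.10.10.2/32 $((now - 100)) 3456789 1234567 25 >> "$1"
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' CLIENT2PUBKEY '(none)' 198.51.100.7:51820 10.10.10.3/32 $((now - 900)) 2048 4096 25 >> "$1"
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' CLIENT3PUBKEY '(none)' '(none)' 10.10.10.4/32 0 0 0 off >> "$1"
}

# Demo: run the check over the sample with "now" fixed to the sample's timestamp.
demo() {
    f=$(mktemp)
    write_sample_dump "$f"
    stale_peers "$f" 1700000000 180
    rm -f "$f"
}

demo
```

On the firewall itself the real call is `wg show wg0 dump > /tmp/wg.dump; stale_peers /tmp/wg.dump "$(date +%s)" 180`, which is cheap enough to run from cron and feed into whatever monitoring you already have. A peer that shows as never after a client has definitely tried to connect is almost always a key mismatch (wrong public key pasted on one side), which is also what a missing restart of the service after adding an endpoint looks like.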

Routing

At this point WireGuard is set up, and the configuration documented here permits your clients to reach whatever falls inside their AllowedIPs: the tunnel network itself, 10.10.10.0/24, and the 192.168.1.0/24 LAN provided the client's AllowedIPs include it and the OPNsense firewall rules on the WireGuard interface permit the traffic (when clients come in from the internet, a WAN rule passing UDP 51820 to the firewall is needed as well).

However, a common use case is to push all traffic through the VPN tunnel. To do this, assign WireGuard an interface:

Interfaces ‣ Assignments and select the wgX instance from the New interface dropdown menu.

Click + to assign the interface. Once assigned, click Save.

Rename the interface as required and tick Prevent interface removal by selecting the interface from the Interfaces -> [wgX] list. Do not assign the interface an IP address; the plugin already addresses the tunnel.

The next step is to configure Outbound NAT.

Go to Firewall ‣ NAT ‣ Outbound and add a rule.

First, ensure that rule generation is set to manual or hybrid (if unsure, select hybrid). Add a rule (via + Add in the top right) with the following values (unless explicitly mentioned below, leave as default):

  • Interface - WAN - The interface the rule applies to
  • Source address - wg0 net - The tunnel network configured previously
  • Translation / target - WAN address - Packets matching this rule will be mapped to the WAN IP address

This rule translates tunnel traffic leaving via WAN to the firewall's public address, which is what lets internet-bound packets from the 10.10.10.0/24 clients get a reply back. To reach the internet from a client via the VPN, configure the client's AllowedIPs to 0.0.0.0/0.

When assigning interfaces, gateways can be added to them. This is useful if balancing traffic across multiple VPNs is required or in more complex routing scenarios.

To do this, go to System ‣ Gateways ‣ Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic.


Done

At this point you have a WireGuard VPN set up, with a web GUI for editing, and should be able to connect an Android device to the described endpoint using the WireGuard client.

Other Information

Example Configuration File

The web GUI is nice, however for a larger rollout you may want to generate the text files.

Do not reuse these example keys!

An example Client configuration file:

[Interface]
PrivateKey = 8GboYh0YF3q/hJhoPFoL3HM/ObgOuC8YI6UXWsgWL2M=
Address = 10.10.10.2/32
DNS = 192.168.1.254
[Peer]
PublicKey = OwdegSTyhlpw7Dbpg8VSUBKXF9CxoQp2gAOdwgqtPVI=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820

An example Server configuration file:

[Interface]
Address = 10.10.10.1/24
DNS = 192.168.1.254
ListenPort = 51820
PrivateKey = YNqHwpcAmVj0lVzPSt3oUnL7cRPKB/geVxccs0C0kk0=
[Peer]
PublicKey = CLnGaiAfyf6kTBJKh0M529MnlqfFqoWJ5K4IAJ2+X08=
AllowedIPs = 10.10.10.2/32

The files the OPNsense web GUI creates are found in /etc/wireguard, and it's not a huge amount of effort to script a client config generator in bash: generate a key pair, insert the public and private keys into the templates above, import the client config file on the device, and add the client's public key as an endpoint on the server.
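One way to script that generator, as an added example that is not part of the original post or the OPNsense plugin. It uses openssl's X25519 support in place of wg genkey, wg pubkey and wg genpsk, which may not be installed on the machine doing the generating: the 32 raw key bytes, base64 encoded, are exactly what WireGuard expects, so the keys are interchangeable with wg-generated ones. For each client it writes the .conf to import on the device (holding the private key, created with mode 600) and a separate .peer file containing only the public key, AllowedIPs and pre-shared key, which is what gets entered in the Endpoints tab on the server. The server public key, endpoint, DNS address and the client's AllowedIPs are passed in as arguments, so the same function produces a full-tunnel or a split-tunnel client; the sample call at the bottom uses made-up values and a server key pair generated on the spot.

```shell
#!/bin/sh
# Added example: client config generator for the road-warrior setup described
# above.  Not part of the original post or the OPNsense plugin.  Needs openssl
# (1.1.1 or later for X25519); the `wg` tool is not required.

# PKCS#8 DER prefix openssl puts in front of the 32 raw bytes of an X25519 private key.
X25519_PKCS8_PREFIX='\060\056\002\001\000\060\005\006\003\053\145\156\004\042\004\040'

# Fresh private key: base64 of 32 random bytes (WireGuard clamps it on use), same as `wg genkey`.
wg_genkey() {
    openssl genpkey -algorithm X25519 -outform DER 2>/dev/null | tail -c 32 | openssl base64 -A
    echo
}

# Public key for a base64 private key, same as `wg pubkey`: rebuild the PKCS#8
# structure openssl wants, let it derive the public key, keep the last 32 bytes.
wg_pubkey() {
    { printf "$X25519_PKCS8_PREFIX"; printf '%s' "$1" | openssl base64 -d -A; } \
        | openssl pkey -inform DER -pubout -outform DER 2>/dev/null | tail -c 32 | openssl base64 -A
    echo
}

# Pre-shared key, same as `wg genpsk`: 32 random bytes, base64.
wg_genpsk() { openssl rand -base64 32; }

# render_client_conf PRIVKEY ADDRESS SERVER_PUBKEY ENDPOINT ALLOWEDIPS DNS PSK
# ALLOWEDIPS "0.0.0.0/0" sends everything through the tunnel (needs the Outbound
# NAT rule from the Routing section); "10.10.10.0/24, 192.168.1.0/24" is a split
# tunnel that only carries traffic for the tunnel and the LAN behind OPNsense.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' "$1" "$2" "$6"
    printf '[Peer]\nPublicKey = %s\n' "$3"
    [ -n "$7" ] && printf 'PresharedKey = %s\n' "$7"
    printf 'AllowedIPs = %s\nEndpoint = %s\nPersistentKeepalive = 25\n' "$5" "$4"
}

# render_server_peer CLIENT_PUBKEY ADDRESS PSK
# The values for the Endpoints tab (or a [Peer] block in a text config).
# AllowedIPs is the client's /32: the server only accepts packets from this
# key with that source address.  The client's private key never appears here.
render_server_peer() {
    printf '[Peer]\nPublicKey = %s\n' "$1"
    [ -n "$3" ] && printf 'PresharedKey = %s\n' "$3"
    printf 'AllowedIPs = %s\n' "$2"
}

# make_client NAME ADDRESS SERVER_PUBKEY ENDPOINT ALLOWEDIPS DNS OUTDIR
# Writes OUTDIR/NAME.conf (import on the device) and OUTDIR/NAME.peer (enter on
# the server); prints the client's public key.
make_client() {
    name=$1; outdir=$7
    priv=$(wg_genkey); pub=$(wg_pubkey "$priv"); psk=$(wg_genpsk)
    # subshell umask so the .conf (which holds the private key) is created 0600
    ( umask 077; render_client_conf "$priv" "$2" "$3" "$4" "$5" "$6" "$psk" > "$outdir/$name.conf" )
    render_server_peer "$pub" "$2" "$psk" > "$outdir/$name.peer"
    echo "$pub"
}

# Sample run with made-up values: the "server" key pair below is generated on
# the spot and is not a real OPNsense key.
out=$(mktemp -d)
server_pub=$(wg_pubkey "$(wg_genkey)")
make_client client1 10.10.10.2/32 "$server_pub" vpn.example.com:51820 0.0.0.0/0 192.168.1.254 "$out" >/dev/null
cat "$out/client1.conf" "$out/client1.peer"
```

Importing the generated .conf on a phone is easiest via the app's QR import (qrencode -t ansiutf8 < client1.conf on the machine that generated it); the .peer file is transcribed into the Endpoints tab, and the .conf is deleted from the generating machine once the device has it, since it is the only copy of the client's private key that ever existed outside the device.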

External Access

This post doesn't cover how you'd access this externally. At its most basic it is a static public IP (or a dynamic DNS name) on the WAN side and a forward of UDP 51820 to the OPNsense server, or, where OPNsense itself is the edge router, a WAN firewall rule passing UDP 51820 to the firewall.

Final Thoughts

Having found guides to set up WireGuard in many different guises, this was the setup I ended up going with. I like OPNsense as a product and there are many other useful features in it.

Further Reading

  • WireGuard Road Warrior Setup — OPNsense documentation
  • WireGuard Site-to-Site Setup — OPNsense documentation
  • How to Configure the WireGuard VPN Server in OPNsense
  • Initial Installation & Configuration — OPNsense documentation
  • How to Install OPNsense on VirtualBox - kifarunix.com
  • Install OPNsense - Thomas-Krenn-Wiki
