tech:opnsense-wireguard [Laxwiki]


OPNSense on WireGuard and Peer Setup

Overview

Wireguard does not function quite like OpenVPN, but it can be made to work similarly. A VPN is essentially a tunnel created between a client and another network where the server is located. In wireguard there is technically no server: each device is a peer, and peers connect among themselves. That said, it's useful to designate one device as a 'server' that always has the same external IP address. Devices anywhere in the world can then connect via the 'server' because of its fixed IP (the IP addresses of the mobile devices around the world can change at any time).

Wireguard works by each device having a private and public key. You then exchange the public keys with each device you want to connect to and that's pretty much it.

The general steps to setting up wireguard:

1. Install Wireguard on OPNSense

You must have OPNSense 19.7 or above. Go to System → firmware → plugins, scroll down to os-wireguard, and hit the + button to install it.

You may need to refresh the webpage by logging out and back in but I did not.

2. Setup Wireguard Local Settings

Go to the wireguard settings, VPN → Wireguard, and open the Local tab. Hit the + sign to add a wireguard configuration. Give it any name you want; the listen port should be set automatically to 51820 (you can change it to anything you want that is not in use). Enter a DNS server: in my case I have a pi-hole at 192.168.1.22 and I also have unbound on OPNSense itself as backup (192.168.1.1), so I added both. This is the DNS that other peers will use when they connect. The tunnel address is the address that this device (OPNSense) will use when connecting to wireguard peers. It can be in any subnet that is not being used and should end in /24 or /32. Leave peers, public key and private key blank. When you hit save it will automatically create a public and private key for you (you can hit edit on the new configuration to see them). You will need to send the public key to your other device in the next steps.

3. OPNSense Firewall Rules

In general we need one NAT rule to allow wireguard traffic into the network (port forwarding) and one NAT rule to allow traffic to leave the network (internet access via outbound NAT). Finally, you need a firewall rule to allow wireguard peers to communicate with the other devices on your network, assuming you actually want to do that; this is not required.

Port Forward

For port forwarding, go to Firewall → NAT → Port Forwarding. Create a new rule: interface WAN, protocol UDP, destination WAN Address, port range is what you set above (51820), redirect to the router itself where wireguard is running (192.168.1.1) on the same port 51820. Put something in the description so that you know what this rule does, e.g. 'wireguard port forward'.

Allow Internet Access for Wireguard Peers

This is what many people who want to use wireguard as a VPN will want to do. It allows a peer device anywhere in the world to connect to your home internet (where OPNSense is located) and use that internet. This prevents packet sniffing at shady wifi spots and also makes your device appear as though it is at your home.

Firewall → NAT → Outbound. There will be rules that are automatically created. Most people will want to select hybrid at the top so that the automatic rules remain and manual rules can be added as well. Hit save and the ADD button will appear at the top to create a manual rule.

Basically you want anything from source wireguard to be able to access anything on the internet. The target is whatever your WAN (interface address) is.

Allow Wireguard Peers to see Other Devices on Your Network

This step is not needed, but if you want devices from wireguard to see your local LAN devices, like a windows share or anything else, then you need to add a firewall rule to allow it.

Firewall → rules → wireguard. There should be no rules on this interface by default. Press Add. Interface wireguard, protocol any to allow all traffic, source any, destination any, give it a description. This rule allows wireguard full access to your entire network. Feel free to limit what access it has with this rule if you want. Set up like this, it is similar to OpenVPN in the sense that the peer essentially becomes a full part of your network as if it were a local device.

4. Setup Client Device

This step will vary for everyone based on what device they are trying to install it on. I'm using a laptop with Kubuntu 18.10 on it. There are wireguard versions for windows, mac, android phones and pretty much everything at this point.

In kubuntu, the network manager does have an option for a wireguard connection, just like you would add an OpenVPN connection. However, I couldn't get it to work (the log was saying wireguard for network manager is not installed), and the host IP address GUI did not let me fill in letters, only numbers for the IP. This is bad because I want to use a DDNS service like duckDNS so that I can connect to my home even if my IP changes. I ended up just installing it and running it from the command line, which works perfectly fine. The general steps for setup will be the same on any client after you have the software installed.

Official instructions are here: https://www.wireguard.com/install/ . Once that is done, you need to open the console and create a private key for your device using

$ wg genkey

You will need to copy and paste this later, so open a new terminal window to create the config file and come back to this one later.

For the config file use any text editor you want but the file should be root owned with only root being able to read it:

$ cd /etc/wireguard
$ sudo nano wg0.conf

The actual config file is pretty straight forward:

[Interface]
PrivateKey = 'paste private key from earlier here'
Address = 10.0.7.2/24

[Peer]
PublicKey = 'public key from OPNsense settings that you created previously'
Endpoint = externalIP:port
AllowedIPs = 0.0.0.0/0

The interface part defines this specific device (peer). The address should be on the same subnet as what you set on OPNSense, 10.0.7.x.

Under Peer, you need to put the settings for the OPNSense server. Copy and paste the OPNSense server's public key which you created previously (from the OPNsense web GUI). The endpoint is the external address (WAN) of your OPNsense server: you can type in the actual IP address, or if you have a DDNS setup, you can just put the URL in there. Then add a colon and enter the port from earlier (51820).

Example:

201.123.45.27:51820
or
myaccount.duckdns.com:51820

The AllowedIPs 0.0.0.0/0 will forward all traffic from your laptop to wireguard, including the DNS. This is similar to creating an OpenVPN tunnel and sending all the traffic from your laptop through it to your home connection.

Save the file (CTRL-O on nano) and then exit (CTRL-E). For security reasons, set permissions on the file because it has the private key. The file was created with sudo, so these commands need sudo as well:

$ sudo chown root:root wg0.conf
$ sudo chmod 600 wg0.conf

Now run wireguard for the first time to create the public key.

$ wg-quick up wg0

The output will show all the links and rules that are being created. To get your public key for this device:

$ sudo wg show

sudo is required because it shows your key. The first line should be the public key which is unique to this specific device (laptop). You need to put this key in the OPNSense wireguard settings.

VPN → wireguard. Endpoints tab. Hit the + to add. Give it the name of the device (laptop) then copy and paste the public key you got from the previous step. Allowed IPs should be the IP you set on your laptop (10.0.7.2/32). Hit save and that is pretty much it.
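
The client-side checks from this step (root-only permissions on wg0.conf, a real key in place of the placeholder, and what AllowedIPs routes) can be scripted. This is an added example, not part of the original page; the function name check_wg_conf and its finding labels are hypothetical, and GNU stat on Linux is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (Linux).
# check_wg_conf and its finding labels are illustrative names.

check_wg_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing-file"; return 2; }
    findings=""

    # The file holds the private key: owner root, no group/other access.
    case $(stat -c '%a' "$conf") in
        [0-7]00|0) ;;
        *) findings="$findings group-or-other-access" ;;
    esac
    [ "$(stat -c '%u' "$conf")" = 0 ] || findings="$findings owner-not-root"

    # A WireGuard key is 32 bytes in base64: 43 characters plus '='.
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$conf" |
          head -n 1 | tr -d ' \t\r')
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        findings="$findings privatekey-invalid"

    # 0.0.0.0/0 sends all IPv4 traffic through the tunnel (full tunnel).
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$conf" |
              tr -d ' \t\r' | tr '\n' ',')
    case ",$allowed" in
        ,) findings="$findings no-allowedips" ;;
        *,0.0.0.0/0,*) findings="$findings full-tunnel" ;;
        *) findings="$findings split-tunnel" ;;
    esac

    echo "${findings# }"
}

# Constructed sample: the page's config as first saved (placeholder key, mode 644).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[Interface]' "PrivateKey = 'paste private key from earlier here'" \
        'Address = 10.0.7.2/24' '[Peer]' 'Endpoint = externalIP:port' \
        'AllowedIPs = 0.0.0.0/0' > "$tmp"
    chmod 644 "$tmp"
    check_wg_conf "$tmp"
    rm -f "$tmp"
}
demo
```

Run as root against /etc/wireguard/wg0.conf, a finished config from this page should report only `full-tunnel`.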

First Connection

Now both OPNSense and the laptop have each other's public key. You will need to reset the connection on both sides once to make the first connection. On OPNSense, go to VPN → Wireguard. On the general tab, uncheck enable and then hit save. On the laptop, stop the service:

$ wg-quick down wg0

Now bring it back up:

$ wg-quick up wg0

Re-enable wireguard on OPNSense and hit save. Wait a few seconds, then go to the List Configurations tab. You should see the connection with a successful handshake (the dialog is blank at first, then it appears after a few moments).

On the laptop you can see the same with

$ sudo wg show

I tested this on my laptop by creating a hotspot on my cell phone and connecting my laptop to it. First disable wireguard with 'wg-quick down wg0'. Check your external IP (google what's my IP); it should be the same as your cell phone's but different from your home IP address. Also, of course, I can't ping anything on my local network because I'm not connected to it. Once you enable wireguard with 'wg-quick up wg0' and the handshake is done, you should be able to ping local devices like 192.168.1.1 which is my router, 192.168.1.22 which is my pihole, etc. This simulates being somewhere else in the world and still being able to connect to your local network using wireguard.

I also tried a windows file share by opening the file manager and in the address bar type:

smb://ipaddress

It worked no problem and I was able to see all my files. You can try copying a file as a speed test, but in my case I'm limited by my cell phone's hotspot speed, so I'm not sure it's useful.

Conclusion

After this, the laptop should be able to connect to any device on your network, see any windows file shares, or essentially do anything that you would normally do as if you were connected directly to your local network. You can add as many peers as you like to connect to your network from anywhere. Wireguard creates a secure peer-to-peer network over the internet, but configured like I did above, it can be used similarly to a VPN tunnel to allow full access into your local network. If you set up a DDNS, then you can connect to your home network even if the IP address changes.

tech/opnsense-wireguard.txt · Last modified: 2020/02/23 19:43 by lax