OPNsense WireGuard Setup: A Secure Connection to Your Homelab

Introduction

In today’s interconnected world, securely accessing your homelab from remote locations is crucial. OPNsense, an open-source firewall and routing platform, paired with WireGuard, a modern VPN solution, provides a robust and secure method to connect to your homelab. This guide will walk you through the detailed steps to set up OPNsense with WireGuard, ensuring a secure and encrypted connection to your private network.

Whether you’re a beginner or an advanced user, this comprehensive guide will cover everything from installation to advanced configurations. By the end, you’ll have a reliable and secure connection to your homelab, making remote management and access seamless and safe.

Installation Instructions

Before we dive into the installation, let’s outline the prerequisites and provide a step-by-step guide to set up OPNsense and WireGuard.

Prerequisites

  • A dedicated machine or virtual machine for OPNsense.
  • OPNsense ISO file, available from the OPNsense download page.
  • Basic understanding of networking concepts.
  • Internet connectivity for downloading packages and updates.

Installing OPNsense

  1. Download OPNsense: Get the ISO file from the official OPNsense website.
  2. Create a Bootable USB: Use tools like Rufus (Windows) or Etcher (macOS/Linux) to create a bootable USB drive with the OPNsense ISO.
  3. Boot from USB: Insert the USB drive into your dedicated machine and boot from it. Select the default installation option.
  4. Follow Installation Prompts: Proceed with the installation by following the on-screen prompts. Make sure to configure your network interfaces (WAN and LAN) during this process.
  5. Initial Setup: Once installed, access the OPNsense web interface by navigating to the LAN IP address (usually 192.168.1.1). The default username is root and the password is opnsense. Change the default password immediately for security reasons.

Installing WireGuard on OPNsense

  1. Access OPNsense Dashboard: Log in to the OPNsense web interface.
  2. Navigate to Plugins: Go to System > Firmware > Plugins.
  3. Install WireGuard Plugin: Find the WireGuard plugin in the list and click the Install button. This will install WireGuard on your OPNsense system.
  4. Enable WireGuard: Once installed, go to VPN > WireGuard and enable the service.

Configuring WireGuard on OPNsense

With WireGuard installed, it’s time to configure it for secure remote access.

Creating WireGuard Interface

  1. Add a New Instance: In the WireGuard settings, click Add to create a new WireGuard instance.
  2. Configure General Settings: Provide a name for the instance and select the appropriate interface (e.g., wg0).
  3. Generate Keys: Click the Generate button to create a new private and public key pair for the server.
  4. Listen Port: Set the listen port (default: 51820).
  5. Save Configuration: Click Save to apply the settings.

Adding Peers (Clients)

  1. Add a Peer: In the WireGuard instance, click Add Peer.
  2. Peer Settings: Provide a name for the peer and generate or input the peer’s public key. Configure other settings such as allowed IPs (e.g., 10.0.0.2/32 for the peer).
  3. Save Peer: Click Save to add the peer.

Firewall Rules

To allow WireGuard traffic, you need to configure firewall rules:

  1. Navigate to Firewall Rules: Go to Firewall > Rules > WAN.
  2. Add New Rule: Click Add to create a new rule that passes UDP traffic to the WAN address on the WireGuard listen port (default: 51820). WireGuard speaks UDP only, so a TCP rule on that port will not let clients connect.
  3. Save and Apply: Save the rule and apply the changes.

Connecting to WireGuard from a Client

Now that WireGuard is configured on OPNsense, let’s connect a client device.

Client Configuration

  1. Install WireGuard: Install the WireGuard client on your device (available for Windows, macOS, Linux, iOS, and Android).
  2. Create a New Tunnel: Open the WireGuard client and add a new tunnel.
  3. Configure Client: Input the following settings:
     • Private Key: Generate a private key for the client.
     • Address: Set an IP address for the client (e.g., 10.0.0.2/32).
     • DNS: Optionally set a DNS server (e.g., 8.8.8.8).
     • Peer Settings: Add the server’s public key, endpoint (WAN IP and port), and allowed IPs (e.g., 0.0.0.0/0 for full tunnel).
  4. Save and Connect: Save the configuration and connect to the WireGuard server.

Advanced Configuration and Tips

Now that you have a basic setup, let’s explore some advanced configurations and tips for optimizing your WireGuard connection.

Routing and NAT

Ensure that traffic from WireGuard clients is properly routed and NATed:

  1. Outbound NAT: Go to Firewall > NAT > Outbound. Set the mode to Hybrid and add a rule for the WireGuard interface with the source network set to the WireGuard subnet (e.g., 10.0.0.0/24).
  2. LAN Rules: Add a rule in Firewall > Rules > LAN to allow traffic from the WireGuard subnet.

Monitoring and Maintenance

  • Monitor Traffic: Use OPNsense’s built-in traffic monitoring tools to keep an eye on VPN usage.
  • Regular Updates: Ensure that both OPNsense and WireGuard are kept up to date with the latest security patches and updates.

Conclusion

Setting up OPNsense with WireGuard provides a secure and efficient way to connect to your homelab from anywhere. The combination of OPNsense’s robust firewall capabilities and WireGuard’s modern VPN technology ensures that your remote connections are secure and performant. By following this guide, you now have a reliable setup that can be expanded and customized to fit your specific needs.

We encourage you to explore additional features and configurations within OPNsense and WireGuard to further enhance your network security and functionality.

Additional Resources

Frequently Asked Questions (FAQs)

What is the default OPNsense login?

The default username is root and the password is opnsense. It is highly recommended to change the default password immediately after the first login.

What port does WireGuard use?

By default, WireGuard uses UDP port 51820. This can be changed in the WireGuard configuration if needed.

Can I use WireGuard with dynamic IP addresses?

Yes, you can use a dynamic DNS service to keep track of your WAN IP address if it changes frequently.

Troubleshooting Guide

Here are some common issues and their solutions:

WireGuard Connection Issues

  • Check Firewall Rules: Ensure that the firewall rules on OPNsense allow WireGuard traffic on the specified port.
  • Verify Keys: Make sure that the public and private keys are correctly configured on both the server and client.
  • Check Routing: Ensure that the routing and NAT settings are properly configured to allow traffic through the WireGuard tunnel.

Client Cannot Access Local Network

  • Allowed IPs: Verify that the allowed IPs on the client configuration include the local network (e.g., 192.168.1.0/24).
  • LAN Rules: Ensure there are appropriate firewall rules on the LAN interface to allow traffic from the WireGuard subnet.

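As an added example (not code from the original post), this Python script renders the client tunnel described under Client Configuration and implements the AllowedIPs check from the troubleshooting list above: it reports whether the homelab LAN (192.168.1.0/24) is actually routed into the tunnel. The hostname vpn.example.com and the keys are constructed placeholders.

```python
import base64
import ipaddress
import os
from typing import List, Optional

def is_wireguard_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def build_client_config(private_key: str, address: str, server_public_key: str,
                        endpoint: str, allowed_ips: List[str],
                        dns: Optional[str] = None) -> str:
    """Render the [Interface]/[Peer] tunnel text the WireGuard client imports."""
    if not (is_wireguard_key(private_key) and is_wireguard_key(server_public_key)):
        raise ValueError("keys must be 32 bytes, base64-encoded")
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {address}"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]", f"PublicKey = {server_public_key}",
              f"Endpoint = {endpoint}", f"AllowedIPs = {', '.join(allowed_ips)}"]
    return "\n".join(lines) + "\n"

def allowed_ips_cover(allowed_ips: List[str], network: str) -> bool:
    """True if some AllowedIPs entry contains `network`; False means the homelab
    LAN is not routed into the tunnel (the 'cannot access local network' case)."""
    target = ipaddress.ip_network(network, strict=False)
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == target.version and target.subnet_of(net):
            return True
    return False

def placeholder_key() -> str:
    """Constructed stand-in: random bytes in key format, NOT a real X25519 key.
    Real keys come from the client's Generate button (or `wg genkey`/`wg pubkey`)."""
    return base64.b64encode(os.urandom(32)).decode()

if __name__ == "__main__":
    split_tunnel = ["10.0.0.0/24", "192.168.1.0/24"]   # VPN subnet + homelab LAN
    print(build_client_config(placeholder_key(), "10.0.0.2/32", placeholder_key(),
                              "vpn.example.com:51820", split_tunnel, dns="8.8.8.8"))
    print(allowed_ips_cover(split_tunnel, "192.168.1.0/24"))      # True
    print(allowed_ips_cover(["10.0.0.0/24"], "192.168.1.0/24"))   # False
```

A full-tunnel client (AllowedIPs = 0.0.0.0/0) passes the check automatically; the split-tunnel case is where a forgotten LAN prefix shows up.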
By following this guide and addressing common issues, you can establish a secure and reliable connection to your homelab using OPNsense and WireGuard. Happy networking!

2 Comments

  1. Hi,
    This is somewhat outdated. Wireguard is no longer installed as a plugin. It can also now generate a QR code for easy client setup
