This guide was produced using OPNSense 20.1.
Configure Your Environment
- Navigate to the home page of your router - By default 192.168.1.1.
- Install system updates: System > Firmware > Updates
- Install the WireGuard plugin via System > Firmware > Plugins and scroll down to os-wireguard, then click the + to install. Reboot via Power > Reboot to make sure WireGuard is applied to the system.
Add an Endpoint (Server Location /Peer)
- Log in to the IVPN Client Area.
- Choose a WireGuard server to connect to from our list. To see our server list go to the VPN Accounts page in the Client Area, click the WireGuard tab. Go to WireGuard Server List, which is located under Tools. Make note of the hostname and the public key of the server.
- In the OPNSense web interface, go to VPN > WireGuard > Endpoints and click the + to add a VPN server location (Endpoint/Peer):
Name: A short interface name, like ivpnJapan or ivpnSeattle. Public Key: The server public key is available from the server list in the step above. Shared Secret: Leave it blank. Alloweb IPs: 0.0.0.0/0 Endpoint Address: The server IP address is available from the server list in the step above. Endpoint Port: IVPN offers different ports to connect on: 53, 2049, 2050, 30587, 41893, 48574, and 58237 Keepalive: 25
- Click the Save button to add the Endpoint to your OPNSense system.
Add a Local Interface
- In the OPNSense web interface, go to VPN > WireGuard > Local and click the + to add a local interface:
Name: A short interface name, like ivpn. Listen Port: Default value is likely fine. DNS Server: The DNS server can be one of three options: 172.16.0.1 = regular DNS with no blocking 10.0.254.2 = standard AntiTracker to block advertising and malware domains 10.0.254.3 = Hardcore Mode AntiTracker to also block Google and Facebook Tunnel Address: Enter a temporary placeholder address, like 10.9.9.9 Peers: Choose the Endpoint (VPN server location) you created in the previous step.Click the Save button to generate your Public and Private keys.
- Click the pencil icon to edit the local interface you created in the previous step and make note of your Public Key.
- On the VPN Accounts page in the Client Area on our website, click the WireGuard tab. Go to WireGuard Key Management located under Tools. Click the Add New Key button. Copy the contents of the Public Key from OPNSense and paste them into the Public Key: field. Add a comment, like OPNSense if you prefer, and click the Add Key button.
Be sure to copy the Public Key and not the Private Key. The Private Key must always be kept a carefully guarded secret.
- Make note of the IP Address beside your newly added public key on the WireGuard tab in the Client Area. This is the IP address your computer system will have on our internal network. It will be in the form 172.x.y.z.
- Go back to the OPNSense web interface and the local interface that is being edited. Remove the temporary placeholder from the Tunnel Address field and enter the IP address from the step above plus the /32 netmask (172.x.y.z/32).
- Click the Save button.
- Go to the VPN > WireGuard > General tab and put a check mark beside Enable WireGuard on the General tab, then click the Save button.
- Check the VPN > WireGuard > List Configuration and Handshakes tabs to see connection details.
- To let you internal network clients go through the tunnel, add a NAT entry. Go to Firewall > NAT > Outbound and click +Add to add a rule. Check that rule generation is set to Manual or Hybrid. Add a rule and select Wireguard as Interface. Source Address should be LAN net and set Translation / target to Interface address.
- Click the Save button, click the Apply Changes button, then reboot the OPNSense router.
- Run a leak test at https://www.dnsleaktest.com via one of the internal network clients attached to your OPNSense router.