Router Setup

OPNSense WireGuard Setup Guide

This guide was produced using OPNSense 20.1.

Configure Your Environment

  1. Navigate to the home page of your router - By default

  2. Install system updates: System > Firmware > Updates

  3. Install the WireGuard plugin via System > Firmware > Plugins and scroll down to os-wireguard, then click the + to install. Reboot via Power > Reboot to make sure WireGuard is applied to the system.

Add an Endpoint (Server Location /Peer)

  1. Log in to the IVPN Client Area.

  2. Choose a WireGuard server to connect to from our Server Status page. Make note of the hostname and the public key of the server.

  3. In the OPNSense web interface, go to VPN > WireGuard > Endpoints and click the + to add a VPN server location (Endpoint/Peer):

    Name: A short interface name, like ivpnJapan or ivpnSeattle.
    Public Key: The server public key is available from the server list in the step above.
    Shared Secret: Leave it blank.
    Alloweb IPs:
    Endpoint Address: The server hostname is available from the server list in the step above.
    Endpoint Port: IVPN offers different ports to connect on: 53, 80, 443, 1194, 2049, 2050, 30587, 41893, 48574, and 58237
    Keepalive: 25

  4. Click the Save button to add the Endpoint to your OPNSense system.

Add a Local Interface

  1. In the OPNSense web interface, go to VPN > WireGuard > Local and click the + to add a local interface and enter the following:

    Name: A short interface name, like ivpn.
    Listen Port: Default value is likely fine.
    DNS Server: The DNS server can be one of three options: = regular DNS with no blocking = standard AntiTracker to block advertising and malware domains = Hardcore Mode AntiTracker to also block Google and Facebook domains

    Tunnel Address: Enter a temporary placeholder address, like
    Peers: Choose the Endpoint (VPN server location) you created in the previous step.

    Click the Save button to generate your Public and Private keys.

  2. Click the pencil icon to edit the local interface you created in the previous step and make note of your Public Key.

  3. On the VPN Accounts page in the Client Area on our website, click the WireGuard tab. Go to WireGuard Key Management located under Tools. Click the Add New Key button. Copy the contents of the Public Key from OPNSense and paste them into the Public Key: field. Add a comment, like OPNSense if you prefer, and click the Add Key button.

    Be sure to copy the Public Key and not the Private Key. The Private Key must always be kept a carefully guarded secret.
  4. Make note of the IPv4 Address beside your newly added public key on the WireGuard tab in the Client Area. This is the IP address your computer system will have on our internal network. It will be in the form 172.x.y.z.

  5. Go back to the OPNSense web interface and the local interface that is being edited. Remove the temporary placeholder from the Tunnel Address field and enter the IP address from the step above plus the /32 netmask (172.x.y.z/32).

  6. Click the Save button.


  1. Go to the VPN > WireGuard > General tab and put a check mark beside Enable WireGuard on the General tab, then click the Save button.

  2. Check the VPN > WireGuard > List Configuration and Handshakes tabs to see connection details.

  3. Go to the Interfaces > LAN page and set the MSS value to 1412. Click the Save button at the bottom of the page, then click the Apply changes button at the top of the page.

  4. To let you internal network clients go through the tunnel, add a NAT entry. Go to Firewall > NAT > Outbound and click +Add to add a rule. Check that rule generation is set to Manual or Hybrid. Add a rule and select Wireguard as Interface. Source Address should be LAN net and set Translation / target to Interface address.

  5. Click the Save button, click the Apply Changes button, then reboot the OPNSense router.

  6. Run a leak test at via one of the internal network clients attached to your OPNSense router.

Please note: If you plan to use a Multi-hop setup please see this guide and make the required changes to the Endpoint Address port and Peer Public Key.

Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.