Router Setup

OPNSense WireGuard Setup Guide

This guide was produced using OPNSense 24.1.6

Adding a WireGuard Peer

  1. Navigate to the Server Status page, select the WireGuard server you want to connect to and note its Hostname ( with the WireGuard Public Key.

  2. In your router’s webUI, navigate to VPN - WireGuard - Instances - Peers tab, click on the + button and fill in the following configuration:

    • Enabled - Checked
    • Name - give it any name, e.g. WG_Austria
    • Public key - the public key of the selected WireGuard server
    • Allowed IPs -, ::/0
    • Endpoint address - the hostname of the selected WireGuard server
    • Endpoint port - 2049 (available ports can be viewed here)
    • Keepalive interval - 25
  3. Click Save.

Creating a WireGuard Instance

  1. In the Instances tab, click on the + button.

  2. Toggle the Advanced mode switch on and hit the Gear icon next to the Public key to generate a new WireGuard keypair. Copy the Public key.

  3. Log in to your Account area, navigate to the WireGuard tab, click on the Add new public key button, paste the copied previously key into the Public key field, add any comment and click Add.

  4. Enter the assigned IPv4 and IPv6 IP addresses into your router’s WireGuard instance Tunnel address field and fill in the following fields:

    • Enabled - Checked
    • Name - give it any name, e.g. WG_Interface
    • Listen port - 51820
    • MTU - 1412
    • DNS servers - enter the WireGuard regular DNS server IP address ( or the one associated with the preferred AntiTracker list
    • Peers - select created previously WireGuard Peer
  5. Click Save.

  6. Have the Enable WireGuard checked and click Apply.

Configuring Interfaces

  1. Navigate to Interfaces - Assignments.

  2. Add any description to the WireGuard interface, e.g. WG and click Add

  3. Click on the newly added WireGuard interface, check the Enable Interface checkbox and click Save.

  4. Click on the LAN interface, set MSS to 1412 and click Save.

Configuring a Firewall

  1. Navigate to Firewall > NAT > Outbound, select Manual outbound NAT rule generation and click Save

  2. Click on the + button to add a new rule and fill in the following configuration:

    • Disabled - Unchecked
    • Interface - select the created earlier interface, i.e. WG
    • Source Address - LAN net
    • Translation / target - Interface address
  3. Delete the other rule(s) containing your local network subnet that exist via WAN. This will ensure that traffic does not leak if the VPN tunnel accidentally goes down.

  4. Click Save and Apply Changes.


  1. Navigate to Services > ISC DHCPv4 > [LAN]

  2. In the DNS servers field, enter the DNS server IP address specified in the created previously WireGuard Instance.

  3. Click Save.

Final Steps

  1. Restart your router and check the connection status of the WireGuard client in the VPN - WireGuard - Status area.

  2. Check the conenction status and the assigned public IP address on our website and run a leak test at from one of the devices connected to your OPNsense router.

Please note: If you plan to use a Multi-hop setup please see this guide and replace the port number in Adding a WireGuard Peer section, Endpoint port field with the chosen Exit-hop server Multi-hop port.

Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.