Router Setup
OPNSense WireGuard Setup Guide
Configure Your Environment
- Navigate to the home page of your router. By default this is 192.168.1.1.
- Install system updates: System > Firmware > Updates
- Install the WireGuard plugin via System > Firmware > Plugins: scroll down to os-wireguard, then click the + to install. Reboot via Power > Reboot to make sure WireGuard is applied to the system.
Add an Endpoint (Server Location / Peer)
- Log in to the IVPN Client Area.
- Choose a WireGuard server to connect to from our Server Status page. Make note of the hostname and the public key of the server.
- In the OPNSense web interface, go to VPN > WireGuard > Endpoints and click the + to add a VPN server location (Endpoint/Peer):
  Name: A short name, like ivpnJapan or ivpnSeattle.
  Public Key: The server public key from the server list in the step above.
  Shared Secret: Leave it blank.
  Allowed IPs: 0.0.0.0/0 (all IPv4 traffic is sent into the tunnel)
  Endpoint Address: The server hostname from the server list in the step above.
  Endpoint Port: IVPN offers different ports to connect on: 53, 80, 443, 1194, 2049, 2050, 30587, 41893, 48574, and 58237
  Keepalive: 25
- Click the Save button to add the Endpoint to your OPNSense system.
Add a Local Interface
- In the OPNSense web interface, go to VPN > WireGuard > Local and click the + to add a local interface, then enter the following:
  Name: A short interface name, like ivpn.
  Listen Port: The default value is likely fine.
  DNS Server: The DNS server can be one of three options:
  172.16.0.1 = regular DNS with no blocking
  10.0.254.2 = standard AntiTracker to block advertising and malware domains
  10.0.254.3 = Hardcore Mode AntiTracker to also block Google and Facebook domains
  Tunnel Address: Enter a temporary placeholder address, like 10.9.9.9 (it is replaced with your assigned 172.x.y.z/32 address in a later step).
  Peers: Choose the Endpoint (VPN server location) you created in the previous step.
  Click the Save button to generate your Public and Private keys.
- Click the pencil icon to edit the local interface you created in the previous step and make note of your Public Key.
- On the VPN Accounts page in the Client Area on our website, click the WireGuard tab. Go to WireGuard Key Management located under Tools. Click the Add New Key button. Copy the contents of the Public Key from OPNSense and paste them into the Public Key: field. Add a comment, like OPNSense if you prefer, and click the Add Key button. Be sure to copy the Public Key and not the Private Key. The Private Key must always be kept a carefully guarded secret.
- Make note of the IPv4 Address beside your newly added public key on the WireGuard tab in the Client Area. This is the IP address your OPNSense router will have on our internal network. It will be in the form 172.x.y.z.
- Go back to the OPNSense web interface and the local interface that is being edited. Remove the temporary placeholder from the Tunnel Address field and enter the IP address from the step above plus the /32 netmask (172.x.y.z/32).
- Click the Save button.
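The warning above (paste the Public Key, never the Private Key) can be checked offline. A WireGuard public key is X25519(private, 9), which is exactly what `wg pubkey` computes, so the pasted key can be re-derived from the local interface's private key and compared. The script below is an added example, not IVPN or OPNsense code. It implements X25519 from RFC 7748 in pure Python so it needs no extra packages; run it on the router's own shell (OPNsense ships Python 3) rather than copying the private key to another machine. The key values in the usage lines are the RFC 7748 test vectors, not real IVPN or router keys.

```python
"""Re-derive a WireGuard public key from its private key (X25519 per RFC 7748)
and check it against the key pasted into the IVPN Client Area.
Added example, not IVPN or OPNsense code. Pure Python: no third-party packages."""
import base64

P = 2**255 - 19   # field prime for Curve25519
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant from RFC 7748


def decode_wg_key(key_b64: str) -> bytes:
    """A WireGuard key is 32 raw bytes, always base64-encoded to exactly 44 characters."""
    key_b64 = key_b64.strip()
    if len(key_b64) != 44 or not key_b64.endswith("="):
        raise ValueError("a WireGuard key is 44 base64 characters ending in '='")
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("decoded key is not 32 bytes")
    return raw


def hex_to_wg_key(hex_key: str) -> str:
    """Convert a 32-byte hex key (as printed in RFC 7748) to WireGuard's base64 form."""
    return base64.b64encode(bytes.fromhex(hex_key)).decode()


def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5, including scalar clamping.
    The branch on `swap` is not constant-time; fine for a one-off check, not for production."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = k_t
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_from_private(private_b64: str) -> str:
    """Same computation as `wg pubkey`: the public key is X25519(private, 9)."""
    basepoint = (9).to_bytes(32, "little")
    return base64.b64encode(x25519(decode_wg_key(private_b64), basepoint)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """Static-static DH both sides of a WireGuard handshake must agree on, as hex."""
    return x25519(decode_wg_key(private_b64), decode_wg_key(peer_public_b64)).hex()


def pasted_key_matches(private_b64: str, pasted_b64: str) -> bool:
    """True only if what was pasted into the Client Area is the public key for this
    private key. Pasting the private key by mistake returns False, since a private
    key is (in practice) never equal to its own public key."""
    return public_key_from_private(private_b64) == pasted_b64.strip()


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vectors, standing in for real keys.
    alice_priv = hex_to_wg_key("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    alice_pub = hex_to_wg_key("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    print("public key matches:", pasted_key_matches(alice_priv, alice_pub))               # True
    print("private key pasted by mistake:", pasted_key_matches(alice_priv, alice_priv))  # False
```

The field mapping between the OPNSense dialog and a standard WireGuard configuration file is: Tunnel Address is `Address`, Endpoint Address plus Endpoint Port is `Endpoint`, Allowed IPs is `AllowedIPs`, Keepalive is `PersistentKeepalive`, and Shared Secret is `PresharedKey`. Replace the test vectors with the local interface's private key and the key you pasted into the Client Area; if `pasted_key_matches` prints False, the server will never complete a handshake with this router.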
Connecting
- Go to the VPN > WireGuard > General tab, put a check mark beside Enable WireGuard, then click the Save button.
- Check the VPN > WireGuard > List Configuration and Handshakes tabs to see connection details.
- Go to the Interfaces > LAN page and set the MSS value to 1412. Click the Save button at the bottom of the page, then click the Apply changes button at the top of the page.
- To let your internal network clients go through the tunnel, add a NAT entry. Go to Firewall > NAT > Outbound and check that rule generation is set to Manual or Hybrid. Click + Add to add a rule, select WireGuard as the Interface, set Source Address to LAN net and set Translation / target to Interface address.
- Click the Save button, click the Apply Changes button, then reboot the OPNSense router.
- Run a leak test at https://www.dnsleaktest.com via one of the internal network clients attached to your OPNSense router.
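The Handshakes tab shows the same data `wg show <interface> dump` prints. The script below is an added example, not OPNsense or IVPN code; it runs the checks this guide implies against a constructed dump (the keys in it are placeholders, and the "current time" is fixed so the output is deterministic) and flags the failure modes you will actually hit: a peer that never completed a handshake (wrong endpoint or port, or a public key that was not added in the Client Area), a stale handshake, Allowed IPs that will not carry LAN traffic, a port IVPN does not listen on, and a missing keepalive. `live_dump()` assumes the `wg` tool is on the router's path and that the plugin named the interface wg0; both are assumptions, adjust to your system.

```python
"""Check WireGuard peer state from `wg show <interface> dump` output, the data the
OPNsense Handshakes tab displays. Added example, not OPNsense or IVPN code.
SAMPLE_DUMP is constructed, not captured from a real router."""
import subprocess
import time

REJECT_AFTER_TIME = 180  # seconds; WireGuard discards a session whose handshake is older than this
IVPN_PORTS = {53, 80, 443, 1194, 2049, 2050, 30587, 41893, 48574, 58237}
NOW = 1_700_000_000      # fixed "current time" so the constructed sample is deterministic


def placeholder_key(ch: str) -> str:
    """Shape of a WireGuard key (44 base64 characters); content is fake."""
    return ch * 43 + "="


SAMPLE_DUMP = "\n".join([
    # first line is the local interface: private_key, public_key, listen_port, fwmark
    f"{placeholder_key('K')}\t{placeholder_key('P')}\t51820\toff",
    # healthy peer: handshake 40 s ago, full-tunnel AllowedIPs, IVPN port, keepalive 25
    f"{placeholder_key('G')}\t(none)\t203.0.113.10:58237\t0.0.0.0/0\t{NOW - 40}\t123456\t654321\t25",
    # broken peer: handshake 10 min ago, split AllowedIPs, non-IVPN port, keepalive off
    f"{placeholder_key('S')}\t(none)\t203.0.113.11:51820\t10.0.0.0/8\t{NOW - 600}\t0\t4000\toff",
    # peer that never completed a handshake: packets sent (tx), nothing received (rx)
    f"{placeholder_key('N')}\t(none)\t203.0.113.12:443\t0.0.0.0/0\t0\t0\t2960\t25",
])


def parse_dump(dump: str) -> list:
    """Peer lines are tab-separated: public_key, preshared_key, endpoint, allowed_ips,
    latest_handshake (unix time, 0 = never), transfer_rx, transfer_tx, keepalive ('off' or s)."""
    peers = []
    for line in dump.strip().splitlines()[1:]:  # skip the interface line
        pub, psk, endpoint, allowed, handshake, rx, tx, keepalive = line.split("\t")
        peers.append({
            "public_key": pub,
            "has_psk": psk != "(none)",
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),
            "rx": int(rx),
            "tx": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return peers


def endpoint_port(endpoint):
    """Port from 'host:port' or '[v6addr]:port'; rsplit keeps IPv6 colons intact."""
    if endpoint is None:
        return None
    return int(endpoint.rsplit(":", 1)[1])


def check_peer(peer: dict, now: int) -> list:
    """Return short problem codes for one peer; an empty list means it matches the guide."""
    problems = []
    if peer["latest_handshake"] == 0:
        problems.append("no-handshake")     # wrong endpoint/port, or key not added in the Client Area
    elif now - peer["latest_handshake"] > REJECT_AFTER_TIME:
        problems.append("stale-handshake")  # a live tunnel with keepalives re-handshakes within ~2 min
    if "0.0.0.0/0" not in peer["allowed_ips"]:
        problems.append("allowed-ips")      # LAN traffic will not be routed into the tunnel
    if endpoint_port(peer["endpoint"]) not in IVPN_PORTS:
        problems.append("endpoint-port")    # not one of the ports IVPN listens on
    if peer["keepalive"] != 25:
        problems.append("keepalive")        # NAT mappings time out without keepalives
    return problems


def check_interface(dump: str, now=None) -> dict:
    """Map each peer public key to its problem list, using wall-clock time unless given."""
    if now is None:
        now = int(time.time())
    return {p["public_key"]: check_peer(p, now) for p in parse_dump(dump)}


def live_dump(interface: str = "wg0") -> str:
    """On the router itself (assumes `wg` is installed and root): fetch the real dump."""
    return subprocess.run(["wg", "show", interface, "dump"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for key, problems in check_interface(SAMPLE_DUMP, NOW).items():
        print(key[:8] + "...", "OK" if not problems else ", ".join(problems))
```

On the router, `check_interface(live_dump("wg0"))` runs the same checks against the real interface. A "no-handshake" result with a non-zero tx count is the classic symptom of a key that was never added in the Client Area or of a private key pasted in place of the public key; fix the key before touching the NAT or MSS settings, since nothing downstream can work until the handshake completes.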
Please note: If you plan to use a Multi-hop setup please see this guide and make the required changes to the Endpoint Address, port and Peer Public Key.