Router Setup
OPNSense WireGuard Setup Guide
Configure Your Environment
-
Navigate to the home page of your router - By default
192.168.1.1. -
Install system updates:
System > Firmware > Updates -
Install the WireGuard plugin via
System > Firmware > Pluginsand scroll down to os-wireguard, then click the+to install. Reboot viaPower > Rebootto make sure WireGuard is applied to the system.
Add an Endpoint (Server Location /Peer)
-
Log in to the IVPN Client Area.
-
Choose a WireGuard server to connect to from our Server Status page. Make note of the hostname and the public key of the server.
-
In the OPNSense web interface, go to
VPN > WireGuard > Endpointsand click the+to add a VPN server location (Endpoint/Peer):Name: A short interface name, like ivpnJapan or ivpnSeattle.
Public Key: The server public key is available from the server list in the step above.
Shared Secret: Leave it blank.
Alloweb IPs: 0.0.0.0/0
Endpoint Address: The server hostname is available from the server list in the step above.
Endpoint Port: IVPN offers different ports to connect on: 53, 80, 443, 1194, 2049, 2050, 30587, 41893, 48574, and 58237
Keepalive: 25
-
Click the
Savebutton to add the Endpoint to your OPNSense system.
Add a Local Interface
-
In the OPNSense web interface, go to
VPN > WireGuard > Localand click the+to add a local interface and enter the following:Name: A short interface name, like ivpn.
Listen Port: Default value is likely fine.
DNS Server: The DNS server can be one of three options:
172.16.0.1 = regular DNS with no blocking
10.0.254.2 = standard AntiTracker to block advertising and malware domains
10.0.254.3 = Hardcore Mode AntiTracker to also block Google and Facebook domains
Tunnel Address: Enter a temporary placeholder address, like 10.9.9.9
Peers: Choose the Endpoint (VPN server location) you created in the previous step.Click the
Savebutton to generate your Public and Private keys. -
Click the pencil icon to edit the local interface you created in the previous step and make note of your Public Key.
-
On the
VPN Accountspage in the Client Area on our website, click theWireGuardtab. Go toWireGuard Key Managementlocated under Tools. Click theAdd New Keybutton. Copy the contents of the Public Key from OPNSense and paste them into the Public Key: field. Add a comment, like OPNSense if you prefer, and click theAdd Key button.Be sure to copy the Public Key and not the Private Key. The Private Key must always be kept a carefully guarded secret. -
Make note of the IPv4 Address beside your newly added public key on the WireGuard tab in the Client Area. This is the IP address your computer system will have on our internal network. It will be in the form 172.x.y.z.
-
Go back to the OPNSense web interface and the local interface that is being edited. Remove the temporary placeholder from the Tunnel Address field and enter the IP address from the step above plus the /32 netmask (172.x.y.z/32).
-
Click the
Savebutton.
Connecting
-
Go to the
VPN > WireGuard > Generaltab and put a check mark beside Enable WireGuard on the General tab, then click theSavebutton. -
Check the
VPN > WireGuard > List ConfigurationandHandshakestabs to see connection details. -
Go to the
Interfaces > LANpage and set theMSSvalue to1412. Click theSavebutton at the bottom of the page, then click theApply changesbutton at the top of the page. -
To let you internal network clients go through the tunnel, add a NAT entry. Go to
Firewall > NAT > Outboundand click+Addto add a rule. Check that rule generation is set to Manual or Hybrid. Add a rule and select Wireguard asInterface.Source Addressshould be LAN net and setTranslation / targetto Interface address.
-
Click the
Savebutton, click theApply Changesbutton, then reboot the OPNSense router. -
Run a leak test at https://www.dnsleaktest.com via one of the internal network clients attached to your OPNSense router.
Please note: If you plan to use a Multi-hop setup please see this guide and make the required changes to the Endpoint Address port and Peer Public Key.