Jump to content


Rate this topic

Recommended Posts


Dear Community,
Original OPNsnese Forum Post Here : https://forum.opnsense.org/index.php?topic=13461.0
And I quote " Jimi ": I see that we meet again hmmm " see here: https://youtu.be/gFAQWjdCO8o and for the purpose as stated by the leader of The Family Stone " I Want To Take You Higher - see here : https://www.youtube.com/watch?v=LQkdiJQIX5Y Now after the intro - let's get down to business. This tutorial guide details dead simple GUARANTEED method(s) to get WIREGUARD Client up and running on OPNsense Firewall. I will explore the one I prefer first. Some of you may remember my work with GETDNS and STUBBY. Please read Mimugmail's comments ( the developer and maintainer of os-wireguard-devel plugin ) below in the first reply to this tutorial. He was kind enough to inform me of a few points so no one does extra work. Specifically, Mimugmail details methods for easier OPNsense ports installation and / or easier method to install WireGuard and WireGuard-Go packages. This installation is for commercial WireGuard Clients ONLY ! - where creation of keys and how to exchange them is not needed. The keys are generated and managed by your WireGuard VPN service provider - in my case - TorGuard.

1 - As per Mimugmail's  advice you can choose to install WireGuard either through ports or pkg install method. From his reply : You can install wireguard just via # pkg install wireguard && pkg install wireguard-go  The pkg versions are always the latest which were available at the time of the release. The version you mention here is already in the ports tree but the pkg will be in the next minor release. To speed this up you could also do on your opnsense installation: # opnsense-code ports && cd /usr/ports/net/wireguard && make install - As I wanted the latest package ( I did not care to wait for pkg update on OPNsense and I do not like installing the entire OPNsense Ports collection on my OPNsnese Instance ) - I did the following and it worked out great.

2 -  First install the necessary packages which are in the OPNsense repository by default with the command : # pkg install wireguard && pkg install wireguard-go - As Mimugmail points out, this will install latest versions of these packages. Ready to get this going and up and running then follow steps below.

3 - To begin you need to get your WIREGUARD configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area. You will see this message along the top : Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect. Currently, TORGUARD offers WIREGUARD Servers in USA - New York ( quite actually situated in Clifton, New Jersey ), Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD. This will result in a green box below the now grayed out box - which states now Disable WIREGUARD - naturally leave your server enabled as you want to connect to the now enabled server. Next, .Download Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following :

Location VPN Server Keys Manage
USA - New York 1 159.xx.xxx.xx:xxx Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
Your Address: 10.xx.x.xxx/24

4 - Now I used this guide as the template for my manual installation of WIREGUARD on OPNsense see here : https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ I will make this simple for you step by step. You may sing and / or hum along as we proceed.
A- First - configure WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. I use TorGuard here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial- Use your real WireGuard configuration file here: Create file by command line - # nano /usr/local/etc/wireguard/wg0.conf - and enter the configuration file below ( copy and paste ) - substitute your real one. Save and Close. Done with this file.

# TorGuard WireGuard Config
PrivateKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
ListenPort = 51820
Address = 10.xx.x.xxx/24

PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
AllowedIPs =
Endpoint = 159.xx.xx.xxx:xxx
PersistentKeepalive = 25

B - Secondly, run command via SSH # wg-quick up wg0 ( wireguard-go is in package and  this action creates wireguard interface ) You may also run # wireguard-go wg0 to create wg0 but I prefer the first method mentioned here.

5 - Configure WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel. In order to achieve this there’s already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package. You need to issue this command :  # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh then enter the file - # nano /usr/local/etc/rc.d/wireguard.sh Then go to bottom of file - lines 46 and 47 - change : ${wireguard_enable="NO"} to : ${wireguard_enable="YES"} and then add wg0 on line 47
: ${wireguard_interfaces=""} to : ${wireguard_interfaces="wg0"} ( wgZero ) - Save and Close - Make it executable, I run two commands - it works for me: # chmod a+x /usr/local/etc/rc.d/wireguard.sh # chmod 744 /usr/local/etc/rc.d/wireguard.sh - Done with this file.

6 - In order to have OPNsense use default start up script ( /usr/local/etc/rc.d/wireguard.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :  # nano /etc/rc.conf.d/wireguard - in the new file enter the following two lines:
Save and Close - Make it executable- # chmod a+x /etc/rc.conf.d/wireguard # chmod 744 /etc/rc.conf.d/wireguard  / Done with this file.

7 - Now head to OPNsense WEBGUI in order to configure Wireguard Interface ( created earlier ) and FireWall Rule. First, on Left Side WebGui Column - go to Interfaces > Assignments -you will see wg0 interface - click (+) add button /symbol. Once the wg0 interface is listed as OPT ( 1 - 2 depending on your setup ) - Click underneath it - - enter checks in " Prevent interface removal' and " Enabled " - and enter description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.
Second - Firewall Rule - on Left Side WebGui Column - go to Firewall > NAT > Outbound > Once on this Landing Page put a Dot in radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on Add (+) Button on right side top of page - on the page which opens change Interface from WAN in drop down menu to your Wireguard ( wg0 ) Interface - in my case " WIRE " as I labeled it in the description of the interface I added earlier. Next - Change Source Address to " Lan net " and Translation/target to Interface address. Enter " Description -e.g. " Made For Wire "  now Click " Save " at bottom of page. You will be taken back to Firewall:Nat:Outbound Landing Page - Click on " Apply Changes " in right upper hand corner - Done with Firewall Rule for Lan. Repeat Firewall Rule Operation for all of your other Lan Interface Subnets if you choose to do so.

When using these updated packages as I did, in order to stop nagging messages to re-install outdated OPNsense wireguard and wireguard-go packages use FreeBSD pkg lock option. Issue commands in order : # pkg lock wireguard and # pkg lock wireguard-go It may be necessary to reboot OPNsense after locking wireguard and wireguard-go packages in order to restart WireGuard from command line. Your WireGuard Client is now installed and ready - you may enter command # /usr/local/etc/rc.d/wireguard.sh restart in order to start it up.  You may also reboot your OPNsense Router. Lastly, issue command  # wg show which prints out your WireGuard Connection statistics and configuration. I will install wireguard via # pkg install wireguard && pkg install wireguard-go as my go to method in the future.

Peace and Grace Be Unto All God's Creation

Share this post

Link to post
Share on other sites

 Thank you for the guide 👍

Share this post

Link to post
Share on other sites
23 minutes ago, Support said:

 Thank you for the guide 👍

Dear Mike and The Staff,

Hello and I do appreciate your acknowledgement and gratitude for my efforts and forays into constructing these tutorials which center around

internet security deployment. If you would like - I also have a guide / tutorial for OPNSENSE (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY.

I you would like for me to post it here in the TorGuard Forum - let me know. I see that my ( From The DNS Privacy Project ) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY has over 8K hits. However, I did not want to be off topic or overly intrusive. But if you do not mind I will put up the OPNSENSE (DNS Privacy Project) DNS OVER TLS today or tomorrow.

Peace - directnupe

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...