
How to Set Up a WireGuard Server on OPNsense

A step-by-step technical guide for home lab and small business admins to deploy a WireGuard VPN server on OPNsense 25.7.6, including plugin installation, interface assignments, firewall tuning, and network best practices.

1. Introduction

When I built my OPNsense network, the next logical step was secure remote access. WireGuard provided the best balance of performance, simplicity, and security.

This guide covers how to install and configure a WireGuard VPN server on OPNsense 25.7.6, manage firewall rules, and understand how domain vs. IP endpoint configurations affect stability.


2. Installing the WireGuard Plugin

  1. Ensure OPNsense is updated to the latest patch level: System → Firmware → Updates → Check for updates

  2. Check whether VPN → WireGuard is already present. Recent OPNsense releases ship WireGuard in the core system, so on 25.7.6 it usually is; if the menu is missing, install the plugin: System → Firmware → Plugins → os-wireguard

  3. After installation, reboot OPNsense (or at least reload the web UI). The WireGuard menu will appear under: VPN → WireGuard


3. Creating the WireGuard Server Instance

  1. Go to VPN → WireGuard → Instances and click Add.

  2. Configure as follows:

Setting          Value              Description
Name             Main               Name of the server instance
Listen Port      51820              Default WireGuard UDP port
Interface Keys   Generate new keys  Automatically creates a private/public key pair
Tunnel Address   10.10.0.1/24       Internal WireGuard subnet; the instance itself takes .1
Peers            Leave empty        Peers are added later

  3. Enable the instance and click Apply to finalize.

4. Assigning and Configuring the Interface

When you create a WireGuard instance, OPNsense automatically generates a virtual interface (e.g., wg0).

  1. Go to Interfaces → Assignments.
  2. Add a new interface and select wg0.
  3. Rename it to WG_Main.
  4. Enable the interface. Leave the IPv4 and IPv6 configuration types at None: the tunnel address 10.10.0.1/24 is already set on the instance, and entering it again here puts a second address and route on the same device.

This ensures WireGuard behaves like a physical interface, allowing you to apply firewall rules, NAT, and monitoring.


5. Adding a Peer (Client)

  1. Navigate to VPN → WireGuard → Peer generator. This creates an entry for a single client device that connects to your server.
  2. Fill in the form:

Field        Example Value           Description
Instance     Main                    The WireGuard instance to associate the peer with
Endpoint     vpn.example.net:51820   Your WAN domain or IP, followed by the listen port
Name         Laptop                  Friendly identifier
Address      10.10.0.2/32            Peer address within the WG subnet (generated automatically)
Allowed IPs  0.0.0.0/0, ::/0         Destinations the client routes through the tunnel (this value is a full tunnel)

  3. Store the peer, then save the generated client configuration (download it or scan the QR code) before leaving the page. OPNsense keeps only the peer's public key, so the private key in that config cannot be retrieved later; if it is lost, generate a new peer.

Each peer must have a unique address within the WireGuard subnet, and the server-side peer entry (VPN → WireGuard → Peers) should carry only that /32 as its Allowed IPs: on the server this field is cryptokey routing, i.e. which source addresses that peer's key may send from, not a route list. The Allowed IPs written into the client configuration are what decide whether the client split-tunnels.

For example, if you only need VPN access to internal resources, set the client's Allowed IPs to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

With this configuration, traffic to public IP ranges (i.e., the internet) bypasses the VPN entirely. This reduces latency and saves bandwidth on the firewall, since only traffic destined for your private networks is routed through the tunnel. The trade-off is that the client's internet traffic is no longer inspected or egress-filtered by OPNsense, so keep the full-tunnel value 0.0.0.0/0, ::/0 for devices that connect from untrusted networks.
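As an added example (not from the original post and not OPNsense's own code), the Python below renders the client config for a peer in either full-tunnel or split-tunnel form, shows what the matching server-side peer entry should contain, and checks the addressing rules above. The key strings and the peer list are placeholders; the real private key is the one the peer generator produces.

```python
"""Build WireGuard client configs (full or split tunnel) for peers of one
OPNsense instance and check the peer-addressing rules described above.
Added example, not OPNsense code. Keys below are placeholder strings, not
valid WireGuard keys; the peer list is constructed for illustration."""
import ipaddress

SERVER_PUBKEY = "SERVER_PUBLIC_KEY_BASE64="     # placeholder
ENDPOINT = "vpn.example.net:51820"             # from the guide
TUNNEL = ipaddress.ip_network("10.10.0.0/24")  # instance tunnel subnet
SERVER_ADDR = ipaddress.ip_interface("10.10.0.1/24")

FULL_TUNNEL = ["0.0.0.0/0", "::/0"]
SPLIT_TUNNEL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def validate_peers(peers):
    """peers: dicts with at least 'name' and 'address' (e.g. '10.10.0.2/32').
    Raises ValueError on the mistakes the guide warns about."""
    seen = set()
    for p in peers:
        iface = ipaddress.ip_interface(p["address"])
        if iface.network.prefixlen != 32:
            raise ValueError(f"{p['name']}: peer address must be a /32, got {p['address']}")
        if iface.ip not in TUNNEL:
            raise ValueError(f"{p['name']}: {iface.ip} is outside tunnel subnet {TUNNEL}")
        if iface.ip == SERVER_ADDR.ip:
            raise ValueError(f"{p['name']}: {iface.ip} is the server's own address")
        if iface.ip in seen:
            raise ValueError(f"{p['name']}: {iface.ip} already assigned to another peer")
        seen.add(iface.ip)
    return True


def server_peer_entry(peer):
    """What VPN → WireGuard → Peers holds for this client: its /32 only.
    This is cryptokey routing on the server, not a client route list."""
    return {"public_key": peer["public_key"], "allowed_ips": peer["address"]}


def client_config(peer, split=False, keepalive=25):
    """Render the [Interface]/[Peer] file the client imports."""
    allowed = SPLIT_TUNNEL if split else FULL_TUNNEL
    lines = [
        "[Interface]",
        f"PrivateKey = {peer['private_key']}",
        f"Address = {peer['address']}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBKEY}",
        f"Endpoint = {ENDPOINT}",
        f"AllowedIPs = {', '.join(allowed)}",
        f"PersistentKeepalive = {keepalive}",   # keeps NAT mappings alive
    ]
    return "\n".join(lines) + "\n"


def routes_via_tunnel(dst, split=False):
    """Would the client send traffic for dst through the tunnel?"""
    ip = ipaddress.ip_address(dst)
    allowed = SPLIT_TUNNEL if split else FULL_TUNNEL
    # membership across IP versions is simply False, so ::/0 never catches IPv4
    return any(ip in ipaddress.ip_network(n) for n in allowed)


# Constructed sample peers (placeholder keys).
PEERS = [
    {"name": "Laptop", "address": "10.10.0.2/32",
     "public_key": "LAPTOP_PUB=", "private_key": "LAPTOP_PRIV="},
    {"name": "Phone", "address": "10.10.0.3/32",
     "public_key": "PHONE_PUB=", "private_key": "PHONE_PRIV="},
]

if __name__ == "__main__":
    validate_peers(PEERS)
    print(client_config(PEERS[0], split=True))
    print(server_peer_entry(PEERS[0]))
```

Switching `split` flips only the client's AllowedIPs; the server-side entry stays the peer's /32 in both cases, which is why a typo in the server field (for example 0.0.0.0/0) breaks every other peer rather than granting one peer more access.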


6. Domain vs. IP Endpoint — Which to Use

You can either use your public IP or a domain name for remote access:

Option      Example            Pros                                        Cons
Domain      vpn.mydomain.com   Works with dynamic IPs, easier to remember  Requires DNS or DDNS
Static IP   203.0.113.45       Simple if your ISP gives you a fixed IP     Every client config breaks if the WAN IP ever changes

If your ISP assigns dynamic IPs, configure Dynamic DNS directly on OPNsense (os-ddclient plugin) under Services → Dynamic DNS. Providers like Cloudflare, GoDaddy, or DuckDNS make this simple. In my setup, I use a static IP, but DuckDNS is a good free alternative if you don’t own a domain.


7. Creating an Alias for WireGuard Ports

If you plan to host multiple WireGuard instances (like a management tunnel or a separate access profile), create a port alias.

  1. Go to Firewall → Aliases → Add.
  2. Name it WG_PORTS.
  3. Type: Port(s).
  4. Enter: 51820.
  5. Description: WireGuard Ports.
  6. Save and apply.

Then, if you want to run more than one WireGuard server, just add more ports to this alias. This automatically updates the WAN rule without needing to edit it manually.


8. Configuring Firewall Rules

WireGuard won’t function until the firewall allows inbound traffic and defines what connected clients can access.

Step 1 — Open the WireGuard Port on WAN

  1. Go to Firewall → Rules → WAN → Add.
  2. Configure as follows:
Option            Value
Action            Pass
Interface         WAN
Protocol          UDP
Source            Any
Destination       This Firewall
Destination Port  WG_PORTS (alias for 51820, etc.)
Description       Allow WireGuard to OPNsense

This rule permits WireGuard traffic from the internet to reach your OPNsense firewall.

Step 2 — Allow Traffic on the WireGuard Interface

  1. Go to Firewall → Rules → WG_Main → Add.
  2. Configure as follows:

Option        Value
Action        Pass
Interface     WG_Main
Protocol      Any
Source        WG_Main net
Destination   Internal VLANs (10, 15, etc.)
Description   Allow WireGuard clients to LAN/VLANs

This rule defines what remote clients can access inside your network. You can restrict access to specific VLANs or services depending on your security needs. OPNsense also adds a WireGuard (Group) tab once an instance is enabled; rules placed there apply to every WireGuard instance and are evaluated before the per-interface WG_Main rules, so keep instance-specific policy on WG_Main and leave the group tab for policy you really want shared.


9. Restricting VPN Client Access

To prevent WireGuard clients from accessing sensitive subnets (like management VLANs), add targeted firewall rules on WG_Main.

OPNsense evaluates rules top to bottom and stops at the first match (quick is on by default), so rule order is the policy. Keep the block above the catch-all pass:

Order  Action  Source         Destination       Description
1      Pass    10.10.0.0/24   192.168.10.0/24   Allow access to Trusted VLAN
2      Block   10.10.0.0/24   192.168.5.0/24    Block Management VLAN
3      Pass    10.10.0.0/24   *                 Allow Internet (via NAT)

If rule 3 sat at the top, it would match management traffic first and the block would never be reached. Note also that rule 3 matches every subnet you did not explicitly block, not just the internet; either block each sensitive VLAN above it, or tick Destination / Invert and use an RFC1918 alias (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as the destination so the catch-all only ever matches public addresses.

This approach ensures WireGuard users can only reach designated networks while maintaining isolation for administrative segments.
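To make the ordering argument concrete, here is an added example (not from the original post and not OPNsense code) that walks a rule list the way pf does, first match wins, default deny, and compares the table above with the same rules misordered and with an inverted-destination variant. The subnets are the guide's; 192.168.20.5 stands in for a VLAN the table never mentions.

```python
"""Simulate how OPNsense (pf) walks the WG_Main rule set: top to bottom, first
match wins ("quick" is on by default), and anything unmatched is dropped.
Added example, not OPNsense code; the subnets are the ones used in this guide."""
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The rule set from the table above, in the order shown.
WG_MAIN_RULES = [
    {"action": "pass",  "src": "10.10.0.0/24", "dst": ["192.168.10.0/24"], "desc": "Allow access to Trusted VLAN"},
    {"action": "block", "src": "10.10.0.0/24", "dst": ["192.168.5.0/24"],  "desc": "Block Management VLAN"},
    {"action": "pass",  "src": "10.10.0.0/24", "dst": ["0.0.0.0/0"],       "desc": "Allow Internet (via NAT)"},
]

# Same intent with an inverted destination (Destination / Invert in the OPNsense
# rule form): "internet" means "not RFC1918", so a VLAN you forgot to block is
# not reachable through the catch-all.
TIGHTER_RULES = [
    {"action": "pass", "src": "10.10.0.0/24", "dst": ["192.168.10.0/24"], "desc": "Allow access to Trusted VLAN"},
    {"action": "pass", "src": "10.10.0.0/24", "dst": RFC1918, "invert_dst": True, "desc": "Allow Internet only"},
]


def _matches(rule, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in ipaddress.ip_network(rule["src"]):
        return False
    in_dst = any(d in ipaddress.ip_network(n) for n in rule["dst"])
    return in_dst != rule.get("invert_dst", False)   # XOR with the invert flag


def first_match(rules, src, dst):
    """Return (action, description) of the first matching rule, or the default deny."""
    for rule in rules:
        if _matches(rule, src, dst):
            return rule["action"], rule["desc"]
    return "block", "implicit default deny"


def exposure(rules, src, probes):
    """Which probe destinations a source can reach: dst -> 'pass' / 'block'."""
    return {p: first_match(rules, src, p)[0] for p in probes}


# Constructed probe set: trusted VLAN, management VLAN, an unlisted VLAN, the internet.
PROBES = ["192.168.10.20", "192.168.5.10", "192.168.20.5", "1.1.1.1"]

if __name__ == "__main__":
    print("as documented  :", exposure(WG_MAIN_RULES, "10.10.0.2", PROBES))
    misordered = [WG_MAIN_RULES[2]] + WG_MAIN_RULES[:2]   # catch-all moved to the top
    print("catch-all first:", exposure(misordered, "10.10.0.2", PROBES))
    print("inverted dst   :", exposure(TIGHTER_RULES, "10.10.0.2", PROBES))
```

The three printed maps show the two points made above: with the catch-all first the management VLAN is passed, and with the documented order the unlisted 192.168.20.0/24 is still reachable, which only the inverted-destination rule set closes.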


10. Creating an Alias for WireGuard Networks

If you plan to manage multiple WireGuard tunnels (for example, wg0 for main access and wg1 for management), create a network alias to simplify rules.

  1. Go to Firewall → Aliases → Add.
  2. Name it WG_Networks.
  3. Type: Network(s).
  4. Enter: 10.10.0.0/24
  5. Description: WireGuard Networks.
  6. Save and apply.

This alias groups all WireGuard subnets into a single reference, making it easier to manage multiple instances. It’s especially useful for NAT and firewall rules, allowing consistent policies across all VPN tunnels.

For example, when creating the NAT rule below, use WG_Networks instead of specifying a single subnet. If you later deploy another WireGuard server, simply add its subnet to this alias—your existing rules will automatically apply to it.


11. Outbound NAT and Internet Access

To allow VPN clients to reach the internet through OPNsense:

  1. Go to Firewall → NAT → Outbound.
  2. Select Hybrid Outbound NAT.
  3. Add a rule:
    • Interface: WAN
    • Source: WG_Networks
    • Translation: Interface Address
    • Description: NAT WireGuard clients

Without this rule, clients can connect but won’t reach the internet. This setup ensures any WireGuard subnet listed in your WG_Networks alias can route outbound properly.


12. Testing and Verification

After applying all rules:

  1. Connect your client (Windows, Linux, macOS, Android, etc.).
  2. On OPNsense, go to VPN → WireGuard → Status and confirm a recent handshake for the peer. The same counters are available from a shell with wg show.
  3. If traffic fails, check:
    • Outbound NAT rules
    • WG_Main interface rules
    • WAN UDP port access

Symptom                Likely Cause
No handshake           UDP 51820 not open on WAN, wrong Endpoint in the client config, or a public/private key mismatch
Handshake, no traffic  Missing outbound NAT or a blocking rule on WG_Main
Unstable connection    CGNAT or ISP UDP filtering; a NAT mapping that expires between packets is fixed by PersistentKeepalive (25 s) on the client
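The symptom table can be applied mechanically to the output of wg show. The Python below is an added example (not from the original post and not OPNsense code) that parses the tab-separated form printed by wg show all dump and maps each peer to one of the rows above. The dump text is constructed sample output, not captured from a real firewall, and the key strings are placeholders; the thresholds are heuristics.

```python
"""Triage peers from `wg show all dump` output against the symptom table.
Added example, not OPNsense code. SAMPLE_DUMP is constructed, not captured
from a real firewall, and the key strings are placeholders.

`wg show all dump` prints one tab-separated line per interface
(interface, private-key, public-key, listen-port, fwmark) followed by one per
peer (interface, public-key, preshared-key, endpoint, allowed-ips,
latest-handshake as a Unix timestamp with 0 meaning never, transfer-rx,
transfer-tx, persistent-keepalive)."""

NOW = 1_700_000_000   # fixed "current time" so the example is deterministic
STALE_AFTER = 180     # seconds; WireGuard re-handshakes about every 2 minutes while traffic flows

SAMPLE_DUMP = "\n".join([
    "wg0\tSERVER_PRIV=\tSERVER_PUB=\t51820\toff",
    f"wg0\tLAPTOP_PUB=\t(none)\t198.51.100.7:41641\t10.10.0.2/32\t{NOW - 30}\t184320\t96500\t25",
    f"wg0\tPHONE_PUB=\t(none)\t203.0.113.9:51820\t10.10.0.3/32\t{NOW - 20}\t41200\t0\t25",
    "wg0\tTABLET_PUB=\t(none)\t(none)\t10.10.0.4/32\t0\t0\t0\toff",
    f"wg0\tOLDBOX_PUB=\t(none)\t192.0.2.44:1234\t10.10.0.5/32\t{NOW - 900}\t512000\t620000\toff",
])


def parse_dump(text):
    """Return a list of peer dicts; interface lines (5 fields) are skipped."""
    peers = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 9:          # 5 fields = interface line, anything else = not a peer
            continue
        peers.append({
            "iface": f[0], "pubkey": f[1], "endpoint": f[3], "allowed_ips": f[4],
            "handshake": int(f[5]), "rx": int(f[6]), "tx": int(f[7]),
            "keepalive": f[8],
        })
    return peers


def triage(peer, now=NOW):
    """Map a peer's counters to the symptom table. Heuristics, not ground truth."""
    if peer["handshake"] == 0:
        return ("no_handshake",
                "no handshake ever: check the WAN UDP pass rule, the client's Endpoint and the key pair")
    age = now - peer["handshake"]
    if age > STALE_AFTER:
        hint = "last handshake %ds ago: client gone, CGNAT/UDP filtering, or NAT mapping expired" % age
        if peer["keepalive"] == "off":
            hint += "; set PersistentKeepalive on the client"
        return "stale_handshake", hint
    # Server received data (rx) but sent almost nothing back: replies are not
    # making it into the tunnel, which is what a missing outbound NAT looks like.
    if peer["rx"] > 0 and peer["tx"] < 1024:
        return ("handshake_no_return_traffic",
                "client sends but nothing comes back: check outbound NAT and the WG_Main rules")
    return "ok", "handshake %ds ago, traffic in both directions" % age


def summarize(text, now=NOW):
    """pubkey -> (status, hint) for every peer in the dump."""
    return {p["pubkey"]: triage(p, now) for p in parse_dump(text)}


if __name__ == "__main__":
    for pub, (status, hint) in summarize(SAMPLE_DUMP).items():
        print(f"{pub:14} {status:28} {hint}")
```

On a live firewall, feed it the real output (wg show all dump) and the current time instead of the constructed sample; the peer whose status comes back as handshake_no_return_traffic is the one to test first against the NAT and WG_Main checklist.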

13. Final Thoughts

WireGuard’s native integration in OPNsense makes it an excellent choice for efficient, secure remote access. It runs well on low-power hardware and scales cleanly using aliases and VLAN-based rule separation.

For reference, review how VLANs and firewall isolation are structured in my related post: How I Built My Segmented OPNsense and UniFi Network