WireGuard VPN
Last updated
I configured a VPN server in my homelab to allow secure remote access for maintaining my servers and internal networks, and to ensure safe internet browsing on public Wi-Fi with my mobile devices.
Install and configure WireGuard as a VPN server on my existing OPNsense firewall.
Install and configure WireGuard on my family's mobile devices (smartphone, laptop) and add them to the VPN tunnel.
Configure firewall rules to allow VPN clients access to the internet and to the internal network.
On main dashboard, I navigated to VPN > WireGuard > Instances.
The listen port defaults to UDP 51820. I set 10.10.10.1/24 as the tunnel address, picking a private (RFC 1918) subnet that is not used anywhere else on my network, so the tunnel routes cannot conflict with my LAN subnets.
Every future client/peer must then be given an address inside this tunnel subnet (10.10.10.2 to 10.10.10.254); the server only accepts packets from a peer that carry that peer's configured tunnel address as source.
Generate the key pair. I noted down the server's public key, because the client needs it to configure its side of the tunnel; the private key stays on the firewall and is never shared.
For DNS I entered the static IP of my Pi-hole, so that name lookups from the clients are answered by my own resolver through the tunnel rather than by whatever resolver the public Wi-Fi hands out.
On my laptop the roles are reversed: the "peer" is now the server, so I entered the VPN server's public key here, and the endpoint is <Public_Server_IP_address>:<port_number>.
I also enabled "Block untunneled traffic" (the kill switch), because it would defeat the purpose of the VPN if traffic could still leave the device outside the tunnel. With it enabled, WireGuard adds firewall rules on the client that drop any IP packet not routed into the tunnel (other than the packets to the endpoint itself), so a dropped tunnel fails closed instead of silently falling back to the public Wi-Fi. The rules only cover the destinations listed under allowed IPs, so for a full tunnel that list has to be 0.0.0.0/0.
Back on OPNsense, in the peer entry I entered the public key of my client interface, the client's tunnel address as its allowed IPs, and the port number.
Selected the WG01 instance and saved.
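The server instance and the laptop peer above have to agree on several details: the peer address lies inside the tunnel subnet, the tunnel subnet does not collide with the LAN, the client's allowed IPs include 0.0.0.0/0 so the kill switch covers everything, the pushed DNS server is reachable through the tunnel, and the endpoint port matches the listen port. The following Python script is added here as an example; it is not part of the original write-up nor OPNsense code. It parses a server and a client config written in wg-quick syntax and checks those points. The two configs, the 192.168.x LAN subnets, the vpn.example.invalid host name and the dummy keys are constructed placeholders, and the script does not check that the keys form real key pairs.

```python
"""Sanity-check a WireGuard server/client pair before loading it on OPNsense and a laptop."""
import base64
import ipaddress


def dummy_key(byte):  # placeholder 32-byte key in WireGuard's base64 form; never a real key
    return base64.b64encode(byte * 32).decode()


# Server side in wg-quick syntax (the OPNsense instance plus one peer). Constructed sample.
SERVER_CONF = f"""
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = {dummy_key(b"s")}

[Peer]
PublicKey = {dummy_key(b"L")}
AllowedIPs = 10.10.10.2/32
"""

# Client side (laptop): full tunnel, DNS pushed to a constructed Pi-hole address.
CLIENT_CONF = f"""
[Interface]
Address = 10.10.10.2/32
PrivateKey = {dummy_key(b"l")}
DNS = 192.168.1.53

[Peer]
PublicKey = {dummy_key(b"S")}
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

LAN_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24"]  # constructed internal networks


def parse_wg(text):
    """Parse wg-quick text into (interface_dict, [peer_dict, ...]); values are lists, keys may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
            continue
        if line == "[Peer]":
            current = {}
            peers.append(current)
            continue
        key, sep, value = line.partition("=")  # first '=' only: base64 keys end in '=' padding
        if current is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        current.setdefault(key.strip(), []).append(value.strip())
    return interface, peers


def networks(values):
    """Expand comma-separated CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for value in values for item in value.split(",") if item.strip()]


def check_pair(server_text, client_text, lan_subnets):
    """Return a list of problems; empty means the two sides agree with each other and the LAN."""
    problems = []
    s_if, s_peers = parse_wg(server_text)
    c_if, c_peers = parse_wg(client_text)
    tunnel = ipaddress.ip_interface(s_if["Address"][0]).network
    # 1. The tunnel subnet must not collide with an internal network, or routes fight each other.
    for lan in lan_subnets:
        if tunnel.overlaps(ipaddress.ip_network(lan)):
            problems.append(f"tunnel {tunnel} overlaps internal subnet {lan}")
    # 2. Each peer the server accepts must get an address inside the tunnel subnet.
    server_allowed = set()
    for peer in s_peers:
        for net in networks(peer.get("AllowedIPs", [])):
            if net.version != tunnel.version or not net.subnet_of(tunnel):
                problems.append(f"server peer AllowedIPs {net} is outside tunnel {tunnel}")
            server_allowed.add(net)
    # 3. The client's own tunnel address must be one the server routes to it.
    c_ip = ipaddress.ip_interface(c_if["Address"][0]).ip
    if ipaddress.ip_network(str(c_ip)) not in server_allowed:
        problems.append(f"client address {c_ip} is not allowed by any server peer entry")
    # 4. "Block untunneled traffic" only drops packets outside AllowedIPs: need 0.0.0.0/0.
    client_peer = c_peers[0]
    c_allowed = networks(client_peer.get("AllowedIPs", []))
    if ipaddress.ip_network("0.0.0.0/0") not in c_allowed:
        problems.append("client is split-tunnel: AllowedIPs lacks 0.0.0.0/0")
    # 5. The pushed DNS server must be reachable through the tunnel, or lookups leak to local Wi-Fi.
    for ip in (ipaddress.ip_address(d.strip()) for v in c_if.get("DNS", []) for d in v.split(",")):
        if not any(ip in net for net in c_allowed):
            problems.append(f"DNS server {ip} is not routed through the tunnel")
    # 6. The endpoint port must equal the server ListenPort, i.e. the UDP port the WAN rule opens.
    port = int(client_peer["Endpoint"][0].rsplit(":", 1)[1])
    if port != int(s_if["ListenPort"][0]):
        problems.append(f"endpoint port {port} does not match ListenPort {s_if['ListenPort'][0]}")
    return problems
```

Running check_pair on the two constructed configs returns an empty list; swapping the client's allowed IPs for 10.10.10.0/24 reports both the split tunnel and the unreachable DNS server, and putting a peer at 10.1.1.2/32 on the server reports it as outside the tunnel subnet.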
According to the OPNsense documentation, there are three main reasons why it is recommended to create a dedicated WireGuard interface on OPNsense.
It becomes an alias for the tunnel subnet ("WireGuard net"), which I can use in firewall rules without specifying the subnet manually.
It adds an IPv4 outbound NAT rule automatically, so tunnel clients are masqueraded behind the WAN address when they reach the internet.
Lastly, if I have multiple tunnels, I can write firewall rules per WireGuard instance instead of one set for the whole WireGuard group.
Navigate to Interfaces > Assignments; once the instance is enabled, OPNsense lists a wg0 device ready to assign.
Create a new interface and select device wg0. I named this interface "WireGuard" and saved.
The WireGuard interface then appears below the others.
I only needed to enable it and tick "Prevent interface removal". I left the IPv4/IPv6 configuration type at None, because the tunnel address is already set on the instance; everything else was configured when I created the instance.
Because WireGuard runs on the OPNsense firewall itself, there is no port forward (NAT) rule to create; a WAN rule that lets the UDP traffic reach the firewall is enough.
Navigate to Firewall > Rules > WAN and create new rule.
"Action" set to "Pass" and "Protocol" set to "UDP".
"Source" set to "any", because I will mostly connect from public Wi-Fi with addresses I cannot predict.
"Destination" set to "WAN address", which is the firewall's external IP address.
For "Destination port range", select "(other)" and enter 51820. This exposes a single UDP port, and WireGuard never replies to a packet that is not authenticated with a configured key, so the port does not answer scanners.
OPNsense is a default-deny firewall: traffic arriving on an interface is dropped unless a rule on that interface explicitly allows it, so the tunnel clients need their own rules as well.
I navigated to Firewall > Rules > WireGuard and created two rules.
First rule: allow the tunnel clients to reach the DNS service on the tunnel gateway address.
Action: Pass
Interface: WG
TCP/IP version: IPv4
Protocol: TCP/UDP
Source: WG net
Source port: Any
Destination: 10.10.10.1
Destination port: 53
Second rule: allow access to the internet and to every internal network.
Action: Pass
Interface: WG
TCP/IP version: IPv4
Protocol: Any
Source: WG net
Source port: Any
Destination: Any
Destination port: Any
Because this rule matches any destination, it already covers the DNS traffic of the first rule, and it gives every tunnel client (the family phones included) the same reach as a device on the LAN. If some peers only need the internet, put a block rule for the internal subnets ahead of it, sourced from those peers' tunnel addresses; rules are evaluated first match, so the block wins for them and this pass rule still serves the peers that manage servers.
Lastly, I activated the tunnel on the clients and ran some simple checks to verify that the configuration works as intended.
Navigate to VPN > WireGuard > Status.
Each connected peer should show a recent latest handshake together with sent and received byte counts. If the handshake never appears, the peer is not actually connected, whatever the client app displays: the usual causes are a mismatched key, a wrong endpoint, or the UDP port not reaching the firewall.
Moreover, in the main OPNsense dashboard, I could also see the WireGuard interface statistics.
On the client device I ran traceroute to 8.8.8.8 and it succeeded; the first hop should be the tunnel address 10.10.10.1, which confirms that traffic leaves through the tunnel rather than through the local Wi-Fi gateway.
Since I set a rule allowing access to every internal network, I could also ping internal devices and servers.
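The status page shows the same data that `wg show wg0 dump` prints on the firewall shell. The following Python script is added here as an example, not taken from the page or from OPNsense: it parses a constructed sample of that output and reports each peer as up, never connected, stale (no handshake for more than three minutes) or unexpected (a public key that is not on the provisioned list), which is the check I would script for a dashboard or a cron job. The keys, addresses, byte counters and the fixed NOW timestamp are all constructed.

```python
"""Report peer health from `wg show wg0 dump` output: stale, never-connected and unexpected peers."""

NOW = 1_700_000_000        # constructed "current time" for the sample; use int(time.time()) live
HANDSHAKE_MAX_AGE = 180    # WireGuard re-handshakes roughly every 2 minutes while traffic flows

# `wg show <iface> dump` is tab-separated. First line: private-key public-key listen-port fwmark.
# One line per peer after that: public-key preshared-key endpoint allowed-ips
#   latest-handshake (unix time, 0 = never) rx-bytes tx-bytes persistent-keepalive.
# Constructed sample: dummy keys, documentation-range addresses, made-up counters.
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "SERVERPUBKEY", "51820", "off"]),
    "\t".join(["LAPTOPPUBKEY", "(none)", "203.0.113.7:41927", "10.10.10.2/32",
               str(NOW - 45), "1048576", "2097152", "25"]),
    "\t".join(["PHONEPUBKEY", "(none)", "(none)", "10.10.10.3/32", "0", "0", "0", "25"]),
    "\t".join(["OLDLAPTOPKEY", "(none)", "198.51.100.9:5000", "10.10.10.4/32",
               str(NOW - 3600), "500", "600", "off"]),
])

# Public keys that are supposed to be on the instance (constructed change-control list).
EXPECTED_PEERS = {"LAPTOPPUBKEY", "PHONEPUBKEY"}


def parse_dump(text):
    """Return (interface_dict, [peer_dict, ...]) from `wg show <iface> dump` text."""
    lines = text.strip().splitlines()
    head = lines[0].split("\t")
    interface = {"public_key": head[1], "listen_port": int(head[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return interface, peers


def peer_state(peer, now):
    """'never' = configured but no handshake yet; 'stale' = was up, is not now; 'up' = healthy."""
    if peer["latest_handshake"] == 0:
        return "never"
    if now - peer["latest_handshake"] > HANDSHAKE_MAX_AGE:
        return "stale"
    return "up"


def report(text, expected, now):
    """Map each peer public key to its state; a key missing from `expected` is 'unexpected'."""
    _, peers = parse_dump(text)
    return {p["public_key"]: ("unexpected" if p["public_key"] not in expected
                              else peer_state(p, now)) for p in peers}


if __name__ == "__main__":
    for key, state in report(SAMPLE_DUMP, EXPECTED_PEERS, NOW).items():
        print(f"{state:<10} {key}")
```

On a live firewall, replace SAMPLE_DUMP with the stdout of subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True) and NOW with int(time.time()). The command must run as root, and the first field of its first line is the interface's private key, so never paste or log that line. A peer that reports "never" is not necessarily a problem (an idle phone looks the same as a misconfigured one); "unexpected" is the one worth alerting on, since it means a peer was added to the instance that the provisioning list does not know about.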
After all the configuration, I learned that WireGuard uses modern cryptography (Curve25519 key exchange, ChaCha20-Poly1305 encryption and BLAKE2s hashing, assembled with the Noise protocol framework) for stronger security, and that only peers whose public keys are configured on each other can communicate over the encrypted channel.
In addition, I used to set up OpenVPN on a pfSense firewall, and I found WireGuard simpler to configure. The concept behind them is the same, but WireGuard is friendlier.
Lastly, what I learned during my research is that WireGuard uses terms like peer and endpoint rather than client and server, which confused me at first. Many say WireGuard behaves more like a peer-to-peer protocol, where each peer can act as both a client and a server.