Wireguard Puffy to OPNsense

WG Tunnel between OpenBSD and OPNsense

How to set up a WG tunnel between OpenBSD and OPNsense? That’s quite simple …

OpenBSD

Install Packages

pkg_add wireguard-tools--

Build Interface

# Private key: 32 random bytes, base64 encoded (the form wgkey expects)
r=$(openssl rand -base64 32)
remote_ip="1.2.3.4"
remote_net="192.168.0.0/24"

# The EOF marker must be unquoted so that ${r}, ${remote_ip} and ${remote_net}
# are expanded; with 'EOF' the file would contain the literal variable names
cat << EOF > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey   ${r}
wgport  51820
wgpeer  xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net}
inet    10.0.0.1/24
!route add ${remote_net} 10.0.0.2
up
EOF

sh /etc/netstart wg0
ifconfig wg0
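The heredoc above is the step where things quietly go wrong: a quoted marker leaves `${r}` in the file and the interface simply does not come up, and the file holds the private key, so its permissions matter. The following is an added example, not part of the original post, that renders /etc/hostname.wg0 from variables, refuses to write a file whose key fields are not a valid 32-byte base64 key (which catches both the unexpanded `${r}` and the xxxxx placeholder for the OPNsense public key from the "List Configuration" step), and installs it with mode 0640. The key and peer-key values in the usage comment are assumed inputs; the file layout is the one used by the post.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/hostname.wg0 safely.
# Assumes: a base64 private key as printed by `openssl rand -base64 32`
# (or `wg genkey`), and the peer's public key copied from OPNsense.

# A WireGuard key is 32 bytes, so its base64 form is exactly 44 characters
# ending in a single '='. Anything else, such as a literal "${r}" left by a
# quoted heredoc or the "xxxxx - PUBLIC-KEY..." placeholder, is rejected.
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print the hostname.wg0 contents to stdout.
# $1 private key   $2 listen port      $3 peer public key
# $4 peer endpoint $5 network behind the peer (wgaip and route target)
# $6 our tunnel address (CIDR)          $7 peer tunnel address (next hop)
render_hostname_wg0() {
    privkey=$1; port=$2; peer_pub=$3; remote_ip=$4; remote_net=$5
    local_addr=$6; peer_addr=$7
    wg_key_ok "$privkey"  || { echo "bad private key (unexpanded variable?)" >&2; return 1; }
    wg_key_ok "$peer_pub" || { echo "bad peer public key (placeholder?)" >&2; return 1; }
    cat <<EOF
# WG Tunnel to OPNsense
wgkey   $privkey
wgport  $port
wgpeer  $peer_pub wgendpoint $remote_ip $port wgaip $remote_net
inet    $local_addr
!route add $remote_net $peer_addr
up
EOF
}

# Write the rendered file to $1 with mode 0640, so only root (and group wheel
# on a default OpenBSD install) can read the private key. Remaining arguments
# are passed to render_hostname_wg0; nothing is left behind if rendering fails.
write_hostname_wg0() {
    path=$1; shift
    tmp="$path.tmp.$$"
    ( umask 077; render_hostname_wg0 "$@" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 640 "$tmp" && mv "$tmp" "$path"
}

# Usage on the OpenBSD host (assumed values; peer_pub comes from OPNsense):
#   r=$(openssl rand -base64 32)
#   write_hostname_wg0 /etc/hostname.wg0 "$r" 51820 "$peer_pub" \
#       1.2.3.4 192.168.0.0/24 10.0.0.1/24 10.0.0.2
#   sh /etc/netstart wg0 && ifconfig wg0
```

After `sh /etc/netstart wg0`, `ifconfig wg0` prints the derived `wgpubkey`; that is the value to enter as the public key of the "openbsd" endpoint in OPNsense. Rendering to a temporary file under `umask 077` means the key is never, even briefly, in a world-readable file.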

update pf.conf

# pf macro: the shell variable from the step above is not visible to pf,
# so the remote address has to be defined here as well
remote_ip = "1.2.3.4"

# skip on wg Interface: traffic inside the tunnel is not filtered by pf
set skip on { lo0 wg0 }

# Wireguard: only the remote host (a single address, i.e. /32) may reach the listen port
pass in log quick inet proto udp from $remote_ip to (self) port 51820

OPNsense

Install Wireguard

Menu System -> Firmware -> Plugins -> Install Wireguard

Menu VPN -> Wireguard -> Enable Wireguard

Menu VPN -> Wireguard -> Local

  • add item
  • name: opnsense
  • listen port: 51820
  • tunnel address: 10.0.0.2/24
  • save

Menu VPN -> Wireguard -> Endpoints

  • add item
  • name: openbsd
  • public key: public key of the OpenBSD WireGuard interface (wgpubkey shown by ifconfig wg0)
  • allowed IPs: subnet of the remote site
  • endpoint address: public IP of OpenBSD
  • endpoint port: 51820
  • save

Menu VPN -> Wireguard -> Local

  • edit item: opnsense
  • peers: openbsd
  • save

Menu VPN -> Wireguard -> List Configuration

  • copy the “public key” of wg0 to the OpenBSD host -> /etc/hostname.wg0 -> wgpeer: replace “xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx=” with it

Menu Firewall -> Rules -> WAN

  • add rule:
    • PASS / WAN / IN / IPv4 / UDP
    • SRC IP: WAN-IP-OPENBSD
    • DST IP: THIS-FIREWALL
    • DST PORT: 51820
    • LOG: YES
  • save

Menu Firewall -> Rules -> WireGuard

  • add rule:
    • PASS / WIREGUARD / IN / IPv4 / ANY / ANY / LOG

sha256: 958d775569de5e8f62e665bbfce95e79367ca310fe97514b4d4b9b1c9064a4f7