ViveSigma

How to connect back to your home network using WireGuard on OPNsense

Written by

Wen

in

Introduction

This guide explains how to connect your iPhone to your home network securely using WireGuard on OPNsense.

Diagram

Mobile connects back home using OPNsense WireGuard

Settings

WireGuard settings

OPNsense WireGuard Instance Settings

In OPNsense, go to VPN -> WireGuard -> Instances -> + Add

  • Public key and Private key can be generated by clicking the “cog” icon button (next to Public key).
  • Listen port: port WireGuard listens to at public IP address.
    • 32767 in this example.
  • Tunnel address: WireGuard interface address
    • 192.168.200.1/24 in this example.
  • Peers: peer name linked with this WireGuard instance.
OPNsense VPN WireGuard Instance

Mobile WireGuard App Settings

In Mobile WireGuard App, click + to add.

  • You could choose “Create from QR code” and scan the QR code on OPNsense Peer generator page (VPN -> WireGuard -> Peer generator). I had error saying invalid QR code. So I had to choose “Create from scratch”.
  • The ‘Create from Scratch’ option.
    • Click “Generate kaypair” to generate Public and Private keys.
    • Addresses: iPhone WireGuard interface address for this tunnel.
      • 192.168.200.2/32 in this example.
    • Listen port: 32767 in this example.
    • DNS Server: DNS server in your LAN
      • 192.168.200.1 in this example.
    • Click “Add peer” to setup OPNsense WireGuard peer
    • Public Key: OPNsense WireGuard Instance Public key
    • Endpoint: public IP address of OPNsense WAN interface and WireGuard listen port number.
      • 101.97.60.121:32767 in this example.
    • Allowed IPs: IP range you want WireGuard app to forward to OPNsense.
      • 192.168.200.0/24, 192.168.0.0/24, 192.168.1.0/24 means forward LAN traffic all traffic to OPNsense WireGuard. (Assuming LAN network addresses are 192.168.0.0/24, 192.168.1.0/24)
      • If you want to redirect all your data traffic from your iPhone to OPNsense WireGuard, put 0.0.0.0/0 here. But it requires OPNsense NAT setup to work.
Add a new connection in Mobile WireGuard App

OPNsense WireGuard Peer Settings

In OPNsense, go to VPN -> WireGuard -> Peers -> + Add

  • Public key: iPhone WireGuard Public key
  • Allowed IPs: WireGuard Tunnel IP address ranges coming from iphone
    • 192.168.200.0/24 in this example.
  • Endpoint port: Listen port number.
    • 32767 in this example.
  • Instances: WireGuard Instance name linked with this WireGuard peer.
OPNsense VPN WireGuard Peer

OPNsense Firewall Rule

Without this rule, WireGuard traffic cannot pass through the WAN interface to establish a connection.

In OPNsense, go to Firewall -> Rules -> WAN -> + Add

  • Action: Pass
  • Interface: WAN
    • WAN interface on OPNsense router
  • Direction: in
    • From Internet To WAN interface on OPNsense router
  • TCP/IP version: IPv4
  • Protocol: UDP
    • WireGuard uses UDP
  • Source: any
    • any means anywhere from Internet
  • Destination: WAN address
    • WAN interface on OPNsense router
  • Destination port range: from: to:
    • Port number is the listen port of WAN interface on OPNsense router.
    • 32767 in this example.

Remember to save and apply the rule after the change.

OPNsense Firewall Rule

Troubleshoot

  • Checking if WireGuard traffic is blocked by firewall.
    • In OPNsense, go to Firewall -> Log Files -> Live View

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts