OPNsense Config

• 1: VPN Part 1 - Preparation
• 2: VPN Part 2 - Wireguard Instance and Peers
• 3: VPN Part 3 - Interface and Gateway
• 4: VPN Part 4 - Aliases, NAT and Firewall

1 - VPN Part 1 - Preparation

Mullvad is used as the example here, however any provider that gives a wireguard configuration file will work pretty much the same way. The main point of note is whether they support IPv6 or not. If this isn’t supported, please see the Advanced section for some suggestions.

Assuming at this point you have a Mullvad account and nothing else, the steps are as follows:

1. Part 1 - Preparation
   1. Get the Config file for your VPN
   2. Edit the file slighty to put the data in the right format
   3. Work out the Gateways
2. Part 2 - Configuring the VPN on OPNsense:
   1. Create a Wireguard Instance on OPNsense
   2. Create a Wireguard Peer on OPNsense
   3. Confirm the Tunnel is working
3. Part 3 - Adding an Interface and Gateway
   1. Adding an Interface
   2. Adding Gateways
   3. Confirm the Gateways work
4. Part 4 - Configuring Traffic across the VPN
   1. Creating the Aliases
   2. Create NAT rules
   3. Create the Firewall Rules

Prep Work

Generate your Private Key and Config File

If you don’t have a Wireguard VPN config file, you’ll need to make one. For Mullvad the instructions to create one are as followsl

1. Head over to the Mullvad Account Page
2. Press the Generate Key button and save the key that appears
3. Scroll down to the selection of endpoints
   1. Pick and endpoint you want to appear from
   2. Pick a city if offered (Any is fine)
   3. Pick one of the selected connections (Any is fine)
   4. Ignore the Content Blocking section
   5. Click Download File

Open the file up and you’ll see settings like this:

Generating all the Info you need

This is the hard part. We’re going to do any working out that we need to do before we start touching the router.

Once this is done, everything else is copy/paste

First, make a copy of the file, we’ll need to edit some things to make the setup easier.

1. Change the Address Line /128 to /127

In the Address line, change /128 at the end of the address line to /127 :

Not doing this step will result in your router not knowing what to do with any traffic you want to send over the VPN

2. Split the Endpoint Line

The endpoint line will contain an IP address and a port, divided by a “:” sign

• Make a new line, and start it with “Endpoint_Port = "
• Copy the port number from the Endpoint line to the new line
• Delete the “:” from the Endpoint line

3. Calculate your Gateway IPs

Your config file may not contain an IPv6 address

Calculating Gateway Examples

Both IPv4 and IPv6 examples will use this line as their base:

Address = 10.444.555.91/32,ff00:ffff:ffff:bb01::1:11aa/127

IPv4 Gateway

Easy one - subtract 1 from the last number in the IPv4 address

Example - IPv4 address (10.444.555.91) gives the Gateway - 10.444.555.90

• Add a line to your config file:
  • Gateway_IPV4 = « Your calculated address »

IPv6 Gateway

IPv6 can be a little more complicated, but:

1. Take the full address, including the /127 (e.g.ff00:ffff:ffff:bb01::1:11aa/127)
2. Find a tool to calculate the subnet (e.g Subnetting Practice.com)
3. Paste in the full address and click calculate

4. In the Range section, you’ll see two IP addresses:
   • One is the IP address you pasted in (check the last digits here - “11aa”)
   • The other is your IPv6 Gateway - example: ff00:ffff:ffff:bb01:0:0:1:11ab
     • They may look a little different (extra 0’s and :’s), this is fine
     • If you only get one IP in “Range” - did you change the /128 to /127 as required ?
5. Add a line to your config file:
   • Gateway_IPV6 = « Paste your gateway in here »

You’ll end with a file that looks like this:

That’s it! The hard part’s over, get ready for some copy/paste

2 - VPN Part 2 - Wireguard Instance and Peers

Configuring the VPN on OPNsense

In this section a Wireguard Instance and Peer will be configured on OPNsense, This essentially forms a virtual cable from your router to VPN.

Create a Wireguard Instance

1. Log into OPNsense via the web interface
2. In the sections browse to VPN -> Wireguard -> Instances
3. Click + to configure a new Instance
4. Fill in the details as follows (anything not listed should be left blank)

Field	Value	Notes
Name	wg_mullvad_instance
Private Key	Interface.PrivateKey from Wireguard file
Tunnel Address	Interface.Address from Wireguard file	/127, not 128
Disable Routes	Ticked

5. Click Save to close the window, you should see the Instance appear
6. Click Apply to load the instance into Wireguard

Create a Wireguard Peer

Here the peer of the VPN will be configured for the instance to connect to.

1. Ensure the Web Interface is at VPN -> Wireguard -> Instances
2. Select the Peers tab
3. Click “+” to configure the peer
4. Fill in details as follows:

Field	Value	Notes
Name	wg_mullvad_peer
Public Key	Peer.PublicKey from Wireguard file
Allowed IPs	Peer.AllowedIPs from Wireguard file
Endpoint	Endpoint from Wireguard file	e.g. 333.111.222.47
Endpoint Port	Endpoint_Port from Wireguard file	Most likely: 51820
Instance	wg_mullvad_instance

5. Click Save to close the window
6. Click Apply to load the peer into Wireguard

Enable Wireguard and confirm the Tunnel is working

1. Navigate to VPN -> Wireguard -> Instances
2. Tick the box next to Enable Wireguard

3. Click Apply
4. Navigate to VPN -> Wireguard -> Status
5. Confirm Status has green ticks next to the two lines for your peer and an interface with the same Device Name as your peer (e.g. “wg0”, yours may differ)

At this point, the VPN is configured, the tunnel is up, we’ve essentially connected a cable from the router to the VPN provider. It can’t be used yet as the router doesn’t know what to do with your traffic.

Next step is to configure the Interface and Gateways.

Troubleshooting

If you don’t have green ticks:

• Have a look in VPN -> Wireguard -> Log File to see if there is more information as to what’s gone wrong, and double check the instance and peer configuration.
• Restart the Wireguard service:
  • Visit Lobby -> Dashboard
  • Scroll down to Services
  • Locate WireGuard wg_mullvad_instance
  • Click Restart next to it
• If you have one green tick and a grey question mark:
  • Check your Tunnel Address for the instance has “/127” in it and not “/128”

With all this complete, proceed to Part 3 - Interface and Gateways

3 - VPN Part 3 - Interface and Gateway

This is Part 3 of the VPN configuration.

Following the cable analogy, we now need to add the network card (Interface), and give it an IP address so we can talk to it (Gateway)

This section will:

1. Create an Interface for the VPN
2. Add Gateway(s) to the Interface to allow traffic routing

Create the Interface

1. Navigate to Interfaces -> Assignments
2. In the Assign a new Interface section ensure the wg_mullvad_instance is selected
3. Enter a Description e.g. - WG_MULLVAD

4. Click Add
5. [WG_MULLVAD] should appear in the left hand menu
6. Select the [WG_MULLVAD] interface
7. Tick Enable Interface

8. Set the MTU and MSS to 1420

9. Click Save
10. At the top of the screen a message will appear, click Apply Changes

Creating the IP Gateway(s)

Next, our Gateway IPs will be configured on the new Interface:

1. Navigate to Interfaces -> Gateway
2. Click + to add a new Gateway
3. Fill in the form as follows:

Field	Value	Notes
Name	MULL_IPV4_GW	Anything you prefer, but will be needed later
Interface	WG_MULLVAD
Address	Gateway_IPV4 from Wireguard config	Just the IP, no “/32”
Far Gateway	Checked
Disable Monitoring	Unchecked
Monitoring IP	4.2.2.2	Any IP on the internet to test with, suggest 4.2.2.2
Description	Mullvad IPv4 Gateway	Any description you like

4. Click Save
5. If you have an IPv6 in your config file, repeat the process to add another gateway, but this time: (Skip this step if there is no IPv6 in your config file)

Field	Value	Notes
Name	MULL_IPV6_GW	Same as above, but with IPv6
Interface	WG_MULLVAD
Address Family	IPv6
Address	Gateway_IPv6 from config file	No /127 or /128, just the IP
Far Gateway	Unchecked
Disable Monitoring	Unchecked
Monitor IP	2001:4860:4860::8888	Any IPv6 Address, example is Google DNS
Description	Mullvad IPv6 Gateway	Any description you like

6. Click Apply at the bottom of the screen
7. Wait at the Overview screen for about about 15-30 seconds to start monitoring
8. Click Refresh
9. You should see both new Gateways with a green Status, and a time in ms in the “RTT” column:

If the Status is fine, this section is complete. The VPN is connected and now has a way to send traffic over it.

The final part is to configure the firewall/NAT to allow and send traffic that way, which takes place in part 4.

4 - VPN Part 4 - Aliases, NAT and Firewall

At this point, the connection is up, there’s an IP address on it, this section will set up rules to allow traffic from internal networks to be sent across the VPN.

It will configure:

1. Alias group(s) that will hold the IP/Networks of servers to pass over the VPN
2. Outbound NAT rules to modify traffic so it can go over the VPN
3. Firewall rules to specify what traffic to configure

Creating the Aliases

1. Navigate the Web Interface to Firewall -> Aliases
2. Click + to add an Alias
3. Add an alias as follows:

Field	Value	Notes
Name	VPN_Websites	Can change, but this is highly recommended
Type	Networks
Description	VPN_Websites

3. Click Save
4. Click + to add a new Alias for IPv6 if needed:

Field	Value	Notes
Name	VPN_Websites_IPv6	Same comment about spaces as above
Type	Networks
Description	VPN_Websites_IPv6

5. Click Save
6. Click Apply

Creating a NAT Rule

These rules will inspect traffic coming into the router, and if it should be sent over the VPN, it will change the packet to suit to one of the VPN gateways that has been configured

Configure OPNsense to Allow Manual NAT Rules

1. Navigate to Firewall -> NAT -> Outbound
2. In the Mode section, select Hybrid outbound NAT rule generation
3. Click Save

Make the NAT Rules

1. Ensue the Web Interface is at Firewall -> NAT -> Outbound
2. In the Manual Rules section, click +
3. Create a rule for IPv4 as follows:

Field	Value	Notes
Interface	WG_MULLVAD
TCP/IP Version	IPv4
Source Address	Your Internal Network - LAN net/INT net etc
Destination Address	VPN_Websites
Translation/Target	WG_MULLVAD address

4. Click Save
5. Create another rule for IPv6 if using IPv6:

Field	Value
Interface	WG_MULLVAD
TCP/IP Version	IPv6
Source Address	Your Internal Network - LAN/INT etc
Destination Address	VPN_Websites_IPv6
Translation Target	WG_MULLVAD address

6. Click Save 7. Click Apply

Firewall Rules

If you have the default firewall rules deployed, traffic will be allowed from your LAN out by default, and no configuration will be required.

This section will set up rules to allow all traffic across the VPN, **you may wish to restrict it further, e.g port selection

This will configure a specific rule for the aliases, and assumes nothing else is in place. Please note: you will need to places these rules above any relevant denies, if you are running custom rules, knowledge of how to do this is assumed.

1. Navigate to Firewall -> Rules -> LAN
2. Click + to add a new rule
3. Add a Rule as follows:

Field	Value	Notes
Action	Pass
Quick	Checked
Interface	LAN
TCP/IP Version	IPv4
Source	LAN net
Destination	VPN_Websites
Gateway	MULL_IPV4_GW

4. Click Save
5. Repeat the process, but for IPv6:

Field	Value	Notes
Action	Pass
Quick	Checked
Interface	LAN
TCP/IP Version	IPv6
Source	LAN net
Destination	VPN_Websites_IPv6
Gateway	MULL_IPV6_GW

5. Click Save
6. Click Apply

That’s it, all the configuration is done for Synclias networking

Testing Connectivity before using Synclias

If you’d like to test the VPN connectivity, you can route all of your traffic over the VPN :

• Edit the NAT rules to remove the relevant “VPN_Websites” alias and apply your changes.
• Test with whatever “What is my IP address” site you like
• Remember to put the VPN Website alias back in when done!