OPNsense VPN Configuration 1 - VPN

This is the hardest part of the setup. There are YouTube videos out there that can walk you through it all if you prefer that; personally I prefer text.

Mullvad is used as the example here, but any provider that supplies a Wireguard configuration file will work in much the same way. The main point to note is whether the provider supports IPv6. If it doesn't, see the Advanced section for some suggestions.

Assuming at this point you have a Mullvad account and nothing else, the steps are as follows:

  1. Generate Private Key and Config File
  2. Configuring the VPN on OPNsense:
    1. Create a Wireguard Instance on OPNsense
    2. Create a Wireguard Peer on OPNsense
    3. Enable Wireguard and confirm the Tunnel is working
  3. Configuring Traffic across the VPN
    1. Creating the Aliases
    2. Configuring the Firewall Rules

Generate your Private Key and Config File

  1. Head over to the Mullvad Account Page
  2. Press the Generate Key button and save the key that appears
  3. Scroll down to the selection of endpoints
    1. Pick an endpoint you want to appear from
    2. Pick a city if offered
    3. Pick one of the selected connections
    4. Ignore the Content Blocking section
    5. Click Download File

Open the file up and you’ll see settings like this:

During the setup, these will be referred to in the form “Interface.DNS from Wireguard File” etc., i.e. section name, then the key within that section. From the example here, “Interface.DNS from Wireguard File” would be 10.64.0.1

Note on “Endpoint”

There is only one place where you'll need to use part of a line from the config file: during the Peer configuration, you will be asked for Endpoint and Endpoint Port.

These are obtained by splitting “Peer.Endpoint” at the last “:” symbol. E.g. a Peer.Endpoint of “111.222.333.444:51820” gives:

  • Endpoint: 111.222.333.444
  • Endpoint Port: 51820
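As an added example (not part of the original guide, and not code from OPNsense or Mullvad), the script below parses a provider-style Wireguard file and maps it onto the field names used in the rest of this guide, including the Endpoint / Endpoint Port split described above. The config text inside it is constructed: the keys are all-zero placeholders of the right length and the addresses are example values, not a real Mullvad file. It goes a little beyond the text in two places: it handles an IPv6 endpoint written as “[addr]:port”, and it checks that each key decodes to 32 bytes, which catches a truncated copy-and-paste before you get a silent handshake failure.

```python
"""Parse a provider-supplied WireGuard .conf and map it onto the OPNsense fields.

Added example; not from the original guide or from OPNsense/Mullvad. SAMPLE_CONF
is CONSTRUCTED: the keys are all-zero placeholders, the addresses are example values.
"""
import base64

# "A" * 43 + "=" is a 44-character base64 string that decodes to 32 zero bytes,
# i.e. the right *shape* for a WireGuard key without being a real one.
PLACEHOLDER_KEY = "A" * 43 + "="
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {PLACEHOLDER_KEY}
Address = 10.64.0.2/32,fd00:db8::2/128
DNS = 10.64.0.1

[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 111.222.333.444:51820
"""


def parse_wireguard_conf(text):
    """Return {"Interface": {...}, "Peer": {...}} from INI-style WireGuard text.

    WireGuard keys are case-sensitive (PrivateKey, not privatekey) and files may
    carry '#' comments, so a small hand parser is used instead of configparser,
    which lower-cases keys by default.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current in sections:
                raise ValueError(f"duplicate [{current}] section; this guide expects one of each")
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    for required in ("Interface", "Peer"):
        if required not in sections:
            raise ValueError(f"missing [{required}] section")
    return sections


def key_looks_valid(b64_key):
    """True if the value decodes to exactly 32 bytes (a Curve25519 key)."""
    try:
        return len(base64.b64decode(b64_key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def split_endpoint(endpoint):
    """Split "host:port" into (host, port); accepts bracketed IPv6 "[addr]:port".

    The host stays a string because a provider may give a hostname, not an IP.
    """
    host, sep, port = endpoint.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"Endpoint {endpoint!r} has no port")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    elif ":" in host:
        raise ValueError("IPv6 endpoint must be written as [addr]:port")
    return host, port


def opnsense_fields(conf):
    """Map the parsed file onto the field names used in this guide's tables."""
    iface, peer = conf["Interface"], conf["Peer"]
    for label, key in (("Interface.PrivateKey", iface.get("PrivateKey")),
                       ("Peer.PublicKey", peer.get("PublicKey"))):
        if not key or not key_looks_valid(key):
            raise ValueError(f"{label} is missing or not a 32-byte base64 key (truncated paste?)")
    host, port = split_endpoint(peer["Endpoint"])
    return {
        "instance": {
            "Private Key": iface["PrivateKey"],
            "Tunnel Address": [a.strip() for a in iface["Address"].split(",")],
            "DNS": iface.get("DNS"),
        },
        "peer": {
            "Public Key": peer["PublicKey"],
            "Allowed IPs": [a.strip() for a in peer["AllowedIPs"].split(",")],
            "Endpoint": host,
            "Endpoint Port": port,
        },
    }


if __name__ == "__main__":
    for section, fields in opnsense_fields(parse_wireguard_conf(SAMPLE_CONF)).items():
        print(f"== {section} ==")
        for name, value in fields.items():
            print(f"  {name}: {value}")
```

Run it as-is to see the mapping for the constructed sample, or replace SAMPLE_CONF with the contents of your downloaded file; the printed “instance” and “peer” blocks line up with the two tables that follow.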

Configuring the VPN on OPNsense

In this section Wireguard will be configured on OPNsense, and a peer configured for that instance to connect to, forming the VPN tunnel.

Create a Wireguard Instance

  1. Log into OPNsense via the web interface
  2. In the menu, browse to VPN -> Wireguard -> Instances
  3. Click + to configure a new Instance
  4. Fill in the details as follows (anything not listed should be left blank):

     Field            Value                                         Notes
     Name             wg_mullvad_instance
     Private Key      “Interface.PrivateKey from Wireguard file”
     Tunnel Address   “Interface.Address from Wireguard file”       Boxes will appear around each IP when you click outside the box
     Disable Routes   Ticked

  5. Click Save to close the window; you should see the instance appear
  6. Click Apply to load the instance into Wireguard

Create a Wireguard Peer

Here the target of the VPN will be configured for the instance to connect to.

  1. Ensure the Web Interface is at VPN -> Wireguard -> Instances
  2. Select the Peers tab
  3. Click “+” to configure the peer
  4. Fill in the details as follows:

     Field            Value                                         Notes
     Name             wg_mullvad_peer
     Public Key       “Peer.PublicKey from Wireguard file”
     Allowed IPs      “Peer.AllowedIPs from Wireguard file”
     Endpoint         “IP address part of Peer.Endpoint from Wireguard file”   e.g. 111.222.333.444
     Endpoint Port    “Port part of Peer.Endpoint from Wireguard file”         Most likely: 51820
     Instance         wg_mullvad_instance

  5. Click Save to close the window
  6. Click Apply to load the peer into Wireguard

Enable Wireguard and confirm the Tunnel is working

  1. Navigate to VPN -> Wireguard -> Instances
  2. Tick the box next to Enable Wireguard
  3. Click Apply
  4. Navigate to VPN -> Wireguard -> Status
  5. Confirm Status has green ticks next to the two lines for your peer and an interface with the same Device Name as your peer (e.g. “wg0”)

At this point the VPN is configured and the tunnel is up, but no traffic is passing over it. This will be configured next.

Troubleshooting

If you don't have green ticks, look in VPN -> Wireguard -> Log File for more information on what has gone wrong, and double-check the instance and peer configuration.

Configuring Traffic across the VPN

  1. Creating the Aliases
  2. Configuring the Firewall Rules

With all this complete, proceed to Part 2 - Interface and Gateways