Part 1 - Preparation

Mullvad is used as the example here, however any provider that gives a wireguard configuration file will work pretty much the same way. The main point of note is whether they support IPv6 or not. If this isn’t supported, please see the Advanced section for some suggestions.

Assuming at this point you have a Mullvad account and nothing else, the steps are as follows:

  1. Part 1 - Preparation
    1. Get the Config file for your VPN
    2. Edit the file slightly to put the data in the right format
    3. Work out the Gateways
  2. Part 2 - Configuring the VPN on OPNsense:
    1. Create a Wireguard Instance on OPNsense
    2. Create a Wireguard Peer on OPNsense
    3. Confirm the Tunnel is working
  3. Part 3 - Adding an Interface and Gateway
    1. Adding an Interface
    2. Adding Gateways
    3. Confirm the Gateways work
  4. Part 4 - Configuring Traffic across the VPN
    1. Creating the Aliases
    2. Create NAT rules
    3. Create the Firewall Rules

Prep Work

Generate your Private Key and Config File

If you don’t have a Wireguard VPN config file, you’ll need to make one. For Mullvad the instructions to create one are as follows:

  1. Head over to the Mullvad Account Page
  2. Press the Generate Key button and save the key that appears
  3. Scroll down to the selection of endpoints
    1. Pick an endpoint you want to appear from
    2. Pick a city if offered (Any is fine)
    3. Pick one of the selected connections (Any is fine)
    4. Ignore the Content Blocking section
    5. Click Download File

Open the file up and you’ll see settings like this:

Wireguard Config File

Generating all the Info you need

This is the hard part. We’re going to do any working out that we need to do before we start touching the router.

Once this is done, everything else is copy/paste.

First, make a copy of the file, we’ll need to edit some things to make the setup easier.

1. Change the Address Line /128 to /127

In the Address line, change /128 at the end of the address line to /127 :

Changed Address Line

Not doing this step will result in your router not knowing what to do with any traffic you want to send over the VPN.

2. Split the Endpoint Line

The endpoint line will contain an IP address and a port, divided by a “:” sign.

  • Make a new line, and start it with “Endpoint_Port = "
  • Copy the port number from the Endpoint line to the new line
  • Delete the “:” from the Endpoint line

Split Endpoint Line

3. Calculate your Gateway IPs

Your config file may not contain an IPv6 address; if it doesn’t, only the IPv4 gateway applies.

Calculating Gateway Examples

Both IPv4 and IPv6 examples will use this line as their base:

Address = 10.444.555.91/32,ff00:ffff:ffff:bb01::1:11aa/127

IPv4 Gateway

Easy one - subtract 1 from the last number in the IPv4 address

Example - IPv4 address (10.444.555.91) gives the Gateway - 10.444.555.90

  • Add a line to your config file:
    • Gateway_IPV4 = « Your calculated address »

IPv6 Gateway

IPv6 can be a little more complicated, but:

  1. Take the full address, including the /127 (e.g. ff00:ffff:ffff:bb01::1:11aa/127)
  2. Find a tool to calculate the subnet (e.g. Subnetting Practice.com)
  3. Paste in the full address and click calculate

Split Endpoint Line

  4. In the Range section, you’ll see two IP addresses:
    • One is the IP address you pasted in (check the last digits here - “11aa”)
    • The other is your IPv6 Gateway - example: ff00:ffff:ffff:bb01:0:0:1:11ab
      • They may look a little different (extra 0’s and :’s), this is fine
      • If you only get one IP in “Range” - did you change the /128 to /127 as required?
  5. Add a line to your config file:
    • Gateway_IPV6 = « Paste your gateway in here »
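As an added example (not part of the original guide), the Python script below performs steps 1 to 3 on a constructed config so you can check your hand-edited file against it: it widens the IPv6 address from /128 to /127, splits the Endpoint line into Endpoint and Endpoint_Port, and derives the gateways (IPv4 by subtracting 1 from the last octet, IPv6 as the other address of the /127 pair). The keys, addresses and endpoint in SAMPLE_CONF are placeholders, not real Mullvad values.

```python
import ipaddress

# Constructed sample in the shape of a Mullvad WireGuard config (placeholder values only).
SAMPLE_CONF = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.12.91/32,fc00:bbbb:bbbb:bb01::1:11aa/128
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.5:51820
"""

def parse_conf(text):
    """Map 'Key = value' lines to a dict; section headers are skipped."""
    values = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def gateway_for(addr):
    """Gateway for one Address entry, following the guide's two rules."""
    iface = ipaddress.ip_interface(addr)
    if iface.version == 4:
        return str(iface.ip - 1)            # subtract 1 from the last octet
    # IPv6: the gateway is the other address of the /127 pair
    pair = ipaddress.ip_network(f"{iface.ip}/127", strict=False)
    return str(pair[1] if iface.ip == pair[0] else pair[0])

def prepare(text):
    """Return the lines the guide has you add or edit by hand."""
    conf = parse_conf(text)
    host, _, port = conf["Endpoint"].rpartition(":")   # step 2: split IP and port
    result = {"Endpoint": host, "Endpoint_Port": port, "Address": []}
    for entry in conf["Address"].split(","):
        iface = ipaddress.ip_interface(entry.strip())
        if iface.version == 6 and iface.network.prefixlen == 128:
            entry = f"{iface.ip}/127"        # step 1: /128 -> /127
        result["Address"].append(entry.strip())
        result[f"Gateway_IPV{iface.version}"] = gateway_for(entry)   # step 3
    result["Address"] = ",".join(result["Address"])
    return result

if __name__ == "__main__":
    for key, val in prepare(SAMPLE_CONF).items():
        print(f"{key} = {val}")
```

If your Address line has no IPv6 entry, only Gateway_IPV4 is produced, matching the note above that the file may not contain an IPv6 address.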

You’ll end with a file that looks like this:

Split Endpoint Line

That’s it! The hard part’s over; get ready for some copy/paste.