The title of this post is a bit vague, so let me explain more carefully what this post is about. With this guide, you will be able to set up OPNsense and a Wireguard client that gives you both IPv4 internet (via standard NAT) and IPv6 internet via publicly routed IPs. The trick is to bridge your LAN interface with your Wireguard interface and then set up a DHCPv6 server that assigns addresses together with router advertisements. This guide assumes your Wireguard server is already set up and working. There is another guide on my blog which covers setting up the server; the process is no different. The only change you will have to make is to add an additional peer to the server which gives you access to a /64 subnet that you can then route within your network. With BuyVM as your VPS provider, you get an entire /48 of IPv6 addresses, which means you have more than enough /64 subnets, so you have no excuse to ever run out.
Let’s get started.
First Steps – Install and configure interfaces
To get started, you’ll need to set up your OPNsense router. I would recommend a fresh install; if you want to start without one, that’s up to you, but the guide is based on a fresh install and may not work without one. For the purposes of this installation, I used a Nano installer with 24.7. The initial process consisted of installing my Realtek NIC drivers and the live ISO to hard disk and then configuring the interfaces (which was quite a task, considering the interfaces are out of order compared to the ports on the quad-port card). Once that was set up, you can log in to the router via the web interface and go from there.
Setup Wireguard
The next step in the process is to configure the instance and the peer of the Wireguard VPN. Go to VPN > Wireguard > Instances and click the + to add a new instance. I recommend selecting the advanced mode at the top left of the popup so you can enter the MTU value. Enter all of your values. If you need keys, you can generate them here for entering into your server’s configuration. For the tunnel address, only set a /32 IPv4 address. Don’t worry about setting a peer; it will be set automatically later. Make note of the name of the instance, you’ll need it later.
Next, configure the peer. Here, you’ll configure your public key from your server and endpoint address and port. I recommend not using a domain name for the server address, because if it has an IPv6 address, this will confuse the gateway later on. Select the instance. The keepalive interval should be at least 25 seconds and I recommend setting this value. Your allowed IPs value should be “0.0.0.0/0” and “::/0” for all network access routed through the Wireguard connection.
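For reference, this is the server-side counterpart of the peer just described: the OPNsense router’s entry in the server’s wg0.conf, which must list both its /32 tunnel address and the whole /64 it will hand out on the LAN, so that the server routes that /64 into the tunnel. This is an added example, not configuration from the original post or from the server guide; every address, key and the interface name eth0 is a placeholder (2001:db8:abcd::/48 stands in for the /48 you get from your VPS provider), and the tunnel /64 and the LAN /64 must be two different /64s out of that /48.

```ini
# Added example (not from the post). Placeholder addresses and keys throughout.
[Interface]
# Server tunnel addresses: IPv4 for NAT, one /64 from the /48 for the tunnel itself
Address = 10.8.0.1/24, 2001:db8:abcd:1::1/64
ListenPort = 51820
PrivateKey = <server-private-key>
# IPv4 is masqueraded; IPv6 is routed, not NATed, so it only needs forwarding enabled
PostUp = sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The OPNsense router. AllowedIPs doubles as the route table: the /32 is its
# tunnel address (matching the /32 set on the instance), the /64 is the LAN
# subnet it will advertise, so traffic for that /64 is sent to this peer.
PublicKey = <opnsense-public-key>
AllowedIPs = 10.8.0.2/32, 2001:db8:abcd:2::/64
```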
Configure the interfaces
Next, assign the Wireguard interface. Click Interfaces > Assignments. Under “Assign a new interface” you should see a Wireguard interface. Click add, then click the name of the interface (something like “opt2” or so). Give the interface assignment a name that is recognizable (in my case I chose “VPN”). Save and apply the changes.
Go to System > Gateways > Configuration and click the + to add a gateway. I named my gateway “WG_GW”. Your interface should be the interface name you just chose, and the IP address should be the IPv4 address of your Wireguard server. Select “far gateway”, then click save and finally apply the change.
Go to System > Routes > Configuration and click the + to add a route. This will add a static route to your Wireguard server through the WAN interface, otherwise it will try to connect through the Wireguard interface itself. To do this, enter the network address (same as the endpoint address) with a /32 mask (i.e. CIDR notation xxx.xxx.xxx.xxx/32). Set your gateway to “WAN_DHCP” (unless you have some reason not to, such as if you use something other than DHCP to get an IP). If you don’t use DHCP, you’ll have to find the appropriate gateway some other way, but I’ll assume you can do that at this point :^).
Check Wireguard
Click VPN > Wireguard > Status. You should see a handshake with a recent timestamp and that network traffic is now flowing. At this point, you will NOT have internet access. Internet access will be blocked when the Wireguard link goes down, and AFAIK, while this can be fixed, for the purposes of the guide, this IS the intended behavior.
A bit of a bug
NOTE: On my Ubuntu 24.04.01 LTS server, I had an issue where the Wireguard link would drop and not reconnect. I’m not sure if this issue was caused by my development efforts to figure out how to get this implementation of the Wireguard client working, however it was a bug I found. The FIX was to install a cron job, set to run every two minutes, that restarts the wg-quick@wg0 service to restore the server. From what I can gather, this should only momentarily affect existing connections, and connections which have dropped will reconnect, so good enough for me.
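The following is an added example, not the cron job from the post: it goes one step beyond the blind two-minute restart by only restarting wg-quick@wg0 when a peer’s last handshake is older than a threshold, so healthy tunnels are left alone. It parses the output format of `wg show wg0 latest-handshakes` (one `<pubkey><TAB><unix-timestamp>` line per peer, 0 meaning never); the 180-second threshold, the interface name wg0 and the sample peer keys are assumptions.

```bash
#!/bin/sh
# Added example (not the post's cron job): restart wg-quick@wg0 only when a
# peer's handshake has gone stale instead of unconditionally every two minutes.

STALE_AFTER=180   # seconds; assumption: 25s keepalive plus a generous margin
WG_IF=wg0

# stale_peers "<wg show latest-handshakes output>" <now-unix-ts>
# Prints the public key of every peer whose last handshake is older than
# STALE_AFTER. A timestamp of 0 (never handshaked) is always stale.
stale_peers() {
  printf '%s\n' "$1" | awk -v now="$2" -v max="$STALE_AFTER" \
    'NF == 2 && (now - $2) > max { print $1 }'
}

# Constructed sample of `wg show wg0 latest-handshakes` output for the demo:
# peer1 handshaked 200s before "now", peer2 only 50s before.
SAMPLE=$(printf 'peer1key=\t1700000000\npeer2key=\t1700000150\n')

# Intended cron entry: */2 * * * * /usr/local/sbin/wg-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
  out=$(wg show "$WG_IF" latest-handshakes) || exit 1
  if [ -n "$(stale_peers "$out" "$(date +%s)")" ]; then
    systemctl restart "wg-quick@$WG_IF"
  fi
else
  # Demo mode: shows which sample peer would trigger a restart
  stale_peers "$SAMPLE" 1700000200
fi
```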
The next part of the process is to set up the bridge and then DHCPv6. Go to Interfaces > Other Types > Bridge and click the + to create a new bridge. Select your LAN and Wireguard interfaces. Don’t worry about a link-local address. Click save. Now go to Interfaces > Assignments and create an assignment for the bridge. Make sure to give it a name you can recognize and enable it before you apply the changes.
Configure your LAN Interface
Go to Interfaces > [LAN]. Change IPv6 Configuration Type to “Static IPv6” and scroll to the bottom of the page. This is also where you can change your IPv4 address if you want to. In this case, the static IPv6 address is the first address of your subnet (recommended), with a prefix length of 64. Click Save but do NOT apply your changes yet.
Configure DHCPv6
Go to Services > ISC DHCPv6 > [LAN]. Place a check next to “Enable DHCPv6 server on LAN interface” and set the prefix range of your subnet. In this case, I configured only one prefix, however you could have more than one if you wanted. Set your prefix delegation size to 64. Now configure your range. I recommend starting with the address a and working your way to the last IP. Enter the full address in both fields. Click save.
Configure Router Advertisement
Router advertisement is necessary because DHCPv6 itself does not hand out a default gateway; clients learn it from the advertisement. Click Services > Router Advertisements > [LAN]. I recommend “Managed” mode for the advertisements (DHCPv6 only mode). “Advertise default gateway” should be checked. Under “Advertise routes”, add your prefix with a length of 64. I recommend setting “Use configuration of the DHCPv6 server” for ease of maintenance. Click save.
WAIT! YOU’RE NOT DONE YET!
Go back to Interfaces > [LAN] and click “Apply Changes”.
Final Steps!
Now, on your system, issue a refresh of your IP (“ipconfig /renew” on Windows). Make sure your IPs are acceptable and working and you should now have both an IPv4 and IPv6 address.
At this point, I recommend rebooting OPNsense and backing up your configuration.