
OPNsense: A wireguard interface and BuyVM


This guide will show you how to set up an interface that is routed through Wireguard (which is then routed through your primary internet connection). With DHCP, you can auto-assign IP addresses even though the gateway has a static IP address. You can even set up IPv6 without NAT so your IPv6 addresses are public-facing, routed IP addresses, which means connections to IPv6 addresses from your VPS will be able to connect directly to the systems on your VPN interface. By extension, this can be translated to a VLAN, however that will not be shown in this guide.

Let’s get started.

Setup your BuyVM Slice with Wireguard and IPv6

Follow this guide here.

Setup OPNsense

Some of the instructions here can be followed from this guide, however there are some key differences. The most significant difference is that we are using policy-based routing, which on OPNsense is implemented with firewall rules.

Configure Wireguard

VPN > Wireguard > Instances. Click the + to add a new instance. Your tunnel should have both an IPv4 and an IPv6 address. Make sure you have configured your Wireguard server to allow an entire subnet (preferably a /64 subnet) so that the IPs you assign from your DHCPv6 server are routable. Also, “Disable routes” should be checked. Make sure you click advanced and specify a gateway IP. This gateway IP can be any IP address, so long as it doesn’t conflict with another address (although it will still work even if it does).

Configure your peer. This is standard. Allowed IPs is “0.0.0.0/0” and “::/0” for everything. You can change what is routed by configuring the policy based routing instead, so there shouldn’t be a need to change this.

Interfaces > Assignments. Assign a new interface. Select your Wireguard interface. Click add. The interface should be set to enabled. It does not need any other configuration such as an IP address.

Configure Gateways

System > Configuration > Gateways. Click the +. Set up an IPv4 gateway for the VPN interface. Interface will be the Wireguard interface created above (the assigned name). The gateway IP address is the same IP address that you gave as the gateway IP when you created the instance. Select “Far gateway” since this gateway is not immediately reachable via the local routable network. I do not recommend using gateway monitoring as it can cause problems. Do the same for an IPv6 gateway.

Create a bridge

Devices > Bridge. Click +. Create a bridge between your Wireguard interface and your assigned ethernet interface (which I assume is already assigned and enabled). Do not give the bridge an IP address. I gave my bridge a link-local address, but one should not be necessary. The bridge is a dumb device which simply cascades traffic between the VPN and the ethernet interface (or a VLAN).

Configure your ethernet/VLAN interface

Your ethernet interface should be configured with a static IPv4 and a static IPv6 address. These should be within the AllowedIPs of the Wireguard server peer configuration. Make sure that your IPv4 subnet and IPv6 subnet match. If you have a routed /64 subnet, use a /64 static IP. Save the configuration and apply the changes.

Configure a Firewall Alias for RFC Networks

Firewall > Aliases. Click the +. Call your alias something like “RFC1918_Networks”, and set it to type “Networks” with content of “192.168.0.0/16”, “10.0.0.0/8”, and “172.16.0.0/12”. Click save.

Configure Firewall Rules (Policy Routing)

Firewall > Rules > <Interface>, where interface is the interface of your ethernet or VLAN interface that you wish to attach to your VPN. Create a new IPv4 inbound pass rule. Destination should be inverted and should be set to “RFC1918_Networks” (or whatever you called your alias). The gateway should be set to the IPv4 Wireguard gateway you created earlier. Save this rule. Do the same for IPv6, except this time destination should not be inverted and should be set to “any”.

Now you have to create a floating rule for the outbound traffic from the gateway. Firewall > Rules > Floating. Create two new rules, one for IPv4 and one for IPv6. The source is “VPN Address” (or the address of your VPN interface). The destination is inverted and is set to your VPN attached interfaces network (such as “VPN_VLAN net”). Specify the v4 or v6 gateway for each rule accordingly. Remember these floating rules are outbound rules.

The ordering of the rules is important. For VPN traffic to pass out of the interface, the VPN rule must precede any other rules in the firewall table, so for any traffic egressing that interface the VPN rule must be above the other rules. To filter which traffic flows out of the interface into the VPN, use the source of the rule as the filter, with an alias to specify networks or host addresses.

Make sure to apply and enable your firewall rules.
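Two things on this page are easy to get subtly wrong: the first-match ordering of the policy rules (IPv4 “not RFC1918” to the v4 gateway, IPv6 “any” to the v6 gateway) and the requirement that the interface’s static subnets sit inside the VPS peer’s AllowedIPs. The following is an added example, not code from the original post or from OPNsense, that models both checks offline; the gateway names WG_GW4/WG_GW6 and all prefixes are assumed or constructed (documentation ranges), so substitute your own.

```python
import ipaddress

# Alias "RFC1918_Networks" from Firewall > Aliases (the three prefixes named above).
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# The two inbound pass rules on the VPN-attached interface, in table order.
# Fields: IP version, invert-destination flag, destination networks (None = any), gateway.
# WG_GW4 / WG_GW6 are assumed names for the two gateways created earlier.
POLICY_RULES = [
    (4, True, RFC1918_NETWORKS, "WG_GW4"),   # destination !RFC1918_Networks -> v4 tunnel gateway
    (6, False, None, "WG_GW6"),              # destination any               -> v6 tunnel gateway
]


def route_for(dst_str, rules=POLICY_RULES):
    """First-match evaluation of the policy rules for a packet leaving the LAN/VLAN side.

    Returns the gateway name, or "default" when no rule matches (the packet then
    follows the normal routing table, i.e. stays on the local network)."""
    dst = ipaddress.ip_address(dst_str)
    for version, invert, networks, gateway in rules:
        if dst.version != version:
            continue
        matched = True if networks is None else any(dst in n for n in networks)
        if matched != invert:          # "invert" flips the match, like the GUI checkbox
            return gateway
    return "default"


def uncovered_addresses(peer_allowed_ips, interface_addresses):
    """Interface addresses whose whole subnet is NOT inside the VPS peer's AllowedIPs.

    DHCP leases handed out from such a subnet would not be routable back through
    the tunnel, which is the failure the /64 advice above guards against."""
    allowed = [ipaddress.ip_network(n) for n in peer_allowed_ips]
    bad = []
    for a in interface_addresses:
        iface = ipaddress.ip_interface(a)
        if not any(iface.network.subnet_of(n) for n in allowed if n.version == iface.version):
            bad.append(a)
    return bad


if __name__ == "__main__":
    # Constructed sample values, not the author's real addressing.
    print(route_for("1.1.1.1"), route_for("192.168.1.10"), route_for("2001:db8::1"))
    print(uncovered_addresses(["10.10.0.0/24", "2001:db8:1::/64"],
                              ["10.10.0.1/24", "2001:db8:2::1/64"]))
```

Note that, exactly as the page’s IPv6 rule says, every IPv6 destination (ULA or link-local included) is sent to the tunnel gateway; if you need local IPv6 exceptions, add them as a rule above it.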

Setup DHCP

Settings > ISC DHCPv4 > <Interface>, where interface is the ethernet or VLAN interface attached to the VPN interface via the bridge. Configure your DHCPv4 range and DNS servers, enable the server, and save the configuration.

Settings > ISC DHCPv6 > <Interface>, same thing as above. Enable and save the configuration to start the server.

Router Advertisements > <Interface>. Select “Managed”, and I recommend setting “Do not send DNS configuration of the DHCP server” option, or else your DNS servers may be sent twice. Click save to start the server.

That’s pretty much it, you can now give it a go. Please let me know if there are any issues with this guide.
