WireGuard VPN
VPN server using Cloudflare DDNS and WireGuard
Cloudflare DDNS
If you have a Dynamic WAN IP, you'll need to set up some sort of DDNS client. Most ISPs use Dynamic IPs with residential customers, so this is pretty common and there are multiple options for working around this. I currently manage my domains with Cloudflare, so I'll be using their DDNS so I can have all my management under 1 provider. Setting this up is fairly simple!
First, make sure the os-ddclient plugin is installed on your OPNsense firewall. Once installed, navigate to Services ---> Dynamic DNS ---> Settings:
Next, select the "+" icon to add an account.
Open up a web browser and create an A Record with your domain registrar for a subdomain. On Clouflare its fairly simple. Navigate to your DNS records, and create a new record:
- Enter a name for your subdomain, and any IP address. The IP you enter doesn't matter as this record will be updated with your WAN IP automatically.
- Make sure you turn Proxy off
Your final settings should look like this:
With this record saved, navigate to your API tokens and generate a new API token. Navigate to Overview in Cloudflare, then scroll down and select "Get API token". On the next page, select create token:
Use the "Edit zone DNS" template and configure the following:
- Enter a name for the token
- Add another permission as Zone - DNS - Read
- Under zone resrouces configure Include - Specific Zone - Select the domain you have the A Record configured with
- After creating the token, save it somewhere! You will not be able to view this token again!
With your A Record configured, and API token in hand, you can now go back to the OPNsense Page:
- Enable the account
- Give it a Description or name
- Select Cloudflare under Service
- Keep username blank
- Enter your API token as the password
- For zone, enter your domain name
- example.com
- For Hostname, enter your FQDN
- vpn.example.com
- For Check IP method, select ip4only.me
- Force SSL, then save configurations
Save your settings and apply the new configurations. Select the refresh icon and your WAN IP should now be updated!
Check your DNS A Record to see if your WAN IP has updated. It should automatically update. You can now get your WAN IP from this subdomain, as it'll automatically update. To ensure it automatically updates, I've created a cron job in my router to check for changes in my IP every 6 hours and update if necessary.
OPNsense Local Configuration
To get started with WireGuard in OPNsense, download & install the plug-in available by naviagting through the Web GUI @ System ---> Firmware ---> Plugins:
Instance/Peer
Next, find Wireguard under the VPN tab in the menu and select WireGuard. Navigate to "Instances" to create and set up an instance. Select the "+" icon and edit your instance:
- Name your instance
- WireGuard uses port 51820 by default, use this port or a higher unique port
- Identify subnets and/or IPs you want accessible through the tunnels
- Generate your public and private keys by clicking the Gear Icon. Save these as you'll need it when setting up your peer
- Here, you'll want to create a name. I used Austin-laptop as I'll be configuring my laptop for connection
- Next, take the public key generated from you client tunnel configuration and input it here
- For endpoint address, input the domain or WAN IP you'll be using. If you've set up a cloudfare ddns subdomain with OPNsense client, you can do as I did:
- I entered vpn.example.com as that was the subdomain I've configured with cloudflare to automatically be updated with my WAN IP
- For allowed IPs, give your machine a designated IP address in CIDR notation in the subnet. I've established in my Instance that the tunnel will be using the 10.10.10.1/24 subnet, so I've given the peer an address of 10.10.10.2/32
Client
On your laptop or WireGuard client that will be connecting to this network, you'll need to set up a config file.
Install the WireGuard client by downloading it from their website - WireGuard
Launch the client on your laptop, and select add tunnel:
Next, you be able to configure your tunnel
- When configuring your client, add the Address line and use your AllowedIP that you entered in your OPNsense Peer configuration
- For DNS, enter your gateway, or a specific DNS server you use
- For PublicKey, enter the Public Key of the instance that was created in OPNsense
- For AllowedIPs, enter the subnets or specific IPs you'd like to access
- For endpoint, enter your WAN IP & port#. If you're using a subdomain with Cloudflare DDNS, enter your.subdomain.com:portnumber
With OPNsense configured and your client configured, you'll just need to configure some firewall rules to let your computer access local devices. Check out the next page to see how!
Firewall Rules
The last step of your WireGuard set up involved creating 2 firewall rules. One for your WAN firewall, and one for your Tunnel.
If you haven't done so already, assign your WireGuard VPN as an interface. To do so, navigate to Interfaces ---> Assignments:
Select your Interface in the sidebar menu:
- Enable the interface
- Lock to prevent removal
- No other configs need to be done, save changes and apply settings.
WAN Rule
Select the following settings for the rule:
- Action = Pass
- Quick - checked
- Interface = WAN
- Direction = In
- TCP/IP Version = IPv4 + IPv6
- Protocol = UDP
- Source = ANY
- Destination = WAN Address
- Destination Port Range = Enter your Port Number you designated earlier
- Default WireGuard port is 51820
- Save and apply rules
WireGuard Interface Rule
This rule will allow your client to access any device on the local network. Configure the following settings:
- Action = Pass
- Quick = Checked
- Interface = WireGuard Interface
- Direction = In
- TCP/IP Version = IPv4 + IPv6
- Protocol = any
- Source = Select your WireGuard Interface Net as source
- Destination = Any
- Save and apply rules.
Your configuration should now be all set. Check out the next page to view results!
Connection Results
To test this, I went to a library and tried connecting to my network via my WireGuard Client:
- You can see my connection status is active
- My latest handshake was 2 seconds ago
- I can connect to local devices when trying to ping or through accessing their Web GUIs at their local IPs and was able to manage my services remotely.