WireGuard VPN

VPN server using Cloudflare DDNS and WireGuard

Cloudflare DDNS

If you have a dynamic WAN IP, you'll need to set up some sort of DDNS client. Most ISPs hand out dynamic IPs to residential customers, so this is pretty common and there are multiple options for working around it. I currently manage my domains with Cloudflare, so I'll be using their DDNS so I can keep all my management under one provider. Setting this up is fairly simple!

First, make sure the os-ddclient plugin is installed on your OPNsense firewall. Once installed, navigate to Services ---> Dynamic DNS ---> Settings:

image.png

Next, select the "+" icon to add an account. 

image.png

Open up a web browser and create an A record with your domain registrar for a subdomain. On Cloudflare it's fairly simple. Navigate to your DNS records and create a new record:

ddns a record.png

Your final settings should look like this:

ddns a record conf.png

With this record saved, navigate to your API tokens and generate a new API token. Navigate to Overview in Cloudflare, then scroll down and select "Get API token". On the next page, select create token:

image.png

Use the "Edit zone DNS" template and configure the following:

image.png

With your A record configured and your API token in hand, you can now go back to the OPNsense page:

image.png

opnsense ddns.png

Save your settings and apply the new configurations. Select the refresh icon and your WAN IP should now be updated! 

ddns.png

Check your DNS A record to confirm that your WAN IP has been updated. From now on this subdomain will resolve to your current WAN IP. To make sure it stays current, I've created a cron job on my router that checks for changes to my IP every 6 hours and updates the record if necessary.
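To show what such a cron job actually does behind the GUI, here is an added example (it is not the os-ddclient plugin's code and not part of the original page) of the check-and-update logic against Cloudflare's v4 DNS records API. The zone ID, record ID, hostname, cache path and the IP-lookup service are assumptions; the token is the "Edit zone DNS" token created above, which keeps the cron job limited to DNS records in that one zone. The script caches the last published address so an unchanged IP causes no API call, and it refuses to publish anything that does not parse as an IPv4 address.

```shell
#!/bin/sh
# Added example, not the os-ddclient plugin's code: a Cloudflare DDNS
# check-and-update script suitable for a 6-hourly cron job.
# CF_* values, DDNS_NAME, the cache path and the IP-lookup URL are
# assumptions/placeholders; the token is the "Edit zone DNS" token.

valid_ipv4() {
    # Accept only a dotted quad with octets 0-255, so a broken or
    # tampered lookup response is never written into DNS.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

build_payload() {
    # $1 = record name, $2 = IPv4 address, $3 = TTL (default 300).
    # Body for PATCH /zones/{zone_id}/dns_records/{record_id}.
    printf '{"type":"A","name":"%s","content":"%s","ttl":%s,"proxied":false}' \
        "$1" "$2" "${3:-300}"
}

ip_changed() {
    # $1 = cache file, $2 = current IP; succeeds when an update is needed.
    [ -f "$1" ] || return 0
    [ "$(cat "$1")" != "$2" ]
}

update_record() {
    : "${CF_API_TOKEN:?}" "${CF_ZONE_ID:?}" "${CF_RECORD_ID:?}" "${DDNS_NAME:?}"
    cache=${DDNS_CACHE:-/var/db/ddns-last-ip}
    # Assumed lookup service: any endpoint returning the caller's IP as plain text.
    current=$(curl -fsS --max-time 10 https://api.ipify.org) || return 1
    if ! valid_ipv4 "$current"; then
        echo "refusing to publish non-IPv4 lookup result: $current" >&2
        return 1
    fi
    if ! ip_changed "$cache" "$current"; then
        echo "WAN IP unchanged ($current), nothing to do"
        return 0
    fi
    resp=$(curl -fsS --max-time 15 -X PATCH \
        "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$(build_payload "$DDNS_NAME" "$current")") || return 1
    # Cloudflare wraps every result in {"success":true|false,...}; cache only on success.
    if printf '%s' "$resp" | grep -q '"success": *true'; then
        printf '%s' "$current" > "$cache"
        echo "updated $DDNS_NAME -> $current"
    else
        echo "Cloudflare rejected the update: $resp" >&2
        return 1
    fi
}

# Invoked from cron (e.g. every 6 hours) as:  sh cf-ddns.sh run
case ${1:-} in
    run) update_record ;;
esac
```

Keep the token out of the crontab line itself: put the CF_* variables in a file readable only by root and source it before calling the script, so the token does not show up in process listings or the cron log.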

 

OPNsense Local Configuration

To get started with WireGuard in OPNsense, download and install the plug-in by navigating through the Web GUI to System ---> Firmware ---> Plugins:

image.png

 

Instance/Peer

Next, find WireGuard under the VPN tab in the menu and select it. Navigate to "Instances" to create and set up an instance. Select the "+" icon and edit your instance:

instance config.png

Next, navigate to the "Peers" tab next to Instances and select the "+" icon to add a new peer. Keep in mind that you'll need to configure your WireGuard client at the same time as the peer, because the peer entry needs the public key from your WireGuard client:

peer config.png

Client

On your laptop or WireGuard client that will be connecting to this network, you'll need to set up a config file. 

Install the WireGuard client by downloading it from their website - WireGuard

Launch the client on your laptop, and select add tunnel:

add tunnel.png

Next, you'll be able to configure your tunnel:

Tunnel config.png
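Since the tunnel screenshot does not show the file contents, here is an added example (mine, not the page's or the WireGuard project's) of a client configuration matching the instance/peer pair above. It is written by a small shell function so the file is created with owner-only permissions, because it contains the client's private key. The tunnel subnet 10.10.10.0/24, the LAN subnet, the DNS address, the endpoint hostname and port, and the key placeholders are all assumptions. The client's public key (the output of `wg pubkey` for this private key) is what you paste into the OPNsense peer, and the peer's "Allowed IPs" on the OPNsense side is the client's tunnel address as a /32.

```shell
#!/bin/sh
# Added example, not from the original page: writes a WireGuard client
# configuration matching the OPNsense instance/peer pair described above.
# Addresses, keys, hostname and port are assumptions/placeholders.

# write_wg_client_config OUTFILE CLIENT_PRIVKEY SERVER_PUBKEY ENDPOINT LAN_CIDR
write_wg_client_config() {
    out=$1 client_key=$2 server_pub=$3 endpoint=$4 lan=$5
    # The file carries the client's private key: create it owner-readable only.
    # The subshell keeps the umask change from leaking into the caller.
    (
        umask 077
        cat > "$out" <<EOF
[Interface]
# Client's own key pair; only the *public* half goes into the OPNsense peer entry
PrivateKey = $client_key
# Tunnel address of this client; matches the peer's "Allowed IPs" (/32) on OPNsense
Address = 10.10.10.2/32
# Resolver to use while the tunnel is up (assumed: the firewall's LAN address)
DNS = 192.168.1.1

[Peer]
# Public key of the OPNsense WireGuard instance
PublicKey = $server_pub
# DDNS hostname from the Cloudflare section plus the instance's listen port
Endpoint = $endpoint
# Split tunnel: only the tunnel subnet and the home LAN are routed through the VPN.
# Use 0.0.0.0/0 instead to send all client traffic through the firewall.
AllowedIPs = 10.10.10.0/24, $lan
# Keeps the NAT mapping alive from behind consumer routers and public Wi-Fi
PersistentKeepalive = 25
EOF
    )
}

# Example invocation with placeholder keys (generate real ones with
# "wg genkey | tee client.key | wg pubkey > client.pub"):
# write_wg_client_config wg0.conf "$(cat client.key)" SERVER_PUBLIC_KEY \
#     vpn.example.com:51820 192.168.1.0/24
```

Import the resulting file with "Add tunnel" in the client; with a split-tunnel AllowedIPs as above, only traffic for the home LAN leaves through the VPN, which is what the firewall rules in the next section are written for.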

With OPNsense configured and your client configured, you'll just need to configure some firewall rules to let your computer access local devices. Check out the next page to see how!

Firewall Rules

The last step of your WireGuard setup involves creating two firewall rules: one on your WAN interface, and one on your tunnel interface.

If you haven't done so already, assign your WireGuard VPN as an interface. To do so, navigate to Interfaces ---> Assignments:

image.png

Select your Interface in the sidebar menu:

image.png

WAN Rule

Navigate to Firewall ---> Rules ---> WAN and create a new rule:

image.png

Select the following settings for the rule:

WireGuard Interface Rule

Navigate to your Firewall ---> Rules ---> Select your WireGuard Interface then click create:

image.png

This rule will allow your client to access any device on the local network. Configure the following settings:

Your configuration should now be all set. Check out the next page to view results!

 

Connection Results

To test this, I went to a library and tried connecting to my network via my WireGuard Client:

g6gtUocXzvzpDV53-image.png