Great Blog

30 Mar 2021

OPNSense as wireguard client and route LAN split tunnel

Install and configure wireguard

  1. I use the WireGuard install script to create the client config that we then import into OPNsense. The script is located HERE

  2. Generate your first WireGuard client config. The script asks for a client name; I would name it something that identifies the OPNsense box

  3. Install WireGuard on OPNsense | System -> Firmware -> Plug-ins -> select and install ‘os-wireguard’

  4. Get to the WireGuard config | Refresh the page, then go to VPN -> WireGuard

  5. Create a new WireGuard local instance (the values come from the client config generated above) | VPN -> WireGuard -> Local. Open the client file with a text editor such as Notepad++ or cat it on the command line

    Name: localVPN
    Public Key: EMPTY
    Private Key: PrivateKey FROM THE [Interface] SECTION OF THE CLIENT CONFIG
    Listen Port: RANDOM
    DNS Server: EMPTY
    Tunnel Address: Address FROM THE [Interface] SECTION OF THE CLIENT CONFIG
    Peers: leave blank for now

  6. Create a new endpoint (this is the server created by the wireguard-install script) | VPN -> WireGuard -> Endpoints

    Name: vpn.domain.com
    Enabled: true
    Public Key: PublicKey FROM THE [Peer] SECTION OF THE CLIENT CONFIG
    Shared Secret: PresharedKey FROM THE [Peer] SECTION OF THE CLIENT CONFIG (leave empty if the config has none)
    Allowed IPs: 0.0.0.0/0 if you want everything sent through the tunnel; list individual IPs/networks instead if you want a split tunnel
    Endpoint Address: the host part of Endpoint FROM THE [Peer] SECTION OF THE CLIENT CONFIG (Endpoint is written as host:port)
    Endpoint Port: the port part of that same Endpoint value
    Keepalive: 15

    Allowed IPs is not only the list of routes sent into the tunnel; it is also WireGuard's cryptokey routing check. OPNsense will only send packets to this peer for destinations inside Allowed IPs, and will drop packets arriving from this peer whose source is outside it, so a split tunnel is only as tight as this list.

  7. Now add the endpoint as a peer of the local instance | VPN -> WireGuard -> Local, edit localVPN and select vpn.domain.com under Peers

  8. You can now SSH into the OPNsense box and ping any address within your “Allowed IPs”, but hosts on the LAN can’t yet. That is fixed next
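The mapping from the client config to the Local and Endpoint forms above is easy to mis-read, especially the Endpoint value, which holds both the host and the port in one field. The script below is an added example, not part of the original post: it pulls each form value out of a WireGuard client config and prints it next to the OPNsense field it belongs in. The config embedded in it is constructed for the example (the keys are placeholders, not real keys; the 10.66.66.2 address and vpn.domain.com are assumptions), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): extract the OPNsense form values from a
# WireGuard client config. The config below is constructed for the example;
# the keys are placeholders, not real keys.
WG_CONF=$(cat <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
Endpoint = vpn.domain.com:51820
AllowedIPs = 0.0.0.0/0,::/0
EOF
)

# wg_field SECTION KEY: print the value of KEY inside [SECTION]. Splits on the
# first '=' only, because base64 keys end in '=' padding.
wg_field() {
    printf '%s\n' "$WG_CONF" | awk -v sec="[$1]" -v key="$2" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }'
}

# Endpoint is host:port; OPNsense wants the two halves in separate fields.
# Brackets around an IPv6 literal are stripped from the host part.
endpoint_host() { wg_field Peer Endpoint | sed -e 's/:[0-9]*$//' -e 's/^\[\(.*\)\]$/\1/'; }
endpoint_port() { wg_field Peer Endpoint | sed -e 's/.*://'; }

# First IPv4 entry of Address without its prefix length. This is the tunnel
# "Interface address" that LAN sources are translated to by the outbound NAT
# rule, so it is worth knowing when reading pf state later.
tunnel_ipv4() {
    wg_field Interface Address | tr ',' '\n' | grep -v ':' | head -n 1 | sed -e 's,/.*,,'
}

# Derive the public key from the private key with the wg tool, when installed,
# so the Public Key OPNsense shows for the Local instance can be checked.
# This fails on the placeholder key above; run it against a real config.
client_pubkey() {
    command -v wg >/dev/null 2>&1 || { echo 'wg tool not installed' >&2; return 1; }
    wg_field Interface PrivateKey | wg pubkey
}

# Print each value beside the OPNsense form (Local / Endpoint / NAT) it goes in.
opnsense_fields() {
    printf 'Local    Private Key:       %s\n' "$(wg_field Interface PrivateKey)"
    printf 'Local    Tunnel Address:    %s\n' "$(wg_field Interface Address)"
    printf 'Endpoint Public Key:        %s\n' "$(wg_field Peer PublicKey)"
    printf 'Endpoint Shared Secret:     %s\n' "$(wg_field Peer PresharedKey)"
    printf 'Endpoint Allowed IPs:       %s\n' "$(wg_field Peer AllowedIPs)"
    printf 'Endpoint Endpoint Address:  %s\n' "$(endpoint_host)"
    printf 'Endpoint Endpoint Port:     %s\n' "$(endpoint_port)"
    printf 'NAT      Interface address: %s\n' "$(tunnel_ipv4)"
}

opnsense_fields
```

To use it on a real config, replace the embedded heredoc with `WG_CONF=$(cat opnsense.conf)` (or whatever the install script named the client file). Treat the output like the config itself: it contains the private key and the preshared key, so do not paste it into a ticket or a chat.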

Time to allow the LAN to join

  1. Firewall -> NAT -> Outbound | Switch to “Hybrid outbound NAT rule generation”

  2. The above adds an “Add” button in the top right hand corner

  3. Click “Add” and choose the following options. All you should need to change is the Interface, set it to WireGuard

    Interface: WireGuard
    Source Address: LAN net
    Translation / Target: Interface address

    This rule rewrites the source of LAN traffic leaving through the tunnel to the tunnel’s own address. Without it the server drops those packets, because the Allowed IPs it holds for this peer only cover the tunnel address the install script handed out, not your LAN subnet.

  4. You should now be able to ping any address within your “Allowed IPs” from a host on the LAN

I’m by no means a networking/OPNsense expert; this worked for me. If you break your network by reading this, I’m not responsible.