PART 1 — Set Up WireGuard on OPNsense

- Enable WireGuard Globally
  - Go to VPN → WireGuard → Instances
  - Scroll to the bottom
  - Check Enable WireGuard
  - Click Apply
- Create the WireGuard Instance
  - Go to VPN → WireGuard → Instances
  - Click Add
  - Fill in:
    Name: wg0
    Listen Port: 51820
    Tunnel Address: 10.100.100.1/24
  - Click Generate new keypair
  - Click Save
- Assign & Enable the Interface
  - Go to Interfaces → Assignments
  - In + Assign a new interface, fill in:
    Device: wg0
    Description: WG_VPN
  - Click Add
  - Go to Interfaces → WG_VPN
  - Check Enable Interface
  - Save & Apply
- Add Firewall Rules
  - Go to Firewall → Rules → WG_VPN
  - Click Add
  - Fill in:
    Source: 10.100.100.0/24
    Destination: any
    Action: Pass
    Description: Allow VPN client traffic
  - Save & Apply
  - Go to Firewall → Rules → WAN
  - Click Add
  - Fill in:
    Protocol: UDP
    Port: 51820
    Action: Pass
    Description: Allow WireGuard
  - Save & Apply

PART 2 — Generate Client Key Pair & Config (Using OPNsense Peer Generator)

- Use Peer Generator to Create Client Key + Config
  - Go to VPN → WireGuard → Peer Generator
  - Fill in:
    Instance: wg0
    Name: windows-client
    IP Address: 10.100.100.2/32
    Allowed IPs: 10.100.100.1/32 (the WireGuard interface on OPNsense), 10.0.128.0/20 (my AWS private subnet), 10.0.0.0/20 (my AWS public subnet)
    DNS Servers: 10.100.100.1
    Keepalive Interval: 25 (keeps the tunnel alive by sending periodic packets)
  - Copy the config; you will use it later
  - Click Store and Generate Next
PART 3 — Use the Config on Your Client

On Windows
- Install WireGuard from https://www.wireguard.com/install
- Click Add Tunnel → Add empty tunnel, then paste the config you copied from the Peer Generator in Part 2
- Save
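The config the Peer Generator hands you in Part 2, and which you paste into the Windows client in Part 3, is a short [Interface]/[Peer] file. The script below is an added example (not OPNsense code and not part of the original guide): it renders that file from the values used in the guide and then sanity-checks it before it goes on a client. The keys and the endpoint hostname are constructed placeholders; the real private key comes from the Peer Generator, the real public key from the wg0 instance's "Generate new keypair", and the endpoint is your OPNsense WAN address.

```python
"""Render and sanity-check the WireGuard client config the Peer Generator produces."""
import base64
import binascii
import configparser
import ipaddress
from typing import List

# Values from the guide: the wg0 instance on OPNsense and the windows-client peer.
TUNNEL_SUBNET = "10.100.100.0/24"      # wg0 Tunnel Address on OPNsense
CLIENT_ADDRESS = "10.100.100.2/32"     # IP Address entered in the Peer Generator
DNS_SERVER = "10.100.100.1"
ALLOWED_IPS = ["10.100.100.1/32", "10.0.128.0/20", "10.0.0.0/20"]
KEEPALIVE = 25
LISTEN_PORT = 51820                    # must match the WAN rule (UDP 51820)

# Constructed placeholders: real keys come from OPNsense, the endpoint is your WAN address.
CLIENT_PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()
SERVER_PUBLIC_KEY = base64.b64encode(bytes(range(32, 64))).decode()
ENDPOINT = "opnsense.example.invalid:51820"


def render_client_config(address=CLIENT_ADDRESS, allowed_ips=ALLOWED_IPS,
                         endpoint=ENDPOINT, keepalive=KEEPALIVE) -> str:
    """Build the [Interface]/[Peer] file in the layout the Peer Generator produces."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {CLIENT_PRIVATE_KEY}",
        f"Address = {address}",
        f"DNS = {DNS_SERVER}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        f"Endpoint = {endpoint}",
        f"PersistentKeepalive = {keepalive}",
        "",
    ])


def _is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 bytes, base64-encoded (44 characters ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_client_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the config passes every check."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                  # keep PrivateKey/AllowedIPs capitalisation
    cp.read_string(text)
    problems: List[str] = []
    iface, peer = cp["Interface"], cp["Peer"]

    if not _is_wg_key(iface.get("PrivateKey", "")):
        problems.append("PrivateKey is not a 32-byte base64 key")
    if not _is_wg_key(peer.get("PublicKey", "")):
        problems.append("PublicKey is not a 32-byte base64 key")

    # The client address must be a single host (/32) inside the wg0 tunnel subnet.
    try:
        addr = ipaddress.ip_interface(iface.get("Address", ""))
        if addr.network.prefixlen != 32 or addr.ip not in ipaddress.ip_network(TUNNEL_SUBNET):
            problems.append(f"Address {addr} is not a /32 inside {TUNNEL_SUBNET}")
    except ValueError:
        problems.append("Address is missing or not a valid IP/prefix")

    # Split tunnel: each AllowedIPs entry must be a clean prefix, and a default
    # route (0.0.0.0/0) would silently turn this into a full-tunnel config.
    for entry in (s.strip() for s in peer.get("AllowedIPs", "").split(",") if s.strip()):
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append(f"AllowedIPs entry {entry!r} is not a valid prefix")
            continue
        if net.prefixlen == 0:
            problems.append(f"AllowedIPs contains default route {net}; guide expects a split tunnel")

    # The endpoint port must match the WAN firewall rule and the instance Listen Port.
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or int(port) != LISTEN_PORT:
        problems.append(f"Endpoint port should be {LISTEN_PORT} to match the WAN firewall rule")

    keepalive = peer.get("PersistentKeepalive", "")
    if not keepalive.isdigit() or not 1 <= int(keepalive) <= 65535:
        problems.append("PersistentKeepalive missing or out of range")
    return problems


if __name__ == "__main__":
    cfg = render_client_config()
    print(cfg)
    print("problems:", check_client_config(cfg) or "none")
```

Run it as-is to see the rendered file, or paste a real config into `check_client_config` before importing it on the client. The two checks worth keeping in mind from Part 1 and Part 2 are that the endpoint port has to line up with the UDP 51820 WAN rule, and that the AllowedIPs list is what decides which destinations the client routes through the tunnel: the three prefixes in the guide give a split tunnel limited to the OPNsense side and the two AWS subnets, so a stray 0.0.0.0/0 entry is flagged rather than accepted.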