OPNsense WireGuard VPN Site-to-Site configuration (2024)

The open source firewall OPNsense supports several technologies for setting up VPN (Virtual Private Network) connections. In addition to IPsec and OpenVPN, OPNsense offers, since version 19.7, the possibility to set up a VPN with WireGuard. In this article we show the configuration of the WireGuard VPN service to connect two OPNsense firewalls in a site-to-site VPN.

Note: This manual was created with an older version of OPNsense; some menus and settings may now be arranged differently.

Contents

  • 1 Prepare OPNsense for Wireguard Site-to-Site VPN
  • 2 Configuration sequence of the two firewalls
    • 2.1 Configuration of the local endpoint on the firewall A
    • 2.2 Configuration of the local endpoint on the firewall B
    • 2.3 Configuration of the endpoint on firewall A
    • 2.4 Configuration of the endpoint on firewall B

Prepare OPNsense for Wireguard Site-to-Site VPN

To set up WireGuard VPN on both firewalls, follow the steps described in the section Prepare OPNsense for Wireguard VPN of the article OPNsense WireGuard VPN for Road Warrior configuration.

Additional firewall rules for both firewalls

Both firewalls need a WAN rule that allows incoming UDP traffic to the WireGuard listen port (51820 in this example) and rules on the WireGuard interface that permit the traffic between the two LAN networks.

Configuration sequence of the two firewalls

The following section shows the configuration process for both firewalls of this WireGuard VPN Site-to-Site connection.

Configuration of the local endpoint on the firewall A

Endpoint Configuration for firewall B.

  1. Create Local Configuration:
    1. Click on VPN ‣ WireGuard.
    2. Click on the tab Local to configure the local WireGuard instance.
    3. Click on the + symbol and fill in the following fields:
      • Name: ThomasKrennWGSitetoSiteA
      • Listen Port: 51820 (if left empty, a port is assigned automatically, starting at 51820)
      • Tunnel Address: 10.11.0.1/24
    4. Then click on Save.
      • The local endpoint has been created, and a Private Key and Public Key have been generated for it.
      • You can open the entry again by clicking on the pen symbol; the Private Key and the Public Key are now displayed there. You will need the public key later for the configuration of the other firewall. Click on Cancel.

Configuration of the local endpoint on the firewall B

Completed Local Configuration of firewall A.

  1. Create Local Configuration:
    1. Click on VPN ‣ WireGuard.
    2. Click on the tab Local to configure the local WireGuard instance.
    3. Click on the + symbol and fill in the following fields:
      • Name: ThomasKrennWGSitetoSiteB
      • Listen Port: 51820 (if left empty, a port is assigned automatically, starting at 51820)
      • Tunnel Address: 10.11.0.2/24
    4. Then click on Save.
      • The local endpoint has been created, and a Private Key and Public Key have been generated for it.
      • You can open the entry again by clicking on the pen symbol; the Private Key and the Public Key are now displayed there. You will need the public key later for the configuration of the other firewall. Click on Cancel.

Configuration of the endpoint on firewall A

Endpoint Configuration for firewall A.

  1. Create endpoint for firewall B:
    1. Click on VPN ‣ WireGuard
    2. Then click on the tab Endpoints. Here you configure the remote WireGuard instance (firewall B).
    3. Click on the + icon and fill in the following fields:
      • Name: TKLESnetworkplus
      • Public Key: Copy the public key of the local configuration of firewall B and paste it here.
      • Shared Secret: (Optional) Specify a shared secret (WireGuard pre-shared key). If you set one, the same value must be entered on both firewalls.
      • Allowed IPs: 10.11.0.2/32 and 192.168.2.0/24 (LAN address range of firewall B)
      • Endpoint Address: 10.1.102.252 (Publicly accessible IP address)
      • Endpoint Port: 51820
  2. Add to Local Configuration:
    1. Switch to the Local tab.
    2. Click on the pen symbol to edit the entry.
      • In the dropdown menu Peers you can now select the configured endpoint (TKLESnetworkplus).
      • Click on Save.
      • Click on Save again.

Configuration of the endpoint on firewall B

Completed Local Configuration of firewall B.

  1. Create endpoint for firewall A:
    1. Click on VPN ‣ WireGuard
    2. Then click on the tab Endpoints. Here you configure the remote WireGuard instance (firewall A).
    3. Click on the + icon and fill in the following fields:
      • Name: TKX11SSHLN4F
      • Public Key: Copy the public key of the local configuration of firewall A and paste it here.
      • Shared Secret: (Optional) Specify a shared secret (WireGuard pre-shared key). If you set one, the same value must be entered on both firewalls.
      • Allowed IPs: 10.11.0.1/32 and 192.168.1.0/24 (LAN address range of firewall A)
      • Endpoint Address: 10.1.102.251 (Publicly accessible IP address)
      • Endpoint Port: 51820
  2. Add to Local Configuration:
    1. Switch to the Local tab.
    2. Click on the pen symbol to edit the entry.
      • In the dropdown menu Peers you can now select the configured endpoint (TKX11SSHLN4F).
      • Click on Save.
      • Click on Save again.
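The four GUI steps above amount to two mirrored Endpoints entries: each firewall enters the other side's public key, the other side's tunnel address as a /32 plus its LAN, and the other side's address and listen port. The following added example (not from the article; the keys are placeholders and the addresses are the article's) derives each firewall's entry from the other site's data and cross-checks the pair for the usual site-to-site mistakes (keys not swapped, wrong port, remote LAN missing from Allowed IPs, pre-shared key on one side only).

```python
import ipaddress

# Constructed from the article's values; the keys are placeholders, not real
# WireGuard keys. Real public keys are read from each firewall's Local entry.
SITE_A = {"name": "ThomasKrennWGSitetoSiteA", "tunnel": "10.11.0.1/24",
          "lan": "192.168.1.0/24", "endpoint": "10.1.102.251", "port": 51820,
          "pubkey": "<PUBLIC-KEY-OF-FIREWALL-A>"}
SITE_B = {"name": "ThomasKrennWGSitetoSiteB", "tunnel": "10.11.0.2/24",
          "lan": "192.168.2.0/24", "endpoint": "10.1.102.252", "port": 51820,
          "pubkey": "<PUBLIC-KEY-OF-FIREWALL-B>"}

def endpoint_entry(remote, shared_secret=None):
    """The Endpoints entry a firewall needs for the REMOTE side: the remote
    public key, its tunnel address as /32 plus its LAN, and its address:port."""
    remote_host = ipaddress.ip_interface(remote["tunnel"]).ip
    entry = {"public_key": remote["pubkey"],
             "allowed_ips": [f"{remote_host}/32", remote["lan"]],
             "endpoint": f'{remote["endpoint"]}:{remote["port"]}'}
    if shared_secret:                      # optional pre-shared key
        entry["preshared_key"] = shared_secret
    return entry

def check_pair(remote, local_peer, remote_peer):
    """Cross-check one direction of the tunnel. Returns a list of problems:
    keys not swapped, endpoint not matching the remote listen port, remote
    tunnel address or LAN missing from Allowed IPs, or a pre-shared key
    that is not identical on both sides (the handshake then fails)."""
    problems = []
    if local_peer["public_key"] != remote["pubkey"]:
        problems.append("peer public key is not the remote firewall's key")
    if local_peer["endpoint"] != f'{remote["endpoint"]}:{remote["port"]}':
        problems.append("endpoint does not match remote address and listen port")
    allowed = [ipaddress.ip_network(n) for n in local_peer["allowed_ips"]]
    remote_ip = ipaddress.ip_interface(remote["tunnel"]).ip
    if not any(remote_ip in net for net in allowed):
        problems.append("remote tunnel address not in Allowed IPs")
    if ipaddress.ip_network(remote["lan"]) not in allowed:
        problems.append("remote LAN not in Allowed IPs")
    if local_peer.get("preshared_key") != remote_peer.get("preshared_key"):
        problems.append("pre-shared key differs between the two sides")
    return problems

if __name__ == "__main__":
    a_for_b = endpoint_entry(SITE_B)   # what firewall A enters about B
    b_for_a = endpoint_entry(SITE_A)   # what firewall B enters about A
    print(check_pair(SITE_B, a_for_b, b_for_a) or "A -> B consistent")
    print(check_pair(SITE_A, b_for_a, a_for_b) or "B -> A consistent")
```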

Author: Thomas Niedermeier

Thomas Niedermeier, who works in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.

FAQs

How to set up a site-to-site VPN with WireGuard?

First create the WireGuard tunnel on both sites:
  1. Navigate to VPN > WireGuard > Tunnels.
  2. Click Add Tunnel.
  3. Fill in the options using the information determined earlier, with variations noted for each site: Enabled: Checked. HQ Settings: Description: ...
  4. Copy the public key from each firewall and note which is which.
  5. Click Save.
Apr 3, 2024

Is WireGuard good for site-to-site?

If you need to share information or resources between intranets at different locations, such as offices or chain stores, a site-to-site VPN with WireGuard® can quickly help you build a private network that connects all these places.

Which is better for site-to-site VPN, WireGuard or OpenVPN?

The biggest notable differences between WireGuard and OpenVPN are speed and security. While WireGuard is generally faster, OpenVPN provides heavier security. The differences between these two protocols are also their defining features. We've taken a closer look at each so you can really understand how they work.

Where is the WireGuard server config?

The config files are generally stored in the /etc/wireguard folder. Create a new configuration file called wg0.conf in that folder.

How to configure a site-to-site VPN?

Tasks
  1. Prerequisites.
  2. Step 1: Create a customer gateway.
  3. Step 2: Create a target gateway.
  4. Step 3: Configure routing.
  5. Step 4: Update your security group.
  6. Step 5: Create a VPN connection.
  7. Step 6: Download the configuration file.
  8. Step 7: Configure the customer gateway device.

Which is better for site-to-site, WireGuard or IPsec?

Choose WireGuard if you prioritize simplicity, speed, and efficient resource usage. Opt for IPsec if you need extensive scalability, compatibility with existing infrastructure, and adherence to industry standards.

What is the most secure site-to-site VPN?

  • NordVPN.
  • Surfshark.
  • Private Internet Access VPN.
  • Hotspot Shield.
  • Norton Secure VPN.
  • IPVanish.
  • ExpressVPN.
  • CyberGhost.
4 days ago

Why not use WireGuard?

Lack of Privacy: If you use your VPN specifically to keep your use of a VPN secret from your ISP or any other potentially prying eyes, WireGuard is likely not the right protocol for you. Because it uses UDP instead of TCP, the traffic itself can easily be detected as VPN traffic by anyone who's got an eye on the line.

Is a site-to-site VPN faster than Direct Connect?

The key differences between AWS Direct Connect and VPN

Compared with Direct Connect, AWS VPN performance can reach 4 Gbps or less. The performance of Direct Connect starts from 50 Mbps and expands to 100 Gbps.

What is the most secure VPN configuration?

OpenVPN is the most secure VPN protocol and the safest choice thanks to its near-unbreakable encryption, which keeps users' data private even when using public Wi-Fi.

Why is WireGuard so much faster than OpenVPN?

WireGuard uses state-of-the-art cryptographic algorithms like ChaCha20 for encryption and Poly1305 for authentication, which are faster and more efficient than the older algorithms used by OpenVPN. This results in quicker connections and higher throughput.

What is the best port to run WireGuard on?

What ports do you use for WireGuard? UDP ports 53, 80, 443, 1194, 2049, 2050, 30587, 41893, 48574, 58237.

How to configure WireGuard in OPNsense?

WireGuard VPN Server (Local) Configuration on OPNsense

Navigate to VPN → WireGuard → General in the OPNsense web GUI. Tick the check box to enable WireGuard. Navigate to the Local tab and then click + at the bottom right of the pane to add a new Local configuration. Verify that the local configuration is enabled.

Does WireGuard need a static IP?

We recommend obtaining a static IP address from your ISP, or configuring a Dynamic DNS to avoid these interruptions.

How do I know if the WireGuard server is working?

To check if the WireGuard server is working properly

The simplest way is to use a cell phone with the official WireGuard client app installed, turn off its Wi-Fi connection, and connect to the Internet only via 3G/4G/5G.

How do I create a VPN on WireGuard?

Setting up a WireGuard VPN requires the following:
  1. A VPS (Virtual Private Server) or a server with a public IP address.
  2. Access to the server's command line (typically via SSH).
  3. WireGuard software installed on both the server and your local machine (client).
  4. Basic knowledge of networking and command-line tools.
Mar 14, 2024

How to set up a site-to-site VPN connection with strongSwan?

VPN Configuration on EC2-B
  1. SSH into EC2-B.
  2. Install strongSwan: sudo apt update; sudo apt install strongswan. ...
  3. Configure EC2-B to function as a router. Update /etc/sysctl.conf to have the following: net.ipv4. ...
  4. Configure an IPsec connection for the VPN tunnel.
Nov 19, 2023

How do I create a site-to-site VPN with OpenVPN?

Install the OpenVPN client software (VPN client) on a Linux server on the branch network. Connect the OpenVPN client to Access Server (VPN tunnel) to start an active tunnel for secure data communication. Allow traffic between the networks through each network's routers, firewalls, or internet gateways.

How do I connect to NordVPN with WireGuard?

  1. Log in to the router's interface.
  2. Go to Internet > Permit Access > VPN (Wireguard)
  3. Click Add Connection and then click "Connect networks or establish special connections", then "Next"
  4. "Has this WireGuard connection already been set up at the remote connection?" ...
  5. Enter a name for the connection.

Article information

Author: Ms. Lucile Johns
