Securely Access Your Home Network with WireGuard VPN on OPNsense

  • Published 26 Dec 2024

COMMENTS • 119

  • @J_xoshh 4 months ago +5

    I just wanted to say thank you for the OPNSense videos. I've been getting more involved with getting my home network more complex and you've been a huge help, I haven't had any hiccups *yet*

    • @homenetworkguy 4 months ago +2

      You’re welcome! Glad it has helped in your journey!
      Also it goes beyond just making things more complex (making things more complex without good reason is not always very helpful). Gradually increasing overall complexity while also attempting to minimize complexity where it’s not necessary can be tough to balance. If you work to slowly improve upon it over time, it can be both stable and relatively easy to maintain.

  • @MrBoboka12 1 month ago

    Clear, understandable, easy to follow the logic and as you explain. Awesome! Thanks for the effort on the video!

  • @intangiblesloth 4 months ago +1

    Thanks for all your videos. Helped my partner and I setup our badass network 😎

    • @homenetworkguy 4 months ago +1

      You’re welcome! I’m glad it helped you create an awesome network! Haha

  • @LtColDavenport 4 months ago +1

    One of the videos I was still waiting for! I already set it up on my own, but I will gladly watch this in order to see if I did it right!!

    • @homenetworkguy 4 months ago +2

      I'm glad the wait is over! haha. I've been wanting to do a video on it for a while and thought it was a good time to do one since I updated the written version of my guide not long ago to get it up to date with the latest updates to WireGuard in OPNsense. Hopefully the demonstration on accessing an internal web app externally via the WireGuard VPN is useful since it shows a bit more of what you can do once you have the VPN configured.

  • @gamegoose1 4 months ago

    What a video man 👏 I've been trying to set up my OPNsense vault and both your videos and written guides have been a life saver. Thanks!

  • @YasarHabib 2 months ago

    Just wanted to say thank you! I am now able to connect to my home network and use DNS-level ad blocking using pi-hole from anywhere in the world!

    • @homenetworkguy 2 months ago

      You’re welcome! Glad it worked since some users report they have issues or have to do additional steps in order to get WireGuard to function properly.

    • @YasarHabib 2 months ago

      @homenetworkguy Once I got everything working as intended with WireGuard, I noticed that my OPNsense box stopped receiving updates! I had to go to System > Settings > General and set the DNS server (pi-hole IP) manually. Weird because the LAN DHCP service is supposed to hand that out to LAN devices and all other VLAN devices. I'm fine with the change because it works, but I'd love to find out WHY this is happening.

  • @TheRealSebastian583 4 months ago

    Thumbs up! Great video. One thing you could also mention is the NAT. I have manual NAT rule creation - everything in my local network worked but getting out to the internet did not. Then I remembered that I had this on manual and added a matching rule there. Just in case anybody else stumbles across that.

    • @homenetworkguy 4 months ago

      Thanks! Yeah, I didn’t think about if you changed the default settings. I have more info about outbound NAT on my website guide.
      You could probably use Hybrid for outbound NAT so it would still generate the interface NAT rules but you can still create your own NAT rules. However, you may have a good reason to manually define all of your outbound NAT rules.

  • @vincentnephtali8004 1 month ago +1

    Thank you a lot for your tutorial. Unfortunately, after following all the steps, including the rules for accessing the LAN, we can't access any of the devices on our LAN. Surprisingly, this only allows access to the administration tab of the OPNsense server on the LAN side, which was impossible before.

    • @homenetworkguy 1 month ago

      You're welcome! That's odd you can access the OPNsense web UI on the LAN but nothing else on the LAN network via firewall rules. I know that some users have issues configuring WireGuard due to various things and I haven't been able to pinpoint all of the reasons why.
      Some users stated they had to create the normalization rule described in the OPNsense documentation to prevent network packets from being fragmented on the WireGuard tunnel (I believe that is the problem), but other users (including myself) do not need to do that. It probably depends on the MTU used by the ISP when you are trying to connect remotely to your home network.
      Some users said they have to restart WireGuard or reboot OPNsense after adding peers (although it should work when you click the "Apply" button after adding new peers).

  • @JasonsLabVideos 4 months ago

    NICE! I see a QR code now for easy, fast setup on mobile devices!! Nice work sir!

    • @homenetworkguy 4 months ago

      Thanks! I updated my written guide a while ago but hadn't done any WG videos on OPNsense yet so I figured it would be a good time to do one since they now include the peer generator which makes things much easier to set up.

  • @jeremiahwolfe 1 month ago +1

    Very helpful. Thank you!

  • @kronosg13 4 months ago

    Tailscale wins for me but it's great to have a video for WireGuard anyway! Great job!

    • @homenetworkguy 4 months ago

      Thanks! I mostly only connect my phone to my home network via WireGuard so it's not a lot of effort to set up WG so I can connect directly to my home network. I know a lot of people love the ease of use of Tailscale.

    • @dustarian 4 months ago

      Somehow I had a ton of issues with Tailscale on my NAS, so I switched to WireGuard on my UDM SE, never encountered any problems since... I'm not saying that Tailscale is bad, loved it while it worked but once there's a problem, it's kinda hard to fix...

    • @homenetworkguy 4 months ago +1

      Yeah, I just like the simplicity of connecting a small number of clients directly to my home network. Once I got WG set up, it always just works.

  • @gustavcarlsson343 4 days ago

    Thank you for this step-by-step tutorial! I had trouble applying the WireGuard config, but after rebooting OPNsense, WireGuard is now running smoothly. One thing I'm trying to understand is the Allowed IPs fields. The one in the peer generator gives 0.0.0.0/0,::/0 to my wg-client. I click Store and generate next. Now under the Peers tab, the same client is showing Allowed IPs 10.11.11.2/32. Are these two different options with the same name?

    • @homenetworkguy 3 days ago +1

      Yeah, that confused me too for a while. I believe the way you can look at it is this: it’s from 2 different perspectives. After saving the peer info, it is the allowed IPs of the peer connecting to the WireGuard server instance (it’s like a static IP address), but when you are creating the peer configuration, it essentially is the list of IPs that the peer is connecting to which are allowed through the WireGuard tunnel.
      The default of 0.0.0.0/0,::/0 means to tunnel all traffic from the peer through the WireGuard VPN.
      I used to do this on my phones but I noticed that on slow cellular connections, routing all traffic through my WireGuard VPN at home slows down the throughput so much that I could barely connect to anything unless I turned off connecting to the VPN.
      Now I just route my private IPs (10.1.1.1/24, 192.168.0.0/16) of my home network through the WG VPN so I can still connect back home securely but everything else uses the cellular connection. This is called split tunneling.
      It means that I won’t have the same network wide protections on my home network while I’m away but it helps with improving throughput while roaming.
      In this scenario you can decide to include your WG interface IPs (such as 10.1.1.1) or not for DNS resolution (you won’t be able to use hostnames on your home network via the WG tunnel if you don’t tunnel the WG interface IP running the DNS service).

    • @gustavcarlsson343 1 day ago

      @homenetworkguy Thank you for this explanation! After doing some testing with this in mind it all makes sense. Split tunneling really is very useful. And so easy to set up via the client's config. Cheers 🙏

  • @JoJ0TheHoBo 4 months ago

    Quick question: if I was wanting to connect over WG to my Jellyfin server, could I just add a rule above the privatenetwork invert that allows connections from WG Net to the specific Jellyfin IP and be generally okay security-wise?

    • @homenetworkguy 4 months ago +1

      Absolutely! Once you’re connected securely via WG, you can safely connect to anything on your network! On my network I can connect to my IP cameras that are on an isolated VLAN that doesn’t allow access to the Internet and it works great!

  • @AskANerdTV 1 month ago

    Just curious, is there any way to do this AND get the protection of Zen Armor on the go on your cell? When I followed the instructions the cellphone just shows up in the logs as "Device none" and there's no option in the ZA Device settings to add the phone.

    • @homenetworkguy 1 month ago

      Yes! On your Zenarmor configuration, you can have Zenarmor protect the WireGuard interface so all devices on that interface/network will be protected in the same way as the rest of your network. You shouldn't need to add it on a per device level. Although, I haven't tried using the devices section for WireGuard clients to do specific policies for different WireGuard clients (you could use the IP address instead since the IP addresses are static for each WireGuard client). I know some users have reported issues from time to time with the devices recognition. It may not be the most reliable way to create policies due to how the automatic device detection may not always be 100% accurate.
      Also keep in mind that on occasion, after certain OPNsense updates, the Zenarmor plugin doesn't always protect the WireGuard interfaces until they have had some time to resolve any issues after upgrades. If you are using Zenarmor with OPNsense, I recommend waiting a few weeks before upgrading OPNsense to ensure there are no issues before upgrading. Oftentimes, Zenarmor will announce when they have fixed issues due to OPNsense changes. This is a consequence of being a 3rd party plugin since OPNsense doesn't test (and isn't obligated to test) 3rd party plugins with version upgrades.

  • @MrKalindro 3 months ago

    Great video, it indeed works! I was wondering if there is a way to allow all routes to my homelab but forbid peers from communicating with each other? If I do it in the firewall settings, will it be sufficient? Or does it also have to be done at the VPN level?

    • @homenetworkguy 3 months ago

      I haven't tried this since I mostly just use my phone to connect back home, but occasionally my iPads. However, I've seen where you can adjust the iptables on the server side to enable client-side isolation (www.lautenbacher.io/en/lamp-en/wireguard-prohibit-communication-between-clients-client-isolation). That is for Linux. FreeBSD would be different since it doesn't have iptables like Linux. I'm not sure if you would do this on the command line in FreeBSD or if it could be accomplished via certain firewall rules on the WG interface.
      Also you could create multiple instances of WG and have clients connect to different instances (it may be possible to allow devices on different WG instances to communicate via firewall rules-- similar to how you would allow traffic across VLANs). This would be an interesting area to explore.
      I have a lot of things on my todo list... a never-ending todo list (which is great for content creation).

  • @ZombieLurker 4 months ago

    I need some more ideas of what to setup in my Proxmox lab. I'm the only one on my network, so haven't really had any reason to need a separated lab network yet, besides VLANs. I'm caught up on all my smaller projects and want to start learning more security related things, so a separate network for that would probably be smart. Have you done an overview video on everything you have set up in your own lab yet? That would be cool to see, so I can steal some of your ideas. Haha.

    • @homenetworkguy 4 months ago

      Haha yeah that could be interesting, but the funny thing is that I still have a lot of things in flux on my LAB VLAN because that’s where I try out several things. I’ve been meaning to establish a few things as more permanent fixtures for that network. I’m working on building 2 test rackmount clients for speed testing devices, for instance. I do have one of my Proxmox nodes dedicated to testing as well. It has some OPNsense VMs as well as a few Linux VMs I can use as clients for testing. I have a few other containers I use to demonstrate setting up example apps/services on the network. I do have some more project ideas I’m working on for some videos soon too. I think I’m going to focus more on those types of videos than a basic setup of a specific feature because I like showing real world examples (likely more useful for learning and idea purposes).

  • @d4n3sh 4 months ago

    Good walkthrough. Thanks

  • @alejandrocabeza1919 1 month ago

    Hello, thank you for your videos. I have watched a couple to help me with my OPNsense setup. I recently tried setting up WireGuard but have had no luck in getting a handshake. I have an ISP modem in bridge mode > OPNsense > managed switch > AP... the switch has a PC/TV/NAS/Plex PC/AP (Asus router with OpenWrt in switch/AP mode). I disabled IPv6 in my OPNsense setup and set it up with VLANs for IoT and guest; this works fine. But for some reason I am not getting a handshake at all. I don't have a domain but tried the DDNS route and added that to OPNsense too under Services > Dynamic DNS. Any tips on what I can troubleshoot? Thank you

    • @homenetworkguy 1 month ago

      Sometimes ISPs block the 51820 port that WireGuard uses so you could try a different port number. Some users have stated they needed to create the normalization rule that is documented in OPNsense’s official WireGuard documentation. I haven’t found the need to do that. It probably depends if your ISP uses a non-standard MTU value. Some users have stated they needed to reboot OPNsense after setting up WG and/or clients. You do need to hit the Apply button when you add a new peer after you set up WG the first time. I forgot to mention that in the video because I set everything up before I enabled WireGuard.

    • @alejandrocabeza1919 1 month ago

      @homenetworkguy I'm going to keep troubleshooting. I just thought of something, though. My OPNsense internal network nomenclature is 10.xxx.xx.x/24. Does it matter if I'm trying to make the tunnel 10.xx.xx.x/24? Or should it be a different set? Thx

    • @homenetworkguy 1 month ago

      Yes it has to be a different network address range because it’s a virtual tunnel network. All VPNs need their own network address range just like any other physical or VLAN interface you are setting up in OPNsense.
      If you want WireGuard clients to access various parts of your network, you simply create firewall rules to allow access.
      I use nearly the same rules on my WG interface as I do on the VLAN where my phone connects when I’m at home, so that when I’m away from home, it feels like I’m still on my home network. It feels so seamless when you have WG connect automatically as your phone switches over to the cellular connection when you leave your house.
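      The two threads above (the "two different Allowed IPs" question, and the "can the tunnel share my 10.x range" question) come down to one mechanism: WireGuard's cryptokey routing table, which is read from the server's side as "which source addresses do I accept from this peer" and from the client's side as "which destinations do I send into the tunnel". The following is an added example written for this page, not code from the video, the written guide or the OPNsense project. It uses Python's standard ipaddress module; all subnets (10.11.11.0/24 as the tunnel, 192.168.0.0/16 as the home LAN, 10.11.11.1 as the DNS server) are constructed for the example.

```python
"""Added example (not from the video or OPNsense): reasoning about WireGuard
AllowedIPs from both ends, plus the tunnel-subnet overlap check.

WireGuard uses one cryptokey-routing table in both directions:
  * on the server, the peer entry's AllowedIPs (e.g. 10.11.11.2/32) is the
    set of source addresses accepted from that peer and routed back to it;
  * on the client, the [Peer] AllowedIPs (0.0.0.0/0, ::/0 or a list of home
    prefixes) is the set of destinations that are sent into the tunnel.
All addresses below are constructed for this example.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_ips(spec: str) -> List[Net]:
    """Parse 'a/b, c/d' exactly as it is written in a WireGuard config."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def covered(allowed_ips: str, ip: str) -> bool:
    """Cryptokey-routing match: is `ip` inside any AllowedIPs prefix?

    Server view: would this peer entry accept a packet sourced from `ip`?
    Client view: would a packet destined to `ip` be sent into the tunnel?
    """
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net
               for net in parse_allowed_ips(allowed_ips))


def overlapping(tunnel_net: str, internal_nets: Iterable[str]) -> List[str]:
    """Internal prefixes that collide with the proposed tunnel subnet.

    A non-empty result means the tunnel must be moved to a different range,
    as the reply above says: the tunnel is its own network like any VLAN.
    """
    tunnel = ipaddress.ip_network(tunnel_net, strict=False)
    hits = []
    for spec in internal_nets:
        net = ipaddress.ip_network(spec, strict=False)
        if net.version == tunnel.version and tunnel.overlaps(net):
            hits.append(spec)
    return hits


def split_tunnel_check(client_allowed_ips: str, home_nets: Iterable[str],
                       dns_server: str) -> Dict[str, bool]:
    """Client-side sanity check for a split-tunnel AllowedIPs list.

    home_reachable:      every home prefix lies fully inside AllowedIPs
    dns_via_tunnel:      the server named in [Interface] DNS= is tunneled
                         (if not, home hostnames will not resolve remotely)
    internet_via_tunnel: a public address (TEST-NET-3) would be tunneled,
                         i.e. this is really a full tunnel, not split
    """
    allowed = parse_allowed_ips(client_allowed_ips)

    def net_covered(spec: str) -> bool:
        net = ipaddress.ip_network(spec, strict=False)
        return any(net.version == a.version and net.subnet_of(a)
                   for a in allowed)

    return {
        "home_reachable": all(net_covered(h) for h in home_nets),
        "dns_via_tunnel": covered(client_allowed_ips, dns_server),
        "internet_via_tunnel": covered(client_allowed_ips, "203.0.113.10"),
    }


if __name__ == "__main__":
    FULL = "0.0.0.0/0, ::/0"                 # peer generator default
    SPLIT = "10.11.11.0/24, 192.168.0.0/16"  # tunnel net + home LANs
    NO_WG = "192.168.0.0/16"                 # forgot the tunnel net itself
    for spec in (FULL, SPLIT, NO_WG):
        print(spec, split_tunnel_check(spec, ["192.168.1.0/24"], "10.11.11.1"))
    print(overlapping("10.11.11.0/24", ["10.11.11.0/24", "192.168.1.0/24"]))
```

      Running it shows the three cases the reply describes: the default list tunnels everything (including the public test address), the split list reaches home and the tunnel-side DNS server but sends Internet traffic out the cellular link, and a split list that omits the tunnel subnet silently loses DNS over the tunnel. The same covered() check, applied to a peer entry's 10.11.11.2/32, is the server-side meaning of the field.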

  • @PikachuRXZ 2 months ago

    If I am also using IPv6, would I make additional IPv6 rules? Or can I just make these rules IPv4+IPv6?

    • @homenetworkguy 2 months ago +1

      If you're using auto-generated aliases, I believe they contain both IPv4 + IPv6 addresses so you can just create one rule for those. If you create your own aliases and include both IPv4 and IPv6 addresses in the alias, you can also use a single rule, which is nice to reduce duplication of rules that provide the same access with both protocols.

  • @hexium 2 months ago

    Thanks for the guide! I managed to set it all up, but I'm struggling with the hostname resolution. I have a pi-hole VM in the LAN network, and I set up the LAN DHCP server to use it, but obviously that doesn't affect clients that connect via WireGuard. I understand for that I need to configure Unbound DNS, but I can't find how to do it. As in, how to forward DNS requests from Unbound DNS to the pi-hole IP address so that WireGuard clients can see the hostname aliases that I defined in pi-hole.

    • @homenetworkguy 2 months ago

      I haven’t tried using Pi-hole for DNS for WireGuard clients but you can specify the Pi-hole DNS server in the WG client DNS settings. You will need a firewall rule on the WG interface to allow access to the Pi-hole DNS server.

    • @josephmartinez5749 2 months ago

      @homenetworkguy I'm curious about this as well. I don't use a pihole but cannot get to any of my systems by name through WG. When I am actually on the network everything is fine.

    • @homenetworkguy 2 months ago

      I haven’t tried using Pi-hole with WireGuard in a long time but with using Unbound DNS without Pi-hole, DNS resolution with WireGuard works. I need to try this sometime with Pi-hole (on a lab network) to see if it works or if perhaps additional configuration is necessary.

  • @adecosa 1 month ago

    So I have to create a peer for each device I want to use with WireGuard off of the network? Like create a peer for my mobile phone, create another peer for my laptop, etc.?

    • @homenetworkguy 1 month ago +1

      Yes. You only need peers that you want to remotely connect to your WireGuard VPN. If you have a lot of devices, the first time setup can be time consuming. That's why other products which use WireGuard as the protocol exist-- to make it easier for peers to connect and propagate it to multiple WG sites, etc.

    • @adecosa 1 month ago

      @homenetworkguy Thank you, got mine up and running using your tutorial.

    • @adecosa 1 month ago

      Spoke too soon. I can remote to devices on my home network from outside of my home network. But if I try to connect to the VPN and just try to search something on Google then nothing loads.

    • @homenetworkguy 1 month ago

      This could happen if you don’t have DNS or firewall rules configured properly. It also requires the WireGuard interface to be assigned so it gets automatic outbound NAT rules generated (as long as you don’t have it set to “manual” or “none” on the Outbound NAT page).

  • @Олег-б3ц9б 2 months ago

    Please analyze a product such as defguard and its integration into OPNsense.

    • @homenetworkguy 2 months ago

      Hmm I haven’t looked into defguard. Thanks for the suggestion.

  • @Shl0mpi 10 days ago +1

    I feel hopeless. I have no idea what is wrong. I have a handshake and see the device connected in OPNsense, but I can't access local devices or browse the internet. I have only the WG rules for the WAN and WG interfaces and also allow DNS on 53, but nothing other than that. What am I doing wrong? The port is the default 51820, nothing special.

    • @homenetworkguy 9 days ago

      Without seeing more specific configuration, it sounds like a firewall rule issue, but I’ve seen some people have trouble getting network access even though they have a proper handshake, which always makes me wonder what the issue(s) could be.
      When you say you have only the WG rules, what do you mean exactly? You can basically mimic your other rules for other network interfaces which allow access to the Internet assuming all of the other configuration is correct.

    • @Shl0mpi 12 hours ago

      @homenetworkguy Thanks for the reply man and sorry for the late reply.
      To be honest, I left everything as default except the 2 new rules I created for passing port 51820 on the WAN and for the WG interface allowing the WG address. Another rule I have is to pass DNS across the interfaces. The funny thing is that a couple of days before it was working perfectly and I have no idea what changed.

  • @Ykhavari 4 months ago

    What would be the difference between this and tailscale? I currently use tailscale

    • @homenetworkguy 4 months ago

      I haven't used Tailscale but I have looked into it briefly a few times. I believe some differences are you have to create a cloud account and use their Tailscale coordination server that all of the nodes communicate with. I believe it can be self-hosted. I realize Tailscale makes the process easy because it can traverse through NAT firewalls easier, etc.
      For my needs, connecting 3-4 devices to my OPNsense WireGuard VPN is easy enough especially once it is set up because I never have to touch it. 99% of the time I only connect to my home network with my phone so I only really need that one connection set up. I have other devices like iPads set up with WireGuard so if I am traveling, I can connect back home when I need to be on an untrusted network.

  • @SonicNinja6600 4 months ago

    After following a bunch of guides, this was the one that worked for me. Thanks for the guide. The only issue I'm running into is trying to access my TrueNAS SMB share from the WireGuard connection. I made a rule to allow access to its IP but it keeps failing to connect. Do I need to do something different to get an SMB share to work?

    • @homenetworkguy 4 months ago

      I’m glad my guide worked! It’s good confirmation I didn’t accidentally miss any steps in the video.
      As for SMB, did you allow specific ports for SMB or all ports? Also in TrueNAS, make sure you don’t have the share limited to specific IP/network address ranges (or update them to include the WireGuard network IPs).

    • @SonicNinja6600 4 months ago

      @homenetworkguy I haven't messed with any network settings in TrueNAS other than setting a static IP and making 2 SMB shares. I looked at Network

    • @homenetworkguy 4 months ago

      What ports did you allow in the firewall rules? TCP or UDP or both? “Any” would work but it’s better to use specific ports. Typically there is more than one port that needs to be opened for SMB/NFS shares. I’d have to look up the port numbers and protocol for each port for SMB. Don’t have it memorized off the top of my head.

    • @SonicNinja6600 4 months ago

      @homenetworkguy I have it set for both TCP/UDP and "any" for ports. I have the same setup for another rule for my Docker IP and can access services like Jellyfin and Dashboard just fine.

    • @alexzan1858 4 months ago

      @SonicNinja6600 "any" ... ooof

  • @frankenjeda 4 months ago

    Thank you so much for this video. Please could you also make a video for OpenVPN on OPNsense?

    • @homenetworkguy 4 months ago

      Glad you enjoyed the video! It would be possible to do OpenVPN but I'm not sure when I would get to it because I have a lot of other project videos I want to do soon. It means more OPNsense builds to show different types of configurations!

  • @Kyonkun77 4 months ago

    Thank you very much for the video. I followed the steps and, after adding a rule in the firewall for WireGuard -> WAN, I was able to connect to the internet. Now, this afternoon, I've tried again and there is no internet and it looks like no handshake. There have not been any changes since this morning and suddenly it has stopped working. Any idea why?

    • @homenetworkguy 4 months ago

      The only thing I can think of is that your WAN IP address has changed since you first set up your WG connection. Once I have mine set up, I’ve never had issues connecting to it after that unless my public IP address is out of date.

  • @deniswalks 4 months ago

    Is it possible to make a WG connection to OPNsense, that’s connected via WG to another site?

    • @homenetworkguy 4 months ago +1

      Ohh yeah. Site to site WG. I haven’t tried that yet but I would like to demonstrate how at some point.

    • @deniswalks 4 months ago

      @homenetworkguy hope to see it done your way!

  • @EA-Agent 2 months ago

    The handshake was not completed after I followed your guide. ZenArmor is running, but I don't think it affects the VPN. :(

    • @homenetworkguy 2 months ago +1

      Some users stated they needed to do the normalization rule from the official OPNsense documentation. I’m not sure why but perhaps it’s for those who have ISPs which use different MTU values.
      Also make sure that port 51820 is not blocked by your ISP. On one network where I set up WireGuard, I simply changed the port to 51821 and it worked just fine. It’s annoying when ISPs block incoming ports like that.

    • @EA-Agent 2 months ago

      @homenetworkguy Thank you! :)

  • @YasarHabib 3 months ago

    Is there a way to use WireGuard on the same network to access the management VLAN?
    I have my laptop connected to the AP (USER VLAN 20), but I can't access the OPNsense web GUI since that is on a separate management VLAN.

    • @homenetworkguy 3 months ago

      Are you trying to use WireGuard on your internal network to access your OPNsense web UI on the management VLAN? Or do you mean when you connect remotely to your network via WireGuard? If you’re connected to your local network on VLAN 20, you just need to create a firewall rule on the VLAN 20 interface in OPNsense to allow access to your OPNsense web UI.

    • @YasarHabib 3 months ago

      @homenetworkguy Thanks for the quick response! I'm connected to my local network on VLAN 20 and trying to access the management VLAN for network infrastructure. I was able to do this with firewall rules, but want to be able to do it with WireGuard (on my local network) so I don't allow VLAN 20 untethered access to the management VLAN.

    • @homenetworkguy 3 months ago

      If you only want a single device on VLAN 20 to access your management network, you should use a static IP address for that device and make the source for the firewall rule only allow that single IP. That’s what I used to do for one of my PCs until I dedicated a Raspberry Pi (and soon a Radxa X4 instead) to manage devices on my management network (so I don’t have to open holes into my management network). That solution is simpler than using WireGuard on your internal network. I’ve had trouble using WireGuard on internal networks (for testing purposes) because you have to be careful how you route traffic.

    • @YasarHabib 3 months ago

      @homenetworkguy That makes a lot of sense. Even though this is for my home network, I want to learn and follow best practices. Looks like I have a use for my old Raspberry Pi 3B!
      Do you run the dedicated Raspberry Pi headless and remote into it? Do you have a video I can refer to setting that up?

    • @homenetworkguy 3 months ago

      I have a Raspberry Pi 5 and run Ubuntu desktop on it because most of my management interfaces have web UIs. I do use SSH to get into all my servers as well. Performance of the 3B for a desktop environment will be more limited. I have the RPi connected to a KVM so I can switch between my main desktop PC and my RPi when I want to manage my network. I haven’t done anything special on the Raspberry Pi other than set up a few web browser bookmarks. I’m working on setting up a Homepage dashboard to have all the links I typically access but on a nicely organized web interface. It keeps getting put on the back burner though. Haha.

  • @stephendetomasi1701 2 months ago +1

    Sadly this guide did not work well for me. I was able to connect but had no access to my LAN. Frustrating.

    • @homenetworkguy 2 months ago

      I’m not sure why, but for some users WireGuard can be difficult to get set up. Sometimes the ISP blocks the default port 51820, some users say creating a normalization rule worked for them (while others, like myself, say they don’t need it), sometimes the WireGuard service needs to be restarted (some users reboot OPNsense), and when adding new peers you have to click Apply Changes or the new peers can’t connect.
      If you are actually connecting to your WireGuard VPN remotely and are actually connected properly (it’s hard to tell with WireGuard client unless you can see the handshake in the logs in OPNsense), it should be a matter of configuring firewall rules (assuming the LAN IPs are in the allowed IPs of the WireGuard peer).
      There’s several things that can go wrong but once it’s up and running it’s pretty solid in my experience.

    • @vincentnephtali8004 1 month ago

      @homenetworkguy I have the same problem as @stephendetomasi1701. The only difference that I spot is that both of the interfaces of my OPNsense are in a private network. After having completed your tutorial, I was able to successfully connect with the WireGuard VPN and it allows me to reach the LAN interface of the server in order to administrate it. However, I'm unable to ping my equipment that is in the same LAN network :(

  • @tx_slim_tx 4 months ago +1

    Is it possible to get a Full Tutorial on OPNsense Dynamic ISP Network (bare metal) with server (bare metal) Proxmox - Ubuntu(VM) - Docker/Portainer, Cloudflare DDNS, Wireguard, Nextcloud secure installation/setup? I might not be able to fund the video but would definitely donate a handful of coffees. I get lost trying to combine all of your videos together 😂.

    • @homenetworkguy 4 months ago +3

      Haha no problem! I understand. It’s hard to find a good balance of real world examples that fit in a reasonable amount of time for a video (sometimes I get criticized for including too many details/caveats/tangents so I have been trying to minimize that; it’s difficult to avoid). I definitely prefer to do real world homelab examples rather than short one-off guides because you can see many concepts come together and it can help make the concepts click.
      I have more of those type of videos planned (various OPNsense builds along with some switch/AP configurations) so I’m thinking maybe I could sneak some Proxmox in there as well since I have yet to combine my full network builds with a Proxmox server build in the same videos (or written content).

  • @christianhoffmeister8959 4 months ago

    Hi i have configure my opnsense and wireguard from your video, but i have some issue. i have 2 internel dns Server 10.1.10.252 and 10.1.10.251. I can ping both but i cant resolve the names and i cant connect to the internal server by the dns name.
    Can you tell me what i make wrong or what i have to do ?

    • @homenetworkguy
      @homenetworkguy  4 months ago

      Did you configure your WireGuard peers to use those internal DNS servers? You also need to make sure your firewall rules allow access to the DNS servers from your WireGuard network.

    • @christianhoffmeister8959
      @christianhoffmeister8959 4 months ago

      @homenetworkguy I have configured the clients to use them like this:
      [Interface]
      PrivateKey = IBUjY/fzuec6xxxxxxxxxxxxxxxx
      Address = 10.10.10.7/32
      DNS = 10.1.10.251,10.1.10.252
      [Peer]
      PublicKey = zgcYen5mPNXXexxxxxxxxxxxx
      AllowedIPs = 0.0.0.0/0, ::/0
      Endpoint = xxx.xxx.xxx.xxx:51820
      For testing I have created the rules with any to any.
      I can browse the Internet, but internal DNS lookups don't work.
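      As an added example (not code from the video or from the commenter), here is a small Python check of a wg-quick client config for the two pitfalls raised in this thread: DNS servers that fall outside every AllowedIPs route (so queries never enter the tunnel, which bites split-tunnel configs rather than the 0.0.0.0/0 one above) and a mistyped Endpoint port, the typo another commenter hit in the matching WAN rule. It goes beyond the posted config by also accepting IPv6 endpoints; the sample config, its hostname and its placeholder keys are constructed. A clean result means the config is consistent and the search belongs in the OPNsense firewall rules, as the reply above suggests.

```python
"""Sanity-check a wg-quick client config for the pitfalls discussed here:
DNS servers not routed through the tunnel and a malformed Endpoint port."""
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the config above; keys and host are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.10.7/32
DNS = 10.1.10.251,10.1.10.252
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
"""

def parse_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the INI-like wg-quick format into {section: {key: [values]}}.
    Comma-separated values (DNS, AllowedIPs) are split into lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                              # key before any section header
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        sections[current].setdefault(key.strip(), []).extend(values)
    return sections

def check_conf(text: str) -> List[str]:
    """Return the problems found; an empty list means the config is consistent."""
    conf = parse_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    problems = []
    allowed = [ipaddress.ip_network(n, strict=False) for n in peer.get("AllowedIPs", [])]
    for dns in iface.get("DNS", []):
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError:
            continue                              # a search domain, not an address
        if not any(addr in net for net in allowed):   # version mismatch compares False
            problems.append(f"DNS server {dns} is not covered by AllowedIPs; queries bypass the tunnel")
    for ep in peer.get("Endpoint", []):
        host, sep, port = ep.rpartition(":")      # rpartition keeps [v6]:port intact
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"Endpoint {ep!r} has no valid port; no handshake is possible")
    if "Address" not in iface:
        problems.append("Interface has no Address")
    return problems
```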

  • @Crabofwar2
    @Crabofwar2 2 months ago

    No idea what I'm doing wrong. The connected devices handshake with WireGuard, but I can't ping any local device or connect to the Internet.

    • @homenetworkguy
      @homenetworkguy  2 months ago

      I have noticed that some users have a real struggle getting WG set up even when following the directions. I’ve tried to help with everything I can think of, and sometimes the issue isn’t fully resolved. I am curious what is different in some users’ configurations that makes the WG VPN not work properly.
      Have you checked all of your firewall rules? If you can make a successful handshake, it should be a matter of setting up the proper rules on the WireGuard interface to allow the appropriate access.

    • @JamesBond-kx3kl
      @JamesBond-kx3kl 2 months ago

      I banged my head against the wall for an hour before I realized I had a typo in the WAN firewall rule and typed the port# for WG wrong.

  • @RodolfoOchoa
    @RodolfoOchoa 3 months ago

    Once you started cloning rules I don't have, I got lost. I have my own install.

    • @homenetworkguy
      @homenetworkguy  3 months ago

      Exactly. Everyone has their own set of firewall rules to allow the access they want on their own networks. I can’t show everyone how to create their exact rulesets. I can only provide examples.
      However, there are some basic rules you will need to allow access to your network/Internet. I walked through each rule in the video, but I have more detailed examples in my other guides.
      If you want your WireGuard clients to have exactly the same access as you have on your other networks, you can create similar rules or clone them so you don’t have to create them all from scratch. Creating rules for your WireGuard interface is exactly the same as for any other network interface you have configured for your network.

    • @mr.dingleberry4882
      @mr.dingleberry4882 3 months ago +2

      Look for a video called "Beginner's Guide to Set up a Full Network using OPNsense" on his channel and skip to 18:33. Follow that section, and then come back here for rule cloning.

  • @McWizardly
    @McWizardly 2 months ago

    I'm confused why you would need to allow access to DNS if you have a default allow LAN rule? ua-cam.com/video/nlJTz2Am6lc/v-deo.html

    • @homenetworkguy
      @homenetworkguy  2 months ago

      I had the default rules disabled (notice they are grayed out) because I am no longer using the allow-all rules, to tighten up the rules (isolating the networks from one another).

  • @slybunda
    @slybunda 4 months ago +1

    Way overly complicated to get WG working.

    • @homenetworkguy
      @homenetworkguy  4 months ago +4

      Why is that? I’m showing more than just setting up WG itself. I’m showing how to open up access to internal parts of your network so you can remotely access anything on your network when you are away from home.

    • @tjjenkin42
      @tjjenkin42 3 months ago

      @homenetworkguy That is exactly what I need, and I have bookmarked this video!! I have tried and failed many times to make this work, and I appreciate this!!!

    • @StephenDeTomasi
      @StephenDeTomasi 2 months ago

      Agreed, this guide could have been simplified quite easily. Like, why are we setting up peers before configuring firewall rules? Server setup and peer setup are two separate sections; mixing it up is just confusing.

    • @homenetworkguy
      @homenetworkguy  2 months ago +1

      @StephenDeTomasi Sorry the section ordering is confusing. Basically, I was setting up everything before clicking enable on the WireGuard interface. You can do it in a different order and end up with the same outcome, of course.
      I know some users prefer things to be in a certain order while others said this was the only guide that seemed to work for them. I'm hoping to improve the video content over time.
      Thanks for your feedback!