Wireguard Puffy to OPNsense
WG Tunnel between OpenBSD and OPNsense
How do you set up a WireGuard tunnel between OpenBSD and OPNsense? That's quite simple: generate a key pair on each side, exchange the public keys, and open UDP/51820 between the two public addresses.
OpenBSD
Install Packages
pkg_add wireguard-tools--
Generate Keys (one-liner)
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)
The umask keeps privatekey readable by root only; publickey is the value that goes into the OPNsense peer definition.
Build Interface
remote_ip="1.2.3.4"
remote_net="192.168.0.0/24"
# Use the private key generated above (wgkey must be the key whose public half you paste into OPNsense,
# otherwise the handshake silently never completes). The here-document is unquoted so that the variables
# and the command substitution are expanded now: /etc/netstart does not expand shell variables in hostname.if.
cat << EOF > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey $(cat privatekey)
wgport 51820
wgpeer xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip 10.0.0.2/32 wgaip ${remote_net}
inet 10.0.0.1/24
!route add ${remote_net} 10.0.0.2
up
EOF
chmod 0640 /etc/hostname.wg0
sh /etc/netstart wg0
ifconfig wg0
The peer's tunnel address (10.0.0.2/32) is listed as a wgaip next to the remote LAN: WireGuard drops packets whose source is not in the peer's allowed IPs, so without it the tunnel addresses themselves cannot be pinged. wg(4) does not install routes for allowed IPs, hence the explicit !route line. The file holds the private key, so it must not be world-readable (0640 root:wheel is what hostname.if(5) expects).
Update pf.conf
remote_ip = "1.2.3.4"
# skip on wg interface: traffic inside the tunnel is not filtered at all on this side.
# Drop wg0 from the skip list and write explicit pass rules if the remote site should only reach selected services.
set skip on { lo0 wg0 }
# WireGuard: only the OPNsense WAN address may talk to the listener (pf macros are written $name, not ${name})
pass in log quick inet proto udp from $remote_ip to (self) port 51820
Reload with pfctl -f /etc/pf.conf.
OPNsense
Install WireGuard
Menu System -> Firmware -> Plugins -> install os-wireguard
Menu VPN -> WireGuard -> General -> Enable WireGuard
(On OPNsense 24.1 and later WireGuard ships in the core and the "Local" and "Endpoints" tabs are named "Instances" and "Peers"; the fields are the same.)
Menu VPN -> WireGuard -> Local
- add item
- name: opnsense
- listen port: 51820
- tunnel address: 10.0.0.2/24
- save
Menu VPN -> WireGuard -> Endpoints
- add item
- name: openbsd
- public key: the public key generated on OpenBSD (contents of the publickey file)
- allowed IPs: the LAN subnet behind OpenBSD plus the OpenBSD tunnel address 10.0.0.1/32 (without the /32 the tunnel addresses cannot be pinged, because WireGuard drops packets whose source is not in the peer's allowed IPs)
- endpoint address: public IP of OpenBSD
- endpoint port: 51820
- save
Menu VPN -> WireGuard -> Local
- edit item: opnsense
- peers: openbsd
- save
Menu VPN -> WireGuard -> List Configuration
- copy the "public key" of wg0 to the OpenBSD host -> /etc/hostname.wg0 -> wgpeer: "xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx=", then re-run sh /etc/netstart wg0
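The one failure mode this setup has no error message for is a key mix-up: if the public key pasted into OPNsense does not belong to the private key in /etc/hostname.wg0 (for example because the key was regenerated after the publickey file was copied), both sides simply show no handshake. The script below is an added example, not code from the page or from the WireGuard project: it re-derives the public key from the private key exactly as `wg pubkey` does (X25519 over the base point 9, RFC 7748) in pure Python, checks its own arithmetic against the RFC 7748 section 6.1 test vectors, and then compares the two files written by the `wg genkey` one-liner above. The file names privatekey and publickey come from the page; the script name wgkeycheck.py is hypothetical.

```python
"""Re-derive a WireGuard public key from a private key (what `wg pubkey` does).

Added example: pure-Python X25519 (RFC 7748), self-tested against the RFC's own
vectors, used to confirm that the key pasted into OPNsense belongs to the
private key in /etc/hostname.wg0. Not code from the page or from WireGuard.
"""
import base64
import sys

P = 2**255 - 19                      # field prime
A24 = 121665                         # (486662 - 2) / 4, curve25519 ladder constant
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian, 32 bytes


def _clamp_scalar(k: bytes) -> int:
    """Scalar decoding from RFC 7748 section 5: clear low 3 bits and bit 255, set bit 254."""
    if len(k) != 32:
        raise ValueError("X25519 private key must be 32 bytes")
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """u-coordinate decoding: little-endian, most significant bit ignored."""
    if len(u) != 32:
        raise ValueError("X25519 u-coordinate must be 32 bytes")
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder exactly as written in RFC 7748 section 5."""
    k_int = _clamp_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hex_to_b64(h: str) -> str:
    """WireGuard keys are base64 on disk; the RFC vectors are hex."""
    return base64.b64encode(bytes.fromhex(h)).decode()


def wg_pubkey(private_b64: str) -> str:
    """Same result as `wg pubkey < privatekey`: base64(X25519(priv, 9))."""
    priv = base64.b64decode(private_b64.strip(), validate=True)
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """True if public_b64 is the public key of private_b64 (trailing newlines tolerated)."""
    return wg_pubkey(private_b64) == public_b64.strip()


# RFC 7748 section 6.1 test vectors (hex): Alice, Bob and their shared secret.
ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def self_test() -> bool:
    """Public-key derivation and the Diffie-Hellman shared secret must match the RFC."""
    ok = x25519(bytes.fromhex(ALICE_PRIV), BASEPOINT).hex() == ALICE_PUB
    ok = ok and x25519(bytes.fromhex(BOB_PRIV), BASEPOINT).hex() == BOB_PUB
    ok = ok and x25519(bytes.fromhex(ALICE_PRIV), bytes.fromhex(BOB_PUB)).hex() == SHARED
    ok = ok and x25519(bytes.fromhex(BOB_PRIV), bytes.fromhex(ALICE_PUB)).hex() == SHARED
    return ok


if __name__ == "__main__":
    # Usage: python3 wgkeycheck.py privatekey publickey   (files from the wg genkey one-liner)
    if not self_test():
        sys.exit("X25519 self-test failed")
    with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
        priv, pub = f.read(), g.read()
    print("match" if keypair_matches(priv, pub) else "MISMATCH: publickey does not belong to privatekey")
```

Run it on the OpenBSD host against the two files, or paste the wgkey value from /etc/hostname.wg0 into a file and compare it with the key shown for the "openbsd" endpoint in OPNsense. The self-test runs first so a broken interpreter or a typo in the ladder cannot produce a false "match".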
Menu Firewall -> Rules -> WAN
- add rule:
- PASS / WAN / IN / IPv4 / UDP
- SRC IP: public IP of OpenBSD
- DST IP: THIS-FIREWALL
- DST PORT: 51820
- LOG: YES
- save
Menu Firewall -> Rules -> WireGuard
- add rule:
- PASS / WIREGUARD / IN / IPv4 / ANY / ANY / LOG
This rule lets every host on the OpenBSD side reach every network behind OPNsense; once the tunnel works, narrow it to the source networks, destinations and ports the two sites actually need.
Verify the tunnel on both ends before testing LAN-to-LAN traffic: ifconfig wg0 on OpenBSD and VPN -> WireGuard -> List Configuration on OPNsense both show the last handshake time for the peer, and a ping from 10.0.0.1 to 10.0.0.2 must succeed. No handshake at all usually means a wrong public key on one side or UDP/51820 blocked on the way in.