# OPNsense Configuration

[OPNsense®](https://opnsense.org/) is an open source, feature rich firewall and routing platform, offering cutting-edge network protection.

## Defguard Gateway Configuration

This guide explains how to configure Defguard Gateway in OPNsense. It is based on the [WireGuard Road Warrior Setup](https://docs.opnsense.org/manual/how-tos/wireguard-client.html) from the OPNsense documentation.

### Configure Defguard Gateway plugin

1. Go to **VPN → Defguard Gateway**
2. Fill out the appropriate values in the form. You can read more about the available configuration options here: [Configuration](/1.4/deployment-strategies/configuration.md#gateway-configuration)
3. Finally, **Start/Restart** the service.

<figure><img src="/files/3BLwWdtocrFSSnMkVLgd" alt="OPNSense plugin"><figcaption></figcaption></figure>

### Assign a network interface to Defguard

1. Go to **Interfaces → Assignments**
2. Under **Assign a new interface**, select the Defguard Gateway network interface (e.g. *wg0*)
3. Add a description, for example *ParisOfficeVPN*
4. Click **Add**

<figure><img src="/files/EBZ4iojfoc6qUyeQSyhs" alt="Interface Assignments"><figcaption></figcaption></figure>

5. Select the newly created interface by clicking on its name (in this example *\[ParisOfficeVPN]*).
6. Select **Enable Interface**
7. Select **Prevent interface removal**
8. Click **Save**, and then **Apply changes**

### Create an outbound NAT rule

1. Go to **Firewall → NAT → Outbound**
2. Make sure the selected **Mode** is **Hybrid outbound NAT rule generation**; if it was not already selected, select it, click **Save**, and then **Apply changes**
3. Under **Manual rules**, add a new rule by clicking **+**.
4. Select **Interface** – this should be either WAN or LAN, depending on your needs.
5. Select **TCP/IP version** – either IPv4 or IPv6.
6. Select **Source address** – this should be the interface name assigned above plus *net*, e.g. *ParisOfficeVPN net*.
7. Click **Save**, and then **Apply changes**

<figure><img src="/files/BJ0zJaN7Q4MS6WX905Ha" alt="Outbound NAT rule"><figcaption></figcaption></figure>

### Add firewall rules to allow WireGuard traffic in

1. Go to **Firewall → Rules → WAN**
2. Click **+** (plus) to add a new rule
3. The rule should *Pass* the traffic *in* with the *quick* option enabled
4. Select the **WAN** interface
5. Choose the **TCP/IP version** you need
6. Select the **UDP** protocol.
7. Set **Destination** to **WAN address** and the port to the port number provided in Defguard Core: *Location configuration → Gateway port*
8. Click **Save**, and then **Apply changes**

<figure><img src="/files/Tm4aGV0cGLVAzJ288Hxp" alt="Firewall rule"><figcaption></figcaption></figure>

