OPNsense Configuration

OPNsense® is an open source, feature-rich firewall and routing platform, offering cutting-edge network protection.

Defguard Gateway Configuration

This guide explains how to configure Defguard Gateway in OPNsense. It is based on the WireGuard Road Warrior Setup from the OPNsense documentation.

Configure Defguard Gateway plugin

  1. Go to VPN → Defguard Gateway

  2. Fill out the appropriate values in the form. You can read more about the available configuration options here: Gateway Configuration

  3. Finally, start (or restart) the service.


Defguard Gateway creates the given network interface automatically (for example wg0). The interface must be named according to the naming used by the FreeBSD WireGuard protocol driver.

Assign a network interface to Defguard

A quote from the WireGuard Road Warrior Setup guide:

This step is not strictly necessary in any circumstances for a road warrior setup. However, it is useful to implement, for several reasons: First, it generates an alias for the tunnel subnet(s) that can be used in firewall rules. Otherwise you will need to define your own alias or at least manually specify the subnet(s). Second, it automatically adds an IPv4 outbound NAT rule, which will allow the tunnel to access IPv4 IPs outside of the local network (if that is desired), without needing to manually add a rule. Finally, it allows separation of the firewall rules of each WireGuard instance (each wgX device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance.

  1. Go to Interfaces → Assignments

  2. Under Assign a new interface, select the Defguard Gateway network interface (e.g. wg0)

  3. Add a description, for example ParisOfficeVPN

  4. Click Add

  1. Select the newly created interface by clicking on its name (in this example [ParisOfficeVPN]).

  2. Select Enable Interface

  3. Select Prevent interface removal

  4. Click Save, and then Apply changes

Create an outbound NAT rule

  1. Go to Firewall → NAT → Outbound

  2. Make sure the selected Mode is Hybrid outbound NAT rule generation; if it was not already selected, click Save and then Apply changes

  3. Under Manual rules, add a new rule by clicking +.

  4. Select Interface – this should be either WAN or LAN, depending on your needs.

  5. Select TCP/IP version – either IPv4 or IPv6.

  6. Select Source address – this should be the name of the interface assigned above followed by net, e.g. ParisOfficeVPN net.

  7. Click Save, and then Apply changes


Add firewall rules to allow WireGuard traffic in

  1. Go to Firewall → Rules → WAN

  2. Click + (plus) to add a new rule

  3. The rule should Pass traffic in the in direction, with the quick option enabled

  4. Select WAN interface

  5. Choose the TCP/IP version you need

  6. Select UDP protocol.

  7. Set Destination to WAN address and the destination port to the port number configured in Defguard Core under Location configuration → Gateway port

  8. Click Save, and then Apply changes

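As an added example (not part of the OPNsense or Defguard documentation), the following POSIX shell script verifies from `ifconfig` and `pfctl` output that the three results of the procedure above are in place: the WireGuard interface is up, an outbound NAT rule covers the tunnel subnet, and a "pass in quick" UDP rule on WAN admits the gateway port. The interface name wg0, WAN NIC vtnet0, tunnel subnet 10.6.0.0/24 and gateway port 51820 are assumed values; the sample output is constructed so the script also runs off the firewall.

```shell
#!/bin/sh
# Added example, not from the OPNsense or Defguard documentation.
# Checks, from pf and ifconfig output, that the steps above took effect.
# Assumed values (adjust to your installation): WireGuard interface wg0,
# WAN NIC vtnet0, tunnel subnet 10.6.0.0/24, gateway UDP port 51820.

# check_wg_if IFCONFIG_OUTPUT WGIF -> 0 if the wg interface exists and is UP
check_wg_if() {
    printf '%s\n' "$1" | grep -Eq "^$2: flags=[0-9a-f]*<UP[,>]"
}

# check_outbound_nat PFCTL_SN_OUTPUT WANIF WGNET -> 0 if a NAT rule on WANIF
# translates traffic sourced from the tunnel subnet (outbound NAT step)
check_outbound_nat() {
    printf '%s\n' "$1" | grep -Eq "^nat on $2 inet6? from $3 to"
}

# check_wan_pass PFCTL_SR_OUTPUT WANIF PORT -> 0 if a "pass in quick" UDP
# rule on WANIF admits the gateway port (firewall rule step)
check_wan_pass() {
    printf '%s\n' "$1" \
      | grep -Eq "^pass in quick on $2 inet6? proto udp .* port[^0-9]*$3([^0-9]|\$)"
}

# Constructed sample output, shaped like FreeBSD/OPNsense output, for offline runs.
SAMPLE_IFCONFIG='wg0: flags=80c1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420'
SAMPLE_NAT='nat on vtnet0 inet from 10.6.0.0/24 to any -> (vtnet0:0) port 1024:65535'
SAMPLE_RULES='pass in quick on vtnet0 inet proto udp from any to (vtnet0) port = 51820 keep state label "WireGuard in"
block drop in quick on vtnet0 inet proto udp from any to (vtnet0) port = 51821'

# On the OPNsense host itself (FreeBSD, run as root) use live state instead.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    SAMPLE_IFCONFIG=$(ifconfig wg0 2>/dev/null)
    SAMPLE_NAT=$(pfctl -sn 2>/dev/null)
    SAMPLE_RULES=$(pfctl -sr 2>/dev/null)
fi

report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; fi; }
report check_wg_if "$SAMPLE_IFCONFIG" wg0
report check_outbound_nat "$SAMPLE_NAT" vtnet0 10.6.0.0/24
report check_wan_pass "$SAMPLE_RULES" vtnet0 51820
```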
