# OPNsense Configuration

[OPNsense®](https://opnsense.org/) is an open source, feature rich firewall and routing platform, offering cutting-edge network protection.

## Defguard Gateway Configuration

This instruction helps configure Defguard Gateway in OPNsense. This is based on [WireGuard Road Warrior Setup](https://docs.opnsense.org/manual/how-tos/wireguard-client.html) from OPNsense documentation.

### Configure Defguard Gateway plugin

1. Go to **VPN → Defguard Gateway**
2. Fill out the appropriate values in the form. You can read more about the available configuration options here: [#gateway-configuration](https://docs.defguard.net/deployment-strategies/configuration#gateway-configuration "mention")
3. Finally, **Start/Restart** the service.

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-9a2f89076d509383361d32a0ad6f6461ce490d0b%2FOPNSense%20Plugin.png?alt=media" alt="OPNSense plugin"><figcaption></figcaption></figure>

{% hint style="info" %}
Defguard Gateway will create the given network interface automatically (for example *wg0*). The interface must be named according to the FreeBSD [WireGuard protocol driver](https://man.freebsd.org/cgi/man.cgi?query=wg\&sektion=4) convention (*wgN*).
{% endhint %}

### Assign a network interface to Defguard

A quote from [WireGuard Road Warrior Setup](https://docs.opnsense.org/manual/how-tos/wireguard-client.html):

{% hint style="info" %}
This step is not strictly necessary in any circumstances for a road warrior setup. However, it is useful to implement, for several reasons: First, it generates an alias for the tunnel subnet(s) that can be used in firewall rules. Otherwise you will need to define your own alias or at least manually specify the subnet(s). Second, it automatically adds an IPv4 outbound NAT rule, which will allow the tunnel to access IPv4 IPs outside of the local network (if that is desired), without needing to manually add a rule. Finally, it allows separation of the firewall rules of each WireGuard instance (each *wgX* device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance.
{% endhint %}

1. Go to **Interfaces → Assignments**
2. Under **Assign a new interface**, select the Defguard Gateway network interface (e.g. *wg0*)
3. Add a description, for example *ParisOfficeVPN*
4. Click **Add**

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-c4808269bc6282874364271405af6679096d598c%2FOPNSense-interface-assignments.png?alt=media" alt="Interface Assignments"><figcaption></figcaption></figure>

5. Select the newly created interface by clicking on its name (in this example *\[ParisOfficeVPN]*).
6. Select **Enable Interface**
7. Select **Prevent interface removal**
8. Click **Save**, and then **Apply changes**

### Create an outbound NAT rule

1. Go to **Firewall → NAT → Outbound**
2. Make sure the selected **Mode** is **Hybrid outbound NAT rule generation**; if it was not already selected, select it, click **Save** and then **Apply changes**
3. Under **Manual rules**, add a new rule by clicking **+**.
4. Select **Interface** – this should be either WAN or LAN, depending on your needs.
5. Select **TCP/IP version** – either IPv4 or IPv6.
6. Select **Source address** – this should be the interface name assigned above plus *net*, e.g. *ParisOfficeVPN net*.
7. Click **Save**, and then **Apply changes**

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-ca4725a37bcc9e44a759744d9abd5be662aaca6c%2FOPNSense-outbound-nat-rule.png?alt=media" alt="Outbound NAT rule"><figcaption></figcaption></figure>

### Add firewall rules to allow WireGuard traffic in

1. Go to **Firewall → Rules → WAN**
2. Click **+** (plus) to add a new rule
3. The rule should *Pass* the traffic *in* with the *quick* option enabled
4. Select **WAN** interface
5. Choose the desired **TCP/IP version**
6. Select **UDP** protocol.
7. Set **Destination** to **WAN address** and port to the port number provided in Defguard Core: *Location configuration → Gateway port*
8. Click **Save**, and then **Apply changes**

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-e678208f4cfe3e5b88853ab0e78dcf8e47ef0020%2FOPNSense-firewall-rule.png?alt=media" alt="Firewall rule"><figcaption></figcaption></figure>
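A post-configuration check for the three sections above (interface assignment, outbound NAT rule, WAN pass rule), written as an added example for the OPNsense shell; it is not part of the Defguard or OPNsense documentation. It assumes the WAN interface is *em0*, the tunnel interface *wg0*, the tunnel subnet *10.10.0.0/24* and the gateway port *51820* (all constructed values, overridable via environment variables), and it parses the rule dumps that `pfctl -sr` / `pfctl -sn` print on FreeBSD.

```shell
#!/bin/sh
# Verifies the OPNsense pieces configured above are actually loaded in pf.
# Assumed values (constructed for this example); override via environment.
WAN_IF="${WAN_IF:-em0}"
WG_IF="${WG_IF:-wg0}"
TUNNEL_NET="${TUNNEL_NET:-10.10.0.0/24}"
GW_PORT="${GW_PORT:-51820}"

# Succeeds when the ruleset on stdin holds a "pass in quick" UDP rule on
# the WAN interface ($1) for the gateway port ($2): the "allow WireGuard in" rule.
has_wan_pass_rule() {
    grep -E "^pass in quick on $1 inet6? proto udp .*port = $2"'( |$)' >/dev/null
}

# Succeeds when the NAT ruleset on stdin holds an outbound NAT rule that
# translates the tunnel subnet ($2) to the WAN interface ($1) address.
has_outbound_nat() {
    grep -E "^nat on $1 .*from $2 to any -> \($1" >/dev/null
}

if command -v pfctl >/dev/null 2>&1; then
    # Real box: pull the live pf rulesets (requires root).
    RULES=$(pfctl -sr 2>/dev/null)
    NAT=$(pfctl -sn 2>/dev/null)
    if ifconfig "$WG_IF" >/dev/null 2>&1; then
        echo "ok: interface $WG_IF exists"
    else
        echo "MISSING: interface $WG_IF (is the Defguard Gateway service running?)"
    fi
else
    # No pf here: constructed sample of what pfctl prints for this setup.
    RULES='pass in quick on em0 inet proto udp from any to (em0) port = 51820 keep state label "WireGuard in"'
    NAT='nat on em0 inet from 10.10.0.0/24 to any -> (em0) round-robin'
fi

if printf '%s\n' "$RULES" | has_wan_pass_rule "$WAN_IF" "$GW_PORT"; then
    echo "ok: WAN pass rule for UDP/$GW_PORT on $WAN_IF"
else
    echo "MISSING: WAN pass rule for UDP/$GW_PORT on $WAN_IF"
fi
if printf '%s\n' "$NAT" | has_outbound_nat "$WAN_IF" "$TUNNEL_NET"; then
    echo "ok: outbound NAT for $TUNNEL_NET via $WAN_IF"
else
    echo "MISSING: outbound NAT for $TUNNEL_NET via $WAN_IF"
fi
```

On a box without pf the script runs against the embedded constructed sample, which makes the checks easy to exercise before copying it to the firewall.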
