
OPNsense Configuration

OPNsense® is an open source, feature rich firewall and routing platform, offering cutting-edge network protection.

Installing OPNsense plugin

To run Defguard Gateway as an OPNsense plugin:

  1. On the release page, find and download the OPNsense package, which will be named defguard-gateway_VERSION_x86_64-unknown-opnsense.pkg. This package includes both Defguard Gateway and the OPNsense plugin.

  2. Install the package:

    pkg add defguard-gateway_VERSION_x86_64-unknown-opnsense.pkg

  3. Refresh the OPNsense user interface by running the command below:

    opnsense-patch

  4. In a web browser, open the OPNsense user interface and navigate to VPN → Defguard Gateway.

Defguard Gateway Configuration

These instructions configure Defguard Gateway in OPNsense. They are based on the WireGuard Road Warrior Setup from the OPNsense documentation.

Configure Defguard Gateway plugin

  1. Go to VPN → Defguard Gateway

  2. Fill out the appropriate values in the form. You can read more about the available configuration options here: Configuration

  3. Finally, Start/Restart the service.

Assign a network interface to Defguard

  1. Go to Interfaces → Assignments

  2. Under Assign a new interface, select the Defguard Gateway network interface (e.g. wg0)

  3. Add a description, for example ParisOfficeVPN

  4. Click Add

Interface Assignments
  5. Select the newly created interface by clicking on its name (in this example [ParisOfficeVPN]).

  6. Select Enable Interface

  7. Select Prevent interface removal

  8. Click Save, and then Apply changes

Create an outbound NAT rule

  1. Go to Firewall → NAT → Outbound

  2. Make sure the selected Mode is Hybrid outbound NAT rule generation; if it was not already selected, select it, click Save, and then Apply changes

  3. Under Manual rules, add a new rule by clicking +.

  4. Select Interface – this should be either WAN or LAN, depending on your needs.

  5. Select TCP/IP version – either IPv4 or IPv6.

  6. Select Source address – this should be the interface name assigned above followed by net, e.g. ParisOfficeVPN net.

  7. Click Save, and then Apply changes

Outbound NAT rule

Add firewall rules to allow WireGuard traffic in

  1. Go to Firewall → Rules → WAN

  2. Click + (plus) to add a new rule

  3. The rule should Pass inbound traffic (direction in), with the quick option enabled

  4. Select WAN interface

  5. Choose the TCP/IP version you need

  6. Select UDP protocol.

  7. Set Destination to WAN address, and set the destination port to the port number provided in Defguard Core: Location configuration → Gateway port

  8. Click Save, and then Apply changes
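
To confirm from the OPNsense shell that the WAN rule ended up as narrow as the steps above describe (UDP only, destination WAN address, the Gateway port), the following check can be run over pfctl -sr output. It is an added example, not part of the Defguard or OPNsense documentation; the device name vtnet0, the port 51820 and the sample rule lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit `pfctl -sr` output for the WAN rule described above.
# On the firewall: pfctl -sr | check_wg_rule vtnet0 51820
# vtnet0 (WAN device) and 51820 (Gateway port) are assumed values.

# Reads pf rules on stdin. Prints one of: ok, missing, dest-any, tcp-open.
# Returns 0 only for "ok".
check_wg_rule() {
    awk -v ifc="$1" -v port="$2" '
        $1 == "pass" && $2 == "in" {
            onif = proto = dst = dport = ""; seen_to = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "on") onif = $(i + 1)
                else if ($i == "proto") proto = $(i + 1)
                else if ($i == "to") { dst = $(i + 1); seen_to = 1 }
                # Only a port that follows "to" is the destination port.
                else if (seen_to && $i == "port" && $(i + 1) == "=") dport = $(i + 2)
            }
            if (onif != ifc || dport != port) next
            if (proto == "tcp") tcp = 1              # WireGuard only needs UDP
            else if (proto == "udp" && dst == "any") any = 1
            else if (proto == "udp") ok = 1
        }
        END {
            if (tcp) { print "tcp-open"; exit 3 }    # TCP/UDP chosen instead of UDP
            if (any) { print "dest-any"; exit 2 }    # Destination left at any
            if (!ok) { print "missing"; exit 1 }     # no matching rule on WAN
            print "ok"
        }'
}

# Constructed sample lines in the general shape of `pfctl -sr` output.
sample_rules() {
    cat <<'EOF'
block drop in log inet all label "default deny"
pass in quick on vtnet0 reply-to (vtnet0 192.0.2.1) inet proto udp from any to (vtnet0) port = 51820 keep state
pass in quick on vtnet1 inet from (vtnet1:network) to any flags S/SA keep state
EOF
}

sample_rules | check_wg_rule vtnet0 51820
```

pfctl prints well-known ports by service name rather than number, so pass the name as the second argument if the Gateway port is one of those.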
