WireGuard works very well in OPNsense, at least since version 25.7.3 (Sept 9, 2025). The problems described below, encountered when attempting to run WireGuard in 24.1.2, may well have been fixed before September 9th. In any case, disregard the main conclusion of this post, that one needs to wait for a fix to OPNsense before running its built-in WireGuard VPN service, as long as a recent enough version of OPNsense is used.
Posts describing important changes made to the OPNsense firewall are slowly being added to the site. For the time being these are in French, but the browser translations are rather good. The status of these is available in Annonce de la revue du réseau (Network Review Announcement). One of the upcoming posts will be about enabling the built-in WireGuard server in OPNsense.

A WireGuard VPN server has been running on our home network since June 2019. It was initially installed on a Raspberry Pi 3 B with Raspbian Stretch. Since that small computer hosted the home automation system, it was on at all times and thus ensured that the VPN fulfilled its two tasks.
- The VPN must provide secure and encrypted unfettered access at all times to all the domestic network devices from the Internet.
- The VPN must provide a secure and encrypted first-hop IP link when using a public hot-spot. Basically, it provides increased protection from man-in-the-middle attacks that might occur in a cybercafe.
WireGuard has been updated many times in the last five years as chronicled here. Currently it is installed on a converted Android TV Box running Armbian 23.11.
In 2021, a backup WireGuard was installed in an OpenMediaVault 5.6 NAS box. The configuration was independent of OMV and done much like on the Pi. Now, the NAS is running OMV 7.2 with the openmediavault-wireguard 7.0 plugin. It is a backup VPN since the NAS is not necessarily always on.
In the last few weeks the local network has undergone major changes which included the addition of an OPNsense firewall. One of the features of the new infrastructure is that all home automation devices are in a segregated virtual local area network. As a consequence, the WireGuard instance running on the home automation system no longer has access to the rest of the network, which includes the NAS. Port forwarding to the two WireGuard servers has been implemented as explained in OPNsense NAT Port Forwarding. Nevertheless, there is no VPN with access to the complete home network which is guaranteed to be available at all times.
The obvious solution, which was the goal from the beginning, is to install WireGuard on the OPNsense firewall. However, all third-party tutorials on setting up WireGuard found so far begin with an out-of-date reference to installing an os-wireguard plugin. It seems that the plugin was removed with version 24.1.2 because WireGuard was integrated into the core. It can be found by searching for "wireguard" or by going to VPN » WireGuard in the Web interface. I decided to follow the OPNsense WireGuard Road Warrior Setup instructions. I am no warrior, road or otherwise, but the description is exactly what I want.
This how-to describes setting up a central WireGuard Instance (server) on OPNsense and configuring one or more client peers to create a tunnel to it.
I'll make a few observations about the procedure.
- The installation is considerably more complicated than any other I have seen, including the installation with a plugin in OMV 7.0 in a similar environment and the initial installation back in 2019 on a Raspberry Pi 1.2 that required compiling the WireGuard package.
- The process is not helped by the documentation which does not match the configuration options available in OPNsense 24.1.8.
- The undocumented (but see this video) Peer generator is similar to what is found in the OMV 7 WireGuard plugin and the faicker/Mihalko user management script I have been using with the single board computer installations of WireGuard. As far as I can make out, it only provides a snapshot of the "client" configuration without saving it.
- Completing the process actually stopped all traffic through the firewall.
Of course, that last point was most disconcerting. There are many steps in the installation and hence many opportunities for user errors. Indeed, careful verification of what had been done did turn up small errors, but the corrections did not restore the firewall to a working state. It was getting quite late, so I restored the system, which was easy thanks to OPNsense's excellent capabilities in that respect.
This morning I found a reddit post by theseus1980 with a link to an OPNsense forum post by the same author. It contains the following statement.
I took the "WireGuard Road Warrior Setup" guide and followed the instructions. As it happened last time I tried to add a new Wireguard instance and interface, then my whole network went down.
It's good to see that I was not alone. theseus1980 goes on to describe his findings. The comments to the reddit post and the "Wireguard point-to-site handshake broken due to route not added in routing table" issue in the OPNsense core GitHub repository are also fascinating reading, even if it is mostly above my pay scale.
Reading all this confirmed that the WireGuard VPN is currently broken at least for some use cases. However the problem is known and knowledgeable people are working on finding a solution. It's probably best to wait a little while until the bugs are shaken out or my understanding of how OPNsense works improves before trying to configure WireGuard on the firewall again. In the meantime, I'll rely on the two instances of WireGuard already running on the local network.
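A sanity check for the symptom named in that GitHub issue, added here and not taken from the original post or from the OPNsense project: it parses FreeBSD-style `netstat -rn` output (the excerpts below are constructed, not output from the author's firewall) and reports whether the WireGuard tunnel subnet has a route that leaves through the WireGuard interface. The subnet 10.10.10.0/24 and the interface name wg0 are assumed placeholders.

```shell
# Constructed FreeBSD/OPNsense "netstat -rn -f inet" excerpts (not real output).
# Columns: Destination  Gateway  Flags  Netif  Expire
ROUTES_OK='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.10.10.0/24      link#5             U           wg0
10.10.10.1         link#5             UHS         lo0
192.168.1.0/24     link#2             U           em1'

# Same table, but the tunnel route never made it into the kernel.
ROUTES_BROKEN='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
192.168.1.0/24     link#2             U           em1'

# wg_route_present ROUTES SUBNET IFACE
# Returns 0 when the routing-table text in $1 has a route for SUBNET whose
# outgoing interface (4th column) is IFACE, and 1 otherwise.
wg_route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
        $1 == net && $4 == ifc { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_wg_route SUBNET IFACE
# Live check on a FreeBSD/OPNsense host (assumed: run from a root shell).
check_wg_route() {
    if wg_route_present "$(netstat -rn -f inet)" "$1" "$2"; then
        echo "OK: route for $1 via $2 is present"
    else
        echo "MISSING: no route for $1 via $2; tunnel peers will not be reachable"
        return 1
    fi
}
```

Run `check_wg_route 10.10.10.0/24 wg0` on the firewall after enabling the instance; a MISSING verdict while the interface is up points at the routing problem rather than at a peer or key error.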
Actually, 3 WireGuard servers are running on the system, but that's another story.