OPN-UserGuide

HowTo: OPNsense using Wireguard with IPv6 support


This will be an updated version of this guide. Once it's complete, it will be moved to the Guides forum.
Furthermore, this is work in progress. Not sure how long it will take me to finish this guide, might be a few hours or days... who knows :D

 

Disclaimer

In general, DO NOT TRUST ME! I'm not a security expert. I do not know what I'm doing here! 


This guide is based on:

  • OPNsense 24.7.12_4-amd64
  • FreeBSD 14.1-RELEASE-p6
  • OpenSSL 3.0.15

Update: 2025-02-27: I updated to the latest version and this Guide is still correct
 
  • OPNsense 25.1.1-amd64
  • FreeBSD 14.2-RELEASE-p1
  • OpenSSL 3.0.16

It should work in previous and future versions of OPNsense, but I can't guarantee it ;)

This guide is based on the official Instructions but requires modification: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

1. Preparation (not required if you access the firewall from LAN)

Some advice here… Opening the WAN interface to allow administration is not good! I am doing this because the firewall sits in my private LAN, and I'm not doing any port forwarding on my main router! If your firewall is connected directly to the internet, do not do this!
Again, in general, DO NOT TRUST ME! I'm not a security expert. I do not know what I'm doing here!


Now that you know it…

1.1 Deselect "Block private networks" and "Block bogon networks" in Interfaces → WAN. After doing so: hit save and “Apply changes”.

1.2 Select "Disable reply-to" in Firewall → Settings → Advanced. Hit save at the end.

1.3 Add an incoming WAN rule to allow administration. Go to Firewall → Rules → WAN

Add a TCP rule from "WAN net" to "This Firewall" on HTTPS.

2. Information gathering.

We'll grab some info that we need to configure the WireGuard Tunnel.
 

2.1 Log in to the AirVPN website.
2.2 Go to VPN Devices.
2.3 Add a new device.
2.4 Go to Config Generator.
2.5 In "Choose your OS" select "router".
2.6 In "Choose protocols" select "WireGuard".
2.7 In "Choose your device/connection" select the device you have created in 2.3.
2.8 Select your country under "By Countries". I selected Germany this time.
2.9 Scroll way down and download your config.


This is an example of a WireGuard config:
(the keys and IP are random and will not work, use your own)

[Interface]
Address = 10.10.10.10/32
PrivateKey = X72xgdx23XDomnSXmcy#S4Jc#9Y5G*vU$wg^n499yn6
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = VTSQ77Uk4^&RY4h%S$#9h8PR2T&xyya&yPTtk6oD^m$
PresharedKey = b7&&7bntmCS5q%&4J*mSKBAUvV4XEqHerwscvbappXQ
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

 

3. Setup IPv6 base configuration on your LAN.

We need to ensure that IPv6 communication is working on your LAN interface before we establish the VPN tunnel. Please note that I do not have an IPv6 address configured on my WAN interface to be distributed to LAN for security. Instead, I use a ULA address on the LAN network. For those who do not know what ULA addresses are, these are the IPv6 equivalent to IPv4 private addresses like 10.x or 192.168.x. They are only routable on the LAN, and you will not be able to use them to reach an IPv6 destination on the internet.

3.1 WAN

3.1.1 Go to Interfaces → WAN

The WAN interface looks like this:
Screenshot-2025-02-23-200418.png


3.2 LAN

3.2.1 Go to Interfaces → LAN

The LAN interface looks like this in the upper section:
Screenshot-2025-02-23-195905.png

Now we set up the IPv6 Configuration.

3.2.2 Generate yourself a ULA address using this site: https://unique-local-ipv6.com/
3.2.3 Enter the IPv6 network you have generated into the “IPv6 address” field and add “::1” at the end.
Screenshot-2025-02-23-195930.png

Hit Save.

3.3 LAN DHCP IPv6


3.3.1 Go to Services → ISC DHCPv6 → LAN
3.3.2 In the Range section, under “from”, add your IPv6 network address from 3.2.2 and append “::1000”. In the “to” field, add your IPv6 network address again, this time appending “::2000”.

Screenshot-2025-02-23-202918.png

Hit Save at the bottom of the page.

3.4 Router advertisement


3.4.1 Go to Services → Router Advertisement → LAN
3.4.2 Set Router Advertisements to Managed

Screenshot-2025-02-23-205324.png

Hit Save at the bottom of the page.
 

3.5 Test IPv6 configuration


Now you should test if you can ping the OPNsense firewall IPv6 address from the LAN.

3.5.1 Connect a client to the LAN
3.5.2 On Linux or Windows, open a terminal and type ping -6 followed by the IPv6 address from 3.2.1 ending with ::1, like “ping -6 fd2d:7173:d519::1”.

This needs to be successful! If this is not successful, fix it! Only continue once this is successful!!!
 

4. WireGuard configuration.

In the current version of OPNsense, you do not need to install the WireGuard plugin; it is already installed.

4.1 Peer configuration

 
4.1.1 In OPNsense go to VPN → WireGuard → Peers.
4.1.2 Create a peer with the following information:

4.1.3 Name: wg_airvpn_<country code>. Mine is called WG-AirVPN-DE
4.1.4 Public key: <PublicKey under heading [Peer] of your generated WG Config>
4.1.5 Pre-shared key <presharedKey under heading [Peer] of your generated WG Config>
4.1.6 Allowed IPs: 0.0.0.0/0 and ::/0 for IPv6 support
4.1.7 Endpoint Address: <Endpoint under heading [Peer] of your generated WG Config>
4.1.8 Endpoint port: 1637 (default port)
4.1.9 Keepalive interval: 15 (default interval)

Screenshot-2025-02-27-133915.png
 

4.2 Instance configuration


4.2.1 In OPNsense go to VPN → Wireguard → Settings → Instances
4.2.2 Create an instance with the following information:

4.2.3 Enable Advanced Mode. (upper left corner)
4.2.4 Name: <Endpoint Name i.e. WG-Inst-AirVPN-DE>
4.2.5 Private Key: <PrivateKey under heading [Interface] of your generated WG Config>
4.2.6 MTU: 1320
4.2.7 DNS servers <DNS Servers of your generated WG Config>
4.2.8 Tunnel Address: <Address including /32 under heading [Interface] of your generated WG Config>
Please review the screenshot below. For IPv6 add the given address and instead of /128 choose /64 to reach the gateway for gateway monitoring.
4.2.9 Peers: <select peer that you created with step 4.1>
4.2.10 Disable routes: Enabled.
4.2.11 Gateway: 10.128.0.1

Hit Save

Screenshot-2025-02-27-161544.png

4.3 Enable WireGuard configuration

Go to VPN → Wireguard → Instance and click on "Enable WireGuard"


Screenshot-2025-02-27-163405.png

 

4.4 Assign WireGuard Interface

 

4.4.1 In OPNsense go to Interfaces → Assignments
4.4.2 You'll find a “wg0(WireGuard - WG-Inst-AirVPN-DE)” (or similar) interface.
4.4.3 Type a description (I've picked “[IntAirVPNDE]”) and click Add.

Screenshot-2025-02-27-163958.png


4.5 Enable the Interface

4.5.1 Interfaces → Assignments → [IntAirVPNDE]

4.5.2 Enable: Enable the Interface.


No further configuration required. Ensure the “Block private networks” and “Block bogon networks” options are not selected, as shown below.


Screenshot-2025-02-27-164548.png

4.6 Create a gateway - IPv4

 

4.6.1 In OPNsense go to System → Gateways → Configuration
4.6.2 Add a Gateway with the following information:
4.6.3 Name: GW-AirVPN-DE-v4
4.6.4 Interface: Select IntAirVPNDE as created in step 4.4
4.6.5 Address Family: IPv4
4.6.6 IP address: Dynamic 10.128.0.1
4.6.7 Far Gateway: Enabled
4.6.8 Disable Gateway Monitoring: Disabled.
4.6.9 Monitor IP: 10.128.0.1


Screenshot-2025-02-27-165531.png
 

The rest is coming soon...
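As an added example (not part of this post, and not OPNsense's or AirVPN's own code), a small Python script that reads a config in the layout shown in step 2 and turns it into the values entered in steps 3, 4.1 and 4.2: it checks that the keys really are 32-byte WireGuard keys, splits the endpoint into host and port, adds ::/0 to the allowed IPs, and derives the ::1 firewall address and the ::1000-::2000 DHCPv6 range from a ULA /64. The sample config and its keys are constructed placeholders; the ULA prefix used below is the one from step 3.5.2.

```python
import base64
import configparser
import ipaddress
K = [base64.b64encode(bytes([i]) * 32).decode() for i in (1, 2, 3)]  # constructed placeholder keys
SAMPLE_CONF = f"""[Interface]
Address = 10.10.10.10/32
PrivateKey = {K[0]}
MTU = 1320
DNS = 10.128.0.1
[Peer]
PublicKey = {K[1]}
PresharedKey = {K[2]}
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
"""
def parse_wg_conf(text):  # WireGuard configs are plain INI files
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep CamelCase keys such as PrivateKey
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}
def valid_key(b64):  # a WireGuard key is exactly 32 bytes, base64 encoded (44 chars)
    try:
        return len(b64) == 44 and len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def opnsense_fields(text):  # map the config onto the Peer (4.1) and Instance (4.2) fields
    c = parse_wg_conf(text)
    iface, peer = c["Interface"], c["Peer"]
    for sect, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey"), ("Peer", "PresharedKey")):
        if not valid_key(c[sect][key]):
            raise ValueError(f"{key} is not a valid 32-byte base64 key")
    host, _, port = peer["Endpoint"].rpartition(":")  # 4.1.7 and 4.1.8 are separate fields
    allowed = [a.strip() for a in peer["AllowedIPs"].split(",")]
    if "::/0" not in allowed:
        allowed.append("::/0")  # 4.1.6: also route IPv6 through the tunnel
    return {"peer": {"public_key": peer["PublicKey"], "psk": peer["PresharedKey"],
                     "allowed_ips": allowed, "endpoint": host, "port": int(port)},
            "instance": {"private_key": iface["PrivateKey"], "mtu": int(iface["MTU"]),
                         "dns": iface["DNS"], "tunnel_address": iface["Address"],
                         "gateway": iface["DNS"]}}  # 4.2.11 and 4.6.6 use the DNS address

def lan_ipv6_plan(ula_prefix):  # step 3: ::1 for the firewall, ::1000-::2000 for DHCPv6
    net = ipaddress.IPv6Network(ula_prefix)
    if net.prefixlen != 64 or not net.subnet_of(ipaddress.IPv6Network("fc00::/7")):
        raise ValueError("expected a /64 inside fc00::/7 (unique local addresses)")
    base = int(net.network_address)
    return {k: str(ipaddress.IPv6Address(base + off))
            for k, off in (("firewall", 1), ("dhcp_from", 0x1000), ("dhcp_to", 0x2000))}
```

The keys printed in the post's example config would be rejected by valid_key, since they are not base64; a downloaded AirVPN config passes.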

On 2/23/2025 at 6:07 PM, OPN-UserGuide said:

I do not have permissions to write into the HowTo Forum, so any mod, please move this guide. Thanks.
Furthermore, this is work in progress. Not sure how long it will take me to finish this guide, might be a few Hours or days... who knows :D


That forum is not for untested, WIP guides. :) Finish it, incorporate others' feedback, then it might get moved if verified to work.
Please also make it clear why you wish to write another guide if the existing one still works.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

19 hours ago, OpenSourcerer said:

That forum is not for untested, WIP guides. :) Finish it, incorporate others' feedback, then it might get moved if verified to work.
Please also make it clear why you wish to write another guide if the existing one still works.

Sure, will complete it and let others test it.
It's a re-write of some areas to incorporate IPv6 support and correct the WireGuard setup, which was working but not optimally configured.
Also, one or two firewall rules were incorrect, as pointed out by one user. The old guide can then be retired, but I'll let you know when this is the case.


Erm, are you the user @Sj0rs, or why are you writing as if the other guide lost its right of existence just because you're writing another? Seems cruel to me to spell it like that, to be honest with you.


