OPN-UserGuide

HowTo: OPNsense using Wireguard with IPv6 support


This will be an updated version of this guide. I do not have permissions to write into the HowTo forum, so any mod, please move this guide. Thanks.
Furthermore, this is work in progress. Not sure how long it will take me to finish this guide, might be a few hours or days... who knows :D

 

Disclaimer

In general, DO NOT TRUST ME! I'm not a security expert. I do not know what I'm doing here! 


This guide is based on:

  • OPNsense 24.7.12_4-amd64
  • FreeBSD 14.1-RELEASE-p6
  • OpenSSL 3.0.15

It should work in previous and future versions of OPNsense, but I can't guarantee it ;)

This guide is based on the official instructions but requires modification: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

1. Preparation (not required if you access the firewall from LAN)

Some advice here… Opening the WAN interface to allow administration is not good! I am doing this because the firewall sits in my private LAN, and I'm not doing any port forwarding on my main router! If your firewall is connected directly to the internet, do not do this!
Again, in general, DO NOT TRUST ME! I'm not a security expert. I do not know what I'm doing here!


Now that you know it…

1.1 Deselect "Block private networks" and "Block bogon networks" in Interfaces → WAN. After doing so: hit save and “Apply changes”.
[Screenshot: Interfaces → WAN with "Block private networks" and "Block bogon networks" deselected]

1.2 Select "Disable reply-to" in Firewall → Settings → Advanced. Hit save at the end.
[Screenshot: Firewall → Settings → Advanced with "Disable reply-to" selected]

1.3 Add incoming WAN rule to allow administration. Go to Firewall → Rules → WAN

Add a TCP rule from "WAN net" to "This Firewall" on HTTPS.
[Screenshot: Firewall → Rules → WAN with the new HTTPS administration rule]

2. Information gathering.

We'll grab some info that we need to configure the WireGuard Tunnel.
 

2.1 Log in to the AirVPN website.
2.2 Go to VPN Devices.
2.3 Add a new device.
2.4 Go to Config Generator.
2.5 In "Choose your OS" select "router".
2.6 In "Choose protocols" select "WireGuard".
2.7 In "Choose your device/connection" select the device you created in 2.3.
2.8 Select your country under "By Countries". I selected Germany this time.
2.9 Scroll way down and download your config.


This is an example of a WireGuard config:
(the keys and IP are random and will not work, use your own)

[Interface]
Address = 10.10.10.10/32
PrivateKey = X72xgdx23XDomnSXmcy#S4Jc#9Y5G*vU$wg^n499yn6
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = VTSQ77Uk4^&RY4h%S$#9h8PR2T&xyya&yPTtk6oD^m$
PresharedKey = b7&&7bntmCS5q%&4J*mSKBAUvV4XEqHerwscvbappXQ
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
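Before loading a downloaded config into OPNsense it is worth checking it the way the WireGuard tool itself would: keys must be 32 bytes of base64, the endpoint needs a valid port, and, because WireGuard only sends a packet to a peer whose AllowedIPs contains the destination, a config that lists only 0.0.0.0/0 will never carry IPv6 through the tunnel. The following checker is an added example, not code from the post or from AirVPN/OPNsense; it uses the post's placeholder config (constructed sample, keys are random text) and reports which of these checks pass.

```python
import base64
import configparser
import ipaddress

# Constructed sample: the same placeholder config as in the post.
# The keys are random text, not real key material, so the key checks below fail on purpose.
SAMPLE_CONF = """\
[Interface]
Address = 10.10.10.10/32
PrivateKey = X72xgdx23XDomnSXmcy#S4Jc#9Y5G*vU$wg^n499yn6
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = VTSQ77Uk4^&RY4h%S$#9h8PR2T&xyya&yPTtk6oD^m$
PresharedKey = b7&&7bntmCS5q%&4J*mSKBAUvV4XEqHerwscvbappXQ
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
"""


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into {'Interface': {...}, 'Peer': {...}}."""
    # interpolation=None: base64 keys may contain '%', which configparser would otherwise try to expand
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the CamelCase option names WireGuard uses
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def key_format_ok(value):
    """A WireGuard key is 32 raw bytes, base64-encoded: exactly 44 characters ending in '='.
    This checks only the encoding, not the strength or origin of the key."""
    if len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error (non-alphabet characters) is a ValueError
        return False


def check_wg_conf(text):
    """Return the sanity findings a practitioner wants before loading the config."""
    conf = parse_wg_conf(text)
    iface, peer = conf["Interface"], conf["Peer"]

    host, _, port = peer["Endpoint"].rpartition(":")
    port = int(port)
    allowed = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    mtu = int(iface.get("MTU", 1420))  # 1420 is WireGuard's default interface MTU

    return {
        "tunnel_address": str(ipaddress.ip_interface(iface["Address"])),
        "private_key_ok": key_format_ok(iface["PrivateKey"]),
        "peer_key_ok": key_format_ok(peer["PublicKey"]),
        "psk_ok": key_format_ok(peer["PresharedKey"]) if "PresharedKey" in peer else None,
        "endpoint": (host, port),
        "endpoint_port_ok": 1 <= port <= 65535,
        # Cryptokey routing: only destinations inside AllowedIPs are sent to this peer,
        # so a missing ::/0 means IPv6 never enters the tunnel (and could leak elsewhere).
        "ipv4_default_route": any(n.version == 4 and n.prefixlen == 0 for n in allowed),
        "ipv6_default_route": any(n.version == 6 and n.prefixlen == 0 for n in allowed),
        # 1280 is the IPv6 minimum MTU; the UDP/IP encapsulation overhead is why 1320 is a safe choice
        "mtu": mtu,
        "mtu_ok": 1280 <= mtu <= 1500,
    }


if __name__ == "__main__":
    for name, value in check_wg_conf(SAMPLE_CONF).items():
        print(f"{name:20} {value}")
```

Run against the post's placeholder config, all three key checks come back False (as the post says, those keys will not work) and "ipv6_default_route" is False; a config meant to carry IPv6 needs "AllowedIPs = 0.0.0.0/0, ::/0".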

 

3. Setup IPv6 base configuration on your LAN.

We need to ensure that IPv6 communication is working on your LAN interface before we establish the VPN tunnel. Please note that I do not have an IPv6 address configured on my WAN interface to be distributed to LAN for security. Instead, I use a ULA address on the LAN network. For those who do not know what ULA addresses are, these are the IPv6 equivalent of IPv4 private addresses like 10.x or 192.168.x. They are only routable inside your own network, and you will not be able to use them to reach an IPv6 destination on the internet.

3.1 WAN

3.1.1 Go to Interfaces → WAN

The WAN interface looks like this:
[Screenshot: Interfaces → WAN]


3.2 LAN

3.2.1 Go to Interfaces → LAN

The LAN interface looks like this in the upper section:
[Screenshot: Interfaces → LAN, upper section]

Now we set up the IPv6 Configuration.

3.2.2 Generate a ULA prefix for yourself using this site: https://unique-local-ipv6.com/
3.2.3 Enter the IPv6 network you have generated into the "IPv6 address" field and add "::1" at the end.
[Screenshot: Interfaces → LAN, IPv6 configuration with the ULA address ending in ::1]

Hit Save.

3.3 LAN DHCP IPv6


3.3.1 Go to Services → ISC DHCPv6 → LAN
3.3.2 In the Range section, under "from", enter your IPv6 network address from 3.2.2 with "::1000" appended. Under "to", enter the same network address again, this time with "::2000" appended.

[Screenshot: Services → ISC DHCPv6 → LAN, Range from ::1000 to ::2000]

Hit Save at the bottom of the page.
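The three addresses used in 3.2 and 3.3 all derive from one /64: the router gets ::1, the DHCPv6 range is ::1000 to ::2000. The script below is an added example (not from the post, and not the code behind unique-local-ipv6.com): it generates a locally assigned ULA prefix the way RFC 4193 section 3.2.2 describes (the low 40 bits of SHA-1 over an NTP timestamp and an EUI-64), then derives those three addresses and refuses anything that is not an fd00::/8 /64. The MAC address and timestamp in the usage block are constructed values.

```python
import hashlib
import ipaddress
import os
import time


def eui64_from_mac(mac):
    """Expand a 48-bit MAC into a modified EUI-64: flip the U/L bit, insert FF:FE in the middle."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def generate_ula_prefix(mac=None, now=None, subnet_id=0):
    """RFC 4193 s3.2.2: global ID = least significant 40 bits of SHA-1(64-bit NTP time || EUI-64).
    Returns the fdxx:xxxx:xxxx:<subnet_id>::/64 network (fd = locally assigned ULA)."""
    if mac is None:
        # No real NIC to read here; the RFC allows any locally unique 64-bit value instead
        mac = os.urandom(6).hex()
    if now is None:
        now = time.time()
    # NTP format: seconds since 1900 in the high 32 bits, fraction in the low 32 bits
    ntp = int((now + 2208988800) * (1 << 32)) & ((1 << 64) - 1)
    digest = hashlib.sha1(ntp.to_bytes(8, "big") + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # last 5 bytes = low 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix_int, 64))


def lan_plan(prefix):
    """Derive the addresses the guide enters by hand from a ULA /64:
    router ::1, DHCPv6 range ::1000-::2000."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or not net.subnet_of(ipaddress.IPv6Network("fd00::/8")):
        raise ValueError("expected a locally assigned ULA /64 inside fd00::/8")
    base = int(net.network_address)
    return {
        "network": str(net),
        "router": str(ipaddress.IPv6Address(base + 0x1)),
        "dhcp_from": str(ipaddress.IPv6Address(base + 0x1000)),
        "dhcp_to": str(ipaddress.IPv6Address(base + 0x2000)),
    }


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed timestamp so the run is reproducible
    net = generate_ula_prefix(mac="00:11:22:33:44:55", now=1700000000.0)
    for name, value in lan_plan(str(net)).items():
        print(f"{name:10} {value}")
    # The prefix from the post's ping example yields exactly the values the guide types in
    print(lan_plan("fd2d:7173:d519::/64"))
```

Feeding the prefix from the ping example in 3.5.2 into lan_plan gives fd2d:7173:d519::1 for the router and fd2d:7173:d519::1000 to fd2d:7173:d519::2000 for the DHCPv6 range, which is the mapping the steps above describe; a global-unicast prefix such as 2001:db8::/64 is rejected, since the whole point of this section is to keep LAN IPv6 non-routable on the internet.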

3.4 Router advertisement


3.4.1 Go to Services → Router Advertisement → LAN
3.4.2 Set Router Advertisements to Managed

[Screenshot: Services → Router Advertisement → LAN, set to Managed]

Hit Save at the bottom of the page.
 

3.5 Test IPv6 configuration


Now you should test if you can ping the OPNsense firewall IPv6 address from the LAN.

3.5.1 Connect a client to the LAN
3.5.2 On Linux or Windows, open a terminal and type ping -6 followed by the IPv6 address you entered in 3.2.3, i.e. your ULA prefix ending with ::1, like "ping -6 fd2d:7173:d519::1".

This needs to be successful! If this is not successful, fix it! Only continue once this is successful!!!
 

4. Create the Tunnel configuration.

In the current version of OPNsense the WireGuard plugin is already installed; you do not need to install it yourself.

Instance configuration:


The “Instance” is the tunnel to the AirVPN Service. Let's configure it.

In OPNsense go to VPN → WireGuard → Settings → Instances
Create an instance with the following information:

4.1 Enable Advanced Mode. (upper left corner)
4.2 Name: <Endpoint name, e.g. nl.vpn.airdns.org>
4.3 Public Key: <Public Key as noted with step 1.4>
4.4 Private Key: <PrivateKey under heading [Interface] of your generated WG config>
4.5 Listen Port: 1637
4.6 MTU: 1320
4.7 Tunnel Address: <Address including /32 under heading [Interface] of your generated WG config>
4.8 Peers: <select the peer that you created with step 2.2>
4.9 Disable routes: Enabled.


 

Rest is coming soon....
