Leaderboard

SUPERSEDED BY: THIS THREAD WILL BE REMOVED - SUPERSEDED BY This HOWTO describes how to connect to AirVPN with a Wireguard VPN tunnel from OPNsense. This is the first draft of this howto, i might add (more) screenshots later on. Version: 0.1 Date: 20231029 What we are going to achieve We'll create a single Wireguard VPN Tunnel, IPv4 Only. Traffic to the tunnel will be NATted Requirements OPNsense firewall is up-and-running and updated. This howto is based on version 23.7.7_1 You have basic knowledge on using OPNsense i.e. firewall rules, NAT, routing, gateways and aliases. AirVPN Premium Access Step 1. Information gathering We'll grab some info that we need to configure the Wireguard Tunnel. Go to the Client Area. Got to VPN Devices. Add a device or edit your existing device. Note your Public Key and IPv4 under the heading "Wireguard" Go back to the Client Aerea. Go to Config Generator Select "router" under "Choose your OS" Select "Wireguard under "Choose protocols" Select your country under "By Countries". I selected Netherlands Scroll way down and download your config. This is an example of a Wireguard config: (the keys and IP are random and will not work, use your own) [Interface] Address = 10.45.95.123/32 PrivateKey = X72xgdx23XDomnSXmcy#S4Jc#9Y5G*vU$wg^n499yn6 MTU = 1320 DNS = 10.128.0.1 [Peer] PublicKey = VTSQ77Uk4^&RY4h%S$#9h8PR2T&xyya&yPTtk6oD^m$ PresharedKey = b7&&7bntmCS5q%&4J*mSKBAUvV4XEqHerwscvbappXQ Endpoint = nl3.vpn.airdns.org:1637 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 15 Step 2. Create the Tunnel configuration Peer configuration: in OPNsense go to VPN|Wireguard|Settings|Peers. Create a peer with the following information: Name: wg_airvpn_<country code>. mine is called wg_airvpn_nl Public key: <PublicKey under heading [Peer] of your generated WG Config> Pre-shared key <presharedKey under heading [Peer] of your generated WG Config> Allowed IP's: 0.0.0.0/0 Endpoint Address: <Endpoint under heading [Peer] of your generated WG Config> Endpoint port: 1637 (default port) Keepalive interval: 15 (default interval) Instance configuration: in OPNsense go to VPN|Wireguard|Settings|Instances Create an instance with the following information: Enable Advanced Mode. Name: <Endpoint Name i.e. nl.vpn.airdns.org> Public Key: <Public Key as noted with step 1.4> Private Key: <PrivateKey under heading [Interface] of your generated WG Config> Listen Port: 1637 MTU: 1320 Tunnel Address: <Address including /32 under harding [Interface] of your generated WG Config> Peers: <select peer that you created with step 2.2> Disable routes: Enabled. Step 3. Make an exception on your WAN interface in OPNsense go to Firewall|Rules Select your WAN interface, mine is called WAN_PPPOE Create a Pass rule for IPv4/UDP port 1647 to your WAN-address. Step 4. Assign Wireguard Interface in OPNsense go to Interfaces|Assignments You'll find a "wg1(Wireguard - nl.vpn.airdns.org)" (or similiar) interface. bind it to an interface with a name of your choice. mine is called WAN_WG1 as is is the first site-to-site Wireguard tunnel on my WAN interface. Step 5. Create a gateway. Remember we disabled the routes for the WG instance configuration? Because of that we need to create a gateway. In OPNsense go to System|Gateways|Single Add a Gateway with the following information: Name: WAN_WG_GW Description: Interface WAN_WG1 Gateway Interface: Select WAN_WG1 as created in step 4. Address Family: IPv4 IP address: Dynamic (leave empty) Far Gateway: Enabled (this i am not sure of but for now i'm happy it works) Disable Gateway Monitoring: enabled Step 6. Aliases We set up some aliases. This will make it more easy to redirect some hosts or networks to the Wireguard tunnel. in OPNsense, go to Firewall|Aliases Create host entries for the specific hosts you'll redirect Create network entries for the specific network(s) you'll redirect. Create a Network Group Entry with the host and network entries to group them together. My alias is called networkgroup_wireguard Step 7. Create Outbound NAT for Wireguard. (In my setup, i use Manual Outbound Rule Generation because i like to have control) In OPNsense go to Firewall|NAT|Outbound Create a new Outbound NAT rule with the following information: Interface: WAN_WG1 TCP/IP version: IPv4 Protocol: Any Source Address: <alias networkgroup_wireguard from step 6> Translation /target WAN_WG1 address Description: Wireguard VPN Outbound NAT rule Step 8. Create Outbound Redirect rule. In this example we create 2 rules on our LAN interface, one for redirecting to WG, the other to prevent leaks. In OPNsense go to Firewall|Rules Select your LAN interface add an outbound Pass rule: Action: Pass Source: Networkgroup_wireguard Destination: Any (in my case i use an inverted network group called networkgroup_local where all my local vlans are grouped together) Gateway: WAN_WG1_GW (the gateway you created in step 5.) Add an outbound block rule below that: Action: Block Source: Networkgroup_wireguard Destination: Any Gateway: default Your WG VPN tunnel should now work. Test with https://ipleak.net The following steps are more advanced and i'm still finetuning/experimenting with the settings. your experience may vary. Step 9. Prevent VPN leakage I'm new to OPNsense and i am not sure what the default setting is, but from my pfSense experience i know the following setting is important when you want to make sure your VPN does not leak when for instance the tunnel is down. In OPNsense go to Firewall|Settings|Advanced Under "Gateway Monitoring" enable "Skip Rules when gateway is down" Step 10. MTU/MSS optimization For now i have set thte MTU according to the default setting of AirVPN. I want it to be higher but for now i'm just happy it works. My settings are as follows: In the properties of the WAN_WG1 interface i set the MTU to 1320 and the MSS to 1280. I created a normalize rule (Firewall|Settings|Normalization) with the following settings. this should enable me to clamp the MSS to 1280 for the wireguard group but leave the MSS to the desired setting (1452) as defined on my LAN interface for the rest of the hosts on my LAN; Interface: LAN Direction, Protocol: Any Source: networkgroup_wireguard Max MSS: 1280

No problems for me from the Netherlands, residential landline. Today I am in Belgium, different mobile ISP, no probs. No problems from my VPS in Ireland (AWS).

This guide is outdated, please consider using this guide:

I also use this script I made for wireguard automation.. might help somebody, this automatically 'randomizes' (gets new) IP and randomizes exposed port (from list of ports you define in variable and of course you have reserved in your account) This should be in (docker-compose related) `.env` file AIRVPN_WG_PRIVATE_KEY=xxxxxxxxxxxxxxxxxxxx AIRVPN_WG_PRESHARED_KEY=xxxxxxxxxxxxxxxxxxxxxx AIRVPN_WG_ADDRESSES=x.x.x.x/32,x:x:x:x:x:x:x:x/128 AIRVPN_PEER_PORT=xxxxx AIRVPN_DEVICE_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AIRVPN_SERVER_NAMES=xxxxx xxxxx AIRVPN_COUNTRIES=xxxxx AIRVPN_CUNTRY_CODE=xx AIRVPN_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AIRVPN_PORTS=xxxx xxxx xxxxx xxxxx xxxxx xxxxx xxxx xxxx xxxx xxxx xxxx xxxxx And this is `docker-compose.yml` part: gluetun: image: qmcgaw/gluetun container_name: gluetun ports: - 8888:8888/tcp # HTTPPROXY sysctls: - net.ipv6.conf.all.disable_ipv6=0 cap_add: - NET_ADMIN environment: - TZ=Europe/Amsterdam - HTTPPROXY=on - HTTPPROXY_STEALTH=on - VPN_TYPE=wireguard - VPN_SERVICE_PROVIDER=airvpn - SERVER_NAMES=${AIRVPN_SERVER_NAMES} - SERVER_COUNTRIES=${AIRVPN_COUNTRIES} - FIREWALL_VPN_INPUT_PORTS=${AIRVPN_PEER_PORT} - WIREGUARD_ADDRESSES=${AIRVPN_WG_ADDRESSES} - WIREGUARD_PRIVATE_KEY=${AIRVPN_WG_PRIVATE_KEY} - WIREGUARD_PRESHARED_KEY=${AIRVPN_WG_PRESHARED_KEY} volumes: - /volume1/docker/gluetun:/gluetun devices: - /dev/net/tun:/dev/net/tun restart: always mem_limit: 1024m memswap_limit: 1024m Finally put this part to `.bashrc` (or alternative), `source .bashrc` then execute 'rand' function (change path to your env file as well as docker compose file) * you should have `jq`, `awk`, `sed`, `curl` and `shuf` binaries available. export DOCKER_ENV_FILE=/volume1/docker/.env export DOCKER_COMPOSE_FILE=/volume1/docker/docker-compose.yml rand () { CURRENT_DEVICE_ID=$(awk -F '=' '/AIRVPN_DEVICE_ID/ {print $2}' $DOCKER_ENV_FILE) AIRVPN_API_KEY=$(awk -F '=' '/AIRVPN_API_KEY/ {print $2}' $DOCKER_ENV_FILE) AIRVPN_CUNTRY_CODE=$(awk -F '=' '/AIRVPN_CUNTRY_CODE/ {print $2}' $DOCKER_ENV_FILE) AIRVPN_PORTS=$(awk -F '=' '/AIRVPN_PORTS/ {print $2}' $DOCKER_ENV_FILE) [ ! -f $CURRENT_DEVICE_ID ] && \ curl -s -H "API-KEY:$AIRVPN_API_KEY" "https://airvpn.org/api/disconnect/?device=$CURRENT_DEVICE_ID" && sleep 1 && \ curl -s -H "API-KEY:$AIRVPN_API_KEY" "https://airvpn.org/api/devices/?action=delete&id=$CURRENT_DEVICE_ID" && sleep 1 AIRVPN_DEVICE_ID=$(curl -s -H "API-KEY:$AIRVPN_API_KEY" "https://airvpn.org/api/devices/?action=add" | jq -r .id[0:50]) && sleep 10 CONFIG_FILE=$(curl -s -H "API-KEY:$AIRVPN_API_KEY" "https://airvpn.org/api/generator/?protocols=wireguard_3_udp_1637&servers=${AIRVPN_CUNTRY_CODE}&system=linux&device_id=New%20device") AIRVPN_WG_ADDRESSES=$(awk '/Address/ {print $3$4}' <<<$CONFIG_FILE) AIRVPN_WG_PRESHARED_KEY=$(awk '/PresharedKey/ {print $3}' <<<$CONFIG_FILE) AIRVPN_WG_PRIVATE_KEY=$(awk '/PrivateKey/ {print $3}' <<<$CONFIG_FILE) AIRVPN_PEER_PORT=$(shuf -n1 -e $AIRVPN_PORTS) sed -i 's#^AIRVPN_WG_ADDRESSES=.*$#AIRVPN_WG_ADDRESSES='"$AIRVPN_WG_ADDRESSES"'#g' $DOCKER_ENV_FILE sed -i 's#^AIRVPN_WG_PRESHARED_KEY=.*$#AIRVPN_WG_PRESHARED_KEY='"$AIRVPN_WG_PRESHARED_KEY"'#g' $DOCKER_ENV_FILE sed -i 's#^AIRVPN_WG_PRIVATE_KEY=.*$#AIRVPN_WG_PRIVATE_KEY='"$AIRVPN_WG_PRIVATE_KEY"'#g' $DOCKER_ENV_FILE sed -i 's#^AIRVPN_PEER_PORT=.*$#AIRVPN_PEER_PORT='"$AIRVPN_PEER_PORT"'#g' $DOCKER_ENV_FILE sed -i 's#^AIRVPN_DEVICE_ID=.*$#AIRVPN_DEVICE_ID='"$AIRVPN_DEVICE_ID"'#g' $DOCKER_ENV_FILE docker-compose --env-file $DOCKER_ENV_FILE -f $DOCKER_COMPOSE_FILE up --detach --quiet-pull --remove-orphans } There is a single limitation, you can only have a single "New device" named device on your account, this gets re-cycled (current deleted and new created) by the script. This is because we can't set device name via API so I am forced to use the default "New device" name while calling API to generate a new config. Oh and the api calls must go without using VPN, because understandably, its killing the connection so you'd be unable to finish the process.