Excalibur's Sheath

Implementing WireGuard VPN on OPNSense for Secure Remote Access

Oct 12, 2024 • linux,server,networking,opnsense,vpn,wireguard

Securing remote access to your home or server network is essential, and WireGuard VPN offers a robust, high-speed, and easy-to-configure solution. In this guide, we’ll walk through setting up a WireGuard VPN server on OPNSense, and configuring clients (peers) on Android, iOS, and Linux. Additionally, we’ll discuss how to use WireGuard for securing a server environment versus remote user connections.

Overview

We’ll cover:

  • Installing and configuring WireGuard VPN on OPNSense.

  • Configuring peers for remote access from Android, iOS, and Linux.

  • Differentiating between WireGuard use cases for securing servers versus remote client access.

Prerequisites

Before we dive in, you will need the following:

  • A running OPNSense firewall.

  • Administrative access to the OPNSense web interface.

  • A basic understanding of networking and firewalls.

  • Access to the terminal for running commands, if necessary.

Step One - Installing WireGuard on OPNSense

  • Create a WireGuard Instance: Go to VPN > WireGuard > Local and click the + button to create a new WireGuard instance, then fill in the following fields.

  • Enabled: Check this box to enable the instance.

  • Name: Give your WireGuard instance a descriptive name (e.g., “Home VPN”).

  • Private Key: Click the Generate button to create a new private key.

  • Listen Port: This is the port WireGuard will use. The default is 51820, but you can choose any unused port.

Click Save once you’ve filled out these fields.

Step Two - Configuring WireGuard Peers on Android, iOS, and Linux

Android Peer Configuration

Step One - Install WireGuard App: Download the WireGuard app from an app store. I prefer to use F-Droid, but it is also available from the Google Play Store.

Step Two - Generate Keys: Once installed, open the app and tap the + button to create a new WireGuard tunnel. This generates both a private and a public key, which are used to authenticate your Android device to your OPNSense WireGuard server.

  • Private Key: Automatically generated in the app (you can view it, but keep it secure).

  • Public Key: Copy the public key for later use in the OPNSense peer configuration.

Step Three - Configure Tunnel: In the WireGuard app, configure the VPN tunnel settings:

Interface:

Private Key: Use the generated private key.

Address: Use an IP from your WireGuard subnet (e.g., 10.10.10.2/32).

Peer (Server Side):

Public Key: Use the public key from the OPNSense server.

Endpoint: Specify the IP address or DNS name of your OPNSense server, followed by the port (e.g., vpn.example.com:51820).

Allowed IPs: Set this to 0.0.0.0/0 if you want to route all traffic through the VPN, or set it to specific subnets you need access to (e.g., 192.168.1.0/24 for local network access).

Persistent Keepalive: Set to 25 seconds to maintain the connection.

Step Four - Add Peer to OPNSense: In the OPNSense WireGuard peer configuration, add the Android device’s public key and assign it an IP address from the WireGuard subnet (e.g., 10.10.10.2/32).

Step Five - Activate VPN: Once configured, tap the Activate switch in the WireGuard app to establish a connection. Test by accessing home network resources or checking your IP using an external service like whatismyip.com.

iOS Peer Configuration

Step One - Install WireGuard App: Download the WireGuard app from the Apple App Store.

Step Two - Generate Keys and Configure Tunnel

The process for iOS is nearly identical to the Android configuration:

Open the app, tap the + button, and generate your public and private keys.

Configure the tunnel by specifying the private key, IP address from the WireGuard subnet, and the peer information (server public key, endpoint, allowed IPs, and keepalive).

Step Three - Add Peer to OPNSense: Just like with Android, copy the public key generated on the iOS device into the WireGuard peer configuration in OPNSense.

Step Four - Test Connection: After saving the configuration, enable the VPN from the WireGuard app on your iPhone or iPad and confirm connectivity by pinging internal network resources or checking your public IP address.

Linux Peer Configuration

WireGuard is natively supported on Linux systems, making it a straightforward process to configure.

Step One - Install WireGuard: On most Linux distributions, WireGuard can be installed using the package manager:

Debian / Ubuntu:

sudo apt update

sudo apt install wireguard

Red Hat / Fedora:

sudo dnf install wireguard-tools

Step Two - Generate Keys: On your Linux machine, generate your public and private keys using the following command:

wg genkey | tee privatekey | wg pubkey > publickey

This will generate a private key and a public key. You’ll need to use the public key in your OPNSense peer configuration.

Step Three - Configure WireGuard Client: Create a configuration file for the WireGuard client, typically located at /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <client private key>
Address = 10.10.10.2/32

[Peer]
PublicKey = <OPNSense server public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Replace <client private key> and <OPNSense server public key> with the respective keys.

Step Four - Add Peer to OPNSense: In OPNSense, add the Linux machine’s public key to the WireGuard peer configuration and assign an IP address from the VPN subnet (e.g., 10.10.10.2/32).

Step Five - Start WireGuard: Start the WireGuard interface using:

sudo wg-quick up wg0

Check the connection status with:

sudo wg
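As an added example that is not part of the original post, the Linux client steps above collected into a small POSIX shell helper: it generates the key pair with a restrictive umask, builds wg0.conf from the values used in this guide, checks that a key has the shape of a WireGuard base64 key, and decides from `wg show wg0 dump` output whether the tunnel has actually completed a recent handshake rather than merely existing. It assumes wireguard-tools is installed and the interface is named wg0; all key values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes wireguard-tools (wg, wg-quick)
# is installed and the interface is wg0; all key values below are placeholders.
set -eu

# Generate the client key pair so the private key is never world-readable
# (umask 077 before `wg genkey`), then print the public key for OPNSense.
gen_client_keys() {
    umask 077
    wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey"
    cat "$1/publickey"
}

# A WireGuard key is 32 random bytes in base64: 43 base64 characters plus '='.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Build the client wg0.conf from the guide's values.
# Arguments: client private key, client address, server public key,
#            endpoint host:port, allowed IPs.
make_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' "$3" "$4" "$5"
}

# `sudo wg` listing a peer is not proof the tunnel works; the latest handshake is.
# Takes the output of `wg show wg0 dump` (tab-separated; on each peer line
# field 5 is the last handshake as a Unix timestamp, 0 if none ever happened)
# and the current time. Succeeds only if every peer handshook within 180 s,
# a threshold a little above WireGuard's 120 s rekey interval.
peers_healthy() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" '
        NR > 1 { peers++; if ($5 == 0 || now - $5 > 180) bad = 1 }
        END { exit ((peers > 0 && !bad) ? 0 : 1) }'
}
```

A typical use is `peers_healthy "$(sudo wg show wg0 dump)" "$(date +%s)"` from a cron job or health check, alerting when it fails.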

Securing a Server vs. Remote Connection with WireGuard

WireGuard can be used for two common scenarios: securing a server (point-to-site VPN) or enabling secure remote access for clients (site-to-site VPN).

Securing a Server (Point-to-Site VPN)

In a point-to-site setup, WireGuard can be used to secure a server, such as a web server or cloud instance, by limiting which IPs can access certain services or ports. This is ideal for servers hosting sensitive information, as the VPN can act as an additional security layer on top of firewalls.

Configuration: The server acts as a WireGuard endpoint, allowing only peers with known public keys to establish a VPN connection. Traffic can then be restricted to only necessary services, locking down SSH, HTTP, or database access to VPN users.

Advantages: This setup eliminates the need to expose services to the internet, reducing the attack surface and ensuring that only authenticated VPN users can access critical resources.
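As an added example, not from the original post, the point-to-site layout above expressed as a server-side wg0.conf on a hypothetical Linux host that uses iptables: SSH is accepted only when it arrives through the tunnel, and each client gets its own /32 in the peer table. The guide uses 10.10.10.2/32 as the sample address on every platform; in a real deployment each device needs a distinct one, which the last function checks for. The iptables rules assume an earlier rule already accepts ESTABLISHED,RELATED traffic, and all key values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the point-to-site case on a
# hypothetical Linux server that uses iptables. Key values are placeholders.
set -eu

# [Interface] for the protected server. PostUp accepts SSH only when it arrives
# through wg0 and drops every other attempt on port 22; PostDown undoes both.
# Assumes an earlier rule already accepts ESTABLISHED,RELATED traffic.
server_interface() {
    cat <<'EOF'
[Interface]
PrivateKey = <server private key>
Address = 10.10.10.1/24
ListenPort = 51820
PostUp = iptables -I INPUT -i wg0 -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 22 -j DROP
PostDown = iptables -D INPUT -i wg0 -p tcp --dport 22 -j ACCEPT; iptables -D INPUT -p tcp --dport 22 -j DROP
EOF
}

# One [Peer] block per client. Arguments: label, client public key, AllowedIPs.
# On the server, AllowedIPs is the client's own /32: WireGuard uses this table
# to choose the peer for each destination (cryptokey routing), so a client must
# never be given the whole subnet here.
server_peer() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2" "$3"
}

# Every peer needs its own address: if two peers list the same AllowedIPs,
# wg assigns the address to whichever peer was loaded last and the other one
# silently stops receiving traffic. Fails if any address appears twice.
check_unique_allowed_ips() {
    printf '%s\n' "$1" | awk -F ' = ' '
        $1 == "AllowedIPs" { gsub(/ /, "", $2); n = split($2, a, ",")
                             for (i = 1; i <= n; i++) if (seen[a[i]]++) dup = 1 }
        END { exit (dup ? 1 : 0) }'
}
```

Run `check_unique_allowed_ips "$(cat /etc/wireguard/wg0.conf)"` before `wg-quick up` to catch a copy-pasted peer entry.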

Remote Client Access (Site-to-Site VPN)

This configuration is ideal for users wanting to securely access home or business networks from remote locations. In this setup:

The Server: OPNSense acts as the VPN server, managing incoming VPN connections from clients. The VPN tunnel routes all traffic from the remote device through the secure connection, providing access to internal network resources like file shares, printers, or IoT devices.

Client Devices: The clients (Android, iOS, Linux, etc.) establish a secure connection using their WireGuard configuration and are assigned an IP from the VPN subnet, enabling them to communicate with devices on the home network as if they were physically connected.

Advantages: Site-to-site VPN ensures that the client’s traffic is encrypted when using public or untrusted networks (e.g., coffee shops, hotels). It also allows users to access resources securely without the risk of exposure over the internet.

Conclusion

WireGuard VPN on OPNSense provides a secure, lightweight, and fast solution for remote access and server protection. Whether you are securing a home network for remote users or safeguarding critical services on a server, WireGuard’s modern approach to VPN ensures strong encryption and seamless connectivity across a variety of devices.

By following these steps, you can confidently configure a WireGuard VPN for Android, iOS, Linux, and differentiate between securing a server or enabling remote access for users on the go.