I have a Debian linode box acting as a wireguard server. I wanted to join my opnsense firewall to it to allow devices behind it to access the box through the wireguard tunnel. It was not as straightforward as I had hoped, but thankfully I got it all working.
Install wireguard via GUI
Install the os-wireguard package. Manually drop to the CLI and install the wireguard package as well:
sudo pkg install wireguard
Configure Local instance
- Name and listen port can be anything you like. Tunnel address is the subnet you wish to expose to the other end (that is, the subnet on this side that should have access through the tunnel).
- Leave everything else blank and hit Save.
- Edit your new connection and copy the Public key; this will need to be sent to the Debian server.
Configure Endpoint
- Name: hostname of Debian server
- Public Key: Public key of server (can be obtained by running wg show on the server)
- Shared Secret: blank (unless you’ve configured it on the server)
- Allowed IPs: IPs or subnets on the Debian server you wish to expose to the client side (the OPNSense box)
- Endpoint address: DNS name of Debian server
- Endpoint port: Port Debian wireguard instance is listening on
Enable the VPN
On the General tab, tick the Enable WireGuard checkbox and hit Apply.
Take down the tunnel on the Debian server
sudo wg-quick down wg0
Edit wireguard config to add peer
sudo vim /etc/wireguard/wg0.conf
Append a new peer block for the OPNsense side:
[Peer]
PublicKey = <PUBLIC_KEY_YOU_COPIED_IN_LOCAL_INSTANCE_STEP>
AllowedIPs = <IPs or Subnets behind the OPNSense side you wish to be exposed to the Debian side>
sudo wg-quick up wg0
Example wg show output below with dummy IPs:
sudo wg show
interface: wg0
  public key: f+/J4JO0aL6kwOaudAvZVa1H2mDzR8Nh3Vfeqq+anF8=
  private key: (hidden)
  listening port: 12345

peer: TuUW7diXcWlaV97z3cQ1/92Zal2Pm9Qz/W2OMN+v20g=
  endpoint: 10.0.0.1:54137
  allowed ips: 10.0.0.2/32
  latest handshake: 17 seconds ago
  transfer: 5.14 KiB received, 3.81 KiB sent

peer: CZuC/+wxvzj9+TiGeyZtcT/lMGZnXsfSs/h5Jtw2VSE=
  endpoint: 126.96.36.199:12345
  allowed ips: 192.168.1.1/32
  latest handshake: 7 minutes, 8 seconds ago
  transfer: 5.89 MiB received, 952.20 MiB sent
The endpoint: line gets populated when a successful VPN connection is made. If it’s missing, the tunnel was not established.
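A small check that applies the rule above to wg show output, reporting each peer as UP, STALE or DOWN; this is an added example, not part of the original post. It assumes a POSIX shell with awk, that the output is fed on stdin, and an assumed 180 s staleness threshold; the third peer in the sample is constructed with a placeholder key.

```shell
# Added example, not from the original post: classify each peer in `wg show` output
# by the post's rule that a peer with no "endpoint:" line never completed a handshake.
# Real use:  sudo wg show | wg_peer_status [max_age_seconds]
wg_peer_status() {
    # $1: handshake age (s) above which a peer is STALE; 180 is an assumed default, as
    # WireGuard re-handshakes about every 2 min while traffic flows.
    awk -v max="${1:-180}" '
        function report() {
            if (peer == "") return
            if (!has_ep)        st = "DOWN (no endpoint line: handshake never completed)"
            else if (age < 0)   st = "DOWN (endpoint set but no handshake yet)"
            else if (age > max) st = "STALE (last handshake " age "s ago)"
            else                st = "UP (last handshake " age "s ago, endpoint " ep ")"
            printf "%s  %s\n", peer, st
        }
        $1 == "peer:"     { report(); peer = $2; has_ep = 0; ep = ""; age = -1 }
        $1 == "endpoint:" { has_ep = 1; ep = $2 }
        $1 == "latest" && $2 == "handshake:" {   # "7 minutes, 8 seconds ago" -> 428
            age = 0
            if ($3 == "Now") next
            for (i = 3; i + 1 <= NF; i += 2) {
                u = $(i + 1); sub(/,$/, "", u)
                if      (u ~ /^day/)    age += $i * 86400
                else if (u ~ /^hour/)   age += $i * 3600
                else if (u ~ /^minute/) age += $i * 60
                else if (u ~ /^second/) age += $i
            }
        }
        END { report() }
    '
}
# Constructed sample: the dummy keys from the post plus a third peer (placeholder key)
# that is configured on the server but never connected.
SAMPLE_WG_SHOW='interface: wg0
  public key: f+/J4JO0aL6kwOaudAvZVa1H2mDzR8Nh3Vfeqq+anF8=

peer: TuUW7diXcWlaV97z3cQ1/92Zal2Pm9Qz/W2OMN+v20g=
  endpoint: 10.0.0.1:54137
  allowed ips: 10.0.0.2/32
  latest handshake: 17 seconds ago

peer: CZuC/+wxvzj9+TiGeyZtcT/lMGZnXsfSs/h5Jtw2VSE=
  endpoint: 126.96.36.199:12345
  allowed ips: 192.168.1.1/32
  latest handshake: 7 minutes, 8 seconds ago

peer: PLACEHOLDER_PEER_KEY_NEVER_CONNECTED=
  allowed ips: 10.0.0.3/32'
printf '%s\n' "$SAMPLE_WG_SHOW" | wg_peer_status
```

A STALE peer is not necessarily broken: WireGuard only re-handshakes when there is traffic, so an idle peer also shows an old handshake.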
Nothing happens after saving information and enabling tunnel
Make sure latest wireguard package is installed
sudo pkg install wireguard
Get more log output by opening a shell on your OPNSense box and running
sudo /usr/local/etc/rc.d/wireguard start
In my case I was getting this interesting message
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit                                       │
│          https://www.wireguard.com/install/          │
│                                                      │
└──────────────────────────────────────────────────────┘
I fixed this problem by manually installing wireguard with the pkg install command above.
Wireguard config not saving
Make sure to stop the tunnel first, otherwise your changes get overwritten by the daemon.
sudo wg-quick down wg0
<make changes>
sudo wg-quick up wg0