home network:
- opnsense router
- lan subnet: 192.168.101.0/24
- wireguard subnet: 192.168.102.0/24 (tunnel addresses: OPNsense .1, VPS wg0 .2, VPS wg1 .3)
vps:
- 1 public ip
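sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y wireguard openresolv
# Enable IPv4 forwarding via a sysctl drop-in instead of appending to /etc/sysctl.conf:
# `tee -a` adds a duplicate line every time these steps are re-run.
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-wireguard.conf > /dev/null
sudo sysctl --system
# Private keys must not be readable by other users: umask 077 makes the new key files 0600.
# Run this in a private directory (e.g. /etc/wireguard) and delete the *.privatekey files
# once their contents have been pasted into the configs.
umask 077
wg genkey | tee wg0.privatekey | wg pubkey > wg0.publickey
wg genkey | tee wg1.privatekey | wg pubkey > wg1.publickey
# Ideally generate the OPNsense key pair on the OPNsense box itself so its private key never
# exists on the VPS; the VPS only needs the OPNsense public key (wg0.conf [Peer]).
wg genkey | tee opnsense.privatekey | wg pubkey > opnsense.publickey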
file: /etc/wireguard/wg0.conf (contains a private key: keep it root-owned, chmod 600)
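[Interface]
# Server side of the tunnel (VPS). This key is the tunnel's identity; keep the file root-only.
PrivateKey = <server private key from file wg0.privatekey>
Address = 192.168.102.2/24
ListenPort = 51820
# ADJUST THE NETWORK INTERFACE ens3 WITH YOUR VPS NETWORK INTERFACE.
# Forwarding is opened only for traffic entering via wg0; if the FORWARD chain policy is DROP,
# return traffic also needs a rule such as
#   iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The MASQUERADE rule is not restricted by source; consider adding -s 192.168.102.0/24
# (and -s 192.168.101.0/24) so that only tunnel traffic is NATed out of ens3.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# OPNsense router. AllowedIPs is WireGuard's cryptokey routing: packets from this peer are
# accepted only if their source is in this list, and only traffic to these prefixes is sent
# to it. 192.168.101.0/24 is the home LAN behind the router.
PublicKey = <client public key from file opnsense.publickey>
AllowedIPs = 192.168.102.1/32, 192.168.101.0/24
PersistentKeepalive = 10

[Peer]
# Local wg1 client (wg1.conf, connecting over 127.0.0.1). Without AllowedIPs WireGuard
# drops every packet from this peer, so its tunnel address must be listed here.
PublicKey = <client public key from file wg1.publickey>
AllowedIPs = 192.168.102.3/32
PersistentKeepalive = 10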
file: /etc/wireguard/wg1.conf (contains a private key: keep it root-owned, chmod 600)
[Interface]
# Second tunnel interface on the VPS itself, acting as a client of wg0 via loopback.
Address = 192.168.102.3/32
PrivateKey = <client private key from file wg1.privatekey>
# With openresolv installed, wg-quick installs this as the VPS resolver while wg1 is up,
# so the VPS's DNS queries go to the OPNsense resolver over the tunnel (this is why the
# wg0 firewall rule for port 53 is needed on OPNsense).
DNS = 192.168.101.1
[Peer]
# NOTE(review): this peer has no AllowedIPs, so WireGuard will neither send nor accept any
# traffic over wg1 — confirm which prefixes are intended. Be aware that wg0 already routes
# 192.168.102.0/24 (its /24 Address) and 192.168.101.0/24 (OPNsense peer AllowedIPs) on this
# host, so repeating those prefixes here would clash in the routing table.
PublicKey = <server public key from file wg0.publickey>
Endpoint = 127.0.0.1:51820
# Start both tunnels at boot (wg0 = server listener, wg1 = local client over loopback).
systemctl enable wg-quick@wg0 wg-quick@wg1
- install wireguard plugin
- go to vpn > wireguard
- go to endpoints tab, then create new endpoint
- name:
- public key:
- allowed IPs: 192.168.102.0/24
- endpoint address: vps public ip
- endpoint port: 51820
- keepalive: 10
- go to local tab, then create new local
- name:
- private key:
- tunnel address: 192.168.102.1/24 (the field expects CIDR notation; this is the OPNsense end of the tunnel subnet)
- peers: select the endpoint created above
- go to interfaces > assignments
- create new assignment for interface wg0 with name wg0
- ipv4 = none, ipv6 = none
- save
- go to system > gateways > single
- create new gateway
- name: wan_gw0
- interface: wg0
- ip address: 192.168.102.2
- go to vpn > wireguard
- go to general tab
- enable wireguard
- go to services > unbound dns, then restart the service
- go to firewall > rules > wg0
- add new rule
- action: pass
- protocol: tcp/udp
- source: wg0 net (restrict DNS to tunnel peers, consistent with the ICMP rule below)
- destination: this firewall
- destination port: 53
- add new rule
- action: pass
- protocol: icmp
- source: wg0 net
- destination: this firewall
- add new rule
- action: pass
- source: wg0 net
- destination: lan net
- add new rule
- go to firewall > rules > lan
- add new rule (adjust the priority properly)
- action: pass
- source: lan net
- destination: wg0 net
- gateway: wan_gw0 (the gateway created under system > gateways > single above; the name must match exactly)
- add new rule (adjust the priority properly)
- vps
- systemctl restart wg-quick@wg0
- systemctl restart wg-quick@wg1
- test ping to 192.168.101.1
- test ping to other lan devices
nc -zv 192.168.101.1 80 (TCP reachability of the OPNsense web UI through the tunnel; requires the "wg0 net -> lan net" pass rule)
- lan devices
- test ping to 192.168.102.1
- test ping to 192.168.102.2
- test ping to 192.168.102.3
nc -zv 192.168.102.2 22 (VPS SSH reached over the tunnel address rather than the public IP)