wireguard - remove plugin install from wireguard-client.

pull/544/head
Ad Schellevis 2 months ago
parent 6f99048dcc
commit ac586586b2

@ -10,15 +10,9 @@ WireGuard is a simple, fast VPN protocol using modern `cryptography <https://www
This how-to describes setting up a central WireGuard Instance (server) on OPNsense and configuring one or more client peers to create a tunnel to it.
-------------------------------------
Step 1 - Install the WireGuard plugin
-------------------------------------
- Install the plugin via :menuselection:`System --> Firmware --> Plugins`, selecting **os-wireguard**.
- Once the plugin is installed, refresh the browser page and you will find the WireGuard configuration menu via :menuselection:`VPN --> WireGuard`.
------------------------------------------
Step 2 - Configure the Wireguard Instance
Step 1 - Configure the Wireguard Instance
------------------------------------------
- Go to :menuselection:`VPN --> WireGuard --> Instances`
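Review bot: with the "Install the WireGuard plugin" section removed, the how-to now opens at "Go to VPN --> WireGuard --> Instances" and nothing in these lines says where that menu comes from. A one-line prerequisite (the release from which WireGuard no longer needs **os-wireguard**) would keep readers on older installs from getting stuck at the first bullet. Since the heading line is being rewritten anyway, "Wireguard Instance" could also become "WireGuard Instance" to match the other step headings.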
@ -51,7 +45,7 @@ Step 2 - Configure the Wireguard Instance
- **Save** or **Cancel** to exit the configuration
---------------------------------------------
Step 3 - Configure the client peer
Step 2 - Configure the client peer
---------------------------------------------
- Go to :menuselection:`VPN --> WireGuard --> Peers`
@ -73,14 +67,14 @@ Step 3 - Configure the client peer
- Repeat this Step 3 for as many clients as you wish to configure
----------------------------------
Step 4 - Turn on/restart WireGuard
Step 3 - Turn on/restart WireGuard
----------------------------------
- Turn on WireGuard under :menuselection:`VPN --> WireGuard --> General` if it is not already on (click **Apply** after checking the checkbox)
- Otherwise, restart WireGuard - you can do this by turning it off and on under :menuselection:`VPN --> WireGuard --> General` (click **Apply** after both unchecking and checking the checkbox)
--------------------------------
Step 5 - Assignments and routing
Step 4 - Assignments and routing
--------------------------------
.. Note::
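Review bot: the unchanged context line "Repeat this Step 3 for as many clients as you wish to configure" is now stale. After this renumbering the client peer section is Step 2, and Step 3 is "Turn on/restart WireGuard", so the sentence sends the reader to the wrong step. Change it to "Repeat this Step 2", or drop the number ("Repeat this step") so it survives future renumbering.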
@ -89,7 +83,7 @@ Step 5 - Assignments and routing
**However**, it is useful to complete Step 5(a) anyway, for the reasons explained in that step
Step 5(a) - Assign an interface to WireGuard (recommended)
Step 4(a) - Assign an interface to WireGuard (recommended)
----------------------------------------------------------
.. Hint::
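Review bot: the note line "it is useful to complete Step 5(a) anyway" still refers to the old number, while the heading directly below it is renamed to "Step 4(a) - Assign an interface to WireGuard". After this commit Step 5 is "Create firewall rules" and has no (a) sub-step in that form, so the reference should read Step 4(a).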
@ -132,7 +126,7 @@ Step 5(a) - Assign an interface to WireGuard (recommended)
If Unbound DNS is configured with all interfaces registered it requires a reload of Unbound DNS to get the new Wireguard interface added. This is necessary to get DNS working through the VPN tunnel.
Step 5(b) - Create an outbound NAT rule
Step 4(b) - Create an outbound NAT rule
---------------------------------------
.. Hint::
@ -166,7 +160,7 @@ Step 5(b) - Create an outbound NAT rule
If you didn't assign an interface as suggested in Step 5(a), then you will need to manually specify the source IPs/subnet(s) for the tunnel (for example, 10.10.10.0/24). It's probably easiest to define an alias (via :menuselection:`Firewall --> Aliases`) for those IPs/subnet(s) and use that. If you have only one WireGuard Instance and only one WireGuard Peer configured, you can use the default :code:`WireGuard net`, although this is generally not recommended due to unexpected behaviour
------------------------------
Step 6 - Create firewall rules
Step 5 - Create firewall rules
------------------------------
This will involve two steps - first creating a firewall rule on the WAN interface to allow clients to connect to the OPNsense WireGuard server, and then creating a firewall rule to allow access by the clients to whatever IPs they are intended to have access to.
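Review bot: the context line above the new "Step 5 - Create firewall rules" heading still says "If you didn't assign an interface as suggested in Step 5(a)". Interface assignment is Step 4(a) after this change, so the reference now points into the firewall rules section it is meant to precede. Update it to Step 4(a) in the same commit.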
@ -217,7 +211,7 @@ This will involve two steps - first creating a firewall rule on the WAN interfac
If you didn't assign an interface as suggested in Step 5(a), then the second firewall rule outlined above will need to be configured on the automatically created :code:`WireGuard` group that appears once the Instance configuration is enabled and WireGuard is started. You will also need to manually specify the source IPs/subnet(s) for the tunnel. It's probably easiest to define an alias (via :menuselection:`Firewall --> Aliases`) for those IPs/subnet(s) and use that. If you have only one WireGuard Instance and only one WireGuard Peer configured, you can use the default :code:`WireGuard net`, although this is generally not recommended due to unexpected behaviour
------------------------------------
Step 6a - Create normalization rules
Step 5a - Create normalization rules
------------------------------------
- Go to :menuselection:`Firewall --> Settings -> Normalization` and press **+** to create **one** new normalization rule.
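Review bot: the paragraph starting "If you didn't assign an interface as suggested in Step 5(a)" carries the same stale cross-reference here and should say Step 4(a). Two smaller points on the lines in this hunk: the new heading is written "Step 5a" while the earlier sub-steps use the "Step 4(a)" form, and the menu path "Firewall --> Settings -> Normalization" uses "->" where the rest of the document uses "-->", which the :menuselection: role will not render as a separator.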
@ -258,7 +252,7 @@ Step 6a - Create normalization rules
By creating the normalization rules, you ensure that IPv4 TCP and IPv6 TCP can pass through the Wireguard tunnel without being fragmented. Otherwise you could get working ICMP and UDP, but some encrypted TCP sessions will refuse to work.
---------------------------------------
Step 7 - Configure the WireGuard client
Step 6 - Configure the WireGuard client
---------------------------------------
.. Tip::
