Trying to set up Wireguard on Opnsense

Hi there

Just to note. I am a complete n00b.

I’ve been trying to set up a home server and get things up and running on it, just doing things one at a time. I just can’t get WireGuard to work, however. Been banging my head against a wall for nearly a week.

I currently have a setup that goes as follows:

Australia NBN FTTP through WAN → PC running OPNsense through LAN → 5-port switch. The switch currently connects to my PC, my girlfriend’s PC, my home server, and my old router that I run as a wireless AP. Everything works as expected.

On my home server, I have set up Immich in Docker for all my photo backups currently. I have Immich set up on my and my girlfriend’s phones so that when we are on the home Wi-Fi, it automatically backs up these photos to Immich.

However, to connect to Immich (and eventually anything else I add, Plex, etc. in the future) outside of the home network, I have heard you can do this through WireGuard. My parents live 3 hours away in the middle of buttfk nowhere. Having access to movies in the future would be nice. But one step at a time.

I have tried to set up WireGuard and start with connecting my phone. I’ll try to list things in order.

I believe I have a dynamic IP. This is based off the ipconfig /all command. Based on this, I need Dynamic DNS something something. I saw people recommend Cloudflare and setting up a domain, then setting up an API token through this domain. Then in OPNsense, linking that API token through the Dynamic DNS settings.

Then I need to set up WireGuard. I’ve tried to watch various videos and written articles to set this up, but it still doesn’t work. To note, I’m not sure if I need this somewhere, but the IP I use to get into OPNsense is 192.168.1.1.

I’ve started with creating a WireGuard instance, running it through 172.16.16.0/24, standard listen port. Public and private keys were created. I used this IP address as well as trying 192.168.1.x, 192.168.x.x, 10.x.x.xx, and now the 172.xx.xx.xx.

I’ve enabled the interface under opt1.

I created a peer using the peer generator. For the endpoint, I used my public IP that I searched via whatever Googled app, and then added :51820 as the listen port.

For the rules, I added one to WAN which is to allow WireGuard inbound for port 51820 using the WAN address. I also have one under WireguardHome (what I called the interface). I think the only thing this rule added was the interface of WireguardHome.

I think this is everything. I honestly don’t know if all this information helps or not. I’m a complete n00b and diving head first into all of this to try and learn. So there are most likely stupid mistakes made, as I don’t really know what I’m doing.

Thanks to anyone who manages to read all this and can help.

I’m running a similar setup. You’re on the right track, though I can’t say for sure what’s not right with your config.

I recommend following the “road warrior” example from OPNSense’s docs for remote access to the whole network:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html#wireguard-road-warrior-setup

If you have questions not answered there or just get stuck I’ll try to help.

edit: when you say “running it through 172.16.16.0/24”, do you mean the tunnel address? I have that set to a x.x.x.1/24.

“For the endpoint, i used my public ip that i searched via whatever googled app”
You should use the WAN interface address, unless you’re behind CGNAT, in which case you need an additional workaround. You can also use your dyn dns name once that’s set up.

“Think the only thing this rule added was the Interface of WireguardHome.”
You may just need to add a rule to allow traffic on the WireguardHome interface, check that one exists.

1 Like

I haven’t had a chance to try it myself yet, but Home Networking Guy had a YouTube video recently that may suggest config issues, and here is the text version that may be more useful for debugging.

Wireguard in OPNsense

I posted the video @Damage was talking about for the community members who wanted to view the video.

I just tried this a bit earlier. I would say the video is a bit clearer, but more cumbersome to apply the configuration while you are watching. I found the config changes to be a little slow, so be patient for a few more seconds before you try and troubleshoot.

Overall fairly easy.

1 Like

Seems like you are mostly there. Some thoughts to follow:

In OPNsense when you create the “remote” peer it auto-populates the next available address in the subnet. So just leave it to choose.

For the WAN address, as you have the correct address on your domain name - I’ve had it not update once before and didn’t see any error warning me of the fact.

Beyond the WAN rule you need rules to allow the WG subnet to access your (probably LAN) subnet and access to internal DNS if that is how you want to access the internal resources.

1 Like
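Pulling the advice in this thread together (keep the tunnel subnet separate from the LAN, give the phone an address inside the tunnel subnet, point the endpoint at the DDNS name on UDP 51820, and let the phone reach the LAN and internal DNS through the tunnel), here is an added example script that is not from the original post or from OPNsense. It sanity-checks the addressing and prints the phone's WireGuard client config for the road-warrior layout. The LAN (192.168.1.0/24) and tunnel subnet (172.16.16.0/24) come from the post; the instance address 172.16.16.1, the phone address 172.16.16.2, the DDNS name home.example.net, the use of 192.168.1.1 as the tunnel DNS server, and both key strings are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check WireGuard road-warrior addressing
# and emit the phone-side wg0.conf. All keys/hostnames below are placeholders.

# ip4_to_int 192.168.1.1 -> dotted quad as a 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_int N -> netmask integer for a /N prefix
mask_int() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# cidr_overlaps A/n B/m -> yes|no. Two ranges overlap when the larger one
# (smaller prefix) contains the other's network address.
cidr_overlaps() {
    a=$(ip4_to_int "${1%/*}"); pa=${1#*/}
    b=$(ip4_to_int "${2%/*}"); pb=${2#*/}
    p=$pa; if [ "$pb" -lt "$p" ]; then p=$pb; fi
    m=$(mask_int "$p")
    if [ $(( a & m )) -eq $(( b & m )) ]; then echo yes; else echo no; fi
}

# in_cidr IP A/n -> yes|no
in_cidr() {
    i=$(ip4_to_int "$1")
    n=$(ip4_to_int "${2%/*}"); m=$(mask_int "${2#*/}")
    if [ $(( i & m )) -eq $(( n & m )) ]; then echo yes; else echo no; fi
}

# check_addressing LAN_CIDR TUNNEL_CIDR INSTANCE_ADDR PEER_ADDR -> "ok" or a
# reason. Catches the mistakes from the thread: a tunnel subnet that collides
# with the LAN (e.g. 192.168.1.x for both), or a peer address outside the tunnel.
check_addressing() {
    if [ "$(cidr_overlaps "$1" "$2")" = yes ]; then
        echo "tunnel subnet $2 overlaps LAN $1; use a separate range"; return 1
    fi
    if [ "$(in_cidr "$3" "$2")" = no ] || [ "$(in_cidr "$4" "$2")" = no ]; then
        echo "instance and peer tunnel addresses must be inside $2"; return 1
    fi
    if [ "$3" = "$4" ]; then
        echo "peer address must differ from the instance address"; return 1
    fi
    echo ok
}

# make_client_conf PEER_ADDR/32 PEER_PRIVKEY INSTANCE_PUBKEY DDNS_HOST LAN_CIDR DNS TUNNEL_CIDR
# Split tunnel: only the LAN and the tunnel subnet are routed through WireGuard.
# Use "AllowedIPs = 0.0.0.0/0" instead to send all phone traffic home.
make_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $2
Address = $1
DNS = $6

[Peer]
PublicKey = $3
Endpoint = $4:51820
AllowedIPs = $5, $7
PersistentKeepalive = 25
EOF
}

# Demo with the thread's subnets and placeholder identities (assumed values).
LAN=192.168.1.0/24
TUNNEL=172.16.16.0/24
INSTANCE_ADDR=172.16.16.1   # OPNsense instance tunnel address (assumed)
PHONE_ADDR=172.16.16.2      # first peer; OPNsense picks this automatically
check_addressing "$LAN" "$TUNNEL" "$INSTANCE_ADDR" "$PHONE_ADDR"
make_client_conf "$PHONE_ADDR/32" '<phone-private-key>' \
    '<opnsense-instance-public-key>' home.example.net "$LAN" 192.168.1.1 "$TUNNEL"
```

On the OPNsense side the matching peer entry carries the phone's public key and AllowedIPs 172.16.16.2/32 (the address the generator fills in). When testing from the phone, look at the handshake first: if no handshake ever appears, the UDP packet is not reaching OPNsense (wrong endpoint or stale DDNS record, missing WAN rule for 51820, or CGNAT in front of the WAN); if the handshake succeeds but 192.168.1.x is unreachable, the problem is the WireguardHome interface rule (it must allow traffic from 172.16.16.0/24 to the LAN and to the DNS server) or the client's AllowedIPs.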