This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.
Prerequisites:
- OPNsense version must be 26.1 or newer
- You will need a WireGuard config for the location you selected in the WireGuard generator
Setup:
- Open OPNsense at "192.168.1.1" (by default)
- Log in (username is "root" and password is "opnsense" by default)
- Go to VPN → WireGuard → Peers
- Add a Peer
- Enter the name of your WireGuard configuration in the "Name" field (for example: xeovo-fi)
- Open your WireGuard config (for example: xeovo-fi.conf)
- Copy and paste the Public Key (for example: xfh8/RmqPebvYvYmO89L9mR6X0Ff+bU4aE8Vb3XWlzA=)
- Copy and paste the Allowed IPs (0.0.0.0/0,::/0)
- Copy and paste the Endpoint address without the port (for example: fi.gw.xeovo.com)
- Copy and paste the Endpoint port (for example: 51820)
- Save the Peer
- Go to the "Instances" tab
- Add an Instance
- Click "Advanced Mode"
- Enter the name of your WireGuard configuration in the "Name" field (for example: xeovo-fi)
- Copy and paste the PrivateKey into the "Private Key" (for example: gA3Xb8mR9KeVbYv2Om89L9mR6X0Ff+bU4aE8Vb3XWlzA=)
- Enter "51820" in the "Listen Port"
- Copy and paste the DNS into the "DNS servers" (for example: 10.0.0.20,fd64:e20:68a2::20)
- Copy and paste the Address into the "Tunnel Address" (for example: 10.134.162.183,fd64:e20:68a3::6:a2b7)
- In Peers, select the previously created Peer (for example: xeovo-fi)
- Save the Instance
- Check the "Enable WireGuard" box, then click "Apply"
- Go to VPN → WireGuard → Status
- The connection status must be OK. Check the "Handshake Age"; it should show a value
- Go to Firewall → NAT → Outbound
- Select the "Hybrid outbound NAT rule generation" mode and click "Save"
- Add a Rule
- In Interface, select "WireGuard (Group)"
- In Source address, select "LAN net"
- In Translation / target, select "Interface Address"
- Save the Rule
- Apply changes
- Verify the VPN connection by visiting DoesMyVPN.work
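
The Peer and Instance steps above copy values out of the WireGuard config by hand. The following is an added example, not part of the original guide, that parses a config and returns the value for each OPNsense field, including the Endpoint split into address and port. The sample config is constructed from the guide's example values, and the function names are hypothetical.

```python
# Added example. SAMPLE_CONF is constructed from the guide's example values; function names are hypothetical.
SAMPLE_CONF = """\
[Interface]
PrivateKey = gA3Xb8mR9KeVbYv2Om89L9mR6X0Ff+bU4aE8Vb3XWlzA=
Address = 10.134.162.183,fd64:e20:68a3::6:a2b7
DNS = 10.0.0.20,fd64:e20:68a2::20
[Peer]
PublicKey = xfh8/RmqPebvYvYmO89L9mR6X0Ff+bU4aE8Vb3XWlzA=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = fi.gw.xeovo.com:51820
"""

def parse_wg_conf(text):
    """Parse a single-peer WireGuard config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments; blank lines match nothing below
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # split once: base64 keys end in '='
            current[key.strip().lower()] = value.strip()
    return sections

def split_endpoint(endpoint):
    """Split 'host:port' or '[IPv6]:port' into (host, port) for the two Peer fields."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"Endpoint must include a port: {endpoint!r}")
    return host.strip("[]"), int(port)

def opnsense_fields(text, name):
    """Return the values to enter on the Peers and Instances tabs."""
    conf = parse_wg_conf(text)
    iface, peer = conf["interface"], conf["peer"]
    host, port = split_endpoint(peer["endpoint"])
    return {
        "peer": {"Name": name, "Public Key": peer["publickey"],
                 "Allowed IPs": peer["allowedips"],
                 "Endpoint address": host, "Endpoint port": port},
        "instance": {"Name": name, "Private Key": iface["privatekey"],
                     "DNS servers": iface.get("dns", ""),
                     "Tunnel Address": iface["address"], "Peers": name},
    }

if __name__ == "__main__":
    for tab, fields in opnsense_fields(SAMPLE_CONF, "xeovo-fi").items():
        for label, value in fields.items():
            print(tab, label, "<hidden>" if label == "Private Key" else value, sep=" | ")
```

When run directly, the script prints each field per tab and hides the private key so it does not end up in terminal scrollback or logs.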