Manually Generate Wireguard Peer in OPNsense
This guide details how to manually (not using the Peer Generator) generate a new Wireguard peer in OPNsense.
Requirements
The wireguard-tools package must be installed to generate the public and private keys.
1. Create a Peer
- Generate a new public and private key with:
  wg genkey | tee privatekey | wg pubkey > publickey
  This creates two files in the current directory, privatekey and publickey. Keep both for later: the public key is what you enter in OPNsense, the private key is secret and belongs only in the client config.
- In the OPNsense UI go to VPN > WireGuard > Peers and click the + to add a new peer.
- Fill in the details:
  - Name: Enter a name for the peer
  - Public key: Paste the public key you generated earlier
  - Pre-shared key: Generate a key if desired and save it for later
  - Allowed IPs: Specify the IP address or subnet this peer is allowed to use (e.g., 10.0.60.2/32). Check your existing peers to ensure it is not already in use
  - Endpoint address: Leave blank if the client will be roaming
  - Endpoint port: Leave blank
  - Instances: Choose the appropriate instance
  - Keepalive: Can be left blank
- Save the configuration.
2. Create the WireGuard Config File
- Create a new file called <NAME>.conf. You can choose the name.
- Copy and paste the contents from below into the file and update the values:
  Replace private-key, opnsense-public-key, preshared-key, and opnsense-public-ip with the appropriate values.
  For AllowedIPs, setting 0.0.0.0/0 routes all IPv4 traffic through the VPN connection. If only access to internal resources is required and internet traffic should not go through the tunnel, list those subnets instead, e.g. 10.0.60.0/24, 10.0.70.0/24.
- Import the .conf file into the VPN connection settings on the client device and test the connection.
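The two steps above, scripted end to end, as an added example (this is not part of the guide and not OPNsense's own tooling): key generation as the guide does it but with file permissions restricted to the owner, a format check to catch a truncated or wrong-file paste before a key goes into OPNsense or the .conf, and a function that renders the client config from the placeholder values the guide names. The instance listen port (51820, WireGuard's default) and the PersistentKeepalive value are assumptions not stated in the guide; the wg binary from wireguard-tools is only needed by gen_keys.

```sh
#!/bin/sh
# Added example, not from the guide. Assumes wireguard-tools (wg) is installed;
# only gen_keys calls it, the other functions are plain POSIX sh.

# Generate privatekey, publickey and presharedkey into directory $1.
# The body runs in a subshell so umask 077 stays local: the key files are
# created owner-readable only, instead of world-readable as a bare
# "wg genkey | tee privatekey" would leave them with a default umask.
gen_keys() (
  umask 077
  mkdir -p "$1"
  wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey"
  wg genpsk > "$1/presharedkey"
)

# A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus '='.
# Returns 0 when the string has that shape, 1 otherwise. Run it on a key
# before pasting it into the OPNsense peer entry or the client .conf.
check_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Render the client config. Positional arguments use the guide's names:
#   $1 private-key          $2 client address (the Allowed IP set on the peer)
#   $3 opnsense-public-key  $4 preshared-key
#   $5 opnsense-public-ip   $6 instance listen port (assumed; 51820 is the default)
#   $7 AllowedIPs for the tunnel (0.0.0.0/0, or a list of internal subnets)
# PersistentKeepalive = 25 is a common client-side setting for a roaming
# client behind NAT; it is an assumption here, the guide does not specify it.
render_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $2

[Peer]
PublicKey = $3
PresharedKey = $4
Endpoint = $5:$6
AllowedIPs = $7
PersistentKeepalive = 25
EOF
}

# Usage (placeholders in angle brackets are values you collect from OPNsense):
#   gen_keys ./peer1
#   check_key "$(cat ./peer1/publickey)" || echo "public key is malformed"
#   render_conf "$(cat ./peer1/privatekey)" 10.0.60.2/32 "<opnsense-public-key>" \
#     "$(cat ./peer1/presharedkey)" "<opnsense-public-ip>" 51820 0.0.0.0/0 > peer1.conf
```

The rendered file contains the private key and the pre-shared key, so write it with the same restrictive umask as the key files and delete it from the machine that generated it once it has been imported on the client.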