Configure Wireguard

Lightweight VPN

Install packages

Fully update OpnSense and install the os-Wireguard package. You'll find the packages in System->Firmware->Plugins

Configure the WireGuard server

Reload the web interface and open VPN->WireGuard
In the General tab, enable wireguard
In the Local tab, add a server. Set a Listen Port - The port your incoming UDP connections, e.g. 51820. Also set a DNS Server e.g.
The Tunnel Address is a network you select, e.g.
They public and private keys will be generated automatically once you save.
(return once you have configured the clients to add them to the Peers field).

Configure the WireGuard client list

Go to the Endpoints tab and add your first Endpoint/client.
Select a Name and configure the port you use as listen port - e.g. 51820.
Configure an allowed IP in the range you configured earlier, e.g.
They public key is the one you generate on the client device.

Configuring Client device (android used here)

Install the official WireGuard client.
Click the plus and Create from scratch
First, configure the interface section (this is the client info)
Set a Name and auto-generate a Public key (you need this on the server's client configuration)
Select the address you configured on the server's client config e.g. Set a DNS like
Set the listen port - e.g. 51820.

Now add a peer (this is the server you are connecting to)
In Public Key you should enter the public key generated on the entry in the Local tab in OpnSense - your server's public key.
Allowed IPs can be set to, ::/0 if you don't want to restrict what IPs should be reachable via the connection.
The Endpoint is where you want to connect to - e.g. or

Open the UDP port and forward to the server

Go to Firewall->NAT->Port Forward and add a rule to allow traffic to your WireGuard server from the internet.

  1. Select the WAN interface
  2. Select UDP
  3. Destination IP: your WAN IP
  4. Destination port: 51820 or whatever you use
  5. Redirect target IP: Your OpnSense LAN ip - or whatever it is set to
  6. Description: Just call it WireGuard or something

Allow traffic from WireGuard LAN to LAN

Go to Firewall->Rules->Wireguard->Add

  1. Source: Wireguard Net
  2. Description: WG something something...

Save and apply.

Go to Firewall->NAT->Outbound

  1. Set the mode to Hybrid outbound NAT rule generation (save and apply)
  2. Add a manual rule
  3. Set interface to WAN
  4. Set Source Address to WG net

Allow traffic from WireGuard LAN to WAN

Go to Interfaces->Assignments and select the wg0 in the New Interface dropdown and add it. Press Save.
Open the interface, rename it from OPT1 to WG, enable and tick Prevent interface removal. Save and apply changes.

Restart OpnSense if no traffic is flowing.