how to set up wireguard service on opnsense


i’ve recently moved away from openWRT to OpnSense, and so far it has been a very positive move. opnsense seems like it’s meant to do the things i’m asking, where openWRT was just a bunch of disparate settings.

one of the biggest things in helping me troubleshoot this was the way that opnsense exposes the logs for wireguard: i can actually get some feedback from this OS.

so having gone through all that, i’ll try to recreate my steps, as a document for my reference and hopefully it can help someone understand the complete set of configuration needed for it.

while i understand that wireguard is a peer-to-peer service and there technically isn’t a “server-side”, i’m going to act as if it is, because in practice, that’s how it plays out with all the firewall settings and setting up instances. Something has to initiate the handshake — and that’s the client.

as always, my ‘documentation’ is a working document in progress, so it’s probably not going to be complete here for a while.

TOC:

  • create wireguard instance (or several)
  • create interfaces for the wireguard instances.
  • create wireguard peer (do it now, so we understand our goal better)
  • set up firewall:
    • NAT section:
      • port forwarding
      • outbound
    • rules section:
      • wan interface rules
      • wg interface rules
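the TOC above lists an instance, an interface, a peer and then the firewall pieces, and the easy mistakes are in how those tie together (the peer’s allowed IPs sitting outside the tunnel subnet, the client missing an endpoint, the WAN rule opening the wrong UDP port). the script below is an added example, not part of this post and not OPNsense code: it parses a wg-quick style instance config and a client config (the same fields the OPNsense instance and peer forms ask for) and derives the facts the firewall steps need. every key, address, hostname and port in it is a constructed placeholder, and `parse_wg`, `firewall_facts` and `check_roles` are names i made up for the example.

```python
"""
Added example (not from the original post): parse a WireGuard-style
instance ("server") config and a peer ("client") config, then derive the
firewall facts the post's TOC says you will need on OPNsense: the UDP port
to allow on WAN, the tunnel subnet for the wg interface rules and outbound
NAT, and a check that only the client side sets an Endpoint (the side that
initiates the handshake). All keys, addresses and ports below are
constructed placeholders, not values from the post.
"""
import ipaddress

# Constructed sample: the OPNsense-side instance. Placeholder keys.
SERVER_CONF = """
[Interface]
PrivateKey = <server-private-key-placeholder>
Address = 10.10.10.1/24
ListenPort = 51820

[Peer]
PublicKey = <laptop-public-key-placeholder>
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = <phone-public-key-placeholder>
AllowedIPs = 10.10.10.3/32
"""

# Constructed sample: one client (the side that initiates the handshake).
CLIENT_CONF = """
[Interface]
PrivateKey = <laptop-private-key-placeholder>
Address = 10.10.10.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.10.10.0/24
PersistentKeepalive = 25
"""


def parse_wg(text):
    """Parse INI-like WireGuard text. Unlike configparser, this keeps the
    repeated [Peer] sections: {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Interface":
                current = conf["Interface"]
            elif name == "Peer":
                current = {}
                conf["Peer"].append(current)
            else:
                raise ValueError(f"unknown section {name}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"bad line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return conf


def firewall_facts(server_conf):
    """Derive what the firewall steps need from the instance config: the UDP
    ListenPort for the WAN rule, the tunnel subnet for the wg interface rules
    and outbound NAT, and a check that every peer's AllowedIPs falls inside
    that subnet (otherwise the wg interface rules never match that peer)."""
    iface = ipaddress.ip_interface(server_conf["Interface"]["Address"])
    port = int(server_conf["Interface"]["ListenPort"])
    tunnel = iface.network
    for peer in server_conf["Peer"]:
        for cidr in peer["AllowedIPs"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if not net.subnet_of(tunnel):
                raise ValueError(f"peer AllowedIPs {net} outside tunnel {tunnel}")
    return {"wan_udp_port": port, "tunnel_subnet": str(tunnel),
            "peer_count": len(server_conf["Peer"])}


def check_roles(server_conf, client_conf):
    """The post treats one side as the 'server': it needs no Endpoint, while
    the client must have one pointing at the server's ListenPort (and a
    keepalive if it sits behind NAT). Returns a list of problems."""
    problems = []
    if any("Endpoint" in p for p in server_conf["Peer"]):
        problems.append("server peers should not set Endpoint")
    port = server_conf["Interface"]["ListenPort"]
    for peer in client_conf["Peer"]:
        ep = peer.get("Endpoint")
        if ep is None:
            problems.append("client peer lacks Endpoint, it cannot initiate")
        elif ep.rsplit(":", 1)[-1] != port:
            problems.append(f"client Endpoint port {ep} != ListenPort {port}")
        if "PersistentKeepalive" not in peer:
            problems.append("client behind NAT should set PersistentKeepalive")
    return problems


if __name__ == "__main__":
    server = parse_wg(SERVER_CONF)
    client = parse_wg(CLIENT_CONF)
    print(firewall_facts(server))
    print(check_roles(server, client) or "roles consistent")
```

the output of `firewall_facts` is exactly the list i end up typing into the firewall pages: the WAN rule is UDP to `wan_udp_port`, and the wg interface rules and outbound NAT use `tunnel_subnet` as the source network. `check_roles` only enforces the “client initiates” convention from above; both sides can technically carry an Endpoint, but keeping it on the client side keeps the firewall picture simple.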
