IT BlogOPNsense Setup: Basic Guide
OPNsense is a powerful open-source firewall and routing platform based on FreeBSD.
1.1 Installing as VM
Download the ISO
- Architecture: amd64
- Image type: DVD ISO
General VM Settings
- OS Type โ FreeBSD (64-bit)
| Option | Minimum | My conf | Recommended |
|---|---|---|---|
| CPU | 1 cores | 2 cores | multi core |
| Memory | 512 MB | 2 GB | โฅ 4 GB |
| Disk Size | 8 GB | 16 GB | 120 GB |
First-time login credentials:
- Username:
installer - Password:
opnsense
After logging in, the system will automatically launch the text-based installer.
- Accept license and keyboard layout
- Choose Install (UFS) or (ZFS)
- Select target disk
- Set a new password for the root user
- Wait for installation to complete
- Remove the ISO and reboot
1.2 First Login to OPNsense
After reboot, you can log:
- From LAN network: https://opnsense.localdomain or https://192.168.1.1
- From WAN we need disable Firewall (Shell):
pfctl -d
Default credentials:
- Username:
root - Password:
opnsense
๐ System > Wizard
-
General Setup
- Set hostname, domain (optional), and DNS servers.
- Select your time zone.
- Configure interfaces (WAN / LAN).
- Set a new root password.
1.3 Configure WEB access from WAN
๐ Firewall > Rules > WAN
- add new Rule
- Protocol: TCP
- Destination: WAN address
- Destination port range
- From: (other) 8080
- To: (other) 8080
๐ System > Settings > Administration
- Protocol: HTTPS access
- TCP Port: 8080
๐ System > Firmware > Plugins
- Install os-vmware
1.4 System Updates and Backup Configuration
๐ System > Firmware > Status
Click Check for updates โ then Apply updates.
๐ System > Configuration > Backups
Download a local .xml backup of your configuration.
You can also enable automatic backups to cloud services like Google Drive, Nextcloud, etc.
Useful Resources
2.1 WireGuard Site-to-Site VPN Setup
WireGuard is a fast and modern VPN solution known for its simplicity and performance.
โ What Youโll Need
- Two OPNsense firewalls with internet access (Site A and Site B)
- Static or dynamic public IPs (DDNS works)
- Site A -> WAN IP 203.0.113.1 and LAN IP 192.168.1.1/24
- Site B -> WAN IP 203.0.113.2 and LAN IP 192.168.2.1/24
- WireGuard plugin installed (os-wireguard)
2.2 Create WireGuard Instance
๐ VPN > WireGuard > Instances
- Click + Add to create a new instance.
- Enabled
- Name: site-a on Site A / site-b on Site B
- Click โ๏ธ
Generate new keypair - Listen Port 51820
- Tunnel Address
- Site A: 10.2.2.1/24
- Site B: 10.2.2.2/24
- Peers: it will be needed after peer created
๐พ Press Save and Apply
โ ๏ธ After saving, copy the Public Key. You’ll need it on the remote site.
2.3 Configure Peer
๐ VPN > WireGuard > Peers
- Click + Add to create a new peer.
- Enabled
- Name: site-b on Site A / site-a on Site B
Public Keyof the remote site- Allowed IPs: remote local subnet and Instance IP
- On Site A: 10.2.2.2/32 192.168.2.0/24
- On Site B: 10.2.2.1/32 192.168.1.0/24
- Endpoint Address: remote WAN IP (or DDNS)
- On Site A: 203.0.113.2
- On Site B: 203.0.113.1
- Endpoint Port: 51820
๐พ Press Save and Apply
โ ๏ธ Now go back to Instances, edit your instance, and add this peer to Peers.
๐พ Press Save and Apply
- Enable WireGuard and ๐พ Press Apply
2.4 Create Interfaces
๐ Interfaces > Assignments
- Assign the new WireGuard interface (wg0)
- Enable it:
- Set name: WG_SITEA / WG_SITEB
๐พ Press Save and Apply
2.5 Set Up Firewall Rules
๐ Firewall > Settings > Normalization
- Interface: WireGuard (Group)
- Direction: Any
- Protocol: any
- Source: any
- Destination: any
- Destination port: any
- Description: Wireguard MSS Clamping
- Max mss: 1380 or lower, subtract at least 40 bytes from the Wireguard MTU
๐ Firewall > Rules > WAN
- Action: Pass
- Interface: WAN
- Direction: In
- TCP/IP Version: IPv4
- Protocol: UDP
- Source: Remote WAN IP
- On Site A: 203.0.113.1
- On Site B: 203.0.113.2
- Destination: WAN address
- Destination port: 51820
- Description:
- On Site A: Allow Wireguard from Site B to Site A
- On Site B: Allow Wireguard from Site A to Site B
๐ Firewall > Rules > LAN
- Action: Pass
- Interface: LAN
- Direction: In
- TCP/IP Version: IPv4
- Protocol: Any
- Source: Remote LAN IP
- On Site A: 192.168.2.0/24
- On Site B: 192.168.1.0/24
- Destination: LAN net
- Destination port: 51820
- Description:
- On Site A: Allow LAN Site B to LAN Site A
- On Site B: Allow LAN Site A to LAN Site B
๐ Firewall > Rules > Wireguard (Group)
- Action: Pass
- Interface: Wireguard (Group)
- Direction: In
- TCP/IP Version: IPv4
- Protocol: Any
- Source: Remote LAN IP
- On Site A: 192.168.2.0/24
- On Site B: 192.168.1.0/24
- Destination: LAN net
- Destination port: 51820
- Description:
- On Site A: Allow LAN Site B to LAN Site A
- On Site B: Allow LAN Site A to LAN Site B
๐ VPN > WireGuard > Status
โ Check for handshake and endpoint status.
๐ Interfaces > Diagnostics > Ping
- Try pinging remote LAN IP (e.g., from 192.168.1.1 โ 192.168.2.1)
Useful Resources
3.1 IPsec VPN for iOS and macOS
This guide walks you through the setup of an IPsec VPN server on OPNsense that works with iOS and macOS devices.
Tested with:
- OPNsense 23.1.7_3 โ 24.7.5_3
- iOS 16+
- macOS Monterey+
๐ฅ 3.1 (Optional) Create a VPN Group
System โ Access โ Groups โ Add
- Group name: VPN
- Description: VPN users
๐ค 3.2 Create a VPN User
System โ Access โ Users โ Add
- Username: vpnuser
- Password: [secure password]
- Member Of: VPN (optional, if you created the group)
๐ 3.3 Configure IPsec Mobile Clients
VPN โ IPsec โ Mobile Clients
- โ Enable IPsec Mobile Client Support
- Backend for authentication: Local Database
- Enforce local group: VPN (optional)
IP Address Pool
- โ Provide a virtual IPv4 address
- Address Pool: 192.168.2.0/24
DNS Servers
-
โ Provide DNS server list
- Server 1: 192.168.1.1 (local router IP)
- Server 2: 8.8.8.8
- Server 3: 8.8.4.4
-
Phase 2 PFS Group: Off
-
Save and Apply changes
๐ 3.4 Create Phase 1
Click “Create Phase1” at the top blue bar.
- Connection method: default
- Key Exchange version: auto
- Interface: WAN
- Description: Mobile VPN
- Authentication: Mutual PSK + Xauth
- My identifier: My IP address
- Pre-Shared Key: [store securely]
Algorithms
- AES 256
- Hash: SHA256, SHA384, SHA512
- DH group: 2, 5, 14โ18
- โ Install policy
- NAT Traversal: Enable
- Lifetime: 28800
- Save and Apply changes
๐ 3.5 Create Phase 2
VPN โ IPsec โ Tunnel Settings
Click โ in Commands column of Phase 1 row.
- Mode: Tunnel IPv4
- Type: Network
- Address: 0.0.0.0/0
- Protocol: ESP
- Encryption: AES128, AES192, AES256
- Hash: SHA256, SHA384, SHA512
- PFS: Off
- Lifetime: 3600
- Save and Apply
โ 3.6 Enable IPsec
VPN โ IPsec โ Tunnel Settings
- โ Enable IPsec (bottom of page)
- Apply changes
๐ฅ 3.7 Configure Firewall: WAN Rules
Firewall โ Rules โ WAN โ Add 3 rules:
- Protocol: ESP โ Destination: WAN โ Description: IPsec ESP
- Protocol: TCP/UDP โ Port: ISAKMP (500) โ Description: IPsec ISAKMP
- Protocol: UDP โ Port: NAT-T (4500) โ Description: IPsec NAT-T
โ Apply changes
๐ 3.8 Configure Firewall: IPsec Rules
Firewall โ Rules โ IPsec
- Protocol: Any
- Source: Any
- Destination: Any
โ Apply changes
๐ 3.9 Outbound NAT
Firewall โ NAT โ Outbound
- Mode: Automatic outbound NAT
- Confirm
192.168.2.0/24is listed
๐ก 3.10 Allow DNS from VPN
Services โ Unbound DNS โ Access Lists โ Add
- Access List name: 192.168.2.0/24
- Action: Allow
- Network: 192.168.2.0/24
- Description: VPN DNS access
- Save and Apply
๐ 3.11 (Optional) Allow Multi-Device Connections
In Phase 1, set:
- Unique ID:
no
This allows one user to connect from multiple devices.
๐ฒ 3.12 iPhone VPN Configuration
Settings โ VPN โ Add VPN Configurationโฆ
- Type: IPsec
- Server: [OPNsense public IP]
- Account: vpnuser
- Password: [user password]
- Secret: [Pre-Shared Key]
- Leave “Group Name” empty
๐ป 3.13 macOS VPN Configuration
System Preferences โ Network โ + โ Interface: VPN
- VPN Type: Cisco IPSec
- Server Address: [OPNsense public IP]
- Account Name: vpnuser
- Password: [user password]
- Shared Secret: [Pre-Shared Key]
โ Save and Connect
๐ก Troubleshooting
- If DNS doesnโt work โ try restarting the router
- Double-check firewall and mobile client settings
- Use strong, unique Pre-Shared Keys and passwords
๐ Published on blog.topli.ch