These steps allow you to install an Opnsense system from scratch and connect it to ProtonVPN using Wireguard.


1. Download Opnsense

Download opnsense. Select image type DVD.

Extract to bz2 to obtain the iso file.

Burn isoto a USB drive (if needed). For this, I use ether, as it’s an AppImage that doesn’t require any installation. It might give a warning saying that the image might not be bootable (you can ignore that).

2. Boot ISO

Boot opnsense ISO and login with with user installer password opnsense to start installation process.

Select the filesystem:

3. Initial configuration

Once Opnsense is install login as root with password opnsense.

Select 2 the enter your desired interface IP address.

4. Login with browser

Login with the browser to your new IP address.

On the first login you will be asked tostart the General Setup Wizard

5. Add gateway so opnsense has Internet access

Go to System > Gateways > Single and click Add.

I added a name, ip address and enabled “upstream gateway”.

Click on Save and then Apply changes.

6. update system

Now that my OpnSense has Internet I can update my system.

System –> Firmware –> Updates

7. Install os-wireguard plugin

system-firmware-plugins. Install os-wireguard

8. Go to ProtonVPN

Generate a wireguard config file from my Proton VPN account.

9. Add new endpoint

Go to VPN > Firewall > WireGuard > Endpoints and click Add

And enter:

Name:               <whatever you want>
Public Key:         <The PublicKey in the Peer section of the ProtonVPN config file>
Shared Secret:      <empty>
Allowed IPs:
Endpoint Address:   <The Endpoing IP in the Peer section of the ProtonVPN config file>
Endpoint Port:      <The Endpoing Port in the Peer section of the ProtonVPN config file>

10. Login the shell

You can do this remotely by first enabling Secure Shell in System > Settings > Administration, and activating the checkboxes Enable Secure Shell, Permit lroot user login and Permit password login that are disabled by default. Highly recommended to disable them this.

You can also login locally with the root user and enter option 8 Shell:

The ProtonVPN config file you generated in the previous step will contain a Private Key of the Interface and Public Key of the Peer. We need to obtain the Public Key of the Interface that can be obtained from the Private Key of the Interface.

For this, in the shell enter:

echo PrivateKeyofInterface | wg pubkey

11. Add Local

Click on VPN–> Wireguard -> Local –> Add

Enable Advanced mode the view more config options.

And fill out:

Name:                <whatever you want>
Public Key:          <empty>
Private Key:         <empty>
Listen Port:         <Select a unique port for each tunnel>
MTU:                 1412
DNS Server:          <empty>
Tunnel Address:
Peers:               <Endpoint we just created>
Disable Routes:      Checked
Gateway:             <Select a unique IP for each tunnel>

When we leave the Public Key and Private Key fields empty, wireguard will generate them automatically (we will change them later).

The tunnel address mask provided by ProtonVPN is /32, which should also work, but if we want to use multiple tunnels we need a more open range like /28

12. Enable Wireguard

Con VPN > Wireguard > General activate Enable WireGuard and click Apply.

If you then go to VPN > Wireguard > Status and Handshake you should see the connection and data being sent and received.

13. Edit Local Configuration

Go again to VPN > Wireguard > Local , edit the tunnel.

You will see that Wireguard created a Public Key and Private Key.

Replace them with the Private Key in the Interface section of the ProtonVPN config file and Public Key we generated in the console earlier.

14. Create Interface

Go to `Interfaces > Assignments

Select the new interface that will appear and click Add and then Save.

15. Enable Interface

Go to Interfaces > MynewInterface (for example OPT1)

Enable the new interface and click Save and then Apply changes.

16. Add Gateway

Go to System > Gateways > Single, click Add.

Enter the following settings:

Name:               <Your choice>
Interface:          <The newly created Interface, like OPT1>
Address Family:     IPv4
IP address:         <The Peer Endpoint in my Proton config file>
Upstream Gateway:   Unchecked
Far Gateway:        Checked
Disable Gateway Monitoring: Unchecked

Save and apply changes.

17. Firewall Aliases

Go to Firewall > Aliases

Add a new alias with the following:

Add a new alias to the group of IPs that will use this gateway.

18. Configure NAT

Go to Firewall > NAT > Outbound and select Hybrid outbout NAT rule generation, click Save and Apply changes.

Add a new rule with:

Interface:      <Your new Wireguard Interface>
Source Address: <The Alias you wish to route>

Save and Apply.

19. Firewall rule for local IPs

Go to Firewall > Rules > LAN

More info

More info in Opnsense docs

Official docs still don’t have the steps needed for Opnsense, but can help you for troubleshooting and more info.

Appendix. Adding a second Wireguard Endpoint

You can add multiple wireguard endpoints. So for example, some of your hosts can use a VPN in one country and other on another country.

For this:

  1. Generate a new config file for your desired configuration.
  2. Add the new endpoint on VPN > Wireguard > Endpoints
  3. Add the new local on VPN > Wireguard > Local
  4. For the hosts you want to connect to the secondary VPN edit the Firewall > Rules > LAN and the Firewall > NAT > Outbound