Opnsense - Configuring ProtonVPN with Wireguard
These steps allow you to install an Opnsense system from scratch and connect it to ProtonVPN using Wireguard.
- 1. Download Opnsense
- 2. Boot ISO
- 3. Initial configuration
- 4. Login with browser
- 5. Add gateway so opnsense has Internet access
- 6. update system
- 7. Install os-wireguard plugin
- 8. Go to ProtonVPN
- 9. Add new endpoint
- 10. Login the shell
- 11. Add Local
- 12. Enable Wireguard
- 13. Edit Local Configuration
- 14. Create Interface
- 15. Enable Interface
- 16. Add Gateway
- 17. Firewall Aliases
- 18. Configure NAT
- 19. Firewall rule for local IPs
- More info in Opnsense docs
- Appendix. Adding a second Wireguard Endpoint
1. Download Opnsense
Download OPNsense and select the image type DVD. Decompress the .bz2 to obtain the .iso and write the .iso to a USB drive (if needed). For this, I use Etcher, as it’s an AppImage that doesn’t require any installation. It might give a warning saying that the image might not be bootable (you can ignore that).
2. Boot ISO
Boot the OPNsense ISO and log in with the installer user (password opnsense) to start the installation process.
Select the filesystem:
3. Initial configuration
Once OPNsense is installed, log in as root with the root password (the default is opnsense unless you changed it during installation).
Select option 2, then enter your desired interface IP address.
4. Login with browser
Log in with the browser to your new IP address.
On the first login you will be asked to start the General Setup Wizard.
5. Add gateway so opnsense has Internet access
Go to System > Gateways > Single and click Add.
I added a name, IP address and enabled “upstream gateway”.
Save and then apply the changes.
6. update system
Now that my OpnSense has Internet I can update my system.
System > Firmware > Updates
7. Install os-wireguard plugin
8. Go to ProtonVPN
Generate a WireGuard config file from your ProtonVPN account. It contains an Interface section (with the PrivateKey and Address) and a Peer section (with the PublicKey, AllowedIPs and Endpoint), which the following steps refer to.
9. Add new endpoint
Go to VPN > Wireguard > Endpoints, click Add and fill out:
- Name: <whatever you want>
- Public Key: <the PublicKey in the Peer section of the ProtonVPN config file>
- Shared Secret: <empty>
- Allowed IPs: 0.0.0.0/0
- Endpoint Address: <the Endpoint IP in the Peer section of the ProtonVPN config file>
- Endpoint Port: <the Endpoint port in the Peer section of the ProtonVPN config file>
10. Login the shell
You can do this remotely by first enabling Secure Shell in System > Settings > Administration and activating the checkboxes Enable Secure Shell, Permit root user login and Permit password login, which are disabled by default. It is highly recommended to disable these again once you are done.
You can also log in locally as the root user and enter option 8 (Shell).
The ProtonVPN config file you generated in the previous step contains the Private Key of the Interface and the Public Key of the Peer. We also need the Public Key of the Interface, which can be derived from the Private Key of the Interface.
For this, in the shell enter:
echo <PrivateKeyOfInterface> | wg pubkey
Keep in mind that a private key passed on the command line like this may end up in the shell history.
11. Add Local
Click on VPN > Wireguard > Local > Add.
Switch to advanced mode to view more config options, and fill out:
- Name: <whatever you want>
- Public Key: <empty>
- Private Key: <empty>
- Listen Port: <select a unique port for each tunnel>
- MTU: 1412
- DNS Server: <empty>
- Tunnel Address: 10.2.0.2/28
- Peers: <the Endpoint we just created>
- Disable Routes: checked
- Gateway: <select a unique IP for each tunnel>
When we leave the Public Key and Private Key fields empty, WireGuard will generate them automatically (we will change them later).
The tunnel address mask provided by ProtonVPN is /32, which should also work, but if we want to use multiple tunnels we need a more open range like /28.
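As an added example (not from the original post), here is a small Python script that reads a ProtonVPN WireGuard .conf, derives the Interface Public Key the same way `wg pubkey` does (X25519 per RFC 7748, implemented in pure Python so it runs without wg installed) and lists the values for the Endpoint form of step 9 and the Local form of step 11, widening the /32 tunnel address to the /28 used above. The sample config, the 203.0.113.10 endpoint and the all-A peer key are constructed; the Interface key is the RFC 7748 test vector, not a real ProtonVPN key.

```python
import base64
import configparser
P, A24 = 2**255 - 19, 121665   # Curve25519 field prime and (A-2)/4 from RFC 7748

def x25519_base(private: bytes) -> bytes:
    """Clamped scalar times base point u=9: the value `wg pubkey` prints."""
    assert len(private) == 32, "WireGuard keys are exactly 32 bytes"
    k = bytearray(private)
    k[0] &= 248; k[31] &= 127; k[31] |= 64   # RFC 7748 clamping
    k = int.from_bytes(k, "little")
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):             # Montgomery ladder, RFC 7748 section 5
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key_b64(private_b64: str) -> str:
    return base64.b64encode(x25519_base(base64.b64decode(private_b64))).decode()
def opnsense_fields(conf_text: str, listen_port: int, tunnel_mask: int = 28) -> dict:
    """Map a ProtonVPN .conf onto the Endpoint (step 9) and Local (step 11) forms."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                     # keep PrivateKey etc. as written
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, port = peer["Endpoint"].rsplit(":", 1)
    priv = iface["PrivateKey"].strip()
    return {
        "endpoint": {"Public Key": peer["PublicKey"], "Allowed IPs": peer["AllowedIPs"],
                     "Endpoint Address": host, "Endpoint Port": int(port)},
        "local": {"Public Key": public_key_b64(priv), "Private Key": priv,
                  "Listen Port": listen_port, "MTU": 1412, "Disable Routes": True,
                  "Tunnel Address": iface["Address"].split("/")[0] + f"/{tunnel_mask}"}}
# Constructed sample in ProtonVPN's layout: RFC 7748 test key, placeholder peer/endpoint.
SAMPLE_CONF = """[Interface]
PrivateKey = dwdtCnMYpX08FsFyUbJmRd9ML4frwJkqsXf7pR25LCo=
Address = 10.2.0.2/32
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""
```

Run opnsense_fields(open("proton.conf").read(), listen_port=51820) on a real file; if the Local Public Key it returns differs from what `wg pubkey` prints, the PrivateKey line was not copied intact.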
12. Enable Wireguard
In VPN > Wireguard > General activate Enable WireGuard and click Apply.
If you then go to VPN > Wireguard > Status and look at the Handshake, you should see the connection and data being sent and received.
13. Edit Local Configuration
Go again to VPN > Wireguard > Local and edit the tunnel.
You will see that WireGuard created a Public Key and a Private Key.
Replace them with the Private Key in the Interface section of the ProtonVPN config file and the Public Key we generated in the console earlier.
14. Create Interface
Go to Interfaces > Assignments.
Select the new interface that will appear, click Add and then Save.
15. Enable Interface
Go to Interfaces > MyNewInterface (for example OPT1).
Enable the new interface, click Save and then apply the changes.
16. Add Gateway
Go to System > Gateways > Single and click Add.
Enter the following settings:
- Name: <your choice>
- Interface: <the newly created interface, like OPT1>
- Address Family: IPv4
- IP address: <the Peer Endpoint in my Proton config file>
- Upstream Gateway: unchecked
- Far Gateway: checked
- Disable Gateway Monitoring: unchecked
Save and apply changes.
17. Firewall Aliases
Go to Firewall > Aliases.
Add a new alias containing the group of IPs that will use this gateway.
18. Configure NAT
Go to Firewall > NAT > Outbound, select Hybrid outbound NAT rule generation and click Save.
Add a new rule with:
- Interface: <your new WireGuard interface>
- Source Address: <the alias you wish to route>
Save and Apply.
19. Firewall rule for local IPs
Go to Firewall > Rules > LAN and add a rule for the alias from step 17 that uses the new gateway, so traffic from those hosts is routed through the tunnel.
More info in Opnsense docs
The official docs still don’t have the exact steps needed for OPNsense, but they can help with troubleshooting and more info.
Appendix. Adding a second Wireguard Endpoint
You can add multiple WireGuard endpoints, so for example some of your hosts can use a VPN in one country and others a VPN in another country.
- Generate a new config file for your desired configuration.
- Add the new endpoint in VPN > Wireguard > Endpoints.
- Add the new local in VPN > Wireguard > Local.
- For the hosts you want to connect to the secondary VPN, edit Firewall > Rules > LAN and Firewall > NAT > Outbound.