Securely Access Your Home Network with WireGuard VPN on OPNsense

  • Published on 12 Sep 2024
  • If you wish to access apps, services, and other devices on your home network remotely, you may set up a VPN server on your network.
    #OPNsense includes options for IPsec, OpenVPN, and WireGuard VPN. In this video, I will be demonstrating how to set up WireGuard VPN using the latest version of OPNsense and WireGuard. I will also show how to access a hosted web app behind the virtualized instance of OPNsense I am running, which should mimic accessing your home network remotely.
    Since OPNsense has updated its WireGuard web interfaces to include a peer generator, setting up WireGuard on OPNsense has never been easier!
    For a written version of this guide, please visit:
    homenetworkguy...
    Chapters:
    00:52 Set up the WireGuard VPN instance
    03:05 Adding peers/clients via the peer generator
    06:48 Set up a Linux WireGuard client
    10:57 Save the generated peer configuration
    12:16 Enable WireGuard instance
    12:38 Assign WireGuard interface
    13:53 Creating firewall rules for the WireGuard interface
    16:44 Create firewall rule on the WAN interface
    18:41 Testing the WireGuard client connection
    22:00 Creating a firewall rule for an example hosted web app
    EP52

Comments • 62

  • @J_xoshh
    several months ago +1

    I just wanted to say thank you for the OPNSense videos. I've been getting more involved with getting my home network more complex and you've been a huge help, I haven't had any hiccups *yet*

    • @homenetworkguy
      several months ago

      You’re welcome! Glad it has helped in your journey!
      Also it goes beyond just making things more complex (making things more complex without good reason is not always very helpful). Gradually increasing overall complexity while also attempting to minimize complexity where it’s not necessary can be tough to balance. If you work to slowly improve upon it over time, it can be both stable and relatively easy to maintain.

  • @LtColDavenport
    several months ago +1

    One of the videos I was still waiting for! Already set it up on my own, but I will gladly watch this in order to see if I made it right!!

    • @homenetworkguy
      several months ago +2

      I'm glad the wait is over! haha. I've been wanting to do a video on it for a while and thought it was a good time to do one since I updated the written version of my guide not long ago to get it up to date with the latest updates to WireGuard in OPNsense. Hopefully the demonstration on accessing an internal web app externally via the WireGuard VPN is useful since it shows a bit more of what you can do once you have the VPN configured.

  • @gamegoose1
    24 days ago

    What a video man 👏 I've been trying to set up my OPNsense vault and both your videos and written guides have been a life saver. Thanks!

    • @homenetworkguy
      24 days ago

      Thanks! I’m glad it was helpful!

  • @TheRealSebastian583
    17 days ago

    Thumbs up! Great video. One thing you could also mention is the NAT. I have manual NAT rule creation - everything in my local network worked but getting out to the internet did not. Then I remembered that I had this on manual and added a matching rule there. Just in case anybody else stumbles across that.

    • @homenetworkguy
      17 days ago

      Thanks! Yeah, I didn’t think about if you changed the default settings. I have more info about outbound NAT on my website guide.
      You could probably use Hybrid for outbound NAT so it would still generate the interface NAT rules but you can still create your own NAT rules. However, you may have a good reason to manually define all of your outbound NAT rules.

  • @intangiblesloth
    several months ago

    Thanks for all your videos. Helped my partner and I set up our badass network 😎

    • @homenetworkguy
      several months ago

      You’re welcome! I’m glad it helped you create an awesome network! Haha

  • @JasonsLabVideos
    several months ago

    NICE! I see qr code now for easy fast setup on mobile devices !! Nice work sir !

    • @homenetworkguy
      several months ago

      Thanks! I updated my written guide a while ago but hadn't done any WG videos on OPNsense yet so I figured it would be a good time to do one since they now include the peer generator which makes things much easier to set up.

  • @tx_slim_tx
    several months ago +1

    Is it possible to get a Full Tutorial on OPNsense Dynamic ISP Network (bare metal) with server (bare metal) Proxmox - Ubuntu(VM) - Docker/Portainer, Cloudflare DDNS, Wireguard, Nextcloud secure installation/setup? I might not be able to fund the video but would definitely donate a handful of coffees. I get lost trying to combine all of your videos together 😂.

    • @homenetworkguy
      several months ago +2

      Haha no problem! I understand. It’s hard to find a good balance of real world examples that fit in a reasonable amount of time for a video (sometimes I get criticized for including too many details/caveats/tangents so I have been trying to minimize that- it’s difficult to avoid). I definitely prefer to do real world homelab examples rather than short one off guides because you can see many concepts come together and can help make the concepts click.
      I have more of those type of videos planned (various OPNsense builds along with some switch/AP configurations) so I’m thinking maybe I could sneak some Proxmox in there as well since I have yet to combine my full network builds with a Proxmox server build in the same videos (or written content).

  • @kronosg13
    several months ago

    Tailscale wins for me but it's great to have a video for WireGuard anyway! Great job!

    • @homenetworkguy
      several months ago

      Thanks! I mostly only connect my phone to my home network via WireGuard so it's not a lot of effort to set up WG so I can connect directly to my home network. I know a lot of people love the ease of use of Tailscale.

    • @dustarian
      several months ago

      Somehow I had a ton of issues with Tailscale on my NAS, so I switched to WireGuard on my UDM SE, never encountered any problems since... I'm not saying that Tailscale is bad, loved it while it worked but once there's a problem, it's kinda hard to fix...

    • @homenetworkguy
      several months ago +1

      Yeah, I just like the simplicity of connecting a small number of clients directly to my home network. Once I got WG set up, it always just works.

  • @JoJ0TheHoBo
    23 days ago

    Quick question, if I was wanting to connect over WG to my Jellyfin server could I just add a rule above the privatenetwork invert that allows connections from WG Net to the specific Jellyfin IP and be generally okay security wise?

    • @homenetworkguy
      23 days ago +1

      Absolutely! Once you’re connected securely via WG, you can safely connect to anything on your network! On my network I can connect to my IP cameras that are on an isolated VLAN that doesn’t allow access to the Internet and it works great!

  • @ZombieLurker
    29 days ago

    I need some more ideas of what to setup in my Proxmox lab. I'm the only one on my network, so haven't really had any reason to need a separated lab network yet, besides VLANs. I'm caught up on all my smaller projects and want to start learning more security related things, so a separate network for that would probably be smart. Have you done an overview video on everything you have set up in your own lab yet? That would be cool to see, so I can steal some of your ideas. Haha.

    • @homenetworkguy
      29 days ago

      Haha yeah that could be interesting, but the funny thing is that I still have a lot of things in flux on my LAB VLAN because that’s where I try out several things. I’ve been meaning to establish a few things to be more permanent fixtures for that network. I’m working on building 2 test rackmount clients for speed testing devices, for instance. I do have one of my Proxmox nodes dedicated to testing as well. It has some OPNsense VMs as well as a few Linux VMs I can use as clients for testing. I have a few other containers I use to demonstrate setting up example apps/services on the network. I do have some more project ideas I’m working on for some videos soon too. I think I’m going to focus more on those type of videos than a basic setup of a specific feature because I like showing real world examples (likely more useful for learning and idea purposes).

  • @d4n3sh
    18 days ago

    Good walkthrough. Thanks

  • @frankenjeda
    several months ago

    Thank you so much for this video. Please could you also make a video for OpenVPN on OPNsense?

    • @homenetworkguy
      several months ago

      Glad you enjoyed the video! It would be possible to do OpenVPN but not sure when I would get to it because I have a lot of other project videos I want to do soon. It means more OPNsense builds to show different types of configurations!

  • @Kyonkun77
    several months ago

    Thank you very much for the video. I followed the steps and, after adding a rule in the firewall for WireGuard -> WAN, I was able to connect to internet. Now, this afternoon, I've tried again and no internet and looks like no handshake. There have not been any changes since this morning and suddenly it has stopped working. Any idea why?

    • @homenetworkguy
      several months ago

      The only thing I can think of is that your WAN IP address has changed since you first set up your WG connection. Once I have mine set up, I’ve never had issues connecting to it after that unless my public IP address is out of date.

  • @SonicNinja6600
    several months ago

    After following a bunch of guides, this was the one that worked for me. Thanks for the guide. Only issue I'm running into is trying to access my TrueNAS SMB share from the WireGuard connection. I made a rule to allow access to its IP but it keeps failing to connect. Do I need to do something different to get an SMB share to work?

    • @homenetworkguy
      several months ago

      I’m glad my guide worked! It’s good confirmation I didn’t accidentally miss any steps in the video.
      As for SMB, did you allow specific ports for SMB or all ports? Also in TrueNAS, make sure you don’t have the share limited to specific IP/network address ranges (or update them to include the WireGuard network IPs).

    • @SonicNinja6600
      several months ago

      @@homenetworkguy I haven't messed with any network settings in TrueNAS other than setting a static IP and made 2 SMB shares. I looked at Network

    • @homenetworkguy
      several months ago

      What ports did you allow in the firewall rules? TCP or UDP or both? “Any” would work but it’s better to use specific ports. Typically there is more than one port that needs opened for SMB/NFS shares. I’d have to look up the port numbers and protocol for each port for SMB. Don’t have it memorized off the top of my head.

    • @SonicNinja6600
      several months ago

      @@homenetworkguy I have it set for both TCP/UDP and "any" for ports. I have the same setup for another rule for my Docker IP and can access services like Jellyfin and Dashboard just fine.

    • @alexzan1858
      several months ago

      @@SonicNinja6600 "any" ... ooof

  • @Ykhavari
    several months ago

    What would be the difference between this and tailscale? I currently use tailscale

    • @homenetworkguy
      several months ago

      I haven't used Tailscale but I have looked into it briefly a few times. I believe some differences are you have to create a cloud account and use their Tailscale coordination server that all of the nodes communicate with. I believe it can be self-hosted. I realize Tailscale makes the process easy because it can traverse through NAT firewalls easier, etc.
      For my needs, connecting 3-4 devices to my OPNsense WireGuard VPN is easy enough especially once it is set up because I never have to touch it. 99% of the time I only connect to my home network with my phone so I only really need that one connection set up. I have other devices like iPads set up with WireGuard so if I am traveling, I can connect back home when I need to be on an untrusted network.

  • @christianhoffmeister8959
    24 days ago

    Hi, I have configured my OPNsense and WireGuard from your video, but I have an issue. I have 2 internal DNS servers, 10.1.10.252 and 10.1.10.251. I can ping both, but I can't resolve the names and I can't connect to the internal server by the DNS name.
    Can you tell me what I did wrong or what I have to do?

    • @homenetworkguy
      24 days ago

      Did you configure your WireGuard peers to use those internal DNS servers? You also need to make sure your firewall rules allow access to the DNS servers for your WireGuard network.

    • @christianhoffmeister8959
      20 days ago

      @@homenetworkguy I have configured the clients to use it like this:
      [Interface]
      PrivateKey = IBUjY/fzuec6xxxxxxxxxxxxxxxx
      Address = 10.10.10.7/32
      DNS = 10.1.10.251,10.1.10.252
      [Peer]
      PublicKey = zgcYen5mPNXXexxxxxxxxxxxx
      AllowedIPs = 0.0.0.0/0, ::/0
      Endpoint = xxx.xxx.xxx.xxx:51820
      For testing I have created the rules with any to any.
      I can browse the internet but internal DNS lookup doesn't work.
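
A client-side check for the DNS question in this thread, as an added example that is not part of any comment or of the video's guide: it parses a wg-quick style client config and reports whether each `DNS` server is covered by a peer's `AllowedIPs`, meaning queries to it are sent into the tunnel. The sample config is constructed from the one posted above with placeholder keys, and `vpn.example.net`, `SPLIT_CONF` and the function names are assumptions.

```python
import ipaddress

# Constructed sample modeled on the client config posted in the thread;
# keys and endpoint are placeholders, not real values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.10.7/32
DNS = 10.1.10.251,10.1.10.252

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
"""
# Same client, but split-tunnel: only the WireGuard subnet is routed.
SPLIT_CONF = SAMPLE_CONF.replace("0.0.0.0/0, ::/0", "10.10.10.0/24")

def parse_wg_conf(text):
    """Parse wg-quick style text into (interface dict, list of peer dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            if section not in ("interface", "peer"):
                raise ValueError(f"unknown section: {line}")
            current = interface if section == "interface" else {}
            if section == "peer":
                peers.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line}")
        key, value = line.split("=", 1)  # base64 keys may end in '='
        items = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip().lower(), []).extend(items)
    return interface, peers

def audit_dns_routing(text):
    """Map each DNS entry to 'via-tunnel', 'not-routed' or 'search-domain'."""
    interface, peers = parse_wg_conf(text)
    allowed = [ipaddress.ip_network(n, strict=False) for p in peers for n in p.get("allowedips", [])]
    report = {}
    for entry in interface.get("dns", []):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            report[entry] = "search-domain"  # wg-quick: non-IP entries are search domains
            continue
        routed = any(addr.version == n.version and addr in n for n in allowed)
        report[entry] = "via-tunnel" if routed else "not-routed"
    return report
```

With the full-tunnel config both servers report `via-tunnel`, so the client is sending its queries through WireGuard and what remains to check is the firewall side named in the reply above. The split-tunnel variant reports `not-routed`, the case where the DNS servers' network is missing from `AllowedIPs`.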

  • @YasarHabib
    8 days ago

    Is there a way to use WireGuard on the same network to access the management vlan?
    I have my laptop connected to the AP (USER VLAN 20) - but I can't access the opnsense webgui since that is on a separate management vlan

    • @homenetworkguy
      8 days ago

      Are you trying to use WireGuard on your internal network to access your OPNsense web UI on the management VLAN? Or do you mean when you connect remotely to your network via WireGuard? If you’re connected to your local network on VLAN 20, you just need to create a firewall rule on the VLAN 20 interface in OPNsense to allow access to your OPNsense web UI.

    • @YasarHabib
      7 days ago

      @@homenetworkguy
      Thanks for the quick response! I'm connected to my local network on VLAN20 and trying to access the Management VLAN for network infrastructure. I was able to do this with Firewall Rules, but want to be able to do it with WireGuard (on my local network) so I don't allow the VLAN20 untethered access to the management vlan.

    • @homenetworkguy
      7 days ago

      If you only want a single device on VLAN20 to access your management network, you should use a static IP address for that device and make the source for the firewall rule only allow that single IP. That’s what I used to do for one of my PCs until I dedicated a Raspberry Pi (and soon to be a Radxa X4 instead) to manage devices on my management network (so I don’t have to open holes into my management network). That solution is more simple than using WireGuard on your internal network. I’ve had trouble using WireGuard on internal networks (for testing purposes) because you have to be careful how you route traffic

    • @YasarHabib
      7 days ago

      @@homenetworkguy That makes a lot of sense. Even though this is for my home network, I want to learn and follow best practices. Looks like I have use for my old Raspberry Pi 3B!
      Do you run the dedicated Raspberry Pi headless and remote into it? Do you have a video I can refer to setting that up?

    • @homenetworkguy
      7 days ago

      I have a Raspberry Pi 5 and run Ubuntu desktop on it because most of my management interfaces have web UIs. I do use SSH to get into all my servers as well. Performance of the 3B for a desktop environment will be more limited. I have the RPi connected to a KVM so I can switch between my main desktop PC and my RPi when I want to manage my network. I haven’t done anything special on the Raspberry Pi other than set up a few web browser bookmarks. I’m working on setting up a Homepage dashboard to have all the links I typically access but on a nicely organized web interface. It keeps getting put on the back burner though. Haha.

  • @deniswalks
    several months ago

    Is it possible to make a WG connection to OPNsense, that’s connected via WG to another site?

    • @homenetworkguy
      several months ago +1

      Ohh yeah. Site to site WG. I haven’t tried that yet but I would like to demonstrate how at some point.

    • @deniswalks
      several months ago

      @@homenetworkguy hope to see it in your way!

  • @slybunda
    20 days ago +1

    way overly complicated to get wg working

    • @homenetworkguy
      20 days ago +1

      Why is that? I’m showing more than just setting up WG itself. I’m showing how to open up access to internal parts of your network so you can remotely access anything on your network when you are away from home.

    • @tjjenkin42
      13 days ago

      @@homenetworkguy that is exactly what I need and I have bookmarked this video !! I have tried and failed many times to make this work and I appreciate this !!!