meica.ch/werkstatt/homelab/opnsense-wireguard

OPNsense + WireGuard road-warrior — config that actually works

Third attempt at getting WireGuard road-warrior working on OPNsense. First two failed because I was following tutorials that were written for older versions and silently wrong in one or two details. This one works.

The goal: phone and laptop can VPN back to the homelab from anywhere. Split tunnel — only homelab traffic (192.168.1.0/24 and 10.0.0.0/8) routes through the tunnel. Everything else hits the local network. Kill switch optional.

Server side (OPNsense)

WireGuard plugin: os-wireguard. Not the kernel module — the plugin. Install from System → Firmware → Plugins.

Key detail that burned me: the OPNsense WireGuard plugin expects the interface to be assigned before the tunnel comes up. Go to Interfaces → Assignments, assign the WireGuard instance, enable it. Without this, peers connect but get no routes.

Tunnel network: 10.10.0.0/24
Listen port: 51820
DNS server: 192.168.1.1  ← your OPNsense LAN IP

Firewall rules: allow UDP 51820 on WAN. Allow traffic from wg0 to LAN. That’s it.

Client side

[Interface]
PrivateKey = <client-private>
Address = 10.10.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public>
Endpoint = your.domain.com:51820
AllowedIPs = 192.168.1.0/24, 10.0.0.0/8
PersistentKeepalive = 25

Split tunnel: AllowedIPs only includes the homelab ranges. Nothing else routes through the VPN. Works on iOS, Android, macOS. Linux needs wg-quick.

The kill switch variant adds 0.0.0.0/0 to AllowedIPs and a PostUp/PostDown pair that blocks all non-tunnel traffic. I don’t use it daily — too annoying when the tunnel drops — but I know it works.
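For reference, here is what that variant looks like on Linux with wg-quick, as an added example that is not from the original post: the same client config as above, AllowedIPs widened to 0.0.0.0/0, plus the PostUp/PreDown rule pair from the wg-quick(8) man page. It assumes iptables and ip6tables are installed; the key placeholders, addresses and endpoint are the ones used above.

```ini
[Interface]
PrivateKey = <client-private>
Address = 10.10.0.2/32
DNS = 192.168.1.1
# Kill switch (wg-quick man page form). Any packet that does not leave via
# the tunnel interface (%i), does not carry the tunnel's fwmark (the
# encrypted WireGuard packets themselves) and is not addressed to a local
# address is rejected. PreDown rather than PostDown: "wg show %i fwmark"
# only works while the interface still exists.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public>
Endpoint = your.domain.com:51820
# Full tunnel: every IPv4 destination is routed through the VPN, which is
# what makes the OUTPUT rules above a kill switch instead of a lockout.
# The tunnel network here is IPv4-only, so the ip6tables rule simply
# blocks IPv6 from leaking around the tunnel.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Because the phone or laptop now sends Internet-bound traffic into the tunnel too, the OPNsense side has to pass and NAT that traffic out to the WAN; the "wg0 to LAN" rule from the split-tunnel setup above does not cover it.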

Took about two hours total. Most of that was reading OPNsense docs and reversing one wrong assumption about interface assignment order.