This script automates the process of getting Wireguard set up on OPNsense to connect to PIA's NextGen Wireguard servers. It will create Wireguard Instance(Local) and Peer(Endpoint) on your OPNsense set up automaticly, it'll then maintain the tunnel to keep it up and connected.
Warning: Advanced Users Recommended
What does it do
- Creates WireGuard Interface in OPNsense
- Maintains connection to a PIA server (encase PIA server goes down) default check is every 5 minutes
- Allows rotation of PIA server on a user defined schedule, create a cron job and add "changeserver" to the parameters
Prerequisites
- OPNsense 23.7.3 onwards
- WireGuard Plugin Installed
- Enable Secure Shell, Permit root user login and Permit password login (System: Settings: Administration -> Secure Shell) this can be reverted once the tunnel is working.
- HTTPS WebUI enabled (System: Settings: Administration -> Protocol: HTTPS)
Setup
- Create new user called something on the lines of
WireguardAPI
,- Go to System: Access: Users
- Click Add on the top right
- Username: WireguardAPI
- Password leave empty and tick
Generate a scrambled password to prevent local database logins for this user.
- Scroll right to the bottom and click
Save
- Now the user is created we can give its permissions and generate an API key pair
- Scroll down to you see
Effective Privileges
, you want to give it the following permissions- Firewall: Alias: Edit
- Firewall: Aliases
- System: Static Routes
- VPN: Wireguard
- Click Plus sign on API Keys, it'll download you the keys in a txt file. We'll want this later
- Click Save
- SSH on to OPNsense, use putty on windows or ssh commandline, as ROOT. Run the below commands.
fetch -o /conf https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/PIAWireguard.py
fetch -o /conf https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/ca.rsa.4096.crt
fetch -o /usr/local/opnsense/service/conf/actions.d https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/actions_piawireguard.conf
- Edit
PIAWireguard.json
and edit the variables with the api keys from OPNsense, your PIA credentials and region id. Use Notepad++ or your favourite IDE.- You can get your PIA region id by running
ListRegions.py
on your local device. If you don't have Python installed on your local device you can use this Online Python Tool copy the contents of the file and then clickRun
. This will list the name and region id of each PIA region, for you choose from. - It is also possible to get PIA region ids running the main script using the argument
listregions
- Following variables need filling in.
opnsenseKey
WireguardAPI key you downloaded from step 1apikeys.txt
opnsenseSecret
WireguardAPI secret you downloaded from step 1apikeys.txt
piaUsername
Your PIA usernamepiaPassword
Your PIA passwordpiaRegionId
Change to your PIA region id
- You can get your PIA region id by running
- Copy the json file to OPNsense using SCP or Filezilla etc, make sure you using the root user of OPNsense when you connect, otherwise you'll get access denied messages.
PIAWireguard.json
to/conf/
- SSH to OPNsense and drop in to a terminal
option 8
. - Run the following commands
chmod +x /conf/PIAWireguard.py
service configd restart
/conf/PIAWireguard.py debug
- Go to Interfaces: Assignments in OPNsense, so we can assign the new interface
- At the bottom of the interfaces you'll see
New interface
, on the drop down selectwg0
, unless you already had one set up then selectwg1
etc... - Give it a description like
WAN_PIAWG
- Once selected click the + button
- A new
WAN_PIAWG
interface will show on the list, which will be the new wg interface, click on it to edit. - Tick
Enable Interface
, click save and Apply Changes. nothing else
- At the bottom of the interfaces you'll see
- Go to System: Gateways: Single, so we can set up the PIA gateway
- Top right Click Add
- Make sure Disabled is unchecked
- Enter the name
WAN_PIAWG_IPv4
- Interface select
WAN_PIAWG
- Tick
Far Gateway
- Untick
Disable Gateway Monitoring
- Click Save and Apply Changes
- Go back to the SSH terminal, run the following command
/conf/PIAWireguard.py debug changeserver
- Now OPNsense should be se tup to be able to use PIA as an internet gateway, if you go back in to System: Gateways: Single, you should see
WAN_PIAWG_IPv4
now has a gateway IP and its pinging - Now we need to set up a cron to make sure the tunnel says up and change server when necessary. Go to System: Settings: Cron
- Click the plus button at the bottom right of the table
- Enter
*/5
in the minute box - Enter
*
in the hours box - Select
PIA WireGuard
on the command dropdown - Give it a Description of your choice.
- Click Save
- Last thing we need to set up is maximum MSS for TCP packets, which is 40 bytes smaller than the MTU of WireGuard, by default Wireguard uses 1420 bytes MTU. So we need to set an MSS maximum of 1380. (Without this you may have issues loading websites or slow speeds).
Goto Firewall: Settings: Normalization
- Click Add
- Interface select
WAN_PIAWG
- Enter Description of
Maximum MSS for PIA WireGuard Tunnel
- Max MSS to
1380
- Click Save (you will notice it'll now list this as OPT rather than the interface name, don't worry it's still correct, just edit it to verify you made the right selection)
- Click Apply Changes
- OPNsense should now look after the tunnel itself encase the tunnel disconnects, every 5 minutes it'll check the status and change server if the server has gone down.
- You'll need to create your own NAT and Firewall rules to use this tunnel, an advanced user should be able to do this.
- There is now a guide on OPNsense Docs, which will help you here. Step 7 onwards.
Note: If your having speed issues, you may need to change PIA server region or lower the default MTU from 1420, advanced users should understand how to do this.
Updating
Normally only the PIAWireguard.py
script needs updating as the rest of the files and JSON file won't very change often. So if you only update the PIAWireguard.py
file and then run it manually as a one off it will tell you if there's missing variables/settings from the JSON file. If it returns json is missing some settings
you will need to update to the latest PIAWireguard.json
file. Before you start backup your current JSON file, keep it safe and use it to reference the opnsenseKey
and opnsenseSecret
(piaDipToken
if configured), as this is only given on API key creation. If you have lost these details, you can delete the API keys from the WireguardAPI
API user and create new API key following step 1 part 8 again. Once everything is working you may delete your backed up file.
Rerun the commands from step 2 to upgrade all required files.
Port Forwarding
To use port forwarding Enable piaPortForward
variable in the json file from false
to true
. This will create an alias in your system called PIA_Port, which you can then use in your Port Forwarding rule. This alias will self update when required.
If you need a way to find out this port for an internal application, you can go to the following URL of your OPNsense to get the port, as its published publicly to devices that can reach the HTTPS port of OPNsense
https://opnsense.lan/wg0_port.txt
Note: Not all server locations support port forwarding.
Dedicated IP
If you have purchased a Dedicated IP from PIA. Add your DIP token to piaDipToken
in the json file, then to enable the usage simply set piaUseDip
to true
. Remember PIA only give you the DIP token once, so make sure you have backed up the token somewhere.
I have developed this functionality by reserve engineering the PIA client, at this moment in time manual connections for DIP is not offically supported by PIA.
Set outgoing tunnel gateway (outgoing interface)
In some deployments, people may be running dual or even triple WAN configurations, in this case due to how WireGuard is configured in FreeBSD (OPNsense), it'll route the PIA tunnel over the default WAN interface. Some people will want to change this to use another WAN interface as the gateway to route the PIA tunnel over.
To accommodate this functionality, this is built in to the script. You will need to get the name of your wanted gateway, for example WAN2_DHCP
, then set this as the tunnelGateway
variable value in the json file (value needs to be in double quotes). When the script then runs it'll add/change a static route to enforce the PIA tunnel to use that gateway (interface).
You'll find your gateway names in System: Gateways: Single
, making sure its the IPv4 one.
WireGuard kernel module
OPNsense 23.1 onwards kernel module is now the default.
Since OPNsense 21.1.4, they now support the install the new kernel module implementation of WireGuard, its early days for the module and should be considered experimental.
The WireGuard kernel module is new implementation of WireGuard for FreeBSD, which runs in the kernel space instead of user space using the WireGuard-go implementation. Giving us better performance and bandwidth. Performance increase of 2.5x and more has been observed in certain workloads. I have managed to get 1.1gbit throughput on PIA's WireGuard servers using this kernel module on OPNsense.
If you wish to test and tryout the kernel module, simply install the kmod and reboot OPNsense pkg install wireguard-kmod
. Note the wireguard-go
will show as stopped due to it no longer being used since you'll then be using the kernel module.
At this time this code is new, unvetted, possibly buggy, and should be
considered `experimental`. It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.
Module is taken from https://www.freshports.org/net/wireguard-kmod/ which in turn is from https://git.zx2c4.com/wireguard-freebsd/.
This kernel code is by Jason A. Donenfeld and others, not the version by Netgate.
WireGuard
is a registered trademarks of Jason A. Donenfeld.
Private Internet Access
is owned by Private Internet Access, Inc. All Rights Reserved