Some devices don't need to reach the internet with your home IP address publicly visible, and if you use OPNsense, it's actually very easy to automatically route designated traffic over a VPN while still allowing local access. I've been playing around with it, and all you need is a VPN provider that supports WireGuard, plus the configuration details you would use to connect to that provider with a regular WireGuard client.
For this, I'm using Windscribe, but most other VPN providers will work as well. NordVPN is a bit of a different case, as the service uses NordLynx, which is based on WireGuard, but there are ways to extract the connection keys you need. Once you can get a WireGuard profile from your provider and you've installed the WireGuard VPN plugin on OPNsense, you're ready to begin!
Connecting to our VPN in OPNsense
Creating a peer and opening a connection
Firstly, you'll want to configure your VPN provider as a "peer" in WireGuard running on OPNsense. This essentially creates a client that connects to the provider, though no traffic is being routed over it yet. Under VPN, WireGuard, and Peers, enter the following information:
- Name: Anything you want, but make it recognizable
- Public key: In your WireGuard config from your provider, under the [Peer] section
- Pre-shared key: In your WireGuard config from your provider, under the [Peer] section
- Allowed IPs: 0.0.0.0/0 (and ::/0 if using IPv6)
- Endpoint address: In your WireGuard config from your provider, under the [Peer] section
- Endpoint port: The port from the endpoint in your WireGuard config
- Keepalive interval: 25
Next, we'll create the WireGuard interface, the local end of the tunnel. In OPNsense, an interface serves as a gateway for traffic flow, and we'll use this one as the gateway for the devices we designate. Set the following details:
- Name: Anything you want, but make it recognizable
- Public key/private key: Click the cog wheel to generate both of them
- Tunnel address: In your WireGuard config from your provider, under the [Interface] section
- Peers: Set to your previously created peer
- Disable routes: Ensure that this is checked
Make sure to click apply and ensure that WireGuard is enabled. The setup may differ slightly depending on your VPN provider, but this worked for me and allowed my OPNsense to connect to my VPN provider and retrieve an IP address.
Once you've done this, you're ready to move on to creating an interface through which traffic can be routed. Again, ensure that Disable routes is checked. Otherwise, all of your traffic will be routed over the VPN connection, rather than only the devices you designate.
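The peer and interface fields above are all copied from the provider's WireGuard profile, and it is easy to paste the wrong key into the wrong box. The following script is an added example (not part of OPNsense, Windscribe or any provider's tooling) that parses a provider-style WireGuard .conf and maps each value onto the OPNsense field names used in the lists above. The config text and its keys are constructed placeholders. It also carries the [Interface] PrivateKey across, because the provider only knows the public key derived from that private key; if you generate a fresh pair in OPNsense instead, as in the step above, the provider has to accept the new public key.

```python
"""Map a provider-issued WireGuard client config onto the OPNsense peer and
interface fields. Added example code; the config below is constructed and its
keys are obvious placeholders, not real WireGuard keys."""

SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY_BASE64=
Address = 10.66.77.88/32
DNS = 10.255.255.1

[Peer]
PublicKey = PLACEHOLDER_PROVIDER_PUBLIC_KEY_BASE64=
PresharedKey = PLACEHOLDER_PRESHARED_KEY_BASE64=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:1443
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into a list of (section, {key: value}).
    A list is used rather than a dict so that several [Peer] sections survive."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # maxsplit=1 matters: base64 keys end in '=' padding
        key, value = (part.strip() for part in line.split("=", 1))
        current[1][key] = value
    return sections


def split_endpoint(endpoint):
    """Split 'host:port' (including '[v6addr]:port') into (host, port)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"endpoint has no port: {endpoint!r}")
    return host.strip("[]"), int(port)


def to_opnsense_fields(text):
    """Return (interface_fields, [peer_fields, ...]) keyed by the GUI field names."""
    interface = None
    peers = []
    for name, kv in parse_wg_conf(text):
        if name == "Interface":
            interface = {
                "Tunnel address": kv["Address"],
                "Private key": kv.get("PrivateKey"),   # see lead-in on key handling
                "Provider DNS": kv.get("DNS"),         # useful later for the DNS leak step
            }
        elif name == "Peer":
            host, port = split_endpoint(kv["Endpoint"])
            peers.append({
                "Public key": kv["PublicKey"],
                "Pre-shared key": kv.get("PresharedKey", ""),
                "Allowed IPs": kv.get("AllowedIPs", "0.0.0.0/0"),
                "Endpoint address": host,
                "Endpoint port": port,
                "Keepalive interval": int(kv.get("PersistentKeepalive", 25)),
            })
    if interface is None or not peers:
        raise ValueError("config needs one [Interface] and at least one [Peer]")
    return interface, peers


if __name__ == "__main__":
    iface, peer_list = to_opnsense_fields(SAMPLE_CONF)
    print("Interface:", iface)
    for p in peer_list:
        print("Peer:", p)
```

Run it against your own profile by replacing SAMPLE_CONF with the file contents; the output lists each GUI field next to the value it should hold, including the endpoint split into address and port.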
Creating the interface and gateway
Only traffic sent here will go to our VPN
Navigate to Interfaces and click Assignments. Here, we'll give WireGuard its own interface, which was "opt2" in my case. Once assigned, click the name of your new interface at the top to enter its settings. There isn't a huge amount to do here, aside from ensuring that the interface is enabled with the checkbox at the top.
However, there is one other thing to be aware of in these settings. While I have Dynamic gateway policy disabled in the above screenshot, I actually ran into issues where my client could not complete a handshake with my provider. Once I enabled this setting, it worked. As I mentioned already, your settings will vary depending on your provider, so play around with settings like these if things don't work immediately.
Next, we'll create our gateway. Navigate to System, Gateways, and Configuration. A gateway should have been created once you disabled routes, and mine is called "WIREGUARD_ONLY_GW." Assuming that it exists, you can move on, but otherwise, you can create a gateway yourself with "Far Gateway" enabled. Now we'll move on to our firewall rules to dictate the specific traffic we want to route over our VPN.
Making our aliases and firewall rules
The final step
Go to Firewall, Aliases, and create a new alias of type Host that will represent the IP addresses of the devices we want to route over the VPN. For this, I also recommend using reserved IP addresses for recognized devices in OPNsense, and possibly using "blocks" of IP addresses for specific types of devices. As an example, I have IoT devices designated to a specific range of addresses. This will depend on your needs and what you want to use a VPN for, but to route traffic consistently, the device will need a consistent local IP address.
Next, create an RFC1918 alias of type URLs (IPs). This isn't required, but it will allow those devices to still make local connections as normal. Otherwise, traffic sent to local IP addresses from those devices would be routed through the WireGuard interface too. I added 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12 to this alias, as these are the private address ranges defined in RFC 1918. Now we're ready to take the final steps for routing all traffic through WireGuard.
In your LAN rules under Firewall, create a new rule where the Action is "Pass", the Source is your alias representing the devices we want to route over the VPN, and the Destination (with invert checked) is our RFC1918 alias. Then set the gateway to the WireGuard gateway. Save it, and place this rule above the "Default allow LAN to any" rule so that traffic matches it first. Finally, go to NAT and then Outbound, set the mode to Hybrid at the top, then create a new rule on the WireGuard interface where the Source is the alias representing the devices we want to route over the VPN, and Translation is set to "Interface address." Hit apply.
Now, we're done! Designated devices will only reach the internet over our WireGuard VPN, while local connections still work. Optionally, you could add a kill switch too, by adding a tag in your initial LAN rule, then adding a floating rule that blocks traffic with that specific tag. At this point, DNS queries will still leak, but you can also set the DNS server for those devices to the VPN provider's, using the alias we created, via DHCP.
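To make the rule logic concrete, here is an added example (not OPNsense code, and not from the original post) that re-implements the LAN policy-routing rule, the inverted RFC1918 destination match, the hybrid outbound NAT rule and the optional kill switch over constructed addresses. It assumes the kill switch is a floating rule that blocks tagged packets leaving on WAN, so that when the WireGuard gateway is down the designated devices are blocked rather than silently falling back to the normal route; the tag name and tunnel address are made up for the example.

```python
"""Simulate the LAN policy-routing rule, outbound NAT and optional kill switch
from the steps above. Added example, not OPNsense code: it re-implements the
match logic (source alias, inverted RFC1918 destination, gateway, tag) over
constructed addresses so the behaviour can be checked offline."""
import ipaddress

# Constructed aliases mirroring the ones created in the GUI.
VPN_DEVICES = {ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
WG_GATEWAY = "WIREGUARD_ONLY_GW"   # gateway name from the text
WG_TUNNEL_ADDR = "10.66.77.88"     # constructed tunnel address of the WireGuard interface
KILLSWITCH_TAG = "VPN_ONLY"        # hypothetical tag name for the kill switch


def in_rfc1918(addr):
    """True when addr falls inside any of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def lan_rule(src, dst):
    """Evaluate the LAN ruleset top-down; the first match wins.
    Returns (action, gateway, tag)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1 (placed first): pass, source in VPN_DEVICES, destination NOT in
    # RFC1918 (the 'invert' checkbox), gateway = WireGuard, tagged for the kill switch.
    if src in VPN_DEVICES and not in_rfc1918(dst):
        return ("pass", WG_GATEWAY, KILLSWITCH_TAG)
    # Rule 2: the stock 'Default allow LAN to any' rule, default gateway, no tag.
    return ("pass", "default", None)


def egress(src, dst, wg_gateway_up=True):
    """Pick the outgoing interface for a packet and apply the floating
    kill-switch rule (assumed: 'block out on WAN when tagged').
    Returns (action, interface)."""
    action, gateway, tag = lan_rule(src, dst)
    if gateway == WG_GATEWAY and wg_gateway_up:
        out_if = "wg0"      # policy-routed into the tunnel
    elif in_rfc1918(ipaddress.ip_address(dst)):
        out_if = "lan"      # local traffic never leaves the LAN
    else:
        out_if = "wan"      # default route, also where a down WG gateway falls back to
    if out_if == "wan" and tag == KILLSWITCH_TAG:
        return ("block", out_if)   # tagged traffic must never reach the WAN
    return (action, out_if)


def nat_source(out_if, src):
    """Hybrid outbound NAT: on the WireGuard interface, translate VPN_DEVICES
    to the interface (tunnel) address; everything else is left as-is here."""
    if out_if == "wg0" and ipaddress.ip_address(src) in VPN_DEVICES:
        return WG_TUNNEL_ADDR
    return src


if __name__ == "__main__":
    cases = [("192.168.1.50", "203.0.113.9", True),    # designated device -> internet
             ("192.168.1.50", "192.168.1.10", True),   # designated device -> LAN host
             ("192.168.1.99", "203.0.113.9", True),    # ordinary device -> internet
             ("192.168.1.50", "203.0.113.9", False)]   # designated device, tunnel down
    for src, dst, up in cases:
        action, out_if = egress(src, dst, up)
        print(f"{src} -> {dst} (wg up={up}): {action} via {out_if}, "
              f"source NAT {nat_source(out_if, src)}")
```

The four constructed cases show the three outcomes the rules are meant to produce: internet-bound traffic from a designated device goes into the tunnel with its source rewritten to the tunnel address, the same device still reaches LAN hosts directly because the inverted RFC1918 match excludes them, and with the kill switch in place a down tunnel results in a block rather than a leak.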
If you have devices that you always want routed through a VPN, OPNsense is one of the best ways to achieve exactly that. You don't need to run a VPN client on the device, and for providers that limit the number of devices that can be logged in at a time, this is an easy way to treat multiple devices as a single connection.
