If you keep servers in the office, you will eventually need to reach them from outside. Exposing SSH through a port forward puts it in front of every internet-wide scanner and brute-force bot, and cloud VPN services cost money every month. We set up WireGuard on OPNsense to give laptops and smartphones secure access to our office servers: zero recurring cost, modern authenticated encryption.
WireGuard at a glance:
- Lines of code: ~4,000
- Handshake latency: ~1 ms
- Throughput: 500 Mbps+ (N100 mini PC)
- Protocol: UDP
1. Why You Need a VPN
There are several ways to reach office servers from outside, but most have security or usability drawbacks.
| Method | Security | Convenience | Drawback |
|---|---|---|---|
| Port Forwarding | Low | High | SSH port exposed to the whole internet; constant brute-force and credential-stuffing attempts |
| Cloud VPN | High | High | Monthly subscription; your traffic transits a third party |
| Remote Desktop | Medium | Medium | GUI overhead for servers that are managed from the CLI anyway |
| Self-Hosted VPN (WireGuard) | High | High | You run and patch it yourself; in return, one-time setup, no recurring cost, everything encrypted |
The Core Value of a VPN
Once connected, your device becomes a member of the office network, wherever you are. You reach servers by their internal IPs, and everything between the device and OPNsense travels encrypted. Note that the tunnel ends at OPNsense: inside the office the traffic is only as protected as the application protocol (SSH, HTTPS), so keep using SSH key authentication over the tunnel rather than treating the VPN as a substitute for it.
2. WireGuard vs OpenVPN
The two real contenders are WireGuard and OpenVPN. As of 2026, WireGuard wins on nearly every metric.
| Aspect | WireGuard | OpenVPN |
|---|---|---|
| Codebase | ~4,000 lines | ~100,000 lines |
| Protocol | UDP | UDP/TCP |
| Speed | Very fast | Moderate |
| Connection Time | ~100 ms | ~10 seconds |
| Battery Usage | Low | High |
| Config Complexity | Key pair only | Certificates + CA management |
| Kernel Integration | Built into Linux kernel | Userspace |
When OpenVPN Still Wins
If you need TCP 443 tunneling to bypass corporate firewalls, or certificate-based fine-grained access control, OpenVPN may be the better fit. For typical office remote access, WireGuard is the clear choice.
3. OPNsense WireGuard Server Setup
OPNsense 24.x ships with WireGuard in the base system (the FreeBSD kernel module), so no plugin is needed. Everything is configured through the web interface.
Step 1: Create a Server Instance
```text
# OPNsense web interface
# VPN > WireGuard > Settings: tick "Enable WireGuard" (global switch; instances stay down without it)
# VPN > WireGuard > Instances
[+] Add new instance
Name:               wg0
Listen Port:        51820
Tunnel Address:     10.x.30.1/24     # VPN subnet; .1 is the OPNsense side
Public/Private Key: click Generate   # the key pair is generated on the firewall
# Save, enable the instance, then Apply
```
Step 2: Add Firewall Rules
```text
# Allow the WireGuard port on the WAN interface
# Firewall > Rules > WAN
Action:           Pass
Protocol:         UDP
Destination:      WAN address
Destination Port: 51820
Description:      Allow WireGuard VPN

# Allow VPN clients to reach the server subnet, and nothing else
# Firewall > Rules > WireGuard (the WireGuard group tab, or the assigned wg0 interface)
Action:       Pass
Protocol:     TCP
Source:       10.x.30.0/24     # VPN subnet
Destination:  10.x.10.0/24     # server subnet
Port:         22, 443          # SSH and HTTPS only: one rule per port, or a port alias
Description:  VPN to Server access
# Anything the rule does not match hits the interface's implicit default deny
```
Step 3: Register Peers (Clients)
```text
# VPN > WireGuard > Peers
[+] Add new peer
Name:             laptop-user1
Public Key:       (public key generated on the client; never its private key)
Allowed IPs:      10.x.30.10/32   # the client's tunnel address, one /32 per device
Endpoint Address: (leave empty)   # road-warrior clients connect from changing addresses
Endpoint Port:    (leave empty)
Instances:        wg0             # attach the peer to the instance
# Add a peer for each device
# laptop-user1: 10.x.30.10
# phone-user1:  10.x.30.11
# laptop-user2: 10.x.30.12
```
4. Client Setup (Laptop & Mobile)
Laptop (Linux / macOS / Windows)
```text
# Generate a key pair (Linux/macOS); umask 077 keeps privatekey readable only by you
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# Create config: /etc/wireguard/wg0.conf (mode 600)
# Windows and macOS: import this same file in the WireGuard app
[Interface]
PrivateKey = <client private key>
Address = 10.x.30.10/32
DNS = 1.1.1.1   # or the OPNsense resolver (10.x.30.1) if Unbound listens on the tunnel, so internal hostnames resolve

[Peer]
PublicKey = <OPNsense server public key>
Endpoint = office.example.com:51820
AllowedIPs = 10.x.10.0/24, 10.x.30.0/24   # split tunnel: only the office subnets
PersistentKeepalive = 25

# Connect
sudo wg-quick up wg0
# Disconnect
sudo wg-quick down wg0
# Check status (look for the "latest handshake" line)
sudo wg show
```
Mobile (iOS / Android)
Use the official WireGuard app on mobile. Render the config file as a QR code and scan it with the app; setup takes seconds. Because the QR code contains the phone's private key, this is the one case where the key pair is generated off the device: create it on an admin workstation rather than on the firewall, display the QR code once, and delete the config file afterwards. Alternatively, create the tunnel in the app, which generates its own key pair, and copy only the public key out to register the peer.
```text
# Generate a QR code on the admin workstation (requires the qrencode package)
qrencode -t ansiutf8 < phone-user1.conf
# Or save as a PNG
qrencode -o phone-vpn.png < phone-user1.conf
# In the mobile app: [+] > Scan QR Code
# Afterwards, delete the file and image: they contain the phone's private key
rm -f phone-user1.conf phone-vpn.png
```
AllowedIPs Determines the Tunnel Mode
On the client, AllowedIPs = 0.0.0.0/0 sends all traffic through the VPN (full tunnel). To reach only office servers, list their subnets (split tunnel); ordinary internet traffic stays on the device's default route. On the OPNsense side, each peer's Allowed IPs is the client's own /32: it is both the route back to that client and a source filter, so a client cannot send traffic as another client's address.
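The routing rule behind AllowedIPs, as an added example (not code from the original article or from the WireGuard project): a small model of the cryptokey routing table that WireGuard keeps on both ends. The peer tables are constructed, and the article's 10.x placeholders are written out as 10.0.30.0/24 (VPN) and 10.0.10.0/24 (servers).

```python
"""Cryptokey routing for the AllowedIPs setting.

Added example, not code from the original article or from the WireGuard
project. It models the rule WireGuard applies on both ends of a tunnel:
an outgoing packet goes to the peer whose AllowedIPs contains the
destination with the longest prefix, and a decrypted packet from a peer is
accepted only if its source address lies inside that peer's AllowedIPs.
Subnets are the article's 10.x placeholders written out as 10.0.30.0/24
(VPN) and 10.0.10.0/24 (servers); the peer tables are constructed.
"""
import ipaddress
from typing import Optional

PeerTable = dict[str, list[str]]  # peer name -> its AllowedIPs entries


def outbound_peer(dst: str, peers: PeerTable) -> Optional[str]:
    """Peer that receives a packet for dst, or None if dst stays on the normal route.

    Longest prefix wins, like the kernel's cryptokey routing table: a client
    whose office peer has AllowedIPs = 0.0.0.0/0 sends everything through the
    tunnel (full tunnel); with only 10.0.10.0/24, 10.0.30.0/24 the rest of the
    internet never enters the tunnel (split tunnel).
    """
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == ip.version and ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def inbound_accepted(src: str, peer: str, peers: PeerTable) -> bool:
    """Server side: a packet decrypted from `peer` is dropped unless its source
    address is covered by that peer's AllowedIPs. This is why each client's
    server-side entry is its own /32: one client cannot spoof another's address."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in peers[peer])


def overlapping_allowed_ips(peers: PeerTable) -> list[tuple[str, list[str]]]:
    """Report prefixes listed under more than one peer.

    A prefix can belong to only one peer: the one configured last takes it and
    the earlier peer silently stops routing, which shows up as a
    "connected but can't reach anything" fault on the losing client."""
    owners: dict[str, list[str]] = {}
    for name, cidrs in peers.items():
        for cidr in cidrs:
            key = str(ipaddress.ip_network(cidr, strict=False))
            owners.setdefault(key, []).append(name)
    return [(cidr, names) for cidr, names in owners.items() if len(names) > 1]


# Constructed tables: one client in each tunnel mode, and the OPNsense peer list.
SPLIT_TUNNEL_CLIENT: PeerTable = {"office": ["10.0.10.0/24", "10.0.30.0/24"]}
FULL_TUNNEL_CLIENT: PeerTable = {"office": ["0.0.0.0/0"]}
OPNSENSE_SERVER: PeerTable = {
    "laptop-user1": ["10.0.30.10/32"],
    "phone-user1": ["10.0.30.11/32"],
    "laptop-user2": ["10.0.30.12/32"],
}

if __name__ == "__main__":
    for dst in ("10.0.10.5", "10.0.30.1", "8.8.8.8"):
        print(dst, "split ->", outbound_peer(dst, SPLIT_TUNNEL_CLIENT),
              "full ->", outbound_peer(dst, FULL_TUNNEL_CLIENT))
    print("server routes 10.0.30.11 to", outbound_peer("10.0.30.11", OPNSENSE_SERVER))
    print("laptop-user1 sending as .11 accepted?",
          inbound_accepted("10.0.30.11", "laptop-user1", OPNSENSE_SERVER))
```

Run it as a script to see the split/full decision per destination. The overlap check is worth running over your OPNsense peer list whenever a client reports it can connect but reach nothing: a duplicated Allowed IPs entry is a quiet way to break one peer while adding another.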
5. Key Management and Adding Users
WireGuard uses public/private key pairs for authentication — just like SSH. When a new user joins, generate a key pair and register them as a peer on the server.
One Key Per Device
Never share a key pair across multiple devices. Per-device keys let you revoke a lost phone or a departing team member's laptop independently.
Never Share the Private Key
The private key stays on the device that generated it. Only the public key is registered on the server. If a private key is compromised, regenerate the pair immediately.
Revoke by Removing the Peer
To block a lost device or ex-employee, delete their peer from OPNsense. Access is revoked instantly.
```text
# Adding a new user: summary
# 1. User generates a key pair on their device
umask 077
wg genkey | tee user2-private.key | wg pubkey > user2-public.key
# 2. User sends the PUBLIC key to the admin (the private key never leaves the device)
# 3. Admin registers the peer on OPNsense
#    VPN > WireGuard > Peers > [+]
#    Name:        laptop-user2
#    Public Key:  (received from user)
#    Allowed IPs: 10.x.30.12/32
#    Instances:   wg0
# 4. Admin sends the config file to the user
#    Includes: Endpoint, server public key, assigned IP (and a pre-shared key, if used)
#    The user adds their own PrivateKey line before importing it
```
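The server setup in section 3 and the four-step summary above, folded into one provisioning script. This is an added example, not the article's own tooling and not an OPNsense API client: it validates the public key a user hands in, allocates the next free tunnel address, and renders both the fields the admin types into VPN > WireGuard > Peers and the config the user completes with their own private key. Assumptions: the tunnel subnet 10.0.30.0/24 and server subnet 10.0.10.0/24 stand in for the article's 10.x placeholders, client addresses start at .10 as in the article's numbering, the endpoint is the article's office.example.com:51820, and the keys in the demo are constructed placeholders, not real key material.

```python
"""Per-device peer provisioning for the road-warrior setup above.

Added example, not part of the original article and not an OPNsense API
client. Assumed values: tunnel subnet 10.0.30.0/24, server subnet
10.0.10.0/24, clients numbered from .10, endpoint office.example.com:51820.
"""
import base64
import binascii
import ipaddress
import secrets

VPN_SUBNET = ipaddress.ip_network("10.0.30.0/24")
SERVER_SUBNET = "10.0.10.0/24"
FIRST_CLIENT_HOST = 10                  # .1 is the OPNsense instance; .2-.9 kept spare
ENDPOINT = "office.example.com:51820"   # assumed DDNS name, as in the article


def valid_key(key: str) -> bool:
    """True for a well-formed WireGuard key (private, public or pre-shared):
    32 bytes as base64, i.e. exactly 44 characters ending in '='. A stray
    newline or space fails this check, which is the usual cause of a
    'handshake fails' report after copy-paste."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def clean_key(raw: str) -> str:
    """Strip the trailing newline that `cat publickey` carries, then validate."""
    key = raw.strip()
    if not valid_key(key):
        raise ValueError(f"not a WireGuard key: {raw!r}")
    return key


def gen_psk() -> str:
    """Same construction as `wg genpsk`: 32 random bytes, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def next_free_address(used: set[str]) -> str:
    """Lowest unused client address at or above .10, so existing peers keep theirs."""
    for host in VPN_SUBNET.hosts():
        if int(host) - int(VPN_SUBNET.network_address) < FIRST_CLIENT_HOST:
            continue
        if str(host) not in used:
            return str(host)
    raise RuntimeError("no free address left in the VPN subnet")


def opnsense_peer(name: str, client_pub: str, addr: str, psk: str) -> dict[str, str]:
    """Fields for VPN > WireGuard > Peers. Endpoint stays empty because the
    client has no fixed address and always initiates. Allowed IPs is a /32,
    so this peer can only send traffic as its own address."""
    return {
        "Name": name,
        "Public key": client_pub,
        "Pre-shared key": psk,
        "Allowed IPs": f"{addr}/32",
        "Endpoint address": "",
        "Endpoint port": "",
        "Instances": "wg0",
    }


def client_config(addr: str, server_pub: str, psk: str, full_tunnel: bool = False) -> str:
    """Config handed to the user. PrivateKey is deliberately left for them to
    fill in: the admin never sees it."""
    allowed = "0.0.0.0/0" if full_tunnel else f"{SERVER_SUBNET}, {VPN_SUBNET}"
    return (
        "[Interface]\n"
        "PrivateKey = <paste the private key generated on this device>\n"
        f"Address = {addr}/32\n"
        "DNS = 1.1.1.1\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"PresharedKey = {psk}\n"
        f"Endpoint = {ENDPOINT}\n"
        f"AllowedIPs = {allowed}\n"
        "PersistentKeepalive = 25\n"
    )


def provision(name: str, client_pub_raw: str, server_pub: str, used: set[str],
              full_tunnel: bool = False) -> tuple[dict[str, str], str]:
    """One call per device: returns (OPNsense peer fields, client config text)
    and records the allocated address in `used`."""
    client_pub = clean_key(client_pub_raw)
    addr = next_free_address(used)
    psk = gen_psk()
    used.add(addr)
    return opnsense_peer(name, client_pub, addr, psk), client_config(addr, server_pub, psk, full_tunnel)


if __name__ == "__main__":
    # Constructed placeholder key (32 zero bytes); real ones come from `wg genkey | wg pubkey`.
    fake_pub = "A" * 43 + "="
    peer, conf = provision("laptop-user2", fake_pub + "\n", fake_pub, {"10.0.30.10", "10.0.30.11"})
    print(peer)
    print(conf)
```

The pre-shared key is generated here once per device and appears in both outputs, which is the only time it should exist outside the firewall and the client; the generated config is sent to the user over a channel you would trust with a password.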
6. Security Hardening
WireGuard’s encryption is strong by itself, but operational security requires a few extras.
| Setting | Config | Reason |
|---|---|---|
| Change the port | Use a non-standard port instead of 51820 | Cuts log noise from default-port scanners. WireGuard does not answer unauthenticated packets, so the port looks closed to a scan either way; treat this as hygiene, not a security boundary |
| Restrict allowed IPs | Firewall rules permit only VPN → server subnet, and only the needed ports | Least privilege: a compromised laptop cannot roam the whole office LAN |
| Rotate keys | Regenerate key pairs every 6 months | Limit long-term key exposure |
| Monitor logs | Check OPNsense firewall logs and the handshake times in wg show | Detect anomalous connection attempts and peers that have gone quiet |
| Use DDNS | Set up DDNS if you lack a static IP | Reliable endpoint resolution on dynamic IPs |
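A report that supports the "rotate keys" and "monitor" rows and the checklist item about removing peers when people leave. It is an added example, not from the article: it parses the output of wg show wg0 dump (which you can run on the OPNsense shell or any WireGuard host) and lists peers that have not handshaken for a configurable number of days and peers that never connected at all. The dump text, the peer names and the key strings are constructed; the field order is the documented tab-separated dump format.

```python
"""Stale-peer report from `wg show wg0 dump`.

Added example, not from the article. The dump below is constructed; the
field order is the documented `wg show <iface> dump` format: the first line
describes the interface (private-key, public-key, listen-port, fwmark), then
one tab-separated line per peer: public-key, preshared-key, endpoint,
allowed-ips, latest-handshake (Unix time, 0 = never), rx bytes, tx bytes,
persistent-keepalive. Key strings are placeholders, not real keys.
"""
from dataclasses import dataclass

NOW = 1_700_000_000          # pretend the dump was taken at this Unix time
DAY = 86_400

# Constructed sample: one active laptop, one phone silent for 45 days,
# one laptop that was registered but never completed a handshake.
SAMPLE_DUMP = "\n".join([
    "\t".join(["(redacted)", "SERVERPUBKEY=", "51820", "off"]),
    "\t".join(["LAPTOP1PUB=", "(none)", "203.0.113.7:41234", "10.0.30.10/32",
               str(NOW - 2 * 3600), "5242880", "1048576", "off"]),
    "\t".join(["PHONE1PUB=", "(none)", "198.51.100.9:60001", "10.0.30.11/32",
               str(NOW - 45 * DAY), "20480", "8192", "off"]),
    "\t".join(["LAPTOP2PUB=", "(none)", "(none)", "10.0.30.12/32",
               "0", "0", "0", "off"]),
])

# The dump carries public keys only; map them to the peer names used in OPNsense.
NAMES = {
    "LAPTOP1PUB=": "laptop-user1",
    "PHONE1PUB=": "phone-user1",
    "LAPTOP2PUB=": "laptop-user2",
}


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    last_handshake: int    # Unix time, 0 = never
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> list[Peer]:
    """Turn dump output into Peer records, skipping the interface line."""
    lines = text.strip().splitlines()
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) < 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers


def classify(peers: list[Peer], now: int = NOW, max_idle_days: int = 30) -> dict[str, list[str]]:
    """Split peers into active, stale (no handshake for max_idle_days) and never-connected.

    Stale peers are revocation candidates (lost device, departed colleague);
    never-connected ones are either onboarding in progress or a config that
    never worked, and either way deserve a follow-up rather than a permanent slot."""
    report: dict[str, list[str]] = {"active": [], "stale": [], "never": []}
    for p in peers:
        name = NAMES.get(p.public_key, p.public_key)
        if p.last_handshake == 0:
            report["never"].append(name)
        elif now - p.last_handshake > max_idle_days * DAY:
            report["stale"].append(name)
        else:
            report["active"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in classify(parse_dump(SAMPLE_DUMP)).items():
        print(f"{bucket:7s} {', '.join(names) or '-'}")
```

On a real system feed it the output of wg show wg0 dump instead of SAMPLE_DUMP and keep NAMES in sync with your peer list; a stale entry is removed from OPNsense, not just noted.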
Add a Pre-Shared Key (PSK)
WireGuard supports an optional pre-shared key per peer. It is mixed into the handshake as an extra symmetric secret, so even if Curve25519 were broken (for example by a future quantum computer) an attacker without the PSK could not recover the session keys. Setup is quick: run wg genpsk once per peer, paste the value into that peer's Pre-shared key field on OPNsense, and add the same value as PresharedKey = ... in the [Peer] section of that client's config. Use a different PSK for every peer and treat it like the private key: it travels to the client once, inside the config file.
7. Common Issues and Fixes
Connected but can't reach internal servers
Check that the OPNsense firewall has a rule allowing the WireGuard interface to reach the server subnet; rule order matters, and the allow rule must sit above any deny-all. Then check the client: its AllowedIPs must include the server subnet, otherwise packets never enter the tunnel. Finally check the return path: the servers must route the VPN subnet (10.x.30.0/24) back via OPNsense. If OPNsense is their default gateway this is automatic; if not, add a static route for the VPN subnet on the servers or on their gateway.
Handshake fails
Verify that the keys match exactly: the client's public key on OPNsense and the server's public key in the client config. A key is exactly 44 base64 characters ending in "="; trailing whitespace or a line break pasted into the field is enough to break authentication. Confirm the instance is enabled and that UDP port 51820 is allowed on the WAN firewall, then watch wg show on the client: once a "latest handshake" line appears the cryptographic part works, and any remaining problem is routing or firewall rules.
Mobile connection drops frequently
Set PersistentKeepalive = 25 in the client's [Peer] section (the side behind NAT). Idle UDP mappings expire on most NAT devices after a short timeout, and because WireGuard sends nothing while idle, the office side can no longer reach the phone once that happens. A keepalive packet every 25 seconds keeps the mapping alive.
Can't connect from a dynamic-IP network
Set up DDNS (DuckDNS, Cloudflare DDNS, etc.) on OPNsense and use the domain name as the Endpoint in the client config.
Summary
WireGuard VPN Build Checklist
- Create an OPNsense WireGuard instance — port, subnet, and key pair
- Add a WAN firewall rule allowing the WireGuard UDP port
- Add a VPN interface rule allowing access to the server subnet
- Generate a key pair per device — one key per device principle
- Distribute client configs — use QR codes for mobile devices
- Set AllowedIPs for split tunnel or full tunnel as needed
- Enable PersistentKeepalive for NAT environments
- Rotate keys regularly and remove peers when people leave
WireGuard’s minimal configuration and excellent performance make it ideal for small-team remote access. Even on an N100 mini PC it pushes over 500 Mbps of VPN throughput, and battery impact on mobile is noticeably lower than OpenVPN.
This article is based on an OPNsense 24.x deployment. IP addresses, port numbers, and domains shown are examples — adapt them to your environment. Settings may vary across WireGuard and OPNsense versions. Non-commercial sharing is welcome. For commercial use, please contact us.
Need a Secure Remote Work Setup?
Treeru handles WireGuard VPN design, deployment, and user management end to end. Work from anywhere as securely as if you were in the office.
Get a VPN Consultation