OPNsense WireGuard Remote Access: Browser RDP and SSH to Your Entire LAN
How to set up WireGuard on OPNsense to get browser-based RDP, VNC, and SSH access to every device on your LAN — no static IP, no port forwarding, no agent on targets.
OPNsense has become the go-to firewall for MSPs who moved away from pfSense after the 2023 Netgate licensing changes. It runs on the same hardware, has a cleaner plugin architecture, and ships with WireGuard support built in as of version 24.1. If your client sites run OPNsense, one WireGuard tunnel per firewall gives you browser-based RDP, VNC, and SSH access to every device on the LAN — without a static IP, without port forwarding, and without installing anything on individual machines.
Installing the WireGuard Plugin
On OPNsense 24.1 and later, WireGuard is a built-in kernel module. On earlier versions, install the plugin first:
- Go to System → Firmware → Plugins
- Search for os-wireguard and click the install button
- Wait for the install to complete, then reload the page
WireGuard will appear under VPN → WireGuard. Enable the service with the toggle at the top of the page.
Creating the Local Instance
Under VPN → WireGuard → Local, add a new instance:
- Name: ProxyLink
- Listen Port: 51820 (any unused UDP port)
- Tunnel Address: Your assigned peer IP from ProxyLink — e.g. 10.100.0.X/32
- Generate new keys — copy the public key; you will need to register it with the relay server
Save and apply.
Adding the Relay Server as a Peer
Under VPN → WireGuard → Endpoints, add the relay:
- Public Key: The relay server's WireGuard public key (shown in ProxyLink when you create a tunnel)
- Allowed IPs: 10.100.0.0/16 — the relay's tunnel range
- Endpoint Address: The relay server's hostname or IP
- Endpoint Port: 51820
- Keepalive: 25 seconds — critical for NAT traversal. Without it, OPNsense behind a typical ISP connection will not maintain the handshake.
Assign the endpoint to your Local instance. Apply changes.
Assigning the Interface
OPNsense requires you to assign the WireGuard tunnel as a named interface before you can write firewall rules for it:
- Go to Interfaces → Assignments
- Select wg0 from the dropdown at the bottom and click Add
- Click the interface name to configure it — enable it and save
This creates a named interface (defaults to OPT1 or similar) that appears in the firewall rules panel.
Firewall Rules
OPNsense does not automatically allow traffic through a new interface. Add rules under Firewall → Rules → [WireGuard interface name]:
Action: Pass
Direction: In
Source: 10.100.0.0/16
Destination: LAN net
Protocol: Any
For multi-VLAN sites, add a separate rule for each VLAN subnet:
Destination: 192.168.10.0/24 (e.g. PBX VLAN)
Destination: 192.168.20.0/24 (e.g. camera VLAN)
OPNsense is stateful — if you allow inbound connections from the tunnel, return packets are permitted automatically. You do not need a separate LAN → WireGuard allow rule for stateful connections.
Do not add NAT or masquerade rules for the WireGuard interface. OPNsense routes traffic natively once the interface and rules are in place; masquerade breaks the return path.
Verifying the Tunnel
Under VPN → WireGuard → Diagnostics, the peer should show a recent handshake time once the tunnel connects. If the handshake is not occurring, check:
- UDP 51820 is allowed outbound through the WAN firewall rules — it usually is by default, but an explicit drop rule can block it
- The relay server's public key is correct — a single wrong character silently prevents the handshake
- Keepalive is set to 25 seconds — without it, the NAT entry expires and the tunnel goes silent
Multi-VLAN Sites: Hotels, Offices, and Industrial Networks
OPNsense is frequently deployed at sites with multiple VLANs — a hotel with a guest network, PBX VLAN, and camera VLAN, or an office with separate networks for servers, workstations, and VoIP. ProxyLink handles multi-VLAN access natively: declare each subnet when setting up the tunnel, and all of them become reachable through the single WireGuard peer on that OPNsense firewall.
In OPNsense, add each VLAN subnet to the peer's Allowed IPs and add a firewall rule on the WireGuard interface for each subnet. One firewall, one tunnel, all VLANs covered. An MSP engineer can reach the camera NVR on VLAN 20, the PBX admin panel on VLAN 10, and the Windows server on VLAN 1 — all from the same browser session, without switching tools or logging into a jump server.
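The following is an added example, not part of this guide and not ProxyLink or OPNsense code: a Python check that applies the troubleshooting list from Verifying the Tunnel (handshake age, keepalive, key format) plus the multi-VLAN Allowed IPs requirement to the output of `wg show wg0 dump`, which you can run from the OPNsense shell. The key, endpoint, timestamps and subnets in the sample are constructed to mirror the guide, not taken from a real site.

```python
import base64
import ipaddress

# Constructed sample key (not a real ProxyLink or relay key): 32 bytes, base64 = 44 chars.
RELAY_KEY = base64.b64encode(bytes(range(32))).decode()
NOW = 1_700_000_000  # frozen "current time" so the check is deterministic

# Constructed `wg show wg0 dump` output (tab-separated). Line 1 is the interface; each
# further line is one peer: pubkey, psk, endpoint, allowed_ips, last_handshake, rx, tx,
# persistent_keepalive ("off" when disabled). Values mirror the guide, not a real site.
SAMPLE_DUMP = (
    f"PRIVATE_KEY_PLACEHOLDER\t{RELAY_KEY}\t51820\toff\n"
    f"{RELAY_KEY}\t(none)\t198.51.100.7:51820\t10.100.0.0/16,192.168.10.0/24,"
    f"192.168.20.0/24\t{NOW - 40}\t4096\t8192\t25\n"
)
REQUIRED = ["10.100.0.0/16", "192.168.10.0/24", "192.168.20.0/24"]

def valid_key(key: str) -> bool:
    """Catches truncated or non-base64 keys; a wrong but valid character only shows up
    later as a missing handshake, which check_peer reports separately."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def parse_dump(dump: str) -> list:
    """Parse the peer lines of `wg show <if> dump` into dicts."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        peers.append({"public_key": f[0], "endpoint": f[2],
                      "allowed_ips": [ipaddress.ip_network(n) for n in f[3].split(",") if n != "(none)"],
                      "latest_handshake": int(f[4]),
                      "keepalive": 0 if f[7] == "off" else int(f[7])})
    return peers

def check_peer(peer: dict, required: list, now: int, max_age: int = 180) -> list:
    """Return findings for one peer; an empty list means the tunnel looks healthy."""
    findings = []
    if not valid_key(peer["public_key"]):
        findings.append("public key is not a syntactically valid WireGuard key")
    if not 1 <= peer["keepalive"] <= 25:
        findings.append("keepalive off or above 25 s; the NAT mapping will expire")
    if peer["latest_handshake"] == 0 or now - peer["latest_handshake"] > max_age:
        findings.append("no recent handshake; check WAN egress on UDP 51820 and the key")
    for subnet in required:  # every declared VLAN must sit inside some AllowedIPs entry
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(a) for a in peer["allowed_ips"] if a.version == net.version):
            findings.append(f"{subnet} is not covered by AllowedIPs")
    return findings

FINDINGS = {p["endpoint"]: check_peer(p, REQUIRED, NOW) for p in parse_dump(SAMPLE_DUMP)}
```

Replace SAMPLE_DUMP with the real `wg show wg0 dump` output and NOW with `int(time.time())` to run it against a live firewall.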
What Engineers Actually Get
Once the OPNsense tunnel is up, every device on every LAN and VLAN gets a URL in ProxyLink. An engineer opens a browser, selects the client site, and clicks any device:
- Windows PCs and servers → browser RDP (no mstsc.exe, no local VPN client required)
- Linux servers → browser SSH terminal
- NVR systems, PBX admin panels, switch web UIs → HTTP/HTTPS proxy link, opens in any browser
- Managed switches → browser SSH with the built-in terminal, supports Cisco enable mode
Audit logs capture every session automatically: engineer identity, target device, connection time, duration. Session recording is available per proxy link. For NIS2-regulated clients in the EU, this is the audit trail that answers the access control questions directly — who accessed which device, when, and for how long.
pfSense to OPNsense Migration
If you are migrating client sites from pfSense to OPNsense, the WireGuard peer configuration carries over directly — the same public and private keys work on both platforms. You can export the key pair from pfSense before migration and import it into the OPNsense instance configuration. The ProxyLink relay does not need to be reconfigured; only the WireGuard config on the firewall changes.
Try ProxyLink free — no card required. If you manage OPNsense firewalls at client sites, the first tunnel takes about 15 minutes to set up. Full setup guides for pfSense, MikroTik, OpenWRT, and Debian gateways are in the docs.