WireGuard Peer Authentication; A Captive Portal Approach

WireGuard has proved to be fast and secure and easy to set up. Even though security is not an issue with WireGuard , I have seen a lot of online questions on different forums about how to authenticate WireGuard VPN clients. I figured out how to utilize the captive portal in OPNsense to achieve this. This is a very simple process that will take just a few minutes. In this article it is assumed that you have prior knowledge about OPNsense and how to set up captive portal and WireGuard .

1. Setup WireGuard server

Sample WireGuard configuration

2.Enable WireGuard interface. The captive portal wont work for WireGuard if this interface is not enabled.

Random interface name; Guard

3. Define the appropriate firewall rules for the WireGuard Interface. Note that these rules are meant for the interface that was enabled in the step above.

After these rules all other rules are up to your own discretion.

4.Create Captive portal and set ‘Guard’ as the interface to enable for captive portal. Here you can set your desired authentication server and other specifications that fit your use case.

5.Finally configure WireGuard client. Here, if you prefer your captive portal to use an fqdn instead of the interface IP, you must include the WireGuard interface in the DNS option for all clients.

Conclusion

This is a pretty basic configuration that works. You can make changes to suit your use case. You can share your concerns , questions or contributions in the comments. I will answer them all.