Setting Up WireGuard on OPNsense with PremierVPN

Last updated 31 Mar 2026

This guide walks you through setting up a WireGuard VPN tunnel on your OPNsense firewall using your PremierVPN Dedicated WireGuard Server. Once configured, you can route all traffic from your network — or just specific devices — through PremierVPN automatically.

What You Need

Before you start, make sure you have the following:

  • OPNsense 23.1 or later (WireGuard is built-in from 23.1 onwards; earlier versions require the os-wireguard plugin)
  • A PremierVPN Dedicated WireGuard Server — you need an active subscription with a dedicated server assigned to your account
  • A WireGuard user created in the portal — this gives you the configuration file containing your keys and server details

If you have not yet created a WireGuard user, follow the steps in the "Creating and Managing WireGuard Users" article in the Dedicated WireGuard VPN section of this Knowledge Base first.

Step 1 — Download Your Configuration File

  1. Log in to the PremierVPN Client Portal.
  2. Go to WireGuard Servers from the Quick Links on your Dashboard.
  3. Click "Manage Server" on your server.
  4. If you have not already created a user for your OPNsense router, create one now — use a name like opnsense or router.
  5. Click "Download .conf" to download the configuration file.
  6. Open the .conf file in a text editor. You will need the values from this file throughout the setup.

Your configuration file will look similar to this:

[Interface]
PrivateKey = aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789...
Address = 10.66.66.2/32
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = xYzAbCdEfGhIjKlMnOpQrStUvWxYz9876543...
PresharedKey = pQrStUvWxYz0123456789aBcDeFgHiJkLmN...
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Keep this file open; you will copy each value into OPNsense in the following steps. It contains your private key and pre-shared key, so treat it as a secret and do not share it.

Step 2 — Enable WireGuard on OPNsense

  1. In OPNsense, navigate to VPN → WireGuard.
  2. If you see a message about the WireGuard plugin not being installed, go to System → Firmware → Plugins, search for os-wireguard, and install it. Then return to VPN → WireGuard.
  3. On the General tab, tick Enable WireGuard and click Save.

Step 3 — Add the Peer (PremierVPN Server)

The peer is the PremierVPN server you are connecting to. You need to add this before creating the local instance.

  1. Go to VPN → WireGuard → Peers (or Endpoints depending on your OPNsense version).
  2. Click + to add a new peer.
  3. Fill in the following fields using the values from your .conf file:

| Field | Value | Source |
| --- | --- | --- |
| Name | PremierVPN | Your choice (any descriptive name) |
| Public Key | The PublicKey value from the [Peer] section | e.g. xYzAbCdEfG... |
| Pre-shared Key | The PresharedKey value from the [Peer] section | e.g. pQrStUvWxY... |
| Allowed IPs | 0.0.0.0/0 | Routes all IPv4 traffic through the tunnel |
| Endpoint Address | The IP address from the Endpoint value | e.g. 203.0.113.10 |
| Endpoint Port | The port from the Endpoint value | e.g. 51820 |
| Keepalive | 25 | Matches the PersistentKeepalive in your config |

  4. Click Save.

Note: If you also want to route IPv6 traffic, add ::/0 to the Allowed IPs field, separated by a comma: 0.0.0.0/0, ::/0.

Step 4 — Create the Local Instance

The local instance is your OPNsense router's side of the WireGuard tunnel.

  1. Go to VPN → WireGuard → Instances (or Local depending on your version).
  2. Click + to add a new instance.
  3. Fill in the following:

| Field | Value | Source |
| --- | --- | --- |
| Name | premiervpn-wg | Your choice |
| Listen Port | 51821 | Any unused port; this is the local listen port, not the server's |
| Private Key | The PrivateKey value from the [Interface] section | e.g. aBcDeFgHiJ... |
| Tunnel Address | The Address value from the [Interface] section | e.g. 10.66.66.2/32 |
| Peers | Select PremierVPN (the peer you created in Step 3) | |
| Disable Routes | Ticked | Important: we will create the route manually via a gateway for proper policy-based routing |
| Gateway | Leave empty for now | |

  4. Click Save.
  5. Click Apply at the top of the page to activate the WireGuard configuration.

Step 5 — Assign the WireGuard Interface

OPNsense needs a network interface assigned to the WireGuard tunnel so you can create firewall rules and gateways for it.

  1. Go to Interfaces → Assignments.
  2. In the New Interface dropdown at the bottom, you should see a new wg1 (or similar) device — this is the WireGuard tunnel you just created.
  3. Click + to assign it. It will be given a name like OPT1.
  4. Click on the new interface name (e.g. OPT1) to edit it.
  5. Configure it as follows:

| Field | Value |
| --- | --- |
| Enable | Ticked |
| Description | WG_PREMIERVPN (or any descriptive name, no spaces) |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | The Address from your config, e.g. 10.66.66.2 with a subnet of /32 |
| IPv4 Upstream Gateway | Click Add a new gateway (see Step 6) |

  6. Click Save and then Apply Changes.

Step 6 — Create the Gateway

You need a gateway so OPNsense can route traffic through the WireGuard tunnel.

  1. Go to System → Gateways → Configuration.
  2. Click + to add a new gateway.
  3. Fill in:

| Field | Value |
| --- | --- |
| Name | WG_PREMIERVPN_GW |
| Interface | WG_PREMIERVPN (the interface you created in Step 5) |
| Address Family | IPv4 |
| IP Address | 10.66.66.1 (the server's internal gateway; this is typically the .1 address of your tunnel subnet) |
| Far Gateway | Ticked (this is important because the gateway is not directly connected) |
| Disable Gateway Monitoring | Ticked for now (you can enable monitoring later once the tunnel is confirmed working) |

  4. Click Save and Apply Changes.

Tip: If you are unsure of the server's gateway IP, it is almost always the first address in your tunnel subnet. If your Address is 10.66.66.2/32, the gateway is 10.66.66.1.
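
The values copied in Steps 1, 3, 4 and 6 can be checked before anything is typed into the GUI. The sketch below is an added example, not PremierVPN or OPNsense code: it parses a .conf, rejects keys that are not base64 for exactly 32 bytes (WireGuard's key length), splits Endpoint, and applies the Tip's first-address rule. Assumptions: the function names, the /24 tunnel subnet default and the sample keys are constructed for illustration.

```python
import base64
import configparser
import ipaddress

def sample_key(seed):  # constructed 32-byte value, not a real key
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()

SAMPLE_CONF = f"""[Interface]
PrivateKey = {sample_key(1)}
Address = 10.66.66.2/32

[Peer]
PublicKey = {sample_key(2)}
PresharedKey = {sample_key(3)}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

def checked_key(section, name):  # accept only base64 of exactly 32 bytes
    value = section[name].strip()
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"{name}: not valid base64 (truncated or mistyped?)") from exc
    if len(raw) != 32:
        raise ValueError(f"{name}: decodes to {len(raw)} bytes, expected 32")
    return value

def opnsense_fields(conf_text, assumed_prefix=24):  # Step 3, 4 and 6 form fields
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, _, port = peer["Endpoint"].strip().rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("Endpoint: expected address:port")
    tunnel = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
    # Step 6 rule of thumb: gateway = first host of the tunnel subnet. A /32
    # Address does not state that subnet, so its prefix length is an assumption.
    subnet = ipaddress.ip_network(f"{tunnel.ip}/{assumed_prefix}", strict=False)
    return {
        "peer": {"Public Key": checked_key(peer, "PublicKey"),
                 "Pre-shared Key": checked_key(peer, "PresharedKey"),
                 "Endpoint Address": host.strip("[]"), "Endpoint Port": int(port),
                 "Keepalive": peer.get("PersistentKeepalive", "").strip()},
        "instance": {"Private Key": checked_key(iface, "PrivateKey"),
                     "Tunnel Address": str(tunnel)},
        "gateway": {"IP Address": str(next(iter(subnet.hosts())))},
    }
```

A key that passes this check can still be the wrong key; the check only catches truncated or malformed values, such as the elided keys in the sample configuration shown in Step 1.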

Step 7 — Configure NAT (Outbound)

For traffic to flow correctly through the WireGuard tunnel, you need an outbound NAT rule.

  1. Go to Firewall → NAT → Outbound.
  2. If you are in Automatic outbound NAT mode, switch to Hybrid outbound NAT rule generation and click Save.
  3. Click + to add a new rule.
  4. Configure:

| Field | Value |
| --- | --- |
| Interface | WG_PREMIERVPN |
| Source | LAN net (or whichever network you want to route through the VPN) |
| Source Port | Any |
| Destination | Any |
| Destination Port | Any |
| Translation / Target | Interface address |

  5. Click Save and Apply Changes.

Step 8 — Firewall Rules

You need to allow traffic from your LAN to pass through the WireGuard interface.

WireGuard Interface Rule

  1. Go to Firewall → Rules → WG_PREMIERVPN.
  2. Click + to add a new rule.
  3. Configure:

| Field | Value |
| --- | --- |
| Action | Pass |
| Interface | WG_PREMIERVPN |
| Direction | In |
| Protocol | Any |
| Source | Any |
| Destination | Any |

  4. Click Save and Apply Changes.

LAN Rule (Route Traffic Through VPN)

To send all LAN traffic through PremierVPN:

  1. Go to Firewall → Rules → LAN.
  2. Click + to add a new rule at the top of the list (above the default LAN pass rule).
  3. Configure:

| Field | Value |
| --- | --- |
| Action | Pass |
| Interface | LAN |
| Protocol | Any |
| Source | LAN net |
| Destination | Any |
| Gateway | WG_PREMIERVPN_GW |

  4. Click Save and Apply Changes.

Important: This rule must be above the default LAN to Any rule, otherwise traffic will use your normal WAN gateway instead of the VPN.

Step 9 — Set DNS

To prevent DNS leaks, configure OPNsense to use DNS servers through the tunnel.

  1. Go to System → Settings → General.
  2. Set the DNS servers to:
    • 1.1.1.1 — Gateway: WG_PREMIERVPN_GW
    • 8.8.8.8 — Gateway: WG_PREMIERVPN_GW
  3. Untick Allow DNS server list to be overridden by DHCP/PPP on WAN.
  4. Click Save.

Alternatively, if you run Unbound on OPNsense:

  1. Go to Services → Unbound DNS → General.
  2. Under Outgoing Network Interfaces, select WG_PREMIERVPN.
  3. Click Save and restart Unbound.

Step 10 — Verify the Connection

  1. Go to VPN → WireGuard → Diagnostics (or check the Handshake column on the instances page).
  2. You should see a recent handshake timestamp for the PremierVPN peer — this confirms the tunnel is active.
  3. From a device on your LAN, visit premiervpn.net/ip-leak-test to confirm your public IP matches your dedicated server's IP.
  4. Run a DNS leak test to verify DNS is resolving through the tunnel.

If the handshake column shows "Never" or stays empty, see the Troubleshooting section below.

Optional — Routing Only Specific Devices (Split Tunnel by Device)

If you only want certain devices to use the VPN (rather than all LAN traffic), use OPNsense aliases and targeted firewall rules:

  1. Go to Firewall → Aliases and create an alias (e.g. VPN_Devices) containing the LAN IP addresses of the devices you want routed through PremierVPN.
  2. Modify the LAN firewall rule from Step 8 — change the Source from LAN net to the VPN_Devices alias.
  3. Devices not in the alias will use your normal WAN gateway.

This approach lets you route your gaming PC through the VPN while keeping smart TVs or IoT devices on your normal connection.

Optional — Kill Switch (Prevent VPN Bypass)

To ensure that traffic does not leak out of your WAN if the WireGuard tunnel goes down:

  1. Go to Firewall → Rules → LAN.
  2. Add a Block rule below your VPN pass rule:

| Field | Value |
| --- | --- |
| Action | Block |
| Interface | LAN |
| Protocol | Any |
| Source | LAN net (or VPN_Devices alias) |
| Destination | Any |
| Gateway | * (default) |

  3. Place this rule after the VPN pass rule but before the default LAN pass rule.

Now if the WireGuard tunnel drops, traffic will be blocked rather than falling back to your WAN — acting as a kill switch.
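
A model of the LAN rule order from Step 8 and the kill switch above, added here as an example and not taken from PremierVPN or OPNsense code. It assumes first-match rule evaluation and a constructed LAN of 192.168.1.0/24 with one VPN_Devices member. It also treats as a parameter whether a rule whose gateway is marked down is dropped from the rule set (OPNsense exposes this as "Skip rules when gateway is down" under Firewall → Settings → Advanced) or kept without its gateway.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")         # assumed LAN subnet
VPN_DEVICES = [ipaddress.ip_network("192.168.1.50/32")]  # assumed alias member

# LAN rules in the page's order: VPN pass, kill-switch block, default LAN pass.
PAGE_ORDER = [
    {"action": "pass", "src": VPN_DEVICES, "gateway": "WG_PREMIERVPN_GW"},
    {"action": "block", "src": VPN_DEVICES, "gateway": None},
    {"action": "pass", "src": [LAN_NET], "gateway": None},
]

def decide(rules, src, gw_up, skip_rules_when_gw_down):
    """First matching rule wins; returns (action, egress)."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if not any(addr in net for net in rule["src"]):
            continue
        gateway = rule["gateway"]
        if gateway and not gw_up:
            if skip_rules_when_gw_down:
                continue      # rule is not loaded, evaluation falls through
            gateway = None    # rule stays loaded but loses its gateway
        if rule["action"] == "block":
            return ("block", None)
        return ("pass", gateway or "WAN")
    return ("block", None)    # nothing matched: default deny
```

With the flag off, the VPN pass rule still matches first and the block rule is never reached, so check that setting when you test the kill switch. Gateway monitoring, which Step 6 leaves disabled, is what marks the gateway as down.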

Troubleshooting

No handshake appearing

  • Verify the PrivateKey, PublicKey, and PresharedKey values were copied correctly — a single wrong character will prevent the handshake.
  • Check that the Endpoint Address and Endpoint Port are correct.
  • Ensure your WAN firewall allows outbound UDP traffic on the server's port (usually 51820).
  • Try restarting the WireGuard service: VPN → WireGuard → General, untick Enable, save, then re-enable.

Handshake works but no internet

  • Confirm the outbound NAT rule (Step 7) is in place and uses the WG_PREMIERVPN interface.
  • Check that the LAN firewall rule (Step 8) specifies the WG_PREMIERVPN_GW gateway.
  • Verify DNS is configured to resolve through the tunnel (Step 9).
  • Go to Firewall → Diagnostics → States and check that traffic is flowing through the wg1 interface.

DNS leak detected

  • Ensure DNS servers are assigned to the WG_PREMIERVPN_GW gateway in System → Settings → General.
  • If using Unbound, confirm the outgoing interface is set to WG_PREMIERVPN.
  • Disable Allow DNS server list to be overridden by DHCP/PPP on WAN.

Slow speeds through the tunnel

  • Lower the MTU on the WireGuard instance to 1420 (go to VPN → WireGuard → Instances, edit your instance, and set the MTU field).
  • Check your server's location — connecting to a geographically closer server will give better speeds.
  • Confirm your ISP is not throttling UDP traffic on the WireGuard port.

Connection drops intermittently

  • Ensure PersistentKeepalive (Keepalive interval) is set to 25 on the peer.
  • Check the WireGuard service logs at VPN → WireGuard → Log File for errors.

FAQs

Can I use this with a shared VPN plan instead of a dedicated server?

No. The WireGuard configuration file and key management are only available with PremierVPN's Dedicated WireGuard Server plans. Shared plans use the PremierVPN apps with different authentication.

Can I run WireGuard alongside OpenVPN on OPNsense?

Yes. WireGuard and OpenVPN are independent — they use different interfaces and can coexist. You could route different devices through different VPN tunnels using policy-based routing.

Will this work with OPNsense running in a virtual machine?

Yes, as long as the VM has network access and you pass through or bridge the LAN interface correctly.

Do I need to update the configuration if my server IP changes?

Yes. If PremierVPN changes your server's IP address (which is rare), you will need to update the Endpoint Address in the peer configuration. You will be notified by email if this happens.
