OPNSENSE Surfshark VPN Selective Traffic routing via Wireguard Tunnel on VLAN

This guide describes how to route the clients of a selected VLAN (for example a GUEST VLAN) through a paid Surfshark VPN service. This may come in handy if you want to isolate those clients from your private network and hide their traffic from the ISP network inside an encrypted tunnel.

PLEASE NOTE: This guide is not sponsored by any VPN company, and the same steps apply to any other provider that offers a WireGuard tunnel.

STEP1: Generate SURFSHARK wireguard credentials

  • Log in to Surfshark and navigate to VPN -> Manual Setup -> Router -> WireGuard
  • Choose 'I don't have a key pair' so that Surfshark generates the credentials for your tunnel
  • You may name it OPNSENSE-SURFSHARK-VPN and then click on Generate a new key pair
  • Copy the Public key and the Private key somewhere safe, since they are needed later in the process

The private key is the only thing that authenticates your tunnel, so treat it like a password: it is pasted into OPNsense only and nowhere else. If Surfshark offers the 'I already have a key pair' path, you can instead generate the pair on OPNsense itself (the WireGuard instance form has a key generator) and give Surfshark only the public key, so the private key never leaves the firewall.

Name: OPNSENSE-SURFSHARK-VPN

Public Key: BGYr8……………………………..

Private Key: SOBud……………………………..

Now choose a location for the VPN server and download the config.

As an example we chose Switzerland, Zurich.

The downloaded WireGuard configuration looks like this:

[Interface]
Address = 10.14.0.2/16
PrivateKey = SOBud……………………………..
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = qFuwa……………………………..
AllowedIPs = 0.0.0.0/0
Endpoint = ch-zur.prod.surfshark.com:51820
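The mapping from the provider's .conf to the OPNsense fields used in STEP3 (instance and peer), STEP5 (gateway) and STEP9 (DHCP DNS) is mechanical, and the POSIX shell script below does it for you. It is an added example, not code from the original guide, from Surfshark or from OPNsense: the sample configuration and its keys are constructed placeholders, and deriving the gateway as the first host of the tunnel subnet (10.14.0.2/16 -> 10.14.0.1) is an assumption taken from the values the guide uses.

```shell
#!/bin/sh
# Added example (not from the original guide): maps a provider-supplied WireGuard
# .conf onto the OPNsense GUI fields. Keys below are placeholders; the gateway
# rule "first host of the tunnel subnet" is an assumption taken from the guide.

# Constructed sample; replace with the file downloaded from the provider.
SAMPLE_CONF='[Interface]
Address = 10.14.0.2/16
PrivateKey = SOBudEXAMPLEPRIVATEKEYxxxxxxxxxxxxxxxxxxxxxx=
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = qFuwaEXAMPLEPUBLICKEYxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0
Endpoint = ch-zur.prod.surfshark.com:51820'

# wg_field <conf-text> <key>: value of the first "Key = value" line, trimmed
wg_field() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# tunnel_address: "10.14.0.2/16" -> "10.14.0.2/32" (instance 'Tunnel address')
tunnel_address() {
    printf '%s/32\n' "${1%/*}"
}

# tunnel_gateway: first host of the tunnel subnet (instance 'Gateway' and the
# STEP5 gateway IP). Assumption: the provider's far end is .1 of the subnet.
# Only /16 and /24 prefixes are handled, which covers the common provider configs.
tunnel_gateway() {
    addr=${1%/*}; plen=${1#*/}
    o1=${addr%%.*}; rest=${addr#*.}; o2=${rest%%.*}; rest=${rest#*.}; o3=${rest%%.*}
    case "$plen" in
        16) printf '%s.%s.0.1\n' "$o1" "$o2" ;;
        24) printf '%s.%s.%s.1\n' "$o1" "$o2" "$o3" ;;
        *)  echo "unsupported prefix length: $plen" >&2; return 1 ;;
    esac
}

# endpoint_host / endpoint_port: split "host:port" (peer 'Endpoint address'/'port')
endpoint_host() { printf '%s\n' "${1%:*}"; }
endpoint_port() { printf '%s\n' "${1##*:}"; }

# opnsense_fields <conf-text>: print the GUI field values, one per line
opnsense_fields() {
    addr=$(wg_field "$1" Address)
    ep=$(wg_field "$1" Endpoint)
    printf 'Instance Tunnel address: %s\n' "$(tunnel_address "$addr")"
    printf 'Instance Gateway: %s\n' "$(tunnel_gateway "$addr")"
    printf 'Instance Private key: %s\n' "$(wg_field "$1" PrivateKey)"
    printf 'Peer Public key: %s\n' "$(wg_field "$1" PublicKey)"
    printf 'Peer Allowed IPs: %s\n' "$(wg_field "$1" AllowedIPs)"
    printf 'Peer Endpoint address: %s\n' "$(endpoint_host "$ep")"
    printf 'Peer Endpoint port: %s\n' "$(endpoint_port "$ep")"
    printf 'DHCP DNS servers: %s\n' "$(wg_field "$1" DNS)"
}

opnsense_fields "$SAMPLE_CONF"
```

To use it with a real download, replace SAMPLE_CONF with `$(cat surfshark.conf)`; the script never writes the private key anywhere, it only prints the field values for you to paste into the GUI.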

STEP2: CREATE A VLAN WITH ISOLATED SUBNET

Prepare a VLAN following the guide How to Set Up a VLAN in OPNsense:

https://www.wundertech.net/how-to-set-up-a-vlan-in-opnsense/

Interfaces > Other Types > VLAN > Add

  • Device: <leave empty>
  • Parent: <one-of-the-LAN-interfaces-VLAN-aware>
  • VLAN tag: 44
  • Description: VLAN44-VPN-SURFSHARK

Apply

Interfaces > Assignments > Assign new Interface > Add

  • Device: vlan01   //// the VLAN device created above on your LAN parent interface
  • Description: VLAN44-VPN

Interfaces > Assignments > VLAN44VPN > EDIT

  • Enable interface
  • IPv4 Configuration Type: Static IPv4
  • IPv4 Address: 10.10.18.1/24
  • Save & Apply

If you’re using KEA DHCP on OPNSENSE

Go to Services > KEA DHCP > KEA DHCPV4 > Settings > Add VLAN44VPN interface

Apply

Go to Services > KEA DHCP > KEA DHCPV4 > Subnets > Add

  • Subnet: 10.10.18.0/24
  • Description: VLAN44-VPN
  • Pools: 10.10.18.100-10.10.18.200
  • Save & Apply

The VLAN subnet is prepared. Whenever a client connects to this subnet, its traffic will be routed automatically through the Surfshark WireGuard tunnel that we configure next.

STEP3: CONFIGURE WIREGUARD TUNNEL

Go to VPN > Wireguard >  Instances > Add

  • Toggle: Advanced mode
  • Name: SURFSHARK-CH
  • Private key: SOBud……………………………..
  • Listen Port: 51825
  • Tunnel address: 10.14.0.2/32
  • Disable routes: CHECKED
  • Gateway: 10.14.0.1
  • Save & Apply

Go to VPN > Wireguard > Peers > Add

  • Enabled: Checked
  • Name: Peer-SURFSHARK-CH
  • Public-key: qFuwa……………………………..
  • Allowed IPs: 0.0.0.0/0
  • Endpoint address: ch-zur.prod.surfshark.com
  • Endpoint port: 51820
  • Instances: SURFSHARK-CH
  • Keep interval: 25
  • Save & Apply

Go to VPN > Wireguard > Status

Note the public IP that the endpoint ch-zur.prod.surfshark.com resolved to (here 89.37.173.37); it is used as the monitor IP in STEP5.

STEP4: ADD WIREGUARD INTERFACE

Interfaces > Assignments > Assign new Interface > Add

  • Device: wg0
  • Description: WGSURFSHARK
  • Add & Save

Interfaces > Assignments > WGSURFSHARK

  • Enable interface
  • MTU: 1420
  • MSS: 1420
  • Save & Apply

STEP5: CONFIGURE GATEWAY

System > Gateways > Configuration > Add

  • Name: GWSURFSHARKCH
  • Description: Gateway for SURFSHARK VPN CH
  • Interface: WGSURFSHARK
  • IP address: 10.14.0.1
  • Far Gateway: checked
  • Disable Gateway Monitoring: unchecked
  • Monitor IP: 89.37.173.37 (ch-zur.prod.surfshark.com)
  • Save & Apply

 

Toggle Disable/Enable on the gateway until it shows as online, then refresh.

Keep in mind that OPNsense installs a host route to the monitor IP via this gateway, so the monitor address is reached only through the tunnel. If the gateway never comes up, one thing to try is a monitor address other than the endpoint's own public IP (for instance a public resolver that answers ICMP), so that the WireGuard handshake towards 89.37.173.37 is not itself routed into the tunnel.

STEP6: CREATE AN ALIAS FOR VLAN44 SUBNET

Go to Firewall -> Aliases -> Add

  • Enabled: checked
  • Name: VLAN44SUBNET
  • Type: Network(s)
  • Content: 10.10.18.0/24
  • Save & Apply

 

STEP7: CONFIGURE FIREWALL OUTBOUND NAT

Go to Firewall -> NAT -> Outbound. Ensure it is set to ‘Hybrid’.

Save & Apply

Add a new entry in Manual rules:

  • Interface: WGSURFSHARK
  • Source address: Alias VLAN44SUBNET
  • Translation / target: Interface address (the default)
  • Leave everything else as default
  • Save & Apply

Without this rule the VLAN44 clients' private addresses would be sent into the tunnel unchanged and Surfshark would drop them; with it, their traffic leaves the tunnel with the 10.14.0.2 tunnel address as source.

STEP8: CREATE FIREWALL RULE TO ROUTE TRAFFIC

Go to Firewall -> Rules -> WGSURFSHARK -> Add rule

  • Action: Pass
  • Interface: WGSURFSHARK
  • Leave rest as default
  • Log: checked
  • Save & Apply

Caveat: with the default source and destination of 'any', this rule also accepts connections that arrive through the tunnel from the provider side. Because pf is stateful, reply traffic for connections that VLAN44 clients open through the tunnel is already allowed by the state created on the VLAN44VPN rule, so for outbound-only use you can omit this rule, or restrict it to the inbound services you actually expect to receive through the VPN.

Go to Firewall -> Rules -> VLAN44VPN -> Add rule

  • Action: Pass
  • Interface: VLAN44VPN
  • Protocol: any
  • Source: VLAN44SUBNET   //// ALIAS CREATED EARLIER
  • Destination: any
  • Log: checked
  • Gateway: GWSURFSHARKCH  //// GATEWAY CREATED EARLIER
  • Rest leave as default
  • Save & Apply

Keep this as the first (ideally the only) pass rule on VLAN44VPN. Rules are matched top-down, and any pass rule above it without a gateway would send the matching traffic out of the default WAN instead of the tunnel.

STEP9: RECONFIGURE DHCP SUBNET FOR VLAN44

Go to Services > KEA DHCP > KEA DHCPV4 > Subnets > VLAN44-VPN > Edit

  • Auto collect option data: unchecked
  • Routers (gateway): 10.10.18.1
  • DNS servers: 162.252.172.57, 149.154.159.92  /// SURFSHARK DNS
  • Save & Apply

 

STEP10: ADD A KILL SWITCH

If the VPN interface goes down for some reason, a kill switch ensures that client traffic does not fall back to the default WAN interface. The mechanism below tags packets matched by the VLAN44VPN rule and blocks anything carrying that tag from leaving via WAN. For the tag to be applied while the gateway is down, leave System > Settings > General > 'Skip rules when gateway is down' unchecked (the default): OPNsense then keeps the rule loaded without its gateway, so the tag is still set and the floating block rule catches the traffic. If that option is checked, the rule is removed when the gateway is down, no tag is set, and the kill switch does nothing.

 

Go to Firewall -> Rules -> VLAN44VPN -> Edit the rule created earlier

  • Click on Advanced features
  • Set local tag: NO_WAN_EGRESS
  • Save & Apply

Go to Firewall -> Rules -> Floating -> Add new

  • Action: Block
  • Interface: WAN
  • Direction: out
  • Log: checked
  • Click on Advanced features
  • Match local tag: NO_WAN_EGRESS
  • Save & Apply
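The kill switch can be verified from the OPNsense shell (System > Access > Shell, or SSH) by looking at the pf state table: every state for a VLAN44 source should sit on the VLAN interface and on wg0, never on the WAN. The script below is an added example, not part of the original guide or of OPNsense. The WAN interface name igb0, the environment variable names and the `pfctl -ss` line layout (interface, protocol, source, optional pre-NAT source in parentheses, arrow, destination) are assumptions, and the state table it scans is constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example (not part of the original guide): reports pf states from the
# VPN VLAN subnet that are leaving through the WAN instead of the tunnel.
# WAN interface name and the pfctl -ss line layout are assumptions; the sample
# state table is constructed.

WAN_IF=${WAN_IF:-igb0}
VPN_SUBNET_PREFIX=${VPN_SUBNET_PREFIX:-10.10.18.}

# Constructed sample of `pfctl -ss` output: a policy-routed state on the VLAN,
# its NATed twin on wg0, the WireGuard handshake on the WAN (legitimate), and
# one DNS state that leaked out of the WAN with a VLAN44 pre-NAT source.
SAMPLE_STATES='vlan0.44 tcp 10.10.18.120:50212 -> 142.250.74.78:443       ESTABLISHED:ESTABLISHED
wg0 tcp 10.14.0.2:50212 (10.10.18.120:50212) -> 142.250.74.78:443       ESTABLISHED:ESTABLISHED
igb0 udp 203.0.113.10:51825 -> 89.37.173.37:51820       MULTIPLE:MULTIPLE
igb0 udp 203.0.113.10:4121 (10.10.18.121:4121) -> 8.8.8.8:53       MULTIPLE:MULTIPLE'

# leaked_states <state-lines>: print every state whose interface is the WAN and
# whose pre-NAT source (the address in parentheses) or bare source lies in the
# VPN VLAN subnet. The WireGuard handshake (source = WAN address) is not reported.
leaked_states() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" -v pfx="$VPN_SUBNET_PREFIX" '
        $1 == wan {
            src = $3
            if ($4 ~ /^\(/) { src = substr($4, 2) }   # "(10.10.18.121:4121)" -> pre-NAT source
            if (index(src, pfx) == 1) print
        }'
}

# leak_count <state-lines>: number of leaked states; 0 means the kill switch holds
leak_count() {
    n=$(leaked_states "$1" | wc -l)
    printf '%s\n' "$((n + 0))"
}

# Live use on the firewall: leak_count "$(pfctl -ss)"
leak_count "$SAMPLE_STATES"
```

On the firewall, disable the GWSURFSHARKCH gateway, generate some traffic from a VLAN44 client, and run `leak_count "$(pfctl -ss)"`: anything other than 0 means the floating block rule is not catching the traffic (check that it is a quick rule, that the tag name matches exactly, and that 'Skip rules when gateway is down' is unchecked). Note that pf keeps states until they expire, so clear old states with `pfctl -F states` before testing if you want a clean table.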

STEP11: TEST CONNECTION

Connect a client with an Ethernet cable to a switch port on which VLAN 44 is untagged (an access port); it should receive a DHCP lease from the VLAN44 subnet (10.10.18.100-10.10.18.200).

Alternatively, configure a Wi-Fi SSID on your access point that is mapped to VLAN 44.

Once connected, check that the client's public IP (as shown by any "what is my IP" service) is the Surfshark server's address rather than your ISP's, and that Firewall > Log Files > Live View shows the client's traffic matching the VLAN44VPN rule with gateway GWSURFSHARKCH. If you then disable the gateway, the client should lose connectivity completely rather than fall back to the WAN; that confirms the kill switch.

ISSUES YOU MAY RUN INTO:

If for any reason the connection to the Surfshark VPN server is not working:

  • Go to OPNSENSE > Dashboard > Services and restart the WireGuard service used for the Surfshark tunnel
  • Go to OPNSENSE > System > Gateways > Configuration and disable/enable the gateway used for the Surfshark VPN
  • If VPN > WireGuard > Status shows that the tunnel cannot resolve the endpoint name, put the resolved IP address you noted in STEP3 into the peer's Endpoint address instead of ch-zur.prod.surfshark.com (resolve it with CMD> nslookup ch-zur.prod.surfshark.com). Keep in mind that the provider can change a server's address, so a hard-coded endpoint IP (and the monitor IP from STEP5) must be re-checked if the tunnel stops coming up later.
