VPN(7) Miscellaneous Information Manual VPN(7)

vpn - virtual private network

OpenBSD has adopted the main wg driver for the WireGuard protocol.

Install requirements.

$ pkg_add wireguard-tools
...
wireguard-tools-1.0.20210914p0v0: ok

Enable IP forwarding.

$ sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
$ sysctl net.inet6.ip6.forwarding=1
net.inet6.ip6.forwarding: 0 -> 1

Make it persistent.

$ echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
$ echo net.inet6.ip6.forwarding=1 >> /etc/sysctl.conf

Create the folder /etc/wireguard and generate a private and public key.

$ mkdir -p /etc/wireguard
$ chmod 700 /etc/wireguard
$ cd /etc/wireguard
$ wg genkey > secret.key
$ chmod 600 secret.key
$ wg pubkey < secret.key > public.key

Create /etc/wireguard/wg0.conf and add the lines below.

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
ListenPort = 51820

# client 1
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

Set up /etc/hostname.wg0.

inet 10.0.0.1 255.255.255.0 NONE
up

!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf

Add the following lines to /etc/pf.conf.

pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (vio0:0)

Reload the firewall.

$ pfctl -f /etc/pf.conf

Install packages on the client.

$ brew install wireguard-go wireguard-tools
...
Pruned 0 symbolic links and 1 directories from /usr/local

Create a folder where the configuration file will be placed.

$ sudo mkdir /usr/local/etc/wireguard

Create a client config file /usr/local/etc/wireguard/wg0.conf.

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = 216.238.81.127:51820
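
Both wg0.conf files above (server and client) hold a private key and start out with placeholder values, so it is worth linting them before loading. The script below is an added example, not part of this page's procedure or of wireguard-tools; check_wg_conf, demo and the all-"A" key are hypothetical names and constructed sample values.

```shell
#!/bin/sh
# Added example; check_wg_conf is a hypothetical helper, not part of wireguard-tools.
# Prints one line per finding and returns non-zero if there are any.
check_wg_conf() {
    conf=$1
    findings=0
    # The file holds PrivateKey, so group and other must have no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "perms: $conf is accessible to group or other"
        findings=$((findings + 1))
    fi
    # A WireGuard key is 32 bytes: 43 base64 characters plus one '='.
    for name in $(awk '/^(PrivateKey|PublicKey) *=/ {
            name = $0; sub(/ *=.*/, "", name)
            val = $0; sub(/^[A-Za-z]+ *= */, "", val)
            if (length(val) != 44 || val !~ /^[A-Za-z0-9+\/]+=$/) print name
        }' "$conf"); do
        echo "key: $name is not a 44-character base64 key"
        findings=$((findings + 1))
    done
    # 0.0.0.0/0 without ::/0 sends only IPv4 through the tunnel.
    if grep -Eq '^AllowedIPs *=.*0\.0\.0\.0/0' "$conf" &&
       ! grep -Eq '^AllowedIPs *=.*::/0' "$conf"; then
        echo "routes: only IPv4 is routed through the tunnel (no ::/0)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the client config from this page with placeholders left in.
demo() {
    dir=$(mktemp -d)
    fake_key=$(awk 'BEGIN { for (i = 0; i < 43; i++) printf "A"; print "=" }')
    printf '%s\n' '[Interface]' 'PrivateKey = CLIENT_PRIVATE_KEY' \
        'Address = 10.0.0.2/32' '' '[Peer]' 'PublicKey = SERVER_PUBLIC_KEY' \
        'AllowedIPs = 0.0.0.0/0' 'Endpoint = 216.238.81.127:51820' > "$dir/bad.conf"
    chmod 644 "$dir/bad.conf"
    # Same file with constructed keys, ::/0 added and owner-only permissions.
    sed -e "s|CLIENT_PRIVATE_KEY|$fake_key|" -e "s|SERVER_PUBLIC_KEY|$fake_key|" \
        -e 's|0\.0\.0\.0/0|0.0.0.0/0, ::/0|' "$dir/bad.conf" > "$dir/good.conf"
    chmod 600 "$dir/good.conf"
    check_wg_conf "$dir/bad.conf" || echo "bad.conf: findings listed above"
    check_wg_conf "$dir/good.conf" && echo "good.conf: clean"
    rm -rf "$dir"
}
demo
```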

Activate WireGuard with your config.

$ sudo wg-quick up wg0
...
[+] Backgrounding route monitor

To disconnect.

$ sudo wg-quick down wg0
[+] Interface for wg0 is utun7
...
December 15, 2023 OpenBSD 7.4