
WireGuard on OpenBSD with wg(4)

2020-10-25T13:49:12.850Z

This article describes the installation and configuration of WireGuard on OpenBSD 6.8 (server) and iOS (client). Once the setup is complete, the client's traffic will go through the server before reaching the Internet (also known as a "road warrior" setup).

With the built-in WireGuard support in OpenBSD, the WireGuard server setup can be completed using tools in the base system, without the need for third-party software packages.

The setup assumes the network layout shown in the following diagram:

[Network diagram]

Enable IP forwarding

Enable IP forwarding by running:


sysctl net.inet.ip.forwarding=1

To make the settings permanent, save the configuration in /etc/sysctl.conf:


net.inet.ip.forwarding=1

Prepare keys

The server private key and pre-shared key will be placed in the /etc/wireguard directory:


mkdir -p /etc/wireguard/

Generate the server private key, as root:


openssl rand -base64 32 > /etc/wireguard/server.key
chmod 600 /etc/wireguard/server.key

Generate the pre-shared key:


openssl rand -base64 32 > /etc/wireguard/peer-01.psk
chmod 600 /etc/wireguard/peer-01.psk

Generate an additional pre-shared key for each further peer that will connect to the WireGuard server.

Configure network interface

Create the wg0 interface by creating the file /etc/hostname.wg0 with the following content:


wgkey SERVER_PRIVATE_KEY wgport 50000
inet 10.0.1.1 255.255.255.0

The interface file /etc/hostname.wg0 should be accessible to the root user and the wheel group only:


chmod 640 /etc/hostname.wg0
chown root:wheel /etc/hostname.wg0

Replace SERVER_PRIVATE_KEY with the content of /etc/wireguard/server.key.

Start the interface:


sh /etc/netstart wg0

Now you can check the public key of the WireGuard server, as root:


ifconfig wg0 | grep wgpubkey

The string printed after wgpubkey is the server's public key.

Configure Packet Filter

Configure Packet Filter (PF) to filter network traffic and perform NAT.

In /etc/pf.conf, skip packet filtering on the wg0 interface:


set skip on { lo wg0 }

Then add the following:


pass in on egress inet proto udp from any to egress port 50000
pass out on egress inet from (wg0:network) nat-to (egress:0)

Validate the configuration and reload the ruleset:


pfctl -n -f /etc/pf.conf
pfctl -f /etc/pf.conf

Configure VPN client

In WireGuard for iOS, create a new WireGuard tunnel.

[Screenshot: WireGuard for iOS]

In the interface section:

[Screenshot: WireGuard for iOS]

In the peer section:

Activate VPN tunnel

Add a peer on the server, as root:


ifconfig wg0 wgpeer PEER_PUBLIC_KEY wgpsk PRESHARED_KEY wgaip 10.0.1.2/32

Replace PEER_PUBLIC_KEY with the client's public key and PRESHARED_KEY with the content of /etc/wireguard/peer-01.psk.

Now the client should be able to connect to the server, and its traffic is protected by WireGuard. On the client, you can visit a website such as https://ifconfig.co/ to verify that the reported IP address is the server's public IP address rather than the client's own public IP address.

Add the following line to /etc/hostname.wg0 so that the peer configuration is loaded automatically when the system is rebooted:


wgpeer PEER_PUBLIC_KEY wgpsk PRESHARED_KEY wgaip 10.0.1.2/32

Again, replace PEER_PUBLIC_KEY with the client's public key and PRESHARED_KEY with the content of /etc/wireguard/peer-01.psk.
