wireguard - www.codemadness.org - www.codemadness.org saait content files
wireguard (14763B)
# Wireguard on OpenBSD for use as a mobile VPN

Last modification on 2026-03-29

Wireguard is a fast, modern and secure VPN tunnel.

Below is a guide to set up »Wireguard« (https://www.wireguard.com/) on the
OpenBSD operating system, intended for use as a mobile VPN.

It describes using the OpenBSD Wireguard wg(4) kernel driver configured with
ifconfig, not the userland application, and focuses on setting up an IPv4
tunnel.

It is however recommended to install wireguard-tools, because it contains
useful tools to generate a private and public key (wg genkey, wg pubkey) and
a preshared key (wg genpsk).

To install the wireguard-tools package on OpenBSD:

    # pkg_add wireguard-tools


## Enable IPv4 traffic forwarding

The server has to forward packets between the tunnel and its external
interface. To enable traffic forwarding for IPv4 run:

    # sysctl net.inet.ip.forwarding=1

To make it persistent add the above setting (net.inet.ip.forwarding=1, without
the sysctl command) to the file /etc/sysctl.conf. The settings in that file
are applied at boot time.


## Server config: /etc/hostname.wg0

This is an example config for the wg0 network interface. It is stored at
/etc/hostname.wg0; each line is passed as arguments to ifconfig(8), see
hostname.if(5):

    wgport 51820 wgkey 'private_key_here'
    inet 10.1.2.1/24
    up

    # peer: phone
    wgpeer 'pubkey' wgaip 10.1.2.2/32 wgdescr 'phone' wgpsk 'psk_here'

The wgaip (allowed IP) of a peer is both the only source address the server
accepts from that peer and the only destination it sends to that peer
(Wireguard's cryptokey routing), so every client gets its own unique /32.

The file contains the server's private key, so check that it is owned by root
and not readable by other users (mode 0640 is the convention for the
/etc/hostname.* files).


## Generating a private key

Using the wireguard-tools wg command:

    $ wg genkey

Replace private_key_here with the generated text.

To generate both a private and public key to the files private.key and
public.key:

    $ wg genkey | tee private.key | wg pubkey > public.key

**!!! Keep the private key secure. Do not share it with anyone!!!**

Run this with a restrictive umask (for example umask 077 first) so that
private.key is not created world-readable, and delete the file once the key
is in /etc/hostname.wg0.


## Generate a separate preshared key (PSK)

Using a preshared key (PSK) is optional, but recommended. It adds a layer of
symmetric-key cryptography that is mixed into the handshake, so the tunnel
stays confidential even if a quantum-computational attack on the Curve25519
Diffie-Hellman exchange becomes feasible. The PSK is configured per peer: both
sides of a peer pair must have the same PSK, and every client should get its
own.

Using the wireguard-tools wg command:

    $ wg genpsk

The PSK is shared with a known client when configuring that client. **Make sure
to share it via a safe channel**.

To configure or restart the wg0 interface using the configuration in
/etc/hostname.wg0:

    # sh /etc/netstart wg0

To show general info of the interface run the command (requires root
permissions to view all information):

    # ifconfig wg0

In the ifconfig wg0 output it should list the server public key as:

    wgpubkey server_pubkey_here

This is the key the clients need as the PublicKey of their peer.


## Full example of a client config: wg-client.conf

    [Interface]
    Address = 10.1.2.2/32
    DNS = 10.1.2.1
    PrivateKey = CHBzstIHCi7+YOOa2MN0RXhkPAmJwIXQW0e6/n6+Pno=

    [Peer]
    AllowedIPs = 0.0.0.0/0
    Endpoint = example.org:51820
    PreSharedKey = 8ao/EMExyPAHrT3ShX+lnA0u7jUmo7MhrT0GjDcrIJA=
    PublicKey = Rny+AW4EPqPPxfO+8O+QdlkIrWbZRGQ6u6Fje5pUOFM=

Address is the client's tunnel address (the same one as the server's wgaip for
this peer), PublicKey is the server's wgpubkey and PreSharedKey is the PSK from
the server's wgpsk for this peer. AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic
through the tunnel. DNS = 10.1.2.1 assumes a resolver is listening on the
server's tunnel address (for example unbound(8) from the OpenBSD base system);
if there is none, point it at a resolver that is reachable through the tunnel.

**Of course do not copy-paste this private key and PSK. Generate your own ;)**


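Such a wg-quick style config maps almost one to one onto the ifconfig(8) words used in /etc/hostname.wg0 above: PrivateKey is wgkey, ListenPort is wgport, and per peer PublicKey, PreSharedKey, Endpoint, AllowedIPs and PersistentKeepalive are wgpeer, wgpsk, wgendpoint, wgaip and wgpka. The Python script below does that translation and sanity-checks the keys on the way, so a config can be moved to an OpenBSD client that is configured with plain ifconfig. It is an added example for this page, not code from wireguard-tools, and it goes a little beyond the single-peer config above: it handles several peers, comma-separated AllowedIPs, IPv6 endpoints and PersistentKeepalive. It assumes the option names from the OpenBSD ifconfig(8) WIREGUARD section and that wgendpoint accepts a hostname (ifconfig resolves it; use an IP if in doubt). DNS and the default route are not ifconfig settings (wg-quick sets them), so it only reports them. The sample input is the page's own example config with its throwaway keys.

```python
"""Translate a wg-quick style config into the ifconfig(8) words OpenBSD expects
in /etc/hostname.wg0 and sanity-check the keys.  Added example for this page,
not wireguard-tools code; option names assumed from ifconfig(8) WIREGUARD."""
import base64

# Constructed input: the page's example client config with its throwaway keys.
EXAMPLE_CONF = """\
[Interface]
Address = 10.1.2.2/32
DNS = 10.1.2.1
PrivateKey = CHBzstIHCi7+YOOa2MN0RXhkPAmJwIXQW0e6/n6+Pno=
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = example.org:51820
PreSharedKey = 8ao/EMExyPAHrT3ShX+lnA0u7jUmo7MhrT0GjDcrIJA=
PublicKey = Rny+AW4EPqPPxfO+8O+QdlkIrWbZRGQ6u6Fje5pUOFM=
"""


def parse_wg_conf(text):
    """Minimal wg-quick INI parser ([Peer] may repeat, so no configparser)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name not in ("interface", "peer"):
                raise ValueError("unknown section [%s]" % name)
            current = interface if name == "interface" else {}
            if name == "peer":
                peers.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split("=", 1)             # split once: base64 ends in '='
        current[key.strip().lower()] = value.strip()
    return interface, peers


def key_problem(value, what):
    """A WireGuard key or PSK is 32 bytes base64 (44 chars); None if it is."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return "%s is not valid base64" % what
    if len(raw) != 32:
        return "%s decodes to %d bytes, expected 32" % (what, len(raw))
    return None


def split_endpoint(endpoint):
    """'host:port' or '[v6addr]:port' -> (host, port); wgendpoint takes two words."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("bad Endpoint: %r" % endpoint)
    return host.strip("[]"), int(port)


def convert(text):
    """Return (hostname_wg_lines, notes, problems); trust lines only if problems == []."""
    iface, peers = parse_wg_conf(text)
    lines, notes, problems = [], [], []
    words = ["wgkey", iface.get("privatekey", "")]
    problems.append(key_problem(words[1], "PrivateKey"))
    if "listenport" in iface:
        words += ["wgport", iface["listenport"]]
    lines.append(" ".join(words))
    for addr in (a.strip() for a in iface.get("address", "").split(",") if a.strip()):
        lines.append(("inet6 " if ":" in addr else "inet ") + addr)
    if "dns" in iface:
        notes.append("DNS %s is not an ifconfig setting: configure the resolver "
                     "(/etc/resolv.conf) separately" % iface["dns"])
    seen = {}                                       # allowed IP -> peer number
    for n, peer in enumerate(peers, 1):
        words = ["wgpeer", peer.get("publickey", "")]
        problems.append(key_problem(words[1], "peer %d PublicKey" % n))
        if "presharedkey" in peer:
            words += ["wgpsk", peer["presharedkey"]]
            problems.append(key_problem(words[-1], "peer %d PreSharedKey" % n))
        if "endpoint" in peer:
            host, port = split_endpoint(peer["endpoint"])
            words += ["wgendpoint", host, str(port)]
        for aip in (a.strip() for a in peer.get("allowedips", "").split(",") if a.strip()):
            if aip in seen:   # cryptokey routing: an allowed IP belongs to one peer only
                problems.append("AllowedIP %s listed for peers %d and %d" % (aip, seen[aip], n))
            seen[aip] = n
            words += ["wgaip", aip]
            if aip in ("0.0.0.0/0", "::/0"):
                notes.append("AllowedIPs %s is a default route through the tunnel; "
                             "ifconfig does not add it, wg-quick does" % aip)
        if "persistentkeepalive" in peer:
            words += ["wgpka", peer["persistentkeepalive"]]
        lines.append(" ".join(words))
    lines.append("up")
    return lines, notes, [p for p in problems if p]


if __name__ == "__main__":
    for line in convert(EXAMPLE_CONF)[0]:
        print(line)
```

The output lines go verbatim into /etc/hostname.wg0 on the client; the notes are the parts (resolver, default route) that still have to be done by hand when wg-quick is not used, and a non-empty problem list means the config should not be installed at all.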
## pf(4) firewall rules

Below is a fragment of the firewall rules required for Wireguard.
These rules assume a simple VPS with a vio network interface connected to the
interwebs (no double NAT or other weird complex things ;)).

Note that the Wireguard UDP packets (handshakes and encrypted data) arrive on
the external interface, not on wg0: wg0 only sees the decrypted traffic inside
the tunnel. So the rule for port 51820 has to be on egress, while the traffic
coming out of the tunnel is NAT-ed to the address of the VPS.

pf.conf:

    # wireguard: the tunnel packets themselves, on the external interface
    pass in quick on egress inet proto udp from any to (egress) port 51820
    # traffic from the VPN clients to the internet
    pass out quick on egress inet from (wg0:network) nat-to (vio0:0)
    # allow all on wireguard
    pass quick on wg0

Check the syntax with pfctl -nf /etc/pf.conf before loading the rules with
pfctl -f /etc/pf.conf.


## Mobile VPN application

For Android download the APK from »https://www.wireguard.com/install/«.
There are also versions for other platforms available on that page.

## Android Wireguard settings

### Adding a tunnel

In the Wireguard application press the plus (+) button in the bottom left of
the screen to add a tunnel.


### Option: "Scan from QR code"

A QR code image can be generated from a client config. Install the libqrencode
package for the qrencode program:

    # pkg_add libqrencode

Generate a QR code PNG image from a client config:

    $ qrencode -o qr.png < wg-client.conf

This QR code simply contains the full text from the wg-client.conf. It can be
scanned from the Android Wireguard application. If it contains sensitive
information such as the private key make sure to share the image in a safe way
and/or destroy it immediately. qrencode can also draw the code directly in the
terminal (output type ANSIUTF8, selected with the -t option), so that no image
file containing the private key is written to disk at all.

[QR code image: /downloads/openbsd-wg/client-example-qr.png]

If the QR code contains a private key, make sure to destroy it "Inspector Gadget"-style.

[Image: Inspector Gadget reading self-destruct message]

[Video: Inspector Gadget, self-destruct video clip: /downloads/openbsd-wg/inspector_gadget.webm]

Now scan the generated image to import the config.


### Option: "Import from file or archive"

Import a text .conf file or archive (ZIP) file containing one or more configs.

Example conf file: »client-example.conf« (/downloads/openbsd-wg/client-example.conf).
Example ZIP file: »client-example.zip« (/downloads/openbsd-wg/client-example.zip).


### Option: "Create from scratch"

Generating the private key on the device itself and sharing only the
**public** key and the PSK is probably the safest option: the private key then
never leaves the phone, and only the public key and the PSK have to be added to
the server's /etc/hostname.wg0. Although sharing the public key text from a
mobile device can be a bit annoying.


## Android settings

Only allow connections and DNS using the VPN:

* Settings -> Network & Internet -> VPN:
  Make sure Wireguard is set and enabled under VPN.

In the VPN settings, open the Wireguard cogwheel:

* Enable: Always-on VPN option, with the description: "Stay connected to VPN at all times".
* Enable: Block connections without VPN. This is the kill switch: without it
  traffic leaks out unprotected whenever the tunnel is down or reconnecting.

Other recommendations:

* Under Wi-Fi -> Privacy:
  * Use randomized MAC.
  * Disable "Send device name".
* Set a secure and privacy-respecting DNS server.


## Wireguard persistent keepalive setting

If the interface very rarely sends traffic, but it might at any time receive
traffic from a peer, and it is behind NAT, the interface might benefit from
having a persistent keepalive interval of 25 seconds: the periodic packets keep
the NAT mapping alive so the peer can still reach it. In the mobile setup
described here that is the phone (the client behind NAT), not the server.

If it is not needed, then it is recommended to not enable it, which is the
default.

This option is called PersistentKeepalive in a Wireguard conf and is the
per-peer option wgpka (interval in seconds) for OpenBSD ifconfig, see the
ifconfig(8) man page WIREGUARD section.


## Debugging tips

For the Wireguard Android application you can find a textual log:

* Open the Wireguard application.
* At the top right select the 3 dots settings menu.
* Select the menu labeled "View application log".

On the OpenBSD server you can enable run-time debugging on the wg0 interface:

    # ifconfig wg0 debug

The messages end up in the kernel message buffer (dmesg and /var/log/messages).
Turn it off again with ifconfig wg0 -debug when done.


## Bonus: example using wg-quick from wireguard-tools

Using the wg-quick program from wireguard-tools you can also quickly set up a
client. This sets up the DNS, routing and interface, and can restore the
previous DNS and routing settings just as easily.

As root, to set up the interface:

    # wg-quick up absolute/path/to/config/wg-client.conf

As root, to tear down the interface and restore the previous settings:

    # wg-quick down absolute/path/to/config/wg-client.conf

The config file contains the private key, so keep it readable by root only.


## Bonus: generating a private key using only OpenSSL commands

Generate a private key:

    $ openssl genpkey -algorithm X25519 -outform DER -out private.der

The DER file is 48 bytes: a fixed 16-byte ASN.1 (PKCS#8) header with metadata,
followed by the 32 bytes of the actual private key. Extract the last 32 bytes
and convert them to base64, which is the Wireguard key format:

    $ tail -c 32 private.der | openssl enc -a -A > private.key

Derive the public key:

    $ openssl pkey -inform DER -in private.der -pubout -outform DER -out public.der

The public key DER (SubjectPublicKeyInfo) is 44 bytes, again a fixed header
followed by the 32 raw key bytes. Convert the public key to Wireguard format:

    $ tail -c 32 public.der | openssl enc -a -A > public.key

Or even the magical voodoo commands:

    $ openssl rand -base64 32 > private.key
    $ (printf '\060\056\002\001\000\060\005\006\003\053\145\156\004\042\004\040';openssl enc -d -a -A < private.key) | \
        openssl pkey -inform DER -pubout -outform DER | \
        tail -c 32 | \
        openssl enc -a -A > public.key

The printf emits the same 16-byte PKCS#8 header that openssl genpkey writes, so
the 32 random bytes become a DER private key that openssl pkey can read. Note
that wg genkey clamps the key (it clears the low 3 bits and the top bit and
sets bit 254) while openssl rand does not; this makes no difference in
practice, because X25519 clamps the scalar before every use, so both sides
derive the same public key either way.


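The openssl pipelines above, and wg genkey / wg pubkey from the key generation section, all do the same thing: pick 32 random bytes, derive the X25519 public key from them, and base64 both. The pure-Python script below spells that out so the pieces can be checked offline: the RFC 7748 Montgomery ladder, the key clamping, and the 16-byte PKCS#8 and 12-byte SubjectPublicKeyInfo headers that the tail -c 32 above strips. It is an added example for this page, not code from wireguard-tools or OpenSSL, and it is meant for understanding and cross-checking keys; it is neither fast nor constant-time, so it is not a replacement for wg genkey when handling keys that matter. The only things it assumes are the two DER headers, which are the ones openssl writes for X25519 (the PKCS#8 one is byte for byte the printf above).

```python
"""X25519 key derivation as done by `wg pubkey` and the openssl pipeline above.
Added example for this page (not wireguard-tools or OpenSSL code): plain Python
per RFC 7748, for understanding and cross-checking keys offline.  Not fast and
not constant-time, so do not use it on keys you care about."""
import base64
import os

P = 2**255 - 19   # the field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery curve constant
BASEPOINT = (9).to_bytes(32, "little")

# The fixed DER headers openssl puts in front of the raw 32-byte key: this is
# what `tail -c 32` strips, and what the printf in the "voodoo" pipeline emits.
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")   # private key, 16 bytes
SPKI_PREFIX = bytes.fromhex("302a300506032b656e032100")            # public key, 12 bytes


def clamp(scalar):
    """Scalar clamping from RFC 7748; `wg genkey` stores keys already clamped."""
    s = bytearray(scalar)
    s[0] &= 248
    s[31] &= 127
    s[31] |= 64
    return bytes(s)


def x25519(scalar, point):
    """Montgomery ladder (RFC 7748 section 5).  32-byte little-endian in and out;
    the scalar is clamped here, as every X25519 implementation does."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey():
    """Like `wg genkey`: 32 random bytes, clamped, base64."""
    return base64.b64encode(clamp(os.urandom(32))).decode()


def wg_genpsk():
    """Like `wg genpsk`: 32 random bytes, base64.  A PSK is not a curve scalar,
    so it is not clamped (same as `openssl rand -base64 32`)."""
    return base64.b64encode(os.urandom(32)).decode()


def wg_pubkey(private_b64):
    """Like `wg pubkey`: base64 private key in, base64 public key out."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("a WireGuard private key is 32 bytes, got %d" % len(priv))
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def der_wrap(raw, prefix):
    """Prepend the fixed header: PKCS8_PREFIX gives what `openssl genpkey
    -outform DER` writes, SPKI_PREFIX what `openssl pkey -pubout` writes."""
    if len(raw) != 32:
        raise ValueError("raw X25519 key must be 32 bytes")
    return prefix + raw


def der_unwrap(der, prefix):
    """Safer `tail -c 32`: refuse anything that is not an X25519 key with the
    expected header instead of blindly taking the last 32 bytes of a file."""
    if len(der) != len(prefix) + 32 or not der.startswith(prefix):
        raise ValueError("not a DER-encoded X25519 key of the expected kind")
    return der[len(prefix):]


if __name__ == "__main__":
    private = wg_genkey()
    print("private:", private)
    print("public: ", wg_pubkey(private))
    print("psk:    ", wg_genpsk())
```

A useful check this enables: run wg_pubkey on the private key in a hostname.wg0 or wg-client.conf and compare the result with what ifconfig wg0 shows as wgpubkey, or with the PublicKey a client was handed; a mismatch means a key was copied or pasted wrongly. The x25519 function is also what the server and each client run with their own private key and the other side's public key to arrive at the same shared secret for the handshake.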
## References

* Wireguard: https://www.wireguard.com/
  * Wireguard quickstart page: https://www.wireguard.com/quickstart/
    This uses the userland Wireguard programs and config. But it contains
    helpful information.
  * wg(8) man page: https://www.man7.org/linux/man-pages/man8/wg.8.html
  * wg-quick(8) man page: https://www.man7.org/linux/man-pages/man8/wg-quick.8.html
* OpenBSD operating system: https://www.openbsd.org/
  * wg(4) driver man page: https://man.openbsd.org/wg
  * ifconfig(8) man page WIREGUARD section: https://man.openbsd.org/ifconfig.8#WIREGUARD
  * pf.conf(5) file format: https://man.openbsd.org/pf.conf.5