Joseph Choe

WireGuard on OpenBSD

I’ll be traveling a bit next year, and when I do I’ll want to have access to my homelab and all the services therein.

This is where a virtual private network or VPN would certainly come in handy, an encrypted tunnel that would allow me to access my private network from public networks.

So I decided to take a look at WireGuard, which conveniently for me is available on OpenBSD as wg(4).

Server Configuration

I first provisioned a new virtual machine with OpenBSD 7.0 installed.

Then, I enabled IP forwarding:

$ doas sysctl net.inet.ip.forwarding=1
$ echo 'net.inet.ip.forwarding=1' | doas tee -a /etc/sysctl.conf

After that, I downloaded the WireGuard tools:

$ doas pkg_add wireguard-tools

I use these only to extract the public keys from the private keys, but I could probably make do without them. However, I am at times inexplicably, incredibly lazy.

In any case, let’s generate the server keys:

# Generate server private key
$ openssl rand -base64 32 > server_secret.key
# Extract server public key
$ wg pubkey < server_secret.key > server_public.key

Next, I need to configure a WireGuard interface by creating a new file called /etc/hostname.wg0 on the server:

wgpeer $PEER_PUBLIC_KEY wgaip
wgport 51820

I’ve decided upon for the server’s local IP and for the peer or client’s local IP.

I need to update the server’s firewall via the /etc/pf.conf file:

set skip on wg0
pass in inet proto udp from any to any port 51820 keep state
pass out on egress inet from wg0:network to any nat-to (egress)

These rules allow traffic through the encrypted UDP tunnel over the network interface vio0.

Can’t forget to run doas pfctl -f /etc/pf.conf!

I will need to run doas sh /etc/netstart wg0 to start the interface. We can see that the interface is running by querying ifconfig:

$ doas ifconfig wg0
        index 5 priority 0 llprio 3
        wgport 51820
        wgpubkey $SERVER_PUBLIC_KEY
        wgpeer $PEER_PUBLIC_KEY
                tx: 0, rx: 0
        groups: wg
        inet netmask 0xffffff00 broadcast

It’s also important that I configure the network router to port forward the UDP port 51820 to the virtual machine. However, this is outside the scope of this essay, though it’s fairly simple.

We can test this works by using nc(1):

$ nc -uvz $SERVER_PUBLIC_IP 51820
Connection to $SERVER_PUBLIC_IP port 51820 [udp/*] succeeded!

Looking good so far!

MacOS Client Configuration

While I do have a new Framework laptop, I still use my old MacBook Pro from time to time. I also need to make sure that my wife can connect to the encrypted tunnel, so this section could just as well be titled “Android Client Configuration”.

I’ll need to download the WireGuard client applicable to whatever platform this is, whether MacOS or Android. Once I’ve done that, I can generate the client’s keys:

# Generate peer private key
$ openssl rand -base64 32 > peer1_secret.key
# Extract peer public key
$ wg pubkey < peer1_secret.key > peer1_public.key

Then, I click Add Empty Tunnel and paste the following:

ListenPort = 51820
Address =

AllowedIPs =
Endpoint = $SERVER_PUBLIC_IP:51820

Upon pressing Activate, the computer or smartphone begins to route traffic through the encrypted tunnel.

Framework Laptop Configuration

Ostensibly, my wife and I need to access the WireGuard encrypted tunnel at the same time. Since my Framework laptop is running OpenBSD, the process to configure WireGuard is a bit different.

To start with, I’ll need to generate a new set of keys and add an additional peer to the server’s /etc/hostname.wg0 file:

wgpeer $PEER2_PUBLIC_KEY wgaip

I’ve selected for the second peer’s local IP. Once that file is updated, I can run doas sh /etc/netstart wg0 once more to catch the new changes on the interface.

In order to route traffic from the WireGuard tunnel to the network device on the Framework laptop, we need to grab the laptop’s default gateway:

$ route show
Routing tables

Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default          UGS       11       24     -    12 iwx0

Then, I’ll create a new /etc/hostname.wg0 file on the Framework laptop:

wgpeer $SERVER_PUBLIC_KEY wgendpoint $SERVER_PUBLIC_IP 51820 wgaip
wgport 51820
!route add -priority 2 $SERVER_PUBLIC_IP $LOCAL_GATEWAY
!route add -priority 7 default

Note the difference between this and the server’s wg0 interface: we’ve added two routing rules that will route traffic from the local default gateway and through the WireGuard tunnel.

Finally, we can run doas sh /etc/netstart wg0 to start the new interface. The traffic on the Framework laptop should be immediately routed through the encrypted tunnel. We can tell via the icmp protocol and pinging the server’s local IP from the laptop:

$ ping -c 2
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=307.325 ms
64 bytes from icmp_seq=1 ttl=255 time=315.128 ms

--- ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 307.325/311.226/315.128/3.902 ms



WireGuard was actually fairly simple to setup. Creating new interfaces, for example, used an easily readable syntax that was easy to wrap my head around.

I’m actually pretty pleased with how this all turned out, and I’m excited by the new things I’m learning with OpenBSD as well.

Having access to my homelab while I’m traveling will be pretty nice, too.