WireGuard on OpenBSD

This is an old blogpost but maybe someone is finding it useful

There are many way’s to set up WireGuard on OpenBSD, I prefer to use the hostname.wg method, in that it follows the same path as all other interfaces in OpenBSD. I have two tunnels at home, one for management and one with less privileges. All in all six clients.

Let us start with creating the keys. In a terminal window:

Server keys
umask 077   
wg genkey > server.priv (PrivateKey)  
wg pubkey < server.priv > server.pub (PublicKey)

Then create the clients keys.

Client keys
wg genkey > client.priv (PrivateKey)  
wg pubkey < client.priv > client.pub (PublicKey)  
wg genpsk > wg.psk (PresharedKey)

Create as many clients as you need. And if you want to separate these you can create more tunnels, like hostname.wg0, hostname.wg1 and so on, all with a different listening ports, and in that way separate tunnels with different privileges on the network. Then continue to create the configuration file /etc/hostname.wg0 and put the information in it:

wgkey "Server Private Key"  
wgport 51820   
inet 172.16.10.1/29 (do not make the subnet bigger than you need)
client 1
wgpeer "Client Public Key" wgpsk "Preshared Key" wgpka 25 wgaip 172.16.10.2/32 (all on line line)  
up   
group services (if no interface groups is used disregard this)  
group mgmt

Then we can create the client conf, client.conf:

[Interface]   
PrivateKey = "Client Private Key"   
Address = 172.16.10.2/29   
DNS = preferred DNS server address, domain (if used)

[Peer]   
PublicKey = "Server Public Key"   
PresharedKey = "Preshared Key"  
AllowedIPs = 0.0.0.0/0 (if you want to route all traffic through the tunnel)   
Endpoint = WireGuard public ip-address or dynamic DNS adress:51820  
PersistentKeepalive = 25

If this is not your router you should also add to sysctl.conf

net.inet.ip.forwarding=1

Instead of rebooting your server you can instead then do in the terminal:

doas sysctl net.inet.ip.forwarding=1   
doas sh /etc/netstart wg0

An ifconfig would then show:

wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420  index 15 priority 0 llprio 3   
wgport 51820   
groups: wg mgmt services     
inet 172.16.10.1 netmask 0xfffffff8 broadcast 172.16.10.7

If you do a:

doas ifconfig wg0 or doas wg show wg0

You will get much more information about the connection.

In pf.conf you would have to open your firewall, I have a NAT rule for all my clients.

NAT rules
match out on egress inet from any to any nat-to (egress:0) port 1024:65535 set prio (5, 6 ) label "nat" (all on one line)# pass in rules for WireGuard #  
pass in quick log on egress inet proto udp to egress 51820 keep state set prio (3, 5) label "WireGuard" (all on one line)

After a doas pfctl -f /etc/pf.conf you should be set.

If your client has a camera then you can create a QR-code from the client.conf file and scan that QR-code in an easy way to configure the tunnel. On Linux and MacOS Brew you can install qrencode very easy and then:

qrencode -t ansiutf8 < client.conf

Essential links:
Quick Start - WireGuard
How to generate WireGuard QR code on Linux for mobile - nixCraft

This article was updated on August 24, 2023