WireGuard VPN on OpenBSD

publication: September 11 2022 20:19
last update: September 21 2022 21:03

Install WireGuard tools

# pkg_add wireguard-tools

For QR code config:

# pkg_add libqrencode

Create a directory to store keys and config files:

# mkdir /etc/wireguard

Create server keys

# cd /etc/wireguard
# umask 077
# wg genkey > server-private.key
# wg pubkey < server-private.key > server-public.key

Configure wg0

I'm using network. Create /etc/hostname.wg0 with the content:

!/usr/local/bin/wg setconf wg0 /etc/wireguard/server.conf

Setup pf

Add the lines below to /etc/pf.conf:

pass in on egress proto udp from any to any port 51820
pass out quick on egress from (wg0:network) to any nat-to (egress:0)

Reload pf rules:

# pfctl -f /etc/pf.conf

Enable IP forwarding

# sysctl net.inet.ip.forwarding=1

Make it persistent:

# echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

Creating client and server config file

Creating client keys:

# cd /etc/wireguard
# umask 077
# wg genkey > client1-private.key
# wg pubkey < client1-private.key > client1-public.key

These files can be deleted after use.

Create the client1.conf config file with the content:

[Interface]
PrivateKey = client1 private key goes here
Address =

[Peer]
PublicKey = server public key goes here
AllowedIPs =
Endpoint = server public address:51820

Create the file /etc/wireguard/server.conf with the content:

[Interface]
PrivateKey = server private key goes here
ListenPort = 51820

[Peer]
PublicKey = client 1 public key goes here
AllowedIPs =

[Peer]
PublicKey = client 2 public key goes here
AllowedIPs =
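
A quick check worth running on server.conf before starting the interface (an added example, not part of the original post): WireGuard routes each destination address to exactly one peer, so two peers with overlapping AllowedIPs means one client silently loses traffic, and a config file readable by group/other exposes the server private key. The function names, the 10.0.0.x addresses and the key placeholders below are constructed for illustration.

```python
import ipaddress
import os
import stat
import tempfile

def parse_sections(text):
    """Return [(section, {key: value})] from WireGuard config text."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 ends in "=", so split once
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def lint(path):
    """Return findings for a server.conf-style file (empty list = clean)."""
    findings, seen = [], []
    # The file holds the server private key: no group/other bits allowed.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible by group/other")
    with open(path) as fh:
        peers = [kv for name, kv in parse_sections(fh.read()) if name == "peer"]
    for n, kv in enumerate(peers, 1):
        nets = [ipaddress.ip_network(s.strip(), strict=False)
                for s in kv.get("allowedips", "").split(",") if s.strip()]
        if not nets:
            findings.append(f"peer {n}: AllowedIPs is empty")
        for net in nets:
            # Compare only against ranges claimed by earlier peers.
            for other, owner in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps {other} of peer {owner}")
        seen += [(net, n) for net in nets]
    return findings

def demo():
    """Lint a constructed config: mode 0644, two peers claiming 10.0.0.2/32."""
    conf = ("[Interface]\nPrivateKey = SERVER-PRIVATE-KEY\nListenPort = 51820\n"
            "[Peer]\nPublicKey = CLIENT1-PUBLIC-KEY\nAllowedIPs = 10.0.0.2/32\n"
            "[Peer]\nPublicKey = CLIENT2-PUBLIC-KEY\nAllowedIPs = 10.0.0.2/32\n")
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(conf)
    os.chmod(fh.name, 0o644)  # simulate a file written without umask 077
    try:
        return lint(fh.name)
    finally:
        os.unlink(fh.name)
```

Call lint("/etc/wireguard/server.conf") as root; an empty list means neither problem was found.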

Start wg0 interface

# sh /etc/netstart wg0


# wg
interface: wg0
public key: SERVERPUBKEY
private key: (hidden)
listening port: 51820

allowed ips:

Configure Android and iOS clients

On server:

# qrencode -t ansiutf8 < client1.conf

Scan the QR code using WireGuard app on your mobile device.

Configure Linux client

Rename client1.conf to wg0.conf

# nmcli connection import type wireguard file wg0.conf

Or use nm-connection-editor and create a WireGuard virtual connection with the information from client1.conf.

To start the connection:

# nmcli connection up wg0

