
Wireguard OpenBSD client

In this post, I will be installing Wireguard on my OpenBSD laptop to be able to connect to my personal services over a secure tunnel.

Setting up OpenBSD client

Installing Wireguard

Wireguard tools are officially included in the OpenBSD repository, but are usually a bit outdated. To install them, type:

$ doas pkg_add wireguard-tools

As usual, OpenBSD provides excellent documentation about Wireguard (man wg); use it if necessary.

Preparing directories

Switch to root so you don't have to type doas over and over again. The config directory will also be readable only by root.

$ doas su

Set umask to 077 to allow rw access to root only.

(root)$ umask 077

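Create the directories for keys and preshared keys (-p also creates /etc/wireguard if it does not exist yet):

(root)$ mkdir -p /etc/wireguard/{keys,psk}

Generate the private key and derive the public key from it:

(root)$ wg genkey | tee wg0_private.key | wg pubkey > wg0_public.key

Create the config file and fill it in:

(root)$ touch wg0.conf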

[Interface]
PrivateKey = generatedprivatekey
Address = 10.20.20.5/29

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.1/32
Endpoint = publicIP:port

SERVER

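Generate a preshared key for the client:

$ wg genpsk > openbsd_client.psk

Then add the client as a peer in the server's wg0 config, using the same preshared key value on both sides: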

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.5/32

Restart the interface so the new peer is loaded:

$ sudo wg-quick down wg0

$ sudo wg-quick up wg0

script it &&

CLIENT

wg-quick up wg0
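
To confirm that the umask 077 step took effect and that no key field in wg0.conf is still empty or a placeholder, a check like the following can be run as root. It is an added example, not part of the original post; the function names are made up here, and it assumes wg0.conf sits directly in the directory passed in (for example /etc/wireguard).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up here.
# Assumption: wg0.conf sits directly in the directory passed as $1.

# List anything under $1 that grants a permission bit to group or other.
# Symlinks are skipped because their own mode bits are not meaningful.
wg_loose_perms() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/group or other can access: /'
}

# List key fields in config file $1 that are empty or still a placeholder.
# A WireGuard key is 32 bytes, so its base64 form is 44 characters ending in "=".
wg_bad_keys() {
    awk '
    /^[ \t]*(PrivateKey|PublicKey|PresharedKey)[ \t]*=/ {
        name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]+/, "", name)
        val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$")
            print FILENAME ": " name " is not a 44-character base64 key"
    }' "$1"
}

# Run both checks; print findings and return 1 if there are any.
wg_audit() {
    if [ ! -r "$1/wg0.conf" ]; then
        echo "cannot read $1/wg0.conf"
        return 1
    fi
    report=$(wg_loose_perms "$1"; wg_bad_keys "$1/wg0.conf")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```

Call it as wg_audit /etc/wireguard; no output and exit status 0 mean both checks passed. The wg0.conf template shown above, with its placeholder PrivateKey and empty PublicKey, is reported until real keys are filled in.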