Wireguard OpenBSD client
In this post, I will be installing Wireguard on my OpenBSD laptop to be able to connect to my personal services over a secure tunnel.
Setting up OpenBSD client
Installing Wireguard
Wireguard tools are officially included in the OpenBSD repository, but are usually a bit outdated. To install them, type:
$ doas pkg_add wireguard-tools
As usual, OpenBSD provides excellent documentation about Wireguard (man wg
), use it if necessary.
Preparing directories
Switch to root
so you don't have to type sudo
over and over again, also the config directory will only be readable by root
.
$ doas su
Set umask
to 077
to allow rw
access to root
only.
(root)$ umask 077
mkdir /etc/wireguard/{keys,psk}
wg genkey | tee wg0_private.key | wg pubkey > wg0_public.key
touch wg0.conf
[Interface]
PrivateKey = generatedprivatekey
Address = 10.20.20.5/29
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.1/32
Endpoint = publicIP:port
SERVER
wg genpsk > openbsd_client.psk
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.5/32
$ sudo wg-quick down wg0
$ sudo wg-quick up wg0
script it &&
CLIENT
wg-quick up wg0