Wireguard OpenBSD client
In this post, I will be installing Wireguard on my OpenBSD laptop to be able to connect to my personal services over a secure tunnel.
Setting up OpenBSD client
Installing Wireguard
Wireguard tools are officially included in the OpenBSD repository, but are usually a bit outdated. To install them, type:
$ doas pkg_add wireguard-tools
As usual, OpenBSD provides excellent documentation about Wireguard (man wg); use it if necessary.
Preparing directories
1. Switch to root so you don't have to type doas over and over again; the config directory will also be readable only by root.
$ doas su
2. Set umask to 077 so that new files are readable and writable by root only.
(root)$ umask 077
3. Create the config folder and its subdirectories (-p also creates /etc/wireguard itself, which does not exist yet).
(root)$ mkdir -p /etc/wireguard/{keys,psk}
4. Move to the keys directory and generate the client's private and public key. You will put the public key into the server config later; the private key never leaves the device.
(root)$ cd /etc/wireguard/keys
(root)$ wg genkey | tee wg0_private.key | wg pubkey > wg0_public.key
The wg genkey command generates a random private key, base64-encoded, and prints it to standard output (the terminal). Here that output is piped to tee instead, which both prints it to stdout and saves it into the file wg0_private.key. The private key on stdout is then piped (the | symbol) into wg pubkey, which derives the corresponding public key and prints it in base64 to stdout; lastly, that public key is redirected from stdout into the file wg0_public.key.
You will now have two files in the /etc/wireguard/keys directory, one containing the public key and the other the private key:
wg0_private.key wg0_public.key
5. Create the client config file wg0.conf in /etc/wireguard (the path wg-quick reads for the wg0 interface).
(root)$ touch wg0.conf
Fill in the private key you just generated and the client's tunnel address. The server's public key and the preshared key are filled in once the server side below is done.
[Interface]
PrivateKey = generatedprivatekey
Address = 10.20.20.5/29
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.1/32
Endpoint = publicIP:port
Setting up the server
Generate a preshared key for this client and add a [Peer] section for it to the server config. The PublicKey is the client's wg0_public.key, the PresharedKey is the same one that goes into the client's config, and AllowedIPs is the client's tunnel address.
wg genpsk > openbsd_client.psk
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.5/32
Restart the tunnel on the server so the new peer is loaded (or script it as one line joined with &&):
$ sudo wg-quick down wg0
$ sudo wg-quick up wg0
Bringing the client up
Back on the OpenBSD client, bring the tunnel up:
(root)$ wg-quick up wg0
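As an added example (not code from the original post), the following POSIX sh script ties the key-generation explanation and the client/server config steps together: it validates the base64 key format that wg genkey and wg genpsk produce, writes the client's wg0.conf from the generated key files, prints the matching [Peer] block for the server, and checks that nothing under the config directory is group- or world-readable (the point of the umask 077 step). The function names, the WG_DIR variable and the placeholder key values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the client's wg0.conf
# from the key files created in the steps above, print the matching [Peer]
# block for the server, and verify that no secret is group/world readable.
# The function names and the WG_DIR variable are assumptions for this
# example; on the real client the files live under /etc/wireguard.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"

# A WireGuard private, public or preshared key is 32 random bytes, which
# wg genkey / wg pubkey / wg genpsk print as 43 base64 chars plus one '='.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Write $WG_DIR/wg0.conf for the client.
# Args: private key file, server public key, psk file, client address (CIDR),
#       server tunnel IP, server endpoint (host:port).
render_client_conf() {
    priv=$(cat "$1"); server_pub=$2; psk=$(cat "$3")
    addr=$4; server_ip=$5; endpoint=$6
    is_wg_key "$priv"       || { echo "bad private key in $1" >&2; return 1; }
    is_wg_key "$server_pub" || { echo "bad server public key" >&2; return 1; }
    is_wg_key "$psk"        || { echo "bad preshared key in $3" >&2; return 1; }
    umask 077   # as in step 2: the config embeds the private key
    cat > "$WG_DIR/wg0.conf" <<EOF
[Interface]
PrivateKey = $priv
Address = $addr

[Peer]
PublicKey = $server_pub
PresharedKey = $psk
AllowedIPs = $server_ip/32
Endpoint = $endpoint
EOF
}

# Print the [Peer] block to paste into the server's config. The preshared
# key must be the same one the client uses; AllowedIPs is the client's /32.
# Args: client public key, psk file, client tunnel IP.
render_server_peer() {
    client_pub=$1; psk=$(cat "$2"); client_ip=$3
    is_wg_key "$client_pub" || { echo "bad client public key" >&2; return 1; }
    is_wg_key "$psk"        || { echo "bad preshared key in $2" >&2; return 1; }
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
        "$client_pub" "$psk" "$client_ip"
}

# List every regular file under WG_DIR that group or others can read
# (octal -perm tests so this works with OpenBSD, GNU and BusyBox find).
# Empty output means the umask 077 discipline held for keys, psk and config.
insecure_secrets() {
    find "$WG_DIR" -type f \( -perm -040 -o -perm -004 \)
}
```

Run it as root with the default WG_DIR, or point WG_DIR at a scratch directory to try it first: insecure_secrets should print nothing, and the block printed by render_server_peer is what goes into the server's config for this client.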