
Wireguard OpenBSD client

In this post, I will be installing Wireguard on my OpenBSD laptop to be able to connect to my personal services over a secure tunnel.


OpenBSD client setup

Install Wireguard

Wireguard tools are officially included in the OpenBSD repository, but are usually a bit outdated. To install them, type:

$ doas pkg_add wireguard-tools

As usual, OpenBSD provides excellent documentation about Wireguard (man wg), use it if necessary.

Prepare directories

1. Switch to root so you don't have to prefix every command with doas; together with the umask set in the next step, this also makes the config directory readable by root only.

$ doas su

2. Set umask to 077 so that every file and directory you create from now on is readable and writable by root only.

(root)$ umask 077

3. Create the config folder and its subdirectories.

(root)$ mkdir -p /etc/wireguard/{keys,psk}

Generate keys

1. Move to the keys directory and generate the client's private and public key. You will put the public key into the server config later; the private key never leaves the device.

(root)$ cd /etc/wireguard/keys
(root)$ wg genkey | tee wg0_private.key | wg pubkey > wg0_public.key

wg genkey generates a random private key, base64-encoded, and writes it to standard output. The pipe (|) hands that output to tee, which both passes it on to its own stdout and saves a copy into the file wg0_private.key. The private key then reaches wg pubkey, which derives the matching public key from the private key it reads on stdin and prints it in base64; the final redirection (>) stores that public key in wg0_public.key.

You will now have two files in the /etc/wireguard/keys directory, one containing the public key and the other the private key:

wg0_private.key  wg0_public.key
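
The checks below are an added example, not part of the original post or of wireguard-tools. They verify that a key file came out of the umask 077 plus wg genkey step the way it should have: owner-only permissions, and a single 44-character base64 string that decodes to 32 bytes (the Curve25519 key size WireGuard uses). Assumptions: POSIX sh with ls, cut, dd, wc and a base64 that decodes with -d (GNU coreutils on Linux; on OpenBSD substitute openssl base64 -d). write_constructed_key stands in for wg genkey with random bytes from /dev/urandom so the script runs on a machine without WireGuard installed; a real private key must still come from wg genkey.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a WireGuard key file.
# Assumes POSIX sh, ls, cut, dd, wc and "base64 -d" (GNU coreutils);
# on OpenBSD replace "base64 -d" with "openssl base64 -d".

# key_mode_ok FILE: succeed only if group and other hold no permission bits.
# The first ten characters of "ls -ld" are the same on OpenBSD and Linux.
key_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;   # e.g. -rw------- : owner only
        *)          return 1 ;;
    esac
}

# key_format_ok FILE: succeed only if the file holds one 44-character base64
# string that decodes to exactly 32 bytes.
key_format_ok() {
    key=$(cat "$1" 2>/dev/null)
    [ "${#key}" -eq 44 ] || return 1
    nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$nbytes" -eq 32 ]
}

# check_key_file FILE: both checks; prints a verdict, returns 0 only on success.
check_key_file() {
    if key_mode_ok "$1" && key_format_ok "$1"; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1 (permissions too open or malformed key)" >&2
    return 1
}

# write_constructed_key FILE: write 32 random bytes, base64-encoded, under umask 077.
# Stand-in for "wg genkey" so this example runs without wireguard-tools; constructed
# test material only, not a way to make real keys.
write_constructed_key() {
    ( umask 077; dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > "$1" )
}

# Demo: a key written under umask 077 passes; the same key made world-readable fails.
demo_dir=$(mktemp -d)
write_constructed_key "$demo_dir/wg0_private.key"
check_key_file "$demo_dir/wg0_private.key"
cp "$demo_dir/wg0_private.key" "$demo_dir/leaky.key"
chmod 644 "$demo_dir/leaky.key"
check_key_file "$demo_dir/leaky.key" || echo "leaky.key correctly rejected"
```

Run it after the wg genkey step as check_key_file /etc/wireguard/keys/wg0_private.key (and the public key file likewise); a FAIL on the private key usually means umask was not 077 in the shell that ran wg genkey.
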
2. Create the client config file (wg0.conf) in /etc/wireguard. Make sure you still have umask set to 077.

(root)$ touch /etc/wireguard/wg0.conf

3. Open the file and make it look like this, replacing the IPs with the ones you are planning to use. The [Peer] section describes the server's side of the connection: AllowedIPs should point to the server's internal IP within the Wireguard tunnel, and PublicKey should contain the server's public key. PresharedKey will be generated on the server in a moment; you can just as well generate it on the client and copy it to the server, or vice versa. Either way, because it is a shared secret, it has to be present in both configuration files, on the server and on the client.

[Interface]
PrivateKey = GeneratedPrivateKey_from_wg0_private.key
Address = 10.20.20.5/29

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.1/32
Endpoint = publicIP:port

Server setup

We assume that the server is already set up and we are just adding a new client. For a guide on how to set up a server, head over here.

1. Go to /etc/wireguard/psk and generate the preshared key. Ideally, set umask to 077 again first.

(root)$ cd /etc/wireguard/psk
(root)$ wg genpsk > openbsd_client.psk

2. Add the following [Peer] block to the server's wg0.conf. Replace PublicKey with the client's public key (the contents of wg0_public.key). Copy the generated preshared key from openbsd_client.psk into PresharedKey in both the server and the client config.

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.20.20.5/32
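
The client config in step 3 above and this server [Peer] block have to agree on two things: the same PresharedKey in both files, and a server AllowedIPs that is exactly the client's tunnel address as a /32. The script below is an added example, not from the original post, that renders both blocks from the same key and PSK files and then checks that they agree, so nothing is pasted by hand. Key material is constructed placeholder text, not real keys; it uses the post's 10.20.20.0/29 addressing and 203.0.113.10:51820 as a stand-in endpoint, and all file paths are parameters, so it never touches /etc/wireguard.

```shell
#!/bin/sh
# Added example (not from the original post): render the client wg0.conf and the
# matching server [Peer] block from shared key/PSK files, then cross-check them.
# Assumes POSIX sh with printf, sed, head and cut.

# render_client_conf PRIVKEY_FILE SERVER_PUBKEY PSK_FILE CLIENT_ADDR SERVER_TUNNEL_IP ENDPOINT
# Emits the client's [Interface] and [Peer] sections in the post's layout.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$(cat "$1")" "$4"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\nEndpoint = %s\n' \
        "$2" "$(cat "$3")" "$5" "$6"
}

# render_server_peer CLIENT_PUBKEY_FILE PSK_FILE CLIENT_TUNNEL_IP
# Emits the [Peer] block that goes into the server's wg0.conf for this client.
render_server_peer() {
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
        "$(cat "$1")" "$(cat "$2")" "$3"
}

# conf_value CONF KEY: print the value of the first "KEY = value" line in CONF.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2 = //p" | head -n 1
}

# peers_consistent CLIENT_CONF SERVER_PEER: succeed only when both sides carry the
# same non-empty PresharedKey and the server's AllowedIPs is the client's tunnel
# address as a /32 (the prefix length of the client's Address is dropped).
peers_consistent() {
    c_psk=$(conf_value "$1" PresharedKey)
    s_psk=$(conf_value "$2" PresharedKey)
    c_addr=$(conf_value "$1" Address | cut -d/ -f1)
    s_allowed=$(conf_value "$2" AllowedIPs)
    [ -n "$c_psk" ] && [ "$c_psk" = "$s_psk" ] && [ "$s_allowed" = "$c_addr/32" ]
}

# Demo with constructed placeholder keys (not real key material) in a temp dir.
demo=$(mktemp -d)
( umask 077
  printf 'CLIENT_PRIVATE_KEY_PLACEHOLDER=\n' > "$demo/wg0_private.key"
  printf 'CLIENT_PUBLIC_KEY_PLACEHOLDER=\n'  > "$demo/wg0_public.key"
  printf 'PRESHARED_KEY_PLACEHOLDER=\n'      > "$demo/openbsd_client.psk" )
client=$(render_client_conf "$demo/wg0_private.key" "SERVER_PUBLIC_KEY_PLACEHOLDER=" \
         "$demo/openbsd_client.psk" 10.20.20.5/29 10.20.20.1 203.0.113.10:51820)
server=$(render_server_peer "$demo/wg0_public.key" "$demo/openbsd_client.psk" 10.20.20.5)
printf '%s\n\n%s\n' "$client" "$server"
peers_consistent "$client" "$server" && echo "client config and server peer block agree"
```

On the real hosts you would point the file parameters at /etc/wireguard/keys and /etc/wireguard/psk and redirect the output into the respective wg0.conf (still under umask 077, since the rendered client file contains the private key); peers_consistent is the check to run before bringing the interface up, as a mismatched PresharedKey or AllowedIPs silently produces a tunnel that never completes a handshake or never routes.
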

Start the Wireguard interface

1. Go back to the OpenBSD client and bring up the Wireguard interface manually:

$ doas wg-quick up wg0

2. Now check ifconfig and confirm connectivity to
