Wireguard on OpenBSD

2023-02-15 - How to configure a wireguard endpoint on OpenBSD
Tags: OpenBSD vpn wireguard


This article explains how to configure wireguard on OpenBSD.

I chose to kick off this wireguard series with OpenBSD because it is the cleanest and best integrated of all operating systems that support wireguard.


OpenBSD does things elegantly as usual: where Linux distributions have a service, OpenBSD has a simple /etc/hostname.wg0 file. The interface is therefore managed without any tool other than the standard ifconfig. It’s so simple and elegant!

If you want, you can still install the usual tooling with:

pkg_add wireguard-tools

Generating keys

The private and public keys for a host can be generated with the following commands:

# Generate the private key, then derive the matching public key from it
PRIVATE_KEY=$(wg genkey)
PUBLIC_KEY=$(printf '%s\n' "$PRIVATE_KEY" | wg pubkey)
echo "private_key: $PRIVATE_KEY"
echo "public_key: $PUBLIC_KEY"

Private keys can also be generated with the following command if you do not wish to use the wg tool:

openssl rand -base64 32

I am not aware of an openssl command to extract the corresponding public key, but after setting up your interface, ifconfig will kindly show it to you.


Here is a configuration example of my /etc/hostname.wg0 that creates a tunnel listening on UDP port 342 and declares several peers:

wgport 342 wgkey '4J7O3IN7+MnyoBpxqDbDZyAQ3LUzmcR2tHLdN0MgnH8='
wgpeer 'LWZO5wmkmzFwohwtvZ2Df6WAvGchcyXpzNEq2m86sSE=' wgaip
wgpeer 'SjqCIBpTjtkMvKtkgDFIPJsAmQEK/+H33euekrANJVc=' wgaip
wgpeer '4CcAq3xqN496qg2JR/5nYTdJPABry4n2Kon96wz981I=' wgaip
wgpeer 'vNNic3jvXfbBahF8XFKnAv9+Cef/iQ6nWxXeOBtehgc=' wgaip

Your private key goes on the first line as the argument to wgkey; the other keys are the public keys of each peer. As with all other hostname interface files on OpenBSD, each line is a valid set of arguments you could pass to the ifconfig command.

To re-read the interface configuration, use:

sh /etc/netstart wg0


The tunnel can be managed with the standard ifconfig command:

root@yen:~# ifconfig wg0
        index 4 priority 0 llprio 3
        wgport 342
        wgpubkey R4A01RXXqRJSY9TiKQrZGR85HsFNSXxhRKKEu/bEdTQ=
        wgpeer LWZO5wmkmzFwohwtvZ2Df6WAvGchcyXpzNEq2m86sSE=
                wgendpoint 1024
                tx: 158515972, rx: 151576036
                last handshake: 93 seconds ago
        wgpeer SjqCIBpTjtkMvKtkgDFIPJsAmQEK/+H33euekrANJVc=
                wgendpoint 51110
                tx: 30969024, rx: 14034688
                last handshake: 9527 seconds ago
        wgpeer 4CcAq3xqN496qg2JR/5nYTdJPABry4n2Kon96wz981I=
                wgendpoint 46247
                tx: 36877516, rx: 19036472
                last handshake: 23 seconds ago
        wgpeer vNNic3jvXfbBahF8XFKnAv9+Cef/iQ6nWxXeOBtehgc=
                wgendpoint 1025
                tx: 150787792, rx: 146836696
                last handshake: 43 seconds ago
        groups: wg
        inet netmask 0xffffff00 broadcast

Alternatively you can also use the wg tool if you installed it.