💾 Archived View for thrig.me › tech › wireguard › openbsd-basics.gmi captured on 2024-12-17 at 10:45:43. Gemini links have been rewritten to link to archived content

OpenBSD Wireguard Basics

OpenBSD uses a custom configuration format as wireguard support has been integrated into ifconfig(8) and hostname.if(5), though a wireguard-tools package is available. The commands here assume OpenBSD 7.6.

Marched Up And Back Down Again

Note that ifconfig only shows certain details (the wgpubkey field, in particular) when run as the superuser. The public key is used on the other side of the connection. wg0 is more typical, but I've already got a working VPN there, so this documentation starts with wg1.

    $ ifconfig wg1
    wg1: no such interface
    $ doas ifconfig wg1 up
    $ doas ifconfig wg1
    wg1: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
            index 7 priority 0 llprio 3
            wgport 19769
            groups: wg
    $ openssl rand -base64 32
    X5q0jCGTJ/xJ0cKd/dO5NN8rUu3dWTVUlzAgtmjkpFc=
    $ doas ifconfig wg1 wgkey X5q0jCGTJ/xJ0cKd/dO5NN8rUu3dWTVUlzAgtmjkpFc=
    $ ifconfig wg1
    wg1: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
            index 7 priority 0 llprio 3
            wgport 19769
            groups: wg
    $ doas ifconfig wg1
    wg1: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
            index 7 priority 0 llprio 3
            wgport 19769
            wgpubkey PkpJcr+qKFdXuA3AI7zOsN5ti+k+QSHRd7Z0JmHe6Ak=
            groups: wg
    $ doas ifconfig wg1 destroy

A Do Nothing Tunnel

Create two interfaces and set a private key on each.

    # ifconfig wg1
    wg1: no such interface
    # ifconfig wg2
    wg2: no such interface
    # alias wgprivkey="openssl rand -base64 32"
    # ifconfig wg1 wgkey `wgprivkey` up
    # ifconfig wg2 wgkey `wgprivkey` up

Get and then set the public key on the other interface.

    # ifconfig wg1 | grep pubkey
            wgpubkey soqJwRA8Wks+O8K6FYaJLasclWvNFf5nL5+OxlZX9zw=
    # ifconfig wg2 wgpeer soqJwRA8Wks+O8K6FYaJLasclWvNFf5nL5+OxlZX9zw=
    # ifconfig wg2 | grep pubkey
            wgpubkey DEAc/9LdpFOHog5OdIIHC6yqWYZBaJ78NLJc0xgJ2W0=
    # ifconfig wg1 wgpeer DEAc/9LdpFOHog5OdIIHC6yqWYZBaJ78NLJc0xgJ2W0=

Tell one of the interfaces (the client) where to find the other side (the server, which has a fixed address).

    # ifconfig wg1 | grep port
            wgport 22105
    # ifconfig wg2 wgendpoint 127.0.0.1 22105
    ifconfig: wgendpoint: wgpeer not set
    # ifconfig wg2 | grep peer
            wgpeer soqJwRA8Wks+O8K6FYaJLasclWvNFf5nL5+OxlZX9zw=

Not like that: wgendpoint (like wgaip, wgpsk and the other per-peer options) applies to the wgpeer named earlier in the same ifconfig(8) command, so the peer and its attributes have to be given together rather than as separate commands. This is a good reason to do the configuration with a hostname.if(5) file instead.

    # ifconfig wg2 wgpeer soqJwRA8Wks+O8K6FYaJLasclWvNFf5nL5+OxlZX9zw= \
      wgendpoint 127.0.0.1 22105

Some addresses might be of use. And can we ping across them? One might also use tcpdump(8) to confirm that traffic is actually flowing over the expected interfaces. ifconfig(8) can also show various wireguard interface statistics.

    # ifconfig wg1 inet 192.0.2.1 netmask 255.255.255.0
    # ifconfig wg2 inet 192.0.2.2 netmask 255.255.255.0
    # ping -I 192.0.2.1 192.0.2.2
    PING 192.0.2.2 (192.0.2.2): 56 data bytes
    64 bytes from 192.0.2.2: icmp_seq=0 ttl=255 time=0.176 ms
    64 bytes from 192.0.2.2: icmp_seq=1 ttl=255 time=0.130 ms
    ^C
    --- 192.0.2.2 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.130/0.153/0.176/0.023 ms
    # ping -I 192.0.2.2 192.0.2.1
    PING 192.0.2.1 (192.0.2.1): 56 data bytes
    64 bytes from 192.0.2.1: icmp_seq=0 ttl=255 time=0.146 ms
    64 bytes from 192.0.2.1: icmp_seq=1 ttl=255 time=0.163 ms
    ^C
    --- 192.0.2.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.146/0.154/0.163/0.009 ms

Cleanup.

    # ifconfig wg1 destroy
    # ifconfig wg2 destroy
    # ping -I 192.0.2.2 192.0.2.1
    ping: bind: Can't assign requested address

If the ping continued to work, then you might need to debug why, and maybe redo the wireguard testing in light of what you learned.
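The same two-interface setup done the way the hostname.if(5) remark suggests, as an added example that is not code from this page or from OpenBSD: a small POSIX sh script (the function names, the umask and the netstart usage are this example's own choices) that writes the hostname.wg1 and hostname.wg2 file bodies from the keys, port and 192.0.2.x addresses used above, checks that each key has the shape openssl rand -base64 32 produces, and adds the wgaip rule that the commands above never set.

```shell
#!/bin/sh
# Added example, not code from the page: emit the hostname.if(5) file for one
# side of the wg1/wg2 tunnel above, so the private key and the per-peer
# options are applied from a root-only file at boot rather than typed into
# ifconfig(8), where the key lands in shell history and in the process
# arguments. Interface names, addresses and ports in the usage lines are the
# page's test values; the keys are whatever openssl rand -base64 32 produced.

# wg_key_looks_valid KEY
# A WireGuard key is 32 raw bytes, so its base64 form is exactly 44 characters
# with a single trailing '='. This catches a truncated or mangled paste before
# it is written into the file.
wg_key_looks_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # not base64
        *=) ;;                            # required padding
        *) return 1 ;;
    esac
    case ${key%?} in
        *=) return 1 ;;                   # 32 bytes never need '=='
    esac
    return 0
}

# wg_hostname_if PRIVKEY PORT PEERPUBKEY PEERHOST PEERPORT PEERAIP ADDR MASK
# Prints the file body on stdout. netstart(8) hands every line that is not an
# "inet" line to ifconfig(8) verbatim, which is why wgendpoint and wgaip sit on
# the same line as the wgpeer they belong to, exactly as in the combined
# command above. PORT and PEERHOST/PEERPORT may be empty (see below).
wg_hostname_if() {
    privkey=$1 port=$2 peerpub=$3 peerhost=$4 peerport=$5 peeraip=$6 addr=$7 mask=$8
    wg_key_looks_valid "$privkey" || { echo "wg_hostname_if: bad private key" >&2; return 1; }
    wg_key_looks_valid "$peerpub" || { echo "wg_hostname_if: bad peer public key" >&2; return 1; }
    [ -n "$peeraip" ] || { echo "wg_hostname_if: wgaip is required" >&2; return 1; }
    # Server side: fixed listening port. Client side: leave PORT empty and the
    # kernel picks one, as it did for wg2 above.
    if [ -n "$port" ]; then
        printf 'wgkey %s wgport %s\n' "$privkey" "$port"
    else
        printf 'wgkey %s\n' "$privkey"
    fi
    peer="wgpeer $peerpub"
    # Only the side that initiates needs wgendpoint; the other side learns the
    # peer's address from the handshake it receives.
    [ -n "$peerhost" ] && peer="$peer wgendpoint $peerhost $peerport"
    # wgaip is the cryptokey-routing rule: without it the kernel will neither
    # send to nor accept from this peer, whatever inet addresses are set. The
    # ping test above never set it, which is one more reason to check with tcpdump.
    printf '%s wgaip %s\n' "$peer" "$peeraip"
    printf 'inet %s %s\n' "$addr" "$mask"
    printf 'up\n'
}

# Usage (umask 027 makes the new file 0640 so the private key is not
# world-readable; netstart applies the file without a reboot):
#   wg_hostname_if "$SERVER_PRIV" 22105 "$CLIENT_PUB" "" "" 192.0.2.2/32 192.0.2.1 255.255.255.0 \
#       | doas sh -c 'umask 027; cat > /etc/hostname.wg1' && doas sh /etc/netstart wg1
#   wg_hostname_if "$CLIENT_PRIV" "" "$SERVER_PUB" 127.0.0.1 22105 192.0.2.1/32 192.0.2.2 255.255.255.0 \
#       | doas sh -c 'umask 027; cat > /etc/hostname.wg2' && doas sh /etc/netstart wg2
```

Because both 192.0.2.x addresses live on the same host, a successful ping by itself does not prove the packets took the tunnel; running tcpdump -n -i wg1 icmp during the ping, and watching the per-peer statistics ifconfig(8) prints for wg1, shows whether anything actually traverses it.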

See Also

hostname.if(5), ifconfig(8)

openbsd-server.gmi