💾 Archived View for thrig.me › tech › wireguard › openbsd-client.gmi captured on 2024-12-17 at 10:45:51. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

OpenBSD Wireguard Client

For hostname.wg0 or another such file if you've already got a wg0 interface.

    wgkey CLIENTPRIVATEKEY
    wgpeer SERVERPUBLICKEY wgendpoint 198.51.100.42 4433 wgaip 192.0.2.0/24 wgaip 2001:db8:d0c::/64 wgpka 25 wgpsk PRESHAREDKEY
    inet 192.0.2.2/24
    inet6 2001:db8:d0c::2/64
    up

"wgpka" is equivalent to "PersistentKeepalive", and "wgaip" similar to "Address" of the wireguard configuration format. This configuration attempts to route all traffic over the tunnel, though I mostly only use it to handle DNS and SMTP traffic to the server.

Optional Routing

Some configure their client to send all traffic through the server:

gemini://perso.pw/blog/articles/openbsd-wireguard-exit.gmi

Another method is to create a custom routing table and only use that for specific commands. Note that the "wgaip" have been modified from the above.

    wgkey CLIENTPRIVATEKEY
    wgpeer SERVERPUBLICKEY wgendpoint 198.51.100.42 4433 wgaip 0.0.0.0/0 wgaip ::/0 wgpka 25 wgpsk PRESHAREDKEY
    inet 192.0.2.2/24
    inet6 2001:db8:d0c::2/64
    up
    !route -T 1 add -inet  default 192.0.2.1
    !route -T 1 add -inet6 default 2001:db8:d0c::1

To use this rtable, launch the command wrapped by route(8):

    $ route -T 1 exec ping -c 1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=23.512 ms

    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 23.512/23.512/23.512/0.000 ms
    $ route -T 1 exec ksh
    $ id -R
    1
    $ exit
    $ id -R
    0

It may be good to check on the server that the traffic is indeed seen on the wg0 interface:

    # tcpdump -i wg0 not port 22
    tcpdump: listening on wg0, link-type LOOP
    22:03:58.065793 client.example.org > dns.google: icmp: echo request
    22:03:58.066401 dns.google > client.example.org: icmp: echo reply
    ...

Be sure to exclude your SSH traffic if you establish the SSH connection over the same wireguard tunnel!