Howto: WireGuard on OpenBSD

Updated: June 28, 2022

Running WireGuard on OpenBSD is easy and pleasant. This is a minimalist howto for getting a basic server/client pair running such as in a "roadwarrior" or VPS setting.

OpenBSD server setup

On your existing OpenBSD server type the following as root:

Now, create /etc/wireguard/wg0.conf. It should look something like this:

Replace "aaaa" with the actual contents of the server's secret.key file you just created. Later, after setting up the client, replace "BBBB" with the actual contents of the client's public.key file.

Now set up /etc/hostname.wg0 to look like this:

Add the following to /etc/pf.conf:

Replace vio0 with whatever network device you have.

That's it, apart from putting the client's public key in the server's wg0.conf file.

OpenBSD client setup

The client setup is very similar to the server setup. On your existing OpenBSD client type the following as root:

Now, create /etc/wireguard/wg0.conf. It should look something like this:

Replace "bbbb" with the actual contents of the client's secret.key file you just created. Then replace "AAAA" with the actual contents of the server's public.key file. Replace 192.0.2.42:51820 with the actual public IP address and port (51820 is recommended) of your server. What is the AllowedIPs config line? It specifies that packets destined for these IP addresses go over WireGuard. IPs not in the list don't get sent over WireGuard. Here, 0.0.0.0/0 and ::/0 mean all IP addresses in IPv4 and IPv6, respectively.

Now set up /etc/hostname.wg0 to look like this:

Only a single line is strictly necessary in pf.conf, but of course feel free to keep your other pf rules:

Again, replace vio0 with whatever network device you have.

Finally, it's helpful to have a couple shell scripts to enable or disable the VPN. Put something like this into /etc/wireguard/enable.sh:

Replace 192.0.2.42 with the actual public IP address of the remote WireGuard server, in case you want to directly SSH to it. Replace 192.168.0.1 with your typical (non-VPN) router/gateway IP address.

You can put something like this into /etc/wireguard/disable.sh:

With these scripts you can easily switch to or away from the VPN. There's typically no reason to have these scripts on the server. They only really benefit the client.

Wrapping it up

Now either reboot, or on both machines, run:

You can check your IP address with either of the following commands:

Post-quantum security

It's not true post-quantum cryptography but mixing in a preshared key with the X25519 key agreement does protect against post-quantum attacks, and is useful until WireGuard and/or Noise adopt a pqcrypto key exchange. You can generate a PSK on OpenBSD with:

You can then add that key to your server wg0.conf and client wg0.conf, under the [Peer] section like so:

Replace CCCC with the actual contents of the PSK. This PSK is shared between both endpoints, your computer and the server. If you have multiple WireGuard peers, you can use a different PSK for each one. You can safely transmit this key using post-quantum cryptography already deployed OpenSSH by setting the following in your server's sshd.conf and your client's ssh.conf:

Note than as of OpenBSD 7.1 / OpenSSH 9.0, sntrup761x25519-sha512@openssh.com is the default key exchange, so there's no need to modify your server's sshd.conf or client ~/.ssh/config files.

"Powered by WireGuard"