# OpenBSD Kernel WireGuard Configuration
Since OpenBSD 7.4, WireGuard support has been built into the kernel. In this release and later, it is no longer necessary to install additional WireGuard packages; instead, you configure WireGuard as its own interface using a file such as /etc/hostname.wg0:
```
wgkey <private_key_here>
wgpeer <peer_public_key> wgendpoint 128.208.74.7 51821 wgaip 192.168.1.0/24 wgaip 192.168.2.0/24 wgaip 222.22.2.0/24 wgaip 222.22.3.0/24 wgpka 20
inet 192.168.1.254/24
up
!route add -net 182.168.1.0/24 192.168.1.1
```
Available fields in this file:
- wgkey: the local node's private key
- wgport: port to listen on for incoming peer connections
- wgpeer line: one per peer, contains the specific configuration for that peer. Options for each peer are all added on the same line:
  - wgendpoint: externally reachable endpoint IP and port for the peer
  - wgpsk: pre-shared key for authentication
  - wgaip: allowed IP addresses, may be specified multiple times per peer. Takes CIDR address blocks (use /32 for a single host)
  - wgpka: send keepalive packets at this interval, in seconds
Additional fields are configured as per normal OpenBSD network interfaces, e.g.:
- inet: an IP address to assign to the interface
- up: specify that this interface should be brought up automatically
- !: a command to run after bringing the interface up. Useful for modifying the routing table, etc.
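
An added example, not part of the original page or of OpenBSD's own tooling: a Python check of the wgkey and wgpeer lines described above, flagging malformed keys, peers without wgaip, catch-all wgaip blocks, and a wgaip block claimed by two peers. It assumes keys are base64 strings of 32 bytes and knows only the peer options listed on this page; the key and addresses in `SAMPLE` are constructed.

```python
import base64, binascii, ipaddress
NARGS = {"wgendpoint": 2, "wgpsk": 1, "wgaip": 1, "wgpka": 1}  # peer options on this page -> arg count

def is_wg_key(s):
    """True if s is base64 for exactly 32 bytes, the size of a WireGuard key."""
    try:
        return len(base64.b64decode(s, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def lint(text):
    """Return (line_no, message) findings for the text of a hostname.wgN file."""
    out, seen = [], {}  # seen: wgaip network -> line of the first peer claiming it
    for no, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0] not in ("wgkey", "wgpeer"):
            continue  # inet, up, !commands and comments are outside this check
        if len(tok) < 2 or not is_wg_key(tok[1]):
            out.append((no, f"{tok[0]}: not a 32-byte base64 key"))
        if tok[0] == "wgkey":
            continue
        i, aips = 2, 0
        while i < len(tok):
            opt, n = tok[i], NARGS.get(tok[i])
            if n is None or i + n >= len(tok):
                out.append((no, f"wgpeer: {opt} is unknown here or lacks an argument"))
                break
            arg, i = tok[i + 1], i + 1 + n
            if opt != "wgaip":
                continue
            aips += 1
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                out.append((no, f"wgaip {arg}: not a CIDR block"))
                continue
            if net.prefixlen == 0:
                out.append((no, f"wgaip {net}: accepts any source address from this peer"))
            if seen.setdefault(net, no) != no:
                out.append((no, f"wgaip {net}: also claimed by peer on line {seen[net]}"))
        if aips == 0:
            out.append((no, "wgpeer: no wgaip, nothing is routed to or accepted from it"))
    return out

KEY = base64.b64encode(bytes(32)).decode()  # constructed placeholder key, 32 zero bytes
SAMPLE = f"""wgkey {KEY}
wgpeer {KEY} wgendpoint 192.0.2.7 51821 wgaip 192.168.1.0/24 wgaip 192.168.2.0/24 wgpka 20
wgpeer {KEY} wgaip 192.168.2.0/24 wgaip 0.0.0.0/0
wgpeer {KEY} wgpka 20"""
```

Calling `lint(SAMPLE)` reports the duplicate and catch-all wgaip on line 3 and the peer without wgaip on line 4.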