WireGuard Stuff, 2019-09-18
Resources
Also check my newer post about WireGuard on Current …
Using wireguard on OpenBSD
OpenBSD Router: VPN
Wireguard Server
Packages
# Userland WireGuard implementation, the wg(8) tools, and the QR encoder
# that is used further down to render the client configs as QR codes.
pkg_add wireguard-go wireguard-tools libqrencode
Config & Enable WG
# The daemon flag names the tunnel interface; tun2 matches hostname.tun2 and
# the "wg setconf tun2" calls below.  Set the flag, then enable at boot.
rcctl set wireguard_go flags tun2
rcctl enable wireguard_go
Prepare Environment
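# Keys and generated client configs live under /etc/wireguard.  Everything
# that follows uses paths relative to that directory, so a failed cd must
# stop the session instead of scattering key files into the current cwd.
mkdir -p /etc/wireguard/keys /etc/wireguard/config
cd /etc/wireguard || exit 1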
Generate Keys
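# One key pair per party.  The loop runs under umask 077 in a subshell so the
# private key files are never world-readable, not even in the window between
# tee creating them and the chmod below; the chmod still covers files that
# already existed with looser permissions.
# NOTE: client private keys are generated here on the server (for the QR
# hand-off below); the copies in keys/ are as sensitive as the server key.
(
  umask 077
  for name in server client001 client002 client003; do
    wg genkey | tee "keys/${name}-private.key" | wg pubkey > "keys/${name}-public.key"
  done
)
chmod 600 keys/*private.key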
Config Interface
# Interface description for tun2, read by netstart(8) at boot: the IPv4
# address/peer pair, an IPv6 address with its destination, and a "!" command
# line that loads the peers from /etc/wireguard/server.conf.  The 10 s sleep
# is presumably there to give the daemon time to create tun2 first; it is a
# fixed delay, not a readiness check, so a slow boot may still race it.
# The quoted delimiter is correct here: nothing in the body needs expanding.
cat << 'EOF' > /etc/hostname.tun2
10.0.0.1 10.0.0.2 netmask 255.255.255.0
inet6 alias 2001:db8::1 128
dest 2001:db8::2
!/bin/sleep 10 && /usr/local/bin/wg setconf tun2 /etc/wireguard/server.conf &
EOF
IP Forwarding
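# Persist IP forwarding for both address families and enable it right away.
# The grep guard keeps repeated runs of this snippet from appending duplicate
# lines to sysctl.conf.
for knob in net.inet.ip.forwarding net.inet6.ip6.forwarding; do
  grep -q "^${knob}=" /etc/sysctl.conf 2>/dev/null \
    || printf '%s=1\n' "${knob}" >> /etc/sysctl.conf
  sysctl "${knob}=1"
done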
server.conf
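# The heredoc delimiter must NOT be quoted: with << 'EOF' the $(cat ...)
# substitutions are copied into the file literally, and wg setconf then
# rejects "$(cat keys/server-private.key)" as an invalid key.  The file holds
# the server private key, so it is created under umask 077 and chmod'ed 600.
# The "# IPv4 only" style comments are kept inside the file; wg(8) accepts them.
(
umask 077
cat << EOF > server.conf
[Interface]
PrivateKey = $(cat keys/server-private.key)
ListenPort = 51820
# IPv4 only
[Peer]
PublicKey = $(cat keys/client001-public.key)
AllowedIPs = 10.0.0.2/32
# IPv6 only
[Peer]
PublicKey = $(cat keys/client002-public.key)
AllowedIPs = 2001:db8::3/128
# IPv4 and IPv6
[Peer]
PublicKey = $(cat keys/client003-public.key)
AllowedIPs = 2001:db8::4/128, 10.0.0.4/32
EOF
)
chmod 600 server.conf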
Update PF
... snip ...
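... snip ...
# tun2 is in the skip list, so nothing arriving from VPN peers is filtered:
# every peer gets unrestricted access to this host and to whatever it routes.
# Drop tun2 from the list and add explicit pass rules if peers should be
# limited (e.g. to DNS only, which is all the client configs below route).
set skip on { lo0 enc0 tun2 }
# WG Stuff
match out log on egress inet from (tun2:network) nat-to (egress:0)
match out log on egress inet6 from (tun2:network) nat-to (egress)
... snip ...
# Block all
block log
... snip ...
# Allow Wireguard from any.  WireGuard speaks UDP only; nothing listens on
# TCP 51820, so only udp is opened.
pass in log quick inet proto udp from any to (self) port 51820
pass in log quick inet6 proto udp from any to (self) port 51820
... snip ...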
Reboot the server to activate all of the configuration.
Update Config Script
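# Helper to reload the peer list after editing server.conf.
# - The shebang must be "#!/bin/sh" with no space; "# !/bin/sh" is only a
#   comment, so the kernel refuses to exec the file directly.
# - server.conf is referenced by absolute path so the script works from any
#   working directory, not only from /etc/wireguard.
# - "set -e" replaces the unconditional "exit 0", which hid setconf failures.
# The delimiter stays quoted: the body contains nothing to expand.
cat << 'EOF' > wg_update_config.sh
#!/bin/sh
set -e
wg setconf tun2 /etc/wireguard/server.conf
wg show
EOF
chmod 755 wg_update_config.sh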
Wireguard Client
IPv4 only
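# Unquoted delimiter: the key files and the egress address must be expanded,
# otherwise the config contains the literal "$(cat ...)" text and fails to
# load.  "exit" in the awk program keeps Endpoint to a single address if the
# egress group has more than one inet address.  AllowedIPs = 8.8.8.8/32 sends
# only DNS traffic through the tunnel; 0.0.0.0/0 would route everything.
# The file holds the client private key, hence umask 077.
(
umask 077
cat << EOF > config/client001.conf
[Interface]
PrivateKey = $(cat keys/client001-private.key)
Address = 10.0.0.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = $(cat keys/server-public.key)
AllowedIPs = 8.8.8.8/32
Endpoint = $(ifconfig egress | awk '/inet / {print $2; exit}'):51820
EOF
)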
IPv6 only
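# Unquoted delimiter: the key files and the egress address must be expanded,
# otherwise the config contains the literal "$(cat ...)" text and fails to
# load.  The awk program skips the fe80:: link-local address and stops at the
# first global one, so Endpoint never ends up with two addresses.
# The file holds the client private key, hence umask 077.
(
umask 077
cat << EOF > config/client002.conf
[Interface]
PrivateKey = $(cat keys/client002-private.key)
Address = 2001:db8::3/128
DNS = 2001:4860:4860::8888
[Peer]
PublicKey = $(cat keys/server-public.key)
AllowedIPs = 2001:4860:4860::8888/128
Endpoint = [$(ifconfig egress | awk '/inet6 / && !/fe80::/ {print $2; exit}')]:51820
EOF
)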
IPv4+6 (not yet working …)
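# Endpoint takes exactly one host:port; a comma-separated IPv4/IPv6 pair is
# rejected, which is the likely reason this dual-stack config did not work.
# The transport address family is independent of the addresses carried inside
# the tunnel, so a single IPv4 endpoint serves both 10.0.0.4 and 2001:db8::4.
# Unquoted delimiter so the key files and the egress address expand.
# The file holds the client private key, hence umask 077.
(
umask 077
cat << EOF > config/client003.conf
[Interface]
PrivateKey = $(cat keys/client003-private.key)
Address = 10.0.0.4/32, 2001:db8::4/128
DNS = 8.8.8.8, 2001:4860:4860::8888
[Peer]
PublicKey = $(cat keys/server-public.key)
AllowedIPs = 8.8.8.8/32, 2001:4860:4860::8888/128
Endpoint = $(ifconfig egress | awk '/inet / {print $2; exit}'):51820
EOF
)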
Generate QR
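# qrencode reads the config from stdin, so no cat is needed.  Each QR code
# carries that client's private key: treat the terminal output (scrollback,
# screen sharing, session logs) with the same care as the key file itself.
for c in client001 client002 client003; do
  qrencode -t ansiutf8 < "config/${c}.conf"
done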
Show Commands
puffy66 1 ../wireguard# wg show
interface: tun2
public key: eBzb9Q+95EQj2C2hRd7RuGH4dES9sjfgjWHHFskJ+SQ=
private key: (hidden)
listening port: 51820
peer: 6i2k+s3bgUgRRbVefCNzjQPJZbsIzipNsFOmjFCnLHE=
endpoint: 192.168.108.125:52565
allowed ips: 10.0.0.2/32
latest handshake: 56 seconds ago
transfer: 13.19 KiB received, 8.07 KiB sent
peer: gRWzWzJIelqez9/lHsL/KsDDKjCoZK6I91hggeNELmc=
allowed ips: 2001:db8::3/128
peer: pulLKxKk6dwFf6xlb+mEiP4AdS0jbs5hYOvMC7FfNXM=
allowed ips: 10.0.0.4/32, 2001:db8::4/128