diff options
author | Julien Dessaux | 2023-02-15 23:44:12 +0100 |
---|---|---|
committer | Julien Dessaux | 2023-02-15 23:44:12 +0100 |
commit | 5136efe70281b8a7f90e42742f73a0876833b597 (patch) | |
tree | 9ffc00ed53447a89b7c5fb66aba8cb4ce6de76c0 /content/docs/openbsd | |
parent | Added the first blog article in a series about wireguard (diff) | |
download | www-5136efe70281b8a7f90e42742f73a0876833b597.tar.gz www-5136efe70281b8a7f90e42742f73a0876833b597.tar.bz2 www-5136efe70281b8a7f90e42742f73a0876833b597.zip |
Add wireguard on OpenBSD blog article
Diffstat (limited to '')
-rw-r--r-- | content/docs/openbsd/wireguard.md | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/content/docs/openbsd/wireguard.md b/content/docs/openbsd/wireguard.md index 83c7cb1..8e86ced 100644 --- a/content/docs/openbsd/wireguard.md +++ b/content/docs/openbsd/wireguard.md @@ -4,6 +4,7 @@ description: How to configure a wireguard endpoint on OpenBSD tags: - OpenBSD - vpn +- wireguard --- ## Introduction @@ -14,7 +15,7 @@ This article explains how to configure wireguard on OpenBSD. OpenBSD does things elegantly as usual : where linux distributions have a service, OpenBSD has a simple `/etc/hostname.wg0` file. The interface is therefore managed without any tool other than the standard ifconfig, it's so simple and elegant! -You can still install the usual tooling with: +If you want you can still install the usual tooling with: ```sh pkg_add wireguard-tools ``` @@ -30,24 +31,25 @@ echo public_key: $PUBLIC_KEY ``` Private keys can also be generated with the following command if you do not wish to use the `wg` tool: -{{< highlight sh >}} +```sh openssl rand -base64 32 -{{< /highlight >}} +``` +I am not aware of an openssl command to extract the corresponding public key, but after setting up your interface `ifconfig` will kindly show it to you. ## Configuration Here is a configuration example of my `/etc/hostname.wg0` that creates a tunnel listening on udp port 342 and several peers : -{{< highlight cfg >}} +```cfg wgport 342 wgkey '4J7O3IN7+MnyoBpxqDbDZyAQ3LUzmcR2tHLdN0MgnH8=' 10.1.2.1/24 wgpeer 'LWZO5wmkmzFwohwtvZ2Df6WAvGchcyXpzNEq2m86sSE=' wgaip 10.1.2.2/32 wgpeer 'SjqCIBpTjtkMvKtkgDFIPJsAmQEK/+H33euekrANJVc=' wgaip 10.1.2.4/32 wgpeer '4CcAq3xqN496qg2JR/5nYTdJPABry4n2Kon96wz981I=' wgaip 10.1.2.8/32 wgpeer 'vNNic3jvXfbBahF8XFKnAv9+Cef/iQ6nWxXeOBtehgc=' wgaip 10.1.2.6/32 -{{< /highlight >}} +``` -Your private key goes on the first line as argument to `wgkey`, the other keys are public keys for each peer. +Your private key goes on the first line as argument to `wgkey`, the other keys are public keys for each peer. As all other hostname interface files on OpenBSD, each line is a valid argument you could pass the `ifconfig` command. To re-read the interface configuration, use : ```sh @@ -57,7 +59,7 @@ sh /etc/netstart wg0 ## Administration The tunnel can be managed with the standard `ifconfig` command: -{{< highlight sh >}} +```sh root@yen:~# ifconfig wg0 wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420 index 4 priority 0 llprio 3 @@ -85,6 +87,6 @@ wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420 wgaip 10.1.2.6/32 groups: wg inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255 -{{< /highlight >}} +``` Alternatively you can also use the `wg` tool if you installed it. |