$OpenBSD$

+------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+------------------------------------------------------------------------------

rc.d(8) script
===============
The included rc.d script is limited to supporting a single instance of
WireGuard. Create your configuration with a .conf extension in /etc/wireguard
and add the name of your configuration to the daemon's flags. The rc.d script
supports both reloading the configuration during runtime and monitoring the run
state of the daemon.

For example, for a configuration file named wg0.conf, the file should be
located at:

    /etc/wireguard/wg0.conf

The configuration file should have the appropriate permissions and ownership:

    # chmod 0400 /etc/wireguard/wg0.conf
    # chown root:wheel /etc/wireguard/wg0.conf

The system daemon configuration database should be updated to start the
WireGuard daemon with the name of the configuration:

    # rcctl enable wireguard
    # rcctl set wireguard flags tun0

The daemon can then be controlled using normal rc.d mechanisms:

    # rcctl start wireguard
Setting up two OpenBSD peers
============================
Assumptions:

Two nodes, wg1 and wg2, which will use 10.0.0.1 and 10.0.0.2 respectively
within the VPN network. wg1 will be the "server" and wg2 the client. Both nodes
use `tun0` as the tunneling interface. wg1 is reachable for wg2 on 192.168.1.1.

Generating keys
---------------
First generate the private keys and derive the public keys from them for both
the server and the client:

    # wg genkey | tee server-private.key | wg pubkey > server-public.key
    # wg genkey | tee client-private.key | wg pubkey > client-public.key

Networking setup
----------------
On wg1 a few settings are required:

    # sysctl net.inet.ip.forwarding=1
    # echo 'pass out on egress inet from (tun0:network) nat-to (egress:0)' >> /etc/pf.conf

Configure the tun0 interface on wg1:

    # ifconfig tun0 up 10.0.0.1 10.0.0.2 netmask 255.255.255.0

and on wg2:

    # ifconfig tun0 up 10.0.0.2 10.0.0.1 netmask 255.255.255.0

Configure the wireguard service on both nodes:

    # rcctl enable wireguard
    # rcctl set wireguard flags tun0
    # rcctl start wireguard
Interface configuration
-----------------------
server.conf would be:

----------8<----------
[Interface]
PrivateKey = <contents of server-private.key go here>
ListenPort = 8080

[Peer]
PublicKey = <contents of client-public.key go here>
AllowedIPs = 10.0.0.2/32
----------8<----------

Apply it on wg1:

    # wg setconf tun0 server.conf

and client.conf:

----------8<----------
[Interface]
PrivateKey = <contents of client-private.key go here>

[Peer]
PublicKey = <contents of server-public.key go here>
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.1.1:8080
----------8<----------

Apply it on wg2:

    # wg setconf tun0 client.conf

Now you can reach 10.0.0.1 from wg2 via the tunnel.
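As an added example (not part of the port's README), the following POSIX sh functions write a configuration in the shape of server.conf/client.conf above and verify that it carries the 0400 root:wheel permissions the README asks for before it is handed to wg setconf or the rc.d script. The function names are constructed for this example; the key files are assumed to be those produced by the wg genkey / wg pubkey step.

```sh
#!/bin/sh
# Added example, not part of the port's README: build a WireGuard
# configuration in the shape of server.conf/client.conf above and check
# that it has the permissions the README requires (0400, root:wheel)
# before it is used with wg setconf or the rc.d script.
# Function names are constructed; key files are the ones produced by
# "wg genkey | tee X-private.key | wg pubkey > X-public.key".

# wg_write_conf OUT PRIVKEY_FILE PEER_PUBKEY_FILE ALLOWED_IPS [LISTEN_PORT] [ENDPOINT]
# Writes the [Interface] and [Peer] sections. The file is created under
# umask 077 and then locked to 0400, so the private key is never briefly
# readable by other users. Fails if either key file is unreadable, instead
# of silently writing an empty key.
wg_write_conf() {
    out=$1 privkey_file=$2 peer_pubkey_file=$3 allowed=$4 port=$5 endpoint=$6
    [ -r "$privkey_file" ] && [ -r "$peer_pubkey_file" ] || return 1
    (
        umask 077
        {
            printf '[Interface]\n'
            printf 'PrivateKey = %s\n' "$(cat "$privkey_file")"
            [ -n "$port" ] && printf 'ListenPort = %s\n' "$port"
            printf '\n[Peer]\n'
            printf 'PublicKey = %s\n' "$(cat "$peer_pubkey_file")"
            printf 'AllowedIPs = %s\n' "$allowed"
            [ -n "$endpoint" ] && printf 'Endpoint = %s\n' "$endpoint"
            :
        } > "$out"
    ) || return 1
    chmod 0400 "$out"
}

# wg_check_conf FILE [OWNER] [GROUP]
# Succeeds only when FILE is a regular file with mode 0400 owned by
# OWNER:GROUP (defaults root:wheel, as in the README). ls -l is parsed
# instead of stat(1) because stat's flags differ between OpenBSD and
# other systems; only the first ten mode characters are compared so an
# ACL/extended-attribute marker after them does not matter.
wg_check_conf() {
    file=$1 owner=${2:-root} group=${3:-wheel}
    [ -f "$file" ] || return 1
    line=$(ls -ld "$file") || return 1
    mode=$(printf '%s' "$line" | cut -c1-10)   # e.g. "-r--------"
    set -- $line                                # mode links owner group ...
    [ "$mode" = "-r--------" ] && [ "$3" = "$owner" ] && [ "$4" = "$group" ]
}

# Usage on wg1 (as root), after generating the keys as shown above:
#   wg_write_conf /etc/wireguard/server.conf server-private.key client-public.key 10.0.0.2/32 8080
#   wg_check_conf /etc/wireguard/server.conf && wg setconf tun0 /etc/wireguard/server.conf
```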