### OpenBSD server setup

On your existing OpenBSD server, run the following commands:

```Shell
pkg_add wireguard-tools

# Enable IPv4 and IPv6 forwarding now and persist it across reboots
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf

# Keep keys in a directory only root can enter
mkdir -p /etc/wireguard
chmod 700 /etc/wireguard
cd /etc/wireguard

# Generate the server key pair; the secret key must stay readable by root only
wg genkey > secret.key
chmod 600 secret.key
wg pubkey < secret.key > public.key
```

Now, create /etc/wireguard/wg0.conf. It should look something like this:

```Shell
[Interface]
PrivateKey = <server secret key>
ListenPort = 51820

# client 1
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
```

Now set up /etc/hostname.wg0 to look like this:

```Shell
inet 10.0.0.1 255.255.255.0 NONE
up

!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
```

Add the following to /etc/pf.conf:

```Shell
# Allow traffic arriving over the tunnel
pass in on wg0
# Allow WireGuard handshakes and data on the listen port
pass in inet proto udp from any to any port 51820
# NAT tunnel clients out through the external interface
pass out on egress inet from (wg0:network) nat-to (vio0:0)
```

Replace vio0 with whatever network device you have.

### OpenBSD client setup

On your existing OpenBSD client, type the following as root:

```Shell
pkg_add wireguard-tools

# Keep keys in a directory only root can enter
mkdir -p /etc/wireguard
chmod 700 /etc/wireguard
cd /etc/wireguard

# Generate the client key pair; the secret key must stay readable by root only
wg genkey > secret.key
chmod 600 secret.key
wg pubkey < secret.key > public.key
```

Now, create /etc/wireguard/wg0.conf. It should look something like this:

```Shell
[Interface]
PrivateKey = <client secret key>

[Peer]
PublicKey = <server public key>
Endpoint = <server public IP>:51820
# Send all IPv4 and IPv6 traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
```

Now set up /etc/hostname.wg0 to look like this:

```Shell
inet 10.0.0.2 255.255.255.0 NONE
up

!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
```

Add the following to your pf.conf file:

```Shell
pass out on egress inet from (wg0:network) nat-to (vio0:0)
```

Again, replace vio0 with whatever network device you have.

Finally, it's helpful to have a couple of shell scripts to enable or disable the VPN.
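Put something like this into /etc/wireguard/enable.sh:

```Shell
#!/bin/sh
# route add <destination> <gateway>: keep traffic to the VPN server itself
# going via the local gateway (192.168.0.1 is assumed to be your LAN gateway)
route add <server public IP> 192.168.0.1
# Send everything else through the tunnel, via the server's wg0 address
route change default 10.0.0.1
```

###### credits: ianix & mental outlaw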
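Before bringing wg0 up, the wg0.conf files from the server and client sections above can be checked for the mistakes that matter most: a config readable by other users, a placeholder key left in place, and peers whose AllowedIPs collide or are too wide. This is an added example, not code from the original page; the function name `wg_conf_audit` is hypothetical, and treating `ListenPort` as the mark of the server side is an assumption that matches this page's layout.

```shell
#!/bin/sh
# Added example (not from the original page): audit a wg0.conf shaped like the ones above.
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
wg_conf_audit() {
    conf=$1; findings=0
    # The file holds PrivateKey, so group and other must have no access (mode 600).
    perms=$(ls -ldL "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other ($perms)"; findings=1
    fi
    out=$(awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function end_peer() {            # report what the peer just parsed lacks
            if (sect != "peer") return
            if (!haskey) print "FAIL: peer " peers " has no PublicKey"
            if (!hasips) print "FAIL: peer " peers " has no AllowedIPs"
        }
        { sub(/#.*/, ""); $0 = trim($0) }   # drop comments and padding
        $0 == "" { next }
        $0 == "[Interface]" { end_peer(); sect = "iface"; next }
        $0 == "[Peer]" { end_peer(); sect = "peer"; peers++; haskey = hasips = 0; next }
        (eq = index($0, "=")) {
            k = trim(substr($0, 1, eq - 1)); v = trim(substr($0, eq + 1))
            if (sect == "iface" && k == "PrivateKey") priv = v
            if (sect == "iface" && k == "ListenPort") server = 1
            if (sect == "peer" && k == "PublicKey") haskey = 1
            if (sect == "peer" && k == "AllowedIPs") {
                hasips = 1; n = split(v, ips, ",")
                for (i = 1; i <= n; i++) {
                    ip = trim(ips[i]); owners[ip]++
                    if (ip ~ /\/0$/) wide[peers] = 1
                }
            }
        }
        END {
            end_peer()
            if (priv == "" || priv ~ /^</) print "FAIL: PrivateKey missing or still a placeholder"
            # wg keeps an allowed IP on one peer only, so a duplicate silently moves it.
            for (ip in owners) if (owners[ip] > 1) print "FAIL: " ip " appears in " owners[ip] " AllowedIPs entries"
            # Assumption: ListenPort marks the server side, where each peer should own a /32.
            if (server) for (p in wide) print "FAIL: peer " p " may source any address (/0)"
        }' "$conf")
    if [ -n "$out" ]; then echo "$out"; findings=1; fi
    return $findings
}
# Usage: audit the path given on the command line, e.g. /etc/wireguard/wg0.conf
if [ $# -gt 0 ]; then wg_conf_audit "$1"; fi
```

On the server, AllowedIPs also acts as the source-address filter for each peer, which is why a `/0` entry is flagged there but accepted in the client config.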