Wireguard Setup

This post is a short digest of this video, with my own additions and fixes!

In short this is a tutorial on how to configure a wireguard network in a server-client model where:

  1. The server-peer runs OpenBSD
  2. One client-peer runs Archlinux
  3. Another client-peer runs Android (the wireguard app on F-Droid)

On OpenBSD (Server)

  1. Run the following commands:

    umask 077   # new key files readable by root only
    echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
    sysctl net.inet.ip.forwarding=1   # apply now as well, not only after the next reboot
    mkdir -p /etc/wireguard; cd /etc/wireguard
    pkg_add wireguard-tools   # provides /usr/local/bin/wg
    wg genkey > private.key
    wg pubkey < private.key > public.key
    

    This will enable ip-forwarding (persistently, via sysctl.conf), install the WireGuard tools, and generate the public and private keys for the “server”

  2. Create the file wg0.conf however you like with content:

    [Interface]
    PrivateKey =
    ListenPort =
    
    [Peer] # 
    PublicKey = THIS-WILL-BE-GENERATED-COME-BACK-LATER
    AllowedIPs = 192.168.1.2/32 # static-vpn-ip/32
    PersistentKeepAlive = 25 # helps with connectivity problems
    
    #[Peer]
    #PublicKey = THIS-WILL-BE-GENERATED-COME-BACK-LATER
    #AllowedIPs = 192.168.1.3/32 # static-vpn-ip/32
    #PersistentKeepAlive = 25 
    

    This confused me in the video as I think he configured the clients with 0.0.0.0/0 which (for some reason) works with one “client” (peer), but nukes the network once you add more peers (made a lot of sense once I realized wireguard is peer-to-peer)

  3. Add the following lines to /etc/pf.conf:

    pass in on wg0
    pass in inet proto udp from any to any port $theportyouchose
    pass out on egress inet from (wg0:network) nat-to ($yourwaninterface)
    

    This is a straight copy-paste from the video; adapt it to your particular setup and security context

  4. Run the following to reload the firewall rules:

    pfctl -f /etc/pf.conf
    

    Remember to fix any problems reported after running this command. These are typically syntax errors, which would otherwise break your firewall on reboot

  5. Create /etc/hostname.wg0 with contents:

    inet 192.168.1.1 255.255.255.0 NONE
    up
    ! /usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
    

    This is what actually creates the wg0 interface. I have chosen 192.168.1.1 to be the “server ip” within this VPN. Adapt to your needs. Make sure the path to wg0.conf matches wherever you put the file.

  6. Run the following to start wg0:

    sh /etc/netstart wg0
    

    It should fail at this point, because the keys in wg0.conf are still missing

On Archlinux (Peer 1)

  1. Run the following commands:

    sudo pacman -Syu wireguard-tools
    sudo mkdir -p /etc/wireguard && cd /etc/wireguard
    # run as root with umask 077 so private.key is not world-readable
    sudo sh -c 'umask 077; wg genkey | tee private.key | wg pubkey > public.key'
    
  2. Create wg0.conf with contents:

    [Interface]
    PrivateKey = SEE-CONTENT-OF-FILE-YOU-JUST-GENERATED
    Address = 192.168.1.2/24 # or whatever you want
    
    [Peer]
    PublicKey = THE-PUBLIC-KEY-OF-YOUR-SERVER
    Endpoint = serverip.or.domain.com:listenport
    AllowedIPs = 0.0.0.0/0, ::/0 # do whatever you want here
    PersistentKeepalive = 25 # helps connectivity
    

    This file dictates what wg0 routes via the VPN. In this case it’s 0.0.0.0/0 which means: all traffic. If you only have a few things you want to route via the VPN, limit AllowedIPs. Remember that the interface address must match AllowedIPs for this peer in the “server config”
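The two warnings above (AllowedIPs on the server is a routing table, so giving several peers 0.0.0.0/0 breaks routing; and a client's Address must be the prefix the server assigns to that peer) can be checked mechanically. The following is an added example, not code from the post or from the WireGuard project: it parses wg0.conf files of the kind shown here, models cryptokey routing the way wg(8) does (a prefix belongs to exactly one peer, the most specific match wins), and reports a client whose Address the server would route to someone else. The sample configs and key strings are constructed placeholders, not real key material.

```python
import ipaddress

# Constructed sample configs in the format of the post's wg0.conf files.
# Key values are placeholders, not real key material.
SERVER_GOOD = """
[Interface]
PrivateKey = SERVER-PRIVATE-KEY-PLACEHOLDER
ListenPort = 51820

[Peer] # laptop
PublicKey = LAPTOP-PUBKEY-PLACEHOLDER
AllowedIPs = 192.168.1.2/32

[Peer] # phone
PublicKey = PHONE-PUBKEY-PLACEHOLDER
AllowedIPs = 192.168.1.3/32
"""

# The mistake described in the text: every peer gets 0.0.0.0/0 on the server.
SERVER_BAD = """
[Interface]
PrivateKey = SERVER-PRIVATE-KEY-PLACEHOLDER
ListenPort = 51820

[Peer] # laptop
PublicKey = LAPTOP-PUBKEY-PLACEHOLDER
AllowedIPs = 0.0.0.0/0

[Peer] # phone
PublicKey = PHONE-PUBKEY-PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""

CLIENT_LAPTOP = """
[Interface]
PrivateKey = LAPTOP-PRIVATE-KEY-PLACEHOLDER
Address = 192.168.1.2/24

[Peer]
PublicKey = SERVER-PUBKEY-PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse wg(8)-style INI text into (interface_dict, [peer_dict, ...]).
    '#' starts a comment; keys are case-insensitive and stored lower-cased."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]").lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def build_routing_table(peers):
    """Model cryptokey routing: each AllowedIPs prefix belongs to exactly one
    peer. As in wg(8), a prefix given to a later peer is taken from the earlier one."""
    table = {}
    for peer in peers:
        for prefix in peer.get("allowedips", "").split(","):
            if prefix.strip():
                net = ipaddress.ip_network(prefix.strip(), strict=False)
                table[net] = peer["publickey"]
    return table


def route(table, dst):
    """Longest-prefix match: public key of the peer that receives dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in table if addr in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def check_client(server_text, client_text, client_pubkey):
    """Problems a client would hit against this server config. The client's own
    public key is passed in because the client config only holds the private key."""
    _, server_peers = parse_wg_conf(server_text)
    iface, client_peers = parse_wg_conf(client_text)
    problems = []
    if not any(p.get("publickey") == client_pubkey for p in server_peers):
        problems.append("server has no [Peer] with this client's public key")
    addr = ipaddress.ip_interface(iface["address"]).ip
    owner = route(build_routing_table(server_peers), str(addr))
    if owner != client_pubkey:
        problems.append(f"server routes {addr} to {owner}, not to this client")
    if not client_peers or "endpoint" not in client_peers[0]:
        problems.append("client [Peer] has no Endpoint for the server")
    return problems
```

With SERVER_GOOD the laptop's 192.168.1.2 is routed to the laptop's key and the check returns no problems; with SERVER_BAD the second 0.0.0.0/0 takes the route from the first peer, so the server would send the laptop's return traffic to the phone, which is the "one peer works, two peers break" behaviour the text describes.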

  3. Run the following command to start wg0:

    sudo wg-quick up wg0
    

    It should fail because the server does not know us (yet)

Back to Server

  1. Add the public key to the relevant [Peer] section on the “server”:

    [Interface] # The (this) wireguard interface (wg0)
    PrivateKey =
    ListenPort =
    
    [Peer] # A laptop or something
    PublicKey = PUT-THE-PUBLIC-KEY-HERE
    AllowedIPs =
    PersistentKeepAlive =
    
    [Peer] # Your (android) phone perhaps?
    PublicKey =
    AllowedIPs =
    PersistentKeepAlive =
    
  2. Re-run sh /etc/netstart wg0 to start the virtual interface

Back to Arch

The VPN should work now; poke around if it does not

    sudo wg-quick up wg0 # enables VPN
    sudo wg-quick down wg0 # disables VPN

Android Peer

  1. Install the Wireguard App from F-Droid (or wherever you get your APKs)
  2. Click the + button to add a new interface
  3. I tricked myself a lot in the following steps:
  4. Configure the wireguard interface:
    1. You need to generate a private key in the app
    2. The public key will automatically be filled in for you (don't touch it)
    3. The “Addresses” field is the static ip you want to take in the VPN subnet
    4. DON'T SET THE LISTEN PORT (unless you know what you’re doing)
    5. I just set the DNS field to 1.1.1.1 and the MTU to 1280 (not sure if that's necessary)
  5. Configure the server peer:
    1. You need to enter the public key of the server in the “Public key” field
    2. Persistent keepalive can be set to 25 or something (connectivity)
    3. The allowed IPs can be configured the same way as on the arch-peer
    4. The endpoint is the same as on the arch-peer
  6. Tap Save and Enable the interface

I had lots of trouble getting the phone to connect even though my arch peer worked right away. Then I remembered something one of my colleagues always says: “It’s not a problem until you have restarted”. It worked straight away after rebooting my server.

Hope this can be useful.