WireGuard (OpenBSD)


Prologue

!! Work in progress !!

WireGuard is a reliable, easy-to-use VPN solution built on modern cryptography. On OpenBSD it is implemented in the kernel as the wg(4) interface, and all configuration is done with ifconfig(8); a persistent setup is just a hostname.if(5) file. Here are some examples.

Scenario: Peer-to-Peer

Manual

Server:

# openssl rand -base64 32 > srv.key
# openssl rand -base64 32 > psk.key
# ifconfig wg0 create wgkey `cat srv.key` wgport 5000
# ifconfig wg0 | grep wgpubkey | cut -d ' ' -f 2 > srv.pub

srv.key is the private key and psk.key the optional pre-shared key. Both are secrets: create them with a restrictive umask or make them readable by root only before going on (the backtick also places the key on the ifconfig command line, where ps(1) can show it for a moment). Plain random bytes are a valid private key because wg(4) clamps them the way X25519 requires.

Now copy srv.pub and psk.key to the client over an authenticated channel such as scp(1): the PSK is secret, and a swapped public key would let the client complete its handshake with someone other than your server.

Client:

# openssl rand -base64 32 > cl.key
# ifconfig wg0 create wgkey `cat cl.key`
# ifconfig wg0 | grep wgpubkey | cut -d ' ' -f 2 > cl.pub
# ifconfig wg0 wgpeer `cat srv.pub` wgpsk `cat psk.key` wgendpoint 10.0.1.1 5000 wgaip 172.16.0.1/32 wgpka 60
# ifconfig wg0 inet 172.16.0.2/24

The client needs no wgport since it only initiates; wgendpoint names the server's public address and UDP port, wgaip restricts the tunnel to the server's VPN address, and wgpka 60 sends a keepalive every 60 seconds so that a NAT in between keeps the mapping open and the server can reach the client.

Copy cl.pub to the server (the same way as above).

Server:

# ifconfig wg0 wgpeer `cat cl.pub` wgpsk `cat psk.key` wgaip 172.16.0.2/32 wgpka 60
# ifconfig wg0 inet 172.16.0.1/24

Client:

# ping 172.16.0.1

The first packet triggers the handshake; `ifconfig wg0` on either side should then show the peer with traffic counters and a recent handshake.

Persisting across reboots

Server:

Create the file /etc/hostname.wg0:

wgkey ccGQiUPYghwzfp63/pzF7nYvp68G34EpT52Q7ebeabg= wgport 5000
wgpeer fcbqzsmz1q+sSPRDJYE4iNLtAXPVGI3ANXwvILLnRik= wgpsk TUTcyH604vbgS+Zs4vJM9EhztbSyCQuRFTBmlVE9F4o= wgaip 172.16.0.2/32 wgpka 60
inet 172.16.0.1/24
up

Client:

Create the file /etc/hostname.wg0:

wgkey DCYnxM//wireCmukQLrkAbMgeRY50/pcBpNvjRmg7RA=
wgpeer 8dTlkQmFvtWcqS2BBX5GzfLMMee5n+RgFUUNGB19ZF4= wgpsk TUTcyH604vbgS+Zs4vJM9EhztbSyCQuRFTBmlVE9F4o= wgendpoint 10.0.1.1 5000 wgaip 172.16.0.1/32 wgpka 60
inet 172.16.0.2/24
up

On both:

# chmod 640 /etc/hostname.wg0
# chown root:wheel /etc/hostname.wg0

Both files contain a private key and the PSK, so they must not be readable by other users.
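
Everything the two hostname.wg0 files above encode can also be produced on an admin host without creating any interface. The following is an added example, not code from this page or from OpenBSD: it derives the wgpubkey from a wgkey with a pure-Python X25519 (RFC 7748; the test vectors of that RFC are the reference), generates keys the same way `openssl rand -base64 32` does, renders both sides' files and writes them mode 0600. The file names hostname.wg0.server/.client and all function names are assumptions.

```python
"""Offline WireGuard key handling for OpenBSD hostname.wg0 files.

Added example, not code from this wiki page or from OpenBSD. wg(4) only shows
a wgpubkey once the interface exists; this derives it from a wgkey with a
pure-Python X25519 (RFC 7748), so an admin host can generate every key, derive
the public halves and write both hostname.wg0 files without creating an
interface. File names in the usage at the bottom are assumptions.
"""
import base64
import os
import secrets
from typing import List, Optional

P = 2**255 - 19                         # Curve25519 field prime
A24 = 121665                            # (486662 - 2) / 4, RFC 7748
BASEPOINT = (9).to_bytes(32, "little")  # u = 9

def _clamp(k: int) -> int:
    # RFC 7748 scalar clamping. wg(4) clamps wgkey the same way, which is why
    # the 32 random bytes from `openssl rand -base64 32` are a valid key.
    k &= (1 << 255) - 1   # clear bit 255
    k &= ~7               # clear the three low bits
    k |= 1 << 254         # set bit 254
    return k

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder, RFC 7748 section 5. Not constant-time: fine for
    deriving and checking keys on an admin host, not a production primitive."""
    k = _clamp(int.from_bytes(scalar, "little"))
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def new_key() -> str:
    """32 random bytes, base64: what `openssl rand -base64 32` produces.
    Used for wgkey and wgpsk alike."""
    return b64(secrets.token_bytes(32))

def wg_pubkey(wgkey_b64: str) -> str:
    """The wgpubkey that `ifconfig wg0` prints for this wgkey."""
    sk = base64.b64decode(wgkey_b64, validate=True)
    if len(sk) != 32:
        raise ValueError("wgkey must decode to exactly 32 bytes")
    return b64(x25519(sk, BASEPOINT))

def render_hostname_wg(wgkey: str, inet: str, peers: List[dict],
                       wgport: Optional[int] = None) -> str:
    """/etc/hostname.wg0 in the layout used on this page. Each peer dict has
    pubkey, psk, aips (CIDR list), optionally endpoint ("host port"), pka."""
    lines = [f"wgkey {wgkey}" + (f" wgport {wgport}" if wgport else "")]
    for p in peers:
        parts = [f"wgpeer {p['pubkey']}", f"wgpsk {p['psk']}"]
        if "endpoint" in p:
            parts.append(f"wgendpoint {p['endpoint']}")
        parts += [f"wgaip {aip}" for aip in p["aips"]]
        parts.append(f"wgpka {p.get('pka', 60)}")
        lines.append(" ".join(parts))
    lines += [f"inet {inet}", "up"]
    return "\n".join(lines) + "\n"

def write_private(path: str, text: str) -> None:
    """Create the file 0600 from the start; it holds wgkey and wgpsk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

if __name__ == "__main__":
    srv_key, cl_key, psk = new_key(), new_key(), new_key()
    server = render_hostname_wg(srv_key, "172.16.0.1/24", wgport=5000, peers=[
        {"pubkey": wg_pubkey(cl_key), "psk": psk, "aips": ["172.16.0.2/32"]}])
    client = render_hostname_wg(cl_key, "172.16.0.2/24", peers=[
        {"pubkey": wg_pubkey(srv_key), "psk": psk, "aips": ["172.16.0.1/32"],
         "endpoint": "10.0.1.1 5000"}])
    write_private("hostname.wg0.server", server)  # assumed names; copy to
    write_private("hostname.wg0.client", client)  # /etc/hostname.wg0 per host
```

Run it once on the admin host and copy each file to /etc/hostname.wg0 on the matching machine. wg_pubkey() is also a quick way to verify an exchanged key: the wgpeer value in the client's file must equal wg_pubkey() of the wgkey in the server's file, and vice versa.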

Scenario: VPN-Gateway

To let the client reach the world through the server, the server must forward packets (net.inet.ip.forwarding=1 in /etc/sysctl.conf, as in the branch-office scenario below), the client's peer entry for the server must carry wgaip 0.0.0.0/0 and the client's default route must point at 172.16.0.1 (both are shown in the branch-office configs below), and the server must NAT the tunnel traffic. For the NAT, add the following rules to /etc/pf.conf, keeping your existing rule set: pf passes everything when no rule matches, so these three lines on their own are not a firewall.

pass in proto udp from any to any port 5000 keep state
pass on wg0
match out on egress from (wg0:network) to any nat-to (egress:0)

Verify the configuration file:

# pfctl -n -f /etc/pf.conf

And activate the changes:

# pfctl -f /etc/pf.conf

Scenario: Company with branch offices

Consider the following scenario: A company has a head office where all servers are located. In addition, there are two branch offices where some clients are located who want to access these servers.

(Figure: OpenBSD WireGuard Scenario 3, network diagram)


The following table provides an overview of the IP addresses used:

WireGuard VPN Hosts

Hostname   Public IP        VPN IP           Private IP
wg0        10.0.1.10/24     172.16.0.1/24    192.168.0.1/24
wg1        10.0.1.11/24     172.16.0.2/24    192.168.1.1/24
wg2        10.0.1.12/24     172.16.0.3/24    192.168.2.1/24, 192.168.3.1/24

In this example 10.0.1.0/24 stands in for the Internet: these are the hosts' "public" addresses, the ones the WireGuard endpoints are reachable on. 172.16.0.0/24 is the VPN transfer net, which carries the routed traffic between the gateways. Finally, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 are the company-internal nets.

Clients and Server

Hostname   Private IP
srv0       192.168.0.10/24
cl1        192.168.1.50/24
cl2        192.168.2.50/24
cl3        192.168.3.50/24

Host: wg0

File /etc/sysctl.conf:

net.inet.ip.forwarding=1

File /etc/hostname.vio0:

inet 10.0.1.10 0xffffff00

File /etc/hostname.vio1:

inet 192.168.0.1/24

File /etc/hostname.wg0:

wgkey jXfr8jv3uTilsvJl9j52j0k4+8ECcilAxWHEPeaHbWI=
wgport 5000
wgpeer S3quxk4hqshRfCV+T/CyjvDiqGc9sPIzueGsQURmQHk= wgpsk IyhNbttjbCh1ku+FL4TzfXgmuJIBfcZSidBqqF4GSlQ= wgpka 60 wgaip 172.16.0.2/32 wgaip 192.168.1.0/24
wgpeer 0WMsM9SfbQL2UjbrD3Yan+Raya9BA8fY8igJ4mE0KQI= wgpsk IyhNbttjbCh1ku+FL4TzfXgmuJIBfcZSidBqqF4GSlQ= wgpka 60 wgaip 172.16.0.3/32 wgaip 192.168.2.0/24 wgaip 192.168.3.0/24
inet 172.16.0.1/24
up

!route -n add 192.168.1.0/24 172.16.0.2
!route -n add 192.168.2.0/24 172.16.0.3
!route -n add 192.168.3.0/24 172.16.0.3

The wgaip lists are the cryptokey routing table: outbound, a destination is sent to the peer whose wgaip contains it; inbound, a decrypted packet is accepted only if its source address lies within the sending peer's wgaip, so a branch cannot inject packets carrying another branch's addresses. They do not install kernel routes, which is what the "!route" lines (run by netstart(8) once the interface is up) are for. Note that this example uses one wgpsk for both branch peers; WireGuard's pre-shared key is a per-peer value, so give each peer its own.

Host: wg1

File /etc/sysctl.conf:

net.inet.ip.forwarding=1

File /etc/hostname.vio0:

inet 10.0.1.11 0xffffff00

File /etc/hostname.vio1:

inet 192.168.1.1/24

File /etc/hostname.wg0:

wgkey XsxeQRGiWgA0D7TYUOhlx0Q9xgKA4Sso6Ihgjr+Ix0E=
wgpeer 9hJKhr0YzbS+A4bodjre1mpVsx+FgZ7VXH7I86AJmS4= wgpsk IyhNbttjbCh1ku+FL4TzfXgmuJIBfcZSidBqqF4GSlQ= wgendpoint 10.0.1.10 5000 wgpka 60 wgaip 0.0.0.0/0
inet 172.16.0.2/24
up

!route -n change default 172.16.0.1
!ping -c 2 172.16.0.1

With wgaip 0.0.0.0/0 and the default route pointing into the tunnel, everything the branch sends that is not on its own LAN, Internet-bound traffic included, goes to the head office; wg0 then needs a NAT rule like the one in the VPN-Gateway scenario if the branches are to reach the Internet that way. The encrypted UDP packets to 10.0.1.10 are not affected, because 10.0.1.0/24 is directly connected on vio0. "route change" assumes a default route already exists (from /etc/mygate); if there is none, use route's add verb instead. The ping only forces the first handshake at boot. The same remarks apply to wg2 below.

Host: wg2

File /etc/sysctl.conf:

net.inet.ip.forwarding=1

File /etc/hostname.vio0:

inet 10.0.1.12 0xffffff00

File /etc/hostname.vio1:

inet 192.168.2.1/24

File /etc/hostname.vio2:

inet 192.168.3.1/24

File /etc/hostname.wg0:

wgkey yJDhn/hZCYdQjNePPbpZ9tJNF40HByXnPdWfAHqDDDc=
wgpeer 9hJKhr0YzbS+A4bodjre1mpVsx+FgZ7VXH7I86AJmS4= wgpsk IyhNbttjbCh1ku+FL4TzfXgmuJIBfcZSidBqqF4GSlQ= wgendpoint 10.0.1.10 5000 wgaip 0.0.0.0/0 wgpka 60
inet 172.16.0.3/24
up

!route -n change default 172.16.0.1
!ping -c 2 172.16.0.1
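
How the three hosts' wgaip lists fit together is easier to see by modelling them. The following is an added example, not code from this page or from OpenBSD: it reproduces the two things wg(4) does with wgaip (peer selection by longest-prefix match on transmit, source check against the sending peer's wgaip on receive), derives the route(8) commands the hostname.wg0 files need because wgaip is not a kernel route, and walks packets host by host through the VPN. The host table is the one from this page; the class and function names, and the spoofed packet in the usage, are constructed for the example.

```python
"""Cryptokey routing ("wgaip") model for the branch-office scenario.

Added example, not code from the wiki page or from OpenBSD. HOSTS is the
page's host table; WgInterface, tunnel_path and the spoofed packet in the
usage are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class WgInterface:
    """One wg(4) interface: its inet address, the LANs behind the host, and
    for each peer its VPN address plus wgaip list."""

    def __init__(self, host: str, inet: str, lans: List[str],
                 peers: Dict[str, Tuple[str, List[str]]]):
        self.host = host
        self.addr = ipaddress.ip_interface(inet)
        self.lans = [ipaddress.ip_network(n) for n in lans]
        self.peers = {name: (ipaddress.ip_address(vpn_ip),
                             [ipaddress.ip_network(a) for a in aips])
                      for name, (vpn_ip, aips) in peers.items()}

    def select_peer(self, dst: str) -> Optional[str]:
        """Transmit: longest-prefix match of dst over every peer's wgaip."""
        ip = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, (_, nets) in self.peers.items():
            for net in nets:
                if ip in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def accept_inbound(self, peer: str, src: str) -> bool:
        """Receive: the decrypted packet's source must map back to the peer it
        came from, otherwise wg(4) drops it. This is what stops a branch from
        injecting packets that carry another branch's addresses."""
        return self.select_peer(src) == peer

    def routes_needed(self) -> List[Tuple[str, str]]:
        """(destination, gateway) pairs for route(8): every wgaip prefix that is
        not inside the interface's own network, via the peer's VPN address.
        0.0.0.0/0 is reported as 'default', matching `route change default`."""
        out = []
        for vpn_ip, nets in self.peers.values():
            for net in nets:
                if net.subnet_of(self.addr.network):
                    continue  # on-link through the transfer net, no route needed
                out.append(("default" if net.prefixlen == 0 else str(net), str(vpn_ip)))
        return out


def tunnel_path(ifaces: Dict[str, WgInterface], start: str, src: str, dst: str) -> List[str]:
    """Walk a packet hop by hop through the VPN hosts. Ends with 'delivered',
    'dropped@<host>' (source failed the wgaip check at that host) or
    'offtunnel' (no peer matches; the host's ordinary routing table takes over)."""
    path, here = [start], start
    ip = ipaddress.ip_address(dst)
    for _ in range(len(ifaces) + 1):
        wg = ifaces[here]
        if ip == wg.addr.ip or any(ip in lan for lan in wg.lans):
            return path + ["delivered"]
        nxt = wg.select_peer(dst)
        if nxt is None:
            return path + ["offtunnel"]
        if not ifaces[nxt].accept_inbound(here, src):
            return path + [f"dropped@{nxt}"]
        path.append(nxt)
        here = nxt
    return path + ["loop"]


# Host table from the page: VPN inet, LANs, {peer: (peer VPN IP, wgaip list)}
HOSTS = {
    "wg0": WgInterface("wg0", "172.16.0.1/24", ["192.168.0.0/24"], {
        "wg1": ("172.16.0.2", ["172.16.0.2/32", "192.168.1.0/24"]),
        "wg2": ("172.16.0.3", ["172.16.0.3/32", "192.168.2.0/24", "192.168.3.0/24"]),
    }),
    "wg1": WgInterface("wg1", "172.16.0.2/24", ["192.168.1.0/24"], {
        "wg0": ("172.16.0.1", ["0.0.0.0/0"]),
    }),
    "wg2": WgInterface("wg2", "172.16.0.3/24", ["192.168.2.0/24", "192.168.3.0/24"], {
        "wg0": ("172.16.0.1", ["0.0.0.0/0"]),
    }),
}

if __name__ == "__main__":
    for name, wg in HOSTS.items():          # the !route lines of each hostname.wg0
        for dst, gw in wg.routes_needed():
            print(f"{name}: route -n add {dst} {gw}")
    print(tunnel_path(HOSTS, "wg2", "192.168.2.50", "192.168.1.50"))  # cl2 -> cl1
    # constructed: wg1 sends a packet whose source is a wg2 LAN address
    print(tunnel_path(HOSTS, "wg1", "192.168.2.50", "192.168.0.10"))
```

The routes it prints are exactly the "!route" lines of the three hostname.wg0 files, and the cl2 -> cl1 walk (wg2, wg0, wg1) matches the traceroute in the next section. The spoofed packet is dropped at wg0: its source 192.168.2.50 belongs to wg2's wgaip, not wg1's, which is why the hub lists each branch's subnets explicitly instead of giving every peer 0.0.0.0/0.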

Routing and VPN Tests

  • cl3 -> srv0
cl3# traceroute 192.168.0.10
traceroute to 192.168.0.10 (192.168.0.10), 64 hops max, 40 byte packets
 1  192.168.3.1 (192.168.3.1)  0.181 ms  0.071 ms  0.068 ms
 2  172.16.0.1 (172.16.0.1)  0.291 ms  0.208 ms  0.189 ms
 3  192.168.0.10 (192.168.0.10)  0.312 ms  0.21 ms  0.277 ms
  • srv0 -> cl1
srv0# traceroute 192.168.1.50
traceroute to 192.168.1.50 (192.168.1.50), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.132 ms  0.089 ms  0.085 ms
 2  172.16.0.2 (172.16.0.2)  1.08 ms  0.316 ms  0.156 ms
 3  192.168.1.50 (192.168.1.50)  0.447 ms  0.285 ms  0.245 ms
  • cl3 -> cl2
cl3# traceroute 192.168.2.50
traceroute to 192.168.2.50 (192.168.2.50), 64 hops max, 40 byte packets
 1  192.168.3.1 (192.168.3.1)  0.126 ms  0.063 ms  0.063 ms
 2  192.168.2.50 (192.168.2.50)  0.334 ms  0.164 ms  0.177 ms
  • cl2 -> cl1
cl2# traceroute 192.168.1.50
traceroute to 192.168.1.50 (192.168.1.50), 64 hops max, 40 byte packets
 1  192.168.2.1 (192.168.2.1)  0.116 ms  0.087 ms  0.076 ms
 2  172.16.0.1 (172.16.0.1)  0.244 ms  0.196 ms  0.156 ms
 3  172.16.0.2 (172.16.0.2)  0.319 ms  0.314 ms  0.275 ms
 4  192.168.1.50 (192.168.1.50)  0.393 ms  0.393 ms  0.325 ms