Title: OpenBSD scripts to convert wg-quick VPN files
Author: Solène
Date: 27 April 2024
Tags: openbsd vpn security
Description: In this article, you will learn about scripts that allow using commercial VPN provider files on OpenBSD
# Introduction
If you use a commercial VPN, you may have noticed that they all provide
WireGuard configurations in the wg-quick format, which is not convenient
to use on OpenBSD.
As I currently work a lot for a VPN provider, I often have to play with
configurations and I really needed a script to ease my work.
I made a shell script that turns a wg-quick configuration into a
hostname.if compatible file, for a full integration into OpenBSD. This
is practical if you always want to connect to a given VPN server, not
for temporary connections.
OpenBSD manual pages: hostname.if
Sourcehut project: wg-quick-to-hostname-if
# Usage
It is really easy to use: download the script and mark it executable,
then run it with your wg-quick configuration as a parameter. It writes
the hostname.if file to the standard output.
```
wg-quick-to-hostname-if fr-wg-001.conf | doas tee /etc/hostname.wg0
```
The generated file uses a trick to dynamically determine the current
default route, which is required to keep a route to the VPN gateway
that does not go through the VPN itself.
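As an added example (not Solène's script, which lives in the Sourcehut project above), here is a minimal shell conversion for the format described in this section: it maps the wg-quick [Interface] and [Peer] keys to the ifconfig keywords that hostname.if(5) accepts, emits one wgaip per AllowedIPs prefix, and adds a host route to the endpoint through whatever default gateway exists when the file is applied, which is my own rendering of the default-route trick. It assumes a single [Peer] section and an IPv4 endpoint; the sample file and its keys are constructed placeholders, and switching the default route into the tunnel is deliberately left out.

```shell
# Constructed wg-quick sample; the keys are placeholders, not real WireGuard keys.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
EOF

# Print hostname.if(5) lines for the wg-quick file named in $1.
# Assumes one [Peer] section; wg-quick key names are unique, so sections need no tracking.
wgquick_to_hostname_if() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#[]/ || /^[ \t]*$/ { next }        # skip comments, [Section] headers and blank lines
    {
        i = index($0, "="); if (i == 0) next    # split at the first "=" only: base64 keys end with "="
        k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
        if (k == "PrivateKey") key = v;  if (k == "ListenPort") port = v
        if (k == "Address") addr = v;    if (k == "DNS") dns = v
        if (k == "PublicKey") pub = v;   if (k == "AllowedIPs") aip = v
        if (k == "PersistentKeepalive") pka = v
        if (k == "Endpoint") {                  # host:port, split at the last ":"
            n = match(v, /:[0-9]+$/); ephost = substr(v, 1, n - 1); epport = substr(v, n + 1)
        }
    }
    END {
        print "wgkey " key
        if (port != "") print "wgport " port
        line = "wgpeer " pub " wgendpoint " ephost " " epport
        m = split(aip, list, /[ \t]*,[ \t]*/)   # one wgaip keyword per allowed prefix
        for (j = 1; j <= m; j++) line = line " wgaip " list[j]
        if (pka != "") line = line " wgpka " pka
        print line
        if (dns != "") print "# DNS " dns ": not an ifconfig setting, configure resolv.conf(5) separately"
        fam = index(addr, ":") ? "inet6" : "inet"; print fam " " addr
        print "up"
        # host route to the VPN gateway via whatever the default gateway is when the file is applied
        print "!route -n add -host " ephost " $(route -n get default | sed -n \"s/^ *gateway: //p\")"
    }' "$1"
}

wgquick_to_hostname_if "$SAMPLE_CONF"
```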
# Short VPN sessions
When I shared my script on mastodon, Carlos Johnson shared their own
script which is pretty cool and complementary to mine.
If you prefer to establish a VPN for a limited session, you may want to
take a look at his script.
Carlos Johnson GitHub: file-wg-sh gist
# Prevent leaks
If you need your WireGuard VPN to be leakproof (no network traffic may
leave the physical network interface outside the VPN unless it is toward
the VPN gateway), you should absolutely do the following:
* your WireGuard interface should be in rdomain 0
* the WireGuard tunnel itself should be established on another rdomain
* use PF to block traffic on that other rdomain that is not toward the
VPN gateway
* use the VPN provider's DNS or a no-log public DNS provider
Older blog post: WireGuard and rdomains
# Conclusion
OpenBSD's ability to configure WireGuard VPNs with ifconfig has always
been an incredible feature, but converting wg-quick files was not always
fun. Now, using a commercial VPN got a lot easier thanks to a few
pieces of shell.