Replacing tinc with wireguard
──────────────────────────────────────────────────────────────────────
After a few months of heavy procrastination, I finally replaced my old
tinc[0] mesh VPN with wireguard[1].
Since version 6.8, OpenBSD ships with the wg(4) driver by default, and
ifconfig(8) provides everything required to set up a wireguard VPN.
You don't even need the (in)famous wireguard-tools package!
Generating the private key is done with openssl(1):
openssl rand -base64 32
y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=
You can then put it in /etc/hostname.wg0, along with your peers'
public keys (the file holds your private key, so keep it owned by root
and mode 0640, as hostname.if(5) recommends):
# /etc/hostname.wg0
inet 10.0.0.1 255.255.255.240
wgport 51820 wgkey y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=
wgpeer FbRKfD8E6D/6xIHJqpigq0I6DYe63pF/ak1FArQXoDA= wgendpoint peer1.domain.tld 51820 wgaip 10.0.0.2
wgpeer z6sXdKvJAYnjqL2pTUoG8U+mzj19lcgUdfHXV8pLAkQ= wgendpoint peer2.domain.tld 51820 wgaip 10.0.0.3
up
The public key, which is what your peers need for their wgpeer line, is
printed along with the other interface attributes under the name
"wgpubkey". Once the interface is up, use ifconfig(8) to get it:
doas ifconfig wg0 | grep wgpubkey
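The whole procedure above (generate the key, write hostname.wg0, bring
the interface up, read back wgpubkey) as one POSIX sh script. This is an
added example, not the post's own drist setup: the peers file format
("pubkey endpoint port allowed-ip" per line), the function names, the
use of install(1) and netstart(8), and the sample addresses are
assumptions for illustration. It also validates every key before writing
it, because a truncated or mistyped base64 key makes ifconfig(8) reject
the file and leaves wg0 down at the next boot.

```sh
#!/bin/sh
# Added example: build /etc/hostname.wg0 from a private key and a peers
# list. Peers file format (assumed for this example):
#   <pubkey> <endpoint host> <endpoint port> <allowed ip>
set -e

# 32 random bytes, base64: exactly what wgkey expects. wg(4) clamps the
# value into a valid Curve25519 scalar itself.
gen_wgkey() {
    openssl rand -base64 32
}

# A wireguard key (private or a peer's public one) is 32 bytes of
# base64, i.e. 44 characters. Reject anything else before it reaches
# hostname.wg0, so a bad paste cannot break the interface at boot.
wgkey_valid() {
    key=$1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ ${#key} -eq 44 ] || return 1
    n=$(printf '%s\n' "$key" | openssl base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Print the hostname.wg0 contents on stdout.
# Usage: render_hostname_wg0 ADDR NETMASK PORT PRIVKEY PEERSFILE
render_hostname_wg0() {
    addr=$1 mask=$2 port=$3 privkey=$4 peers=$5
    wgkey_valid "$privkey" || { echo "invalid private key" >&2; return 1; }
    printf '# /etc/hostname.wg0\n'
    printf 'inet %s %s\n' "$addr" "$mask"
    printf 'wgport %s wgkey %s\n' "$port" "$privkey"
    # "|| [ -n "$pub" ]" still processes a last line lacking a newline.
    while read -r pub host pport aip || [ -n "$pub" ]; do
        case $pub in ''|'#'*) continue ;; esac
        wgkey_valid "$pub" || { echo "invalid peer key: $pub" >&2; return 1; }
        printf 'wgpeer %s wgendpoint %s %s wgaip %s\n' "$pub" "$host" "$pport" "$aip"
    done < "$peers"
    printf 'up\n'
}

# Install the file root-only (it contains the private key), bring wg0 up
# and print the public key to hand to the peers. Needs doas(1).
install_hostname_wg0() {
    tmp=$(mktemp)
    render_hostname_wg0 "$@" > "$tmp"
    doas install -o root -g wheel -m 0640 "$tmp" /etc/hostname.wg0
    rm -f "$tmp"
    doas sh /etc/netstart wg0
    doas ifconfig wg0 | grep wgpubkey
}

# Demo with constructed data (random keys, no real peers):
#   sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    peers=$(mktemp)
    printf '%s peer1.domain.tld 51820 10.0.0.2\n' "$(gen_wgkey)" > "$peers"
    render_hostname_wg0 10.0.0.1 255.255.255.240 51820 "$(gen_wgkey)" "$peers"
    rm -f "$peers"
fi
```

The validation only catches malformed keys; it cannot tell a peer's
real public key from an attacker's. Collect the wgpubkey values over an
authenticated channel (ssh, as drist does) and never over the tunnel you
are still setting up.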
So far it does the job just as well as tinc, but as it's built into the
kernel, no external tool/daemon is required, which is really nice.
I also managed to automate the whole setup (generate priv keys,
distribute public ones) thanks to drist(1).
keep hacking!
--
~wgs
[0]:
https://tinc-vpn.org
[1]:
https://wireguard.com
20210928.1804