Replacing tinc with wireguard
──────────────────────────────────────────────────────────────────────
After a few months of heavy procrastination, I finally replaced my old
tinc[0] mesh VPN with wireguard[1].

Since version 6.8, OpenBSD ships with the wg(4) driver by default,
providing ifconfig(8) with all the tools required to set up a wireguard
VPN.
You don't even need the (in)famous wireguard-tools package!

Generating the private key is done with openssl(1):

   openssl rand -base64 32
   y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=

You can then put it in /etc/hostname.wg0, along with your peers'
public keys:

   # /etc/hostname.wg0
   inet 10.0.0.1 255.255.255.240
   wgport 51820 wgkey y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=
   wgpeer FbRKfD8E6D/6xIHJqpigq0I6DYe63pF/ak1FArQXoDA= wgendpoint peer1.domain.tld 51820 wgaip 10.0.0.2
   wgpeer z6sXdKvJAYnjqL2pTUoG8U+mzj19lcgUdfHXV8pLAkQ= wgendpoint peer2.domain.tld 51820 wgaip 10.0.0.3
   up

The public key is printed along with the other interface attributes,
under the name "wgpubkey". Use ifconfig(8) to get it:

   doas ifconfig wg0 | grep wgpubkey
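The three steps above (generate the key, write hostname.wg0 with the peers,
bring the interface up) are easy to script. The following is an added
example, not code from the post: it validates every key as a
base64-encoded 32-byte value before anything is written, renders the
hostname.wg0 lines in the ifconfig(8) syntax shown above, and installs the
file with permissions that keep the private key readable by root only. The
peer list format, the function names and the addresses in the test are my
own assumptions; reading the public key back with "ifconfig wg0" is left
as in the post, since it needs the interface to exist.

```shell
#!/bin/sh
# Added example, not from the original post. Builds /etc/hostname.wg0 for
# OpenBSD's wg(4) from a peer list. Peer list format (assumed, one per line):
#   PUBKEY ENDPOINT ENDPOINT_PORT ALLOWED_IP

# A WireGuard key is 32 raw bytes: 44 base64 characters ending in one '=',
# where the character before '=' must have its low two bits clear.
is_wgkey() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Generate a private key the same way the post does.
gen_wgkey() {
    openssl rand -base64 32
}

# render_hostname_wg0 ADDR NETMASK PORT PRIVKEY  (peers on stdin)
# Refuses to emit anything if the private key or any peer key is malformed,
# so a typo cannot produce an interface with a bogus or missing peer.
render_hostname_wg0() {
    addr=$1; mask=$2; port=$3; key=$4
    is_wgkey "$key" || { echo "bad private key" >&2; return 1; }
    printf 'inet %s %s\n' "$addr" "$mask"
    printf 'wgport %s wgkey %s\n' "$port" "$key"
    while read -r pub ep epport aip; do
        [ -z "$pub" ] && continue
        is_wgkey "$pub" || { echo "bad peer key: $pub" >&2; return 1; }
        # wgaip restricts each peer to the address it is allowed to source.
        printf 'wgpeer %s wgendpoint %s %s wgaip %s\n' "$pub" "$ep" "$epport" "$aip"
    done
    printf 'up\n'
}

# install_hostname_wg0 FILE ADDR NETMASK PORT PRIVKEY  (peers on stdin)
# The file holds the private key, so create it unreadable to other users.
install_hostname_wg0() {
    file=$1; shift
    tmp="$file.tmp.$$"
    ( umask 077 && render_hostname_wg0 "$@" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Usage (constructed values; run as root on the real system):
#   printf 'PUBKEY1 peer1.domain.tld 51820 10.0.0.2\n' \
#     | install_hostname_wg0 /etc/hostname.wg0 10.0.0.1 255.255.255.240 51820 "$(gen_wgkey)"
#   sh /etc/netstart wg0
```

After installing the file, `sh /etc/netstart wg0` brings the interface up
and `ifconfig wg0` shows the wgpubkey to hand to the peers.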

So far it does the job just as well as tinc, but as it's built into the
kernel, no external tool/daemon is required, which is really nice.

I also managed to automate the whole setup (generate private keys,
distribute public ones) thanks to drist(1).

keep hacking!
--
~wgs

[0]: https://tinc-vpn.org
[1]: https://wireguard.com

20210928.1804