wireguard-bsd

PLEASE NOTE: THIS SOFTWARE DOES NOT GUARANTEE ANY SECURITY PROPERTIES (YET)

If you're lucky, this will allow you to send packets to another WireGuard peer. If you're even more lucky, it might be hard to decrypt those packets.

Installation

The easy way is to update from https://files.noconroy.net.

This can be achieved by rebooting into bsd.rd and running "update", or installing a fresh snapshot from an official mirror, or using cd65.iso from the above site.

Alternatively, snap can be used on a running (-current) system: snap

Build from source

To build from source, follow the steps in release(8), and use src/clean_patch.sh to patch the source code.

The openbsd_build.sh can assist you in this endeavour, but will not do it for you.

Using

Configuration is done primarily with ifconfig(8), as follows:

# ifconfig wg0 create
# ifconfig wg0 wgkey <priv key>
# ifconfig wg0 wgport <port>
# ifconfig wg0 wgpeer <peer key> wgpsk <psk>
# ifconfig wg0 wgpeer <peer key> wgpip <peer ip and port>
# ifconfig wg0 wgpeer <peer key> wgaip <allowed ip>
# ifconfig wg0 inet 192.168.1.1/24 up
$ ifconfig wg0
wg0: flags=81c1<UP,RUNNING,NOARP,PROMISC,MULTICAST> mtu 1420
        index 5 priority 0 llprio 3
        wgport 52800
        wgkey cnw6JyBR44QYNqHAS+N69EwLIoRkyJjPJ8e92wnhHgI=
        wgpeer KMc4GEgbBXSroeZBKWRUz7SmXCIm1XcZlmGlSllt1kY=
                tx: 0, rx: 0
                wgpsk 0F836d+oC+CsY/Q6ndlLSwpcyQ5LOyBEvqVi9QBeulg=
                wgpip 123.123.123.123 52800
                wgaip 192.168.1.1/24
        groups: wg
        inet 192.168.1.1 netmask 0xffffff00

This is likely to get rolled into a netstart(8) script, named /etc/hostname.wg0 or so:

wgport 3689
wgkey KmDUgApHqim36Iqwyph6SE90GIZx0Hq38mz1m8kpWfg=

wgpeer xY28FIHnumyD5ZNksGscYOD23PX27e9niZsP4gh6kBc= wgpsk +lg/KzRQQk1e939wMLlYRAAIxHuVz9dQkSoaOHumUxY=
wgpeer xY28FIHnumyD5ZNksGscYOD23PX27e9niZsP4gh6kBc= wgaip 10.0.0.2/32
wgpeer xY28FIHnumyD5ZNksGscYOD23PX27e9niZsP4gh6kBc= wgaip fc01::1/16
wgpeer xY28FIHnumyD5ZNksGscYOD23PX27e9niZsP4gh6kBc= wgpip 123.123.123.123 9863

up
10.0.0.1/30
inet6 fc01::1/16
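
A file like this holds wgkey and wgpsk in clear text, so it is worth linting before it is deployed. The following is an added example, not part of wireguard-bsd: a POSIX sh check for file mode, key format and port range. The function names and the sample values are assumptions made for illustration.

```shell
# Added example: lint a hostname.wg0-style file (keywords as shown above).

# A 32-byte key in base64 is 43 characters plus one '='. The 43rd character
# carries only 4 data bits, so it must be one of 16 values.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

is_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' &&
        [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_wg_conf FILE: print one finding per line, return 1 if any were found.
# Key material is never echoed; findings name the line and keyword only.
check_wg_conf() {
    f=$1 bad=0 n=0
    # Secrets are stored in the clear: "other" must have no access at all.
    [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] ||
        { echo "$f: accessible to other users"; bad=1; }
    set -f                              # no globbing while word-splitting
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
            wgkey|wgpeer|wgpsk)
                is_wg_key "${2-}" ||
                    { echo "line $n: $1 value is not a 32-byte base64 key"; bad=1; } ;;
            wgport)
                is_port "${2-}" ||
                    { echo "line $n: wgport is not in 1-65535"; bad=1; } ;;
            wgpip)                      # wgpip <ip> <port>
                is_port "${3-}" ||
                    { echo "line $n: wgpip port is not in 1-65535"; bad=1; } ;;
            esac
            shift
        done
    done < "$f"
    set +f
    return "$bad"
}

# Constructed sample: all-zero keys and a documentation address, no real secrets.
sample_conf() {
    k="$(printf '%043d' 0 | tr 0 A)="
    printf 'wgport 3689\nwgkey %s\n\nwgpeer %s wgpsk %s\n' "$k" "$k" "$k"
    printf 'wgpeer %s wgpip 192.0.2.1 9863\nup\n' "$k"
}
```

Run it as check_wg_conf /etc/hostname.wg0; a non-zero exit status means at least one finding was printed.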

Preliminary support has been added to the wg(8) tool, and can be used to view the configuration, but is not likely to be able to configure an interface. It is available at https://git.noconroy.net/WireGuard.git/log/?h=ncon/openbsd.

Known issues

  • No rate limiting on incoming handshake packets
  • Using net/art.h is kinda hacky (casting pointers)
  • No audit done of code
  • Code not perfect style(8)

Contact and support

  • ncon on freenode:#wireguard
  • ncon@mail.noconroy.net