Jared Tulayan

> blog > vpn1.html

Home VPN, pt. 1: A Basic Setup

2022-07-19

#computers #network


So right before I left for my trip to Florida I realized that there was no way to access my home network remotely. This was a bit of a sitch, so now that I’m back, I’m finally going to make one.

This can be done in two ways, and I’m thinking of doing the former:

While writing this, I tried doing all of this via a TrueNAS jail, but jails were missing features that I needed for configuring and running a VPN. Luckily, I have a bunch of laptops laying around that I can install OpenBSD on.

An old ACER Aspire that I installed OpenBSD 7.1 onto

I basically followed Mental Outlaw’s guide on hosting a WireGuard VPN on OpenBSD, but the steps are as follows:

VPN Server #

  1. I installed OpenBSD on my laptop, gave it a static IP, etc. I don’t believe having the IP be dynamic would actually cause any issues, but it would be easier to configure on a static IP.

  2. Allow ip forwarding. This needs to be put in /etc/sysctl.conf for it to be persistent across reboots, apparently.
     net.inet.ip.forwarding=1
     machdep.lidswitch=0 # Needed to disable suspend on lid close
    
  3. Install WireGuard and generate a keypair. Luckily, WireGuard has utilities for generating keys.
     # wg genkey > private.key
     # wg pubkey < private.key > public.key
    
  4. Configure WireGuard. WireGuard doesn’t have a default config, but this should be enough to get it started.
     [Interface]
     ListenPort = ******
     PrivateKey = ******************************************** # Server private key
        
     [Peer]
     PublicKey = ******************************************** # Client public key
     AllowedIPs = ***.***.***.***/**
     PersistentKeepalive = ***
    
  5. Configure pf/firewall. I think I only need to add the following 3 lines:
     pass in on wg0
     pass in inet proto udp from any to any port ***** # This port is the same as the listen port
     pass out on egress inet from (wg0:network) nat-to (bge:0)
    

    In the video, he’s using a Vultr VPS, which seems to have vio0 as the default interface. From my ifconfig, I believe that my device is bge0.

  6. Configure the VPN ip settings. This is put into /etc/hostname.wg0.
     inet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NONE # ip addr and netmask
     up
     !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
    

    From here, I can simply start up the wg0 device with

     # sh /etc/netstart wg0
    

    and it should start accepting connections to the VPN.

VPN Client #

Configuration for the client is about the same, but I configured via systemd-networkd, so I used networkd-unit files.

  1. Generate wireguard keypar.
  2. Created the WireGuard net device. The configuration is basically the same, just an added NetDev header. Interface info now goes under WireGuard and Peer info now goes under WireGuardPeer.
     [NetDev]
     Name=wg0
     type=wireguard
     Description=WireGuard tunnel
        
     [WireGuard]
     PrivateKey=******************************************** # Client private key
    
     [WireGuardPeer]
     PublicKey=******************************************** # Server public key
     Endpoint=***.***.***.***:****** # Server public IP and wireguard listening port
     AllowedIPs=***.***.***.***/*** # Allowed IPs and netmasks, you can use wildcards
    
  3. Added the associated network configuration.
     [Match]
     Name=wg0
        
     [Network]
     Address=***.***.***.***/***
    

Now I can just reload systemd-networkd and it should connect. I can successfully ping to the VPN server, but I can’t route the internet through it. I’ll have to figure out that another time.