Home VPN, pt. 1: A Basic Setup

So right before I left for my trip to Florida I realized that there was no way to access my home network remotely. This was a bit of a sitch, so now that I’m back, I’m finally going to make one.

This can be done in two ways, and I’m thinking of doing the former:

• Create a jail/container on my NAS machine, host it there
• Set up another device and have it on bare metal

While writing this, I tried doing all of this via a TrueNAS jail, but jails were missing features that I needed for configuring and running a VPN. Luckily, I have a bunch of laptops laying around that I can install OpenBSD on.

I basically followed Mental Outlaw’s guide on hosting a WireGuard VPN on OpenBSD, but the steps are as follows:

VPN Server #

1. I installed OpenBSD on my laptop, gave it a static IP, etc. I don’t believe having the IP be dynamic would actually cause any issues, but it would be easier to configure on a static IP.

2. Allow ip forwarding. This needs to be put in /etc/sysctl.conf for it to be persistent across reboots, apparently.

    net.inet.ip.forwarding=1
    machdep.lidswitch=0 # Needed to disable suspend on lid close
   

3. Install WireGuard and generate a keypair. Luckily, WireGuard has utilities for generating keys.

    # wg genkey > private.key
    # wg pubkey < private.key > public.key
   

4. Configure WireGuard. WireGuard doesn’t have a default config, but this should be enough to get it started.

    [Interface]
    ListenPort = ******
    PrivateKey = ******************************************** # Server private key
       
    [Peer]
    PublicKey = ******************************************** # Client public key
    AllowedIPs = ***.***.***.***/**
    PersistentKeepalive = ***
   

5. Configure pf/firewall. I think I only need to add the following 3 lines:

    pass in on wg0
    pass in inet proto udp from any to any port ***** # This port is the same as the listen port
    pass out on egress inet from (wg0:network) nat-to (bge:0)
   

   In the video, he’s using a Vultr VPS, which seems to have vio0 as the default interface. From my ifconfig, I believe that my device is bge0.

6. Configure the VPN ip settings. This is put into /etc/hostname.wg0.

    inet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NONE # ip addr and netmask
    up
    !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
   

   From here, I can simply start up the wg0 device with

    # sh /etc/netstart wg0
   

   and it should start accepting connections to the VPN.

VPN Client #

Configuration for the client is about the same, but I configured via systemd-networkd, so I used networkd-unit files.

1. Generate wireguard keypar.
2. Created the WireGuard net device. The configuration is basically the same, just an added NetDev header. Interface info now goes under WireGuard and Peer info now goes under WireGuardPeer.

    [NetDev]
    Name=wg0
    type=wireguard
    Description=WireGuard tunnel
       
    [WireGuard]
    PrivateKey=******************************************** # Client private key
   
    [WireGuardPeer]
    PublicKey=******************************************** # Server public key
    Endpoint=***.***.***.***:****** # Server public IP and wireguard listening port
    AllowedIPs=***.***.***.***/*** # Allowed IPs and netmasks, you can use wildcards
   

3. Added the associated network configuration.

    [Match]
    Name=wg0
       
    [Network]
    Address=***.***.***.***/***
   

Now I can just reload systemd-networkd and it should connect. I can successfully ping to the VPN server, but I can’t route the internet through it. I’ll have to figure out that another time.