So right before I left for my trip to Florida I realized that there was no way to access my home network remotely. This was a bit of a sitch, so now that I’m back, I’m finally going to make one.
This can be done in two ways, and I’m thinking of doing the former:
- Create a jail/container on my NAS machine, host it there
- Set up another device and have it on bare metal
While writing this, I tried doing all of this via a TrueNAS jail, but jails were missing features that I needed for configuring and running a VPN. Luckily, I have a bunch of laptops laying around that I can install OpenBSD on.
I basically followed Mental Outlaw’s guide on hosting a WireGuard VPN on OpenBSD, but the steps are as follows:
VPN Server #
-
I installed OpenBSD on my laptop, gave it a static IP, etc. I don’t believe having the IP be dynamic would actually cause any issues, but it would be easier to configure on a static IP.
- Allow ip forwarding. This needs to be put in
/etc/sysctl.conf
for it to be persistent across reboots, apparently.net.inet.ip.forwarding=1 machdep.lidswitch=0 # Needed to disable suspend on lid close
- Install WireGuard and generate a keypair. Luckily, WireGuard has utilities for generating keys.
# wg genkey > private.key # wg pubkey < private.key > public.key
- Configure WireGuard. WireGuard doesn’t have a default config, but this should be enough to get it started.
[Interface] ListenPort = ****** PrivateKey = ******************************************** # Server private key [Peer] PublicKey = ******************************************** # Client public key AllowedIPs = ***.***.***.***/** PersistentKeepalive = ***
- Configure pf/firewall. I think I only need to add the following 3 lines:
pass in on wg0 pass in inet proto udp from any to any port ***** # This port is the same as the listen port pass out on egress inet from (wg0:network) nat-to (bge:0)
In the video, he’s using a Vultr VPS, which seems to have
vio0
as the default interface. From myifconfig
, I believe that my device isbge0
. - Configure the VPN ip settings. This is put into
/etc/hostname.wg0
.inet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx NONE # ip addr and netmask up !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
From here, I can simply start up the
wg0
device with# sh /etc/netstart wg0
and it should start accepting connections to the VPN.
VPN Client #
Configuration for the client is about the same, but I configured via systemd-networkd
, so I used networkd-unit files.
- Generate wireguard keypar.
- Created the WireGuard net device. The configuration is basically the same, just an added
NetDev
header.Interface
info now goes underWireGuard
andPeer
info now goes underWireGuardPeer
.[NetDev] Name=wg0 type=wireguard Description=WireGuard tunnel [WireGuard] PrivateKey=******************************************** # Client private key [WireGuardPeer] PublicKey=******************************************** # Server public key Endpoint=***.***.***.***:****** # Server public IP and wireguard listening port AllowedIPs=***.***.***.***/*** # Allowed IPs and netmasks, you can use wildcards
- Added the associated network configuration.
[Match] Name=wg0 [Network] Address=***.***.***.***/***
Now I can just reload systemd-networkd
and it should connect. I can successfully ping to the VPN server, but I can’t route the internet through it. I’ll have to figure out that another time.