Hi Sha'ul,
I actually agree with you. The wireguard man page isn't super helpful
for people trying to set up wireguard in an atypical setup (or "learn").
2 things to note:
1) You have to pay attention to the "#" prior to the ifconfig command
line just before the EXAMPLES section. The thing that will catch many
people out is that they will run the command as their "normal" user,
which actually works but doesn't show you the full output you would get
if you had used "doas" in front, or su to root. Can be useful for
troubleshooting.
2) The whole man page doesn't touch on routing which most people will
need to get things working.
Lots of the examples on the internet for OpenBSD (given its small user
base) are either missing, incorrect or outdated as things change in
versions.
Anyway, I am happy to help you out as much as I can.
You do only need the hostname.wg0 file in a normal scenario.
And presuming you are connecting to a VPN service, then these are the
elements in the config file you'll need to change:
--- hostname.wg0 ---
wgkey <the private key you generated>
wgport 51820
# change this to the internal address your provider or remote gave you
inet 10.10.10.10/32
# change 111.111.111.111 to the public IP address your provider gave you
wgpeer <VPN service or remote public key> = wgendpoint 111.111.111.111 51820 wgaip 0.0.0.0/0 wgpka 20
# optional DNS line if you want to use their DNS
#DNS = 99.99.99.99
up
!route add -priority 2 <put the 111.111.111.111 changed address here> -gateway 192.168.1.1
# change the 10.10.10.10 address here
!route add -priority 7 -inet default -iface 10.10.10.10
---
That should get you up and running.
So, private key in wgkey line.
Internal address of VPN service in the inet line, and bottom routing
line.
External address of VPN service in the wgpeer line, and the first route
line.
Assumes your gateway is 192.168.1.1 so change that to your home gateway
address.
Sincerely hope that helps, and you get it working. Once you do, it's
super elegant being in one file. It's just a bit tricky getting your
first config going.
Oh, if you get errors during boot, use dmesg -s (this shows the console
message buffer during boot so you can see what errors you get).
Or doas sh /etc/netstart of course to see it "live" when trying a
config out.
Good luck!
On 29.04.2026 18:22, Sha'ul wrote:
I have been trying to go through the WireGuard manual to set it up and
failed. I checked with AI which replied "To answer your question: the
manual is accurate but dense. It assumes you already understand the
"OpenBSD Way." For example, it tells you wgkey sets the key and wgpubkey
shows it, but it doesn't explicitly warn you that a standard user
(without doas) might see a truncated output, or that the driver needs a
specific "trigger" (like netstart or an IP assignment) to initialize the
cryptographic state." Is that a false perspective?
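
The pairing rule from the reply (external address in both the wgpeer line and the first route line, internal address in both the inet line and the bottom route line) can be checked before running netstart. The script below is an added example, not part of the original mail; the name check_wg_conf is hypothetical, the sample keys are constructed dummies, and it assumes each key is written as one 44-character base64 token.

```shell
#!/bin/sh
# check_wg_conf FILE: print one line per inconsistency in a hostname.wg0
# laid out like the one above; the return value is the number of problems.
check_wg_conf() {
    awk '
    function bad(msg) { print "problem: " msg; n++ }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $1 == "wgkey"  { key = $2 }
    $1 == "inet"   { split($2, a, "/"); inner = a[1] }
    $1 == "wgpeer" {
        peer = $2
        for (i = 3; i < NF; i++) if ($i == "wgendpoint") endpoint = $(i + 1)
    }
    $1 == "!route" {
        for (i = 2; i <= NF; i++) {
            if ($i == "-gateway") bypass = $(i - 1)   # host route to the endpoint
            if ($i == "-iface" && i < NF) iface = $(i + 1)
        }
    }
    END {
        b64 = "^[A-Za-z0-9+/]+=$"
        if (length(key) != 44 || key !~ b64)   bad("wgkey is not a 44-character base64 key")
        if (length(peer) != 44 || peer !~ b64) bad("wgpeer key is not a 44-character base64 key")
        if (key != "" && key == peer)          bad("wgkey and wgpeer key are the same")
        if (endpoint == "")                    bad("wgpeer line has no wgendpoint")
        else if (bypass != endpoint)           bad("first route is for \"" bypass "\", endpoint is " endpoint)
        if (inner == "")                       bad("no inet line")
        else if (iface != inner)               bad("default route -iface \"" iface "\" does not match inet " inner)
        exit n + 0
    }' "$1"
}

# Constructed sample: dummy keys, the mail's placeholder addresses, and a
# first route line that deliberately names the wrong endpoint address.
demo=$(mktemp)
k=$(awk 'BEGIN { for (i = 0; i < 43; i++) printf "A"; print "=" }')
p=$(awk 'BEGIN { for (i = 0; i < 43; i++) printf "B"; print "=" }')
cat > "$demo" <<EOF
wgkey $k
wgport 51820
inet 10.10.10.10/32
wgpeer $p wgendpoint 111.111.111.111 51820 wgaip 0.0.0.0/0 wgpka 20
up
!route add -priority 2 111.111.111.112 -gateway 192.168.1.1
!route add -priority 7 -inet default -iface 10.10.10.10
EOF
check_wg_conf "$demo" || echo "problems found: $?"
rm -f "$demo"
```

A placeholder such as `<the private key you generated>` left in the file is reported by the key-length check.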