Re: Problem with WireGuard on OpenBSD 7.3

2023-05-19 Thread Odd Martin Baanrud
Hello Andre,

Thanks for all the good input and links.
I should be able to get a working setup now.

As far as I understand, I can use the keys generated with the wg tools, instead 
of those generated by openssl.
They look very similar to me.
Am I right?

Regarding pf, should the udp port I choose for tunnelling be re-directed to the 
wg IP, or just be open on the external interface?

Regards, Martin.



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-08 Thread Ashlen
On 2023-05-08 23:15, Tor Houghton wrote:
> On Sat, May 06, 2023 at 04:40:21PM -, Stuart Henderson wrote:
> > 
> > [snip]
> >
> > wgport port-number wgkey my-private-key
> > inet 10.0.98.1/24
> > 
> > [snip]
> 
> Here's[*] a super hacky way to convert a pivpn wireguard config file to output
> that can be placed in a /etc/hostname.wg0 file, if this helps anyone at all.
> 
> $ cat client.conf | ./wgconv.sh
> 
> Tor
> 
> * https://www.bogus.net/~torh/files/wgconv.sh
> 

Huh, neat. :) It made me smile to see this because I wrote my own
pledged + unveiled tool in Perl for this exact same task some time ago.
Though mine does some basic validation on the IPs, base64 keys, etc.

Tool: https://github.com/3uryd1ce/sysadm/blob/master/translate_wg_conf
Man page: 
https://github.com/3uryd1ce/sysadm/blob/master/man/man1/translate_wg_conf.1

One thing to note is that it depends on p5-Config-Std and p5-Net-IP to
handle parsing and validation, so this would be needed first:

# pkg_add p5-Config-Std p5-Net-IP

Anyway, my self-plug is over. Hope it helps someone.



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-08 Thread Tor Houghton
On Sat, May 06, 2023 at 04:40:21PM -, Stuart Henderson wrote:
> 
> [snip]
>
> wgport port-number wgkey my-private-key
> inet 10.0.98.1/24
> 
> [snip]

Here's[*] a super hacky way to convert a pivpn wireguard config file to output
that can be placed in a /etc/hostname.wg0 file, if this helps anyone at all.

$ cat client.conf | ./wgconv.sh

Tor

* https://www.bogus.net/~torh/files/wgconv.sh



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-06 Thread Stuart Henderson
On 2023-05-06, Odd Martin Baanrud  wrote:
> I chose the WireGuard-tools solution, because I understood how it works, 
> and it is easy to configure.
> I’ve read a bit in the wg(4) manual, and I get confused of how things 
> actually work.
> Is it possible to use wireguard-tools’s private/public key e.g?
> If not, is the actual configuration using the included tools easy to do?

The configuration for wg looks like this:

wgport port-number wgkey my-private-key
inet 10.0.98.1/24
wgpeer peer-public-key wgaip 10.0.98.2/32 wgpsk peer2-pre-shared-key
wgpeer peer2-public-key wgaip 10.0.98.3/32 wgpsk peer2-pre-shared-key
etc

The keys are 44 character long strings, base64 encoded. You can generate
a suitable key with openssl rand -base64 32.

To find the public key associated with a private key that has been set,
use "ifconfig wg0" as root. It will be shown as wgpubkey and you can
copy that to another system.

I've never used wireguard-tools but I assume the keys will be in the
correct format to use directly in the ifconfig line or hostname.wg0 file.




Re: Problem with WireGuard on OpenBSD 7.3

2023-05-05 Thread Andre Smagin
On Sat, 6 May 2023 02:18:30 +0200
Odd Martin Baanrud  wrote:

> Hello Stuart,
> 
> Thanks for a detailed and good explanation!
> 
> I chose the WireGuard-tools solution, because I understood how it works, 
> and it is easy to configure.
> I've read a bit in the wg(4) manual, and I get confused of how things 
> actually work.
> Is it possible to use wireguard-tools's private/public key e.g?
> If not, is the actual configuration using the included tools easy to do?
> 
> I'm blind, so reading lots of documentation, when not knowing what to look 
> for, can be pretty time consuming.
> So, if there is an easy way to set up a wireguard-tools style vpn using tools 
> from the base system, please let me know.
> 
> Regarding pf, thanks for good advice regarding how to use NAT rules.
> 
> Regards, Martin.

Hello Martin.

I just recently started using WireGuard, as a client only, using
commercial VPN service. I did not have to use wireguard-tools.

In addition to the manual pages for wireguard and rdomain, I also
consulted several online guides that helped clarify how everything
should work (DNS is the tricky part).

1. Solene Rapenne - "Full WireGuard setup with OpenBSD"

Solene explains how to set up both wireguard server and client on
OpenBSD without using wireguard-tools. She uses openssl to generate
private keys. Note: page has one ASCII network diagram.
https://dataswamp.org/~solene/2021-10-09-openbsd-wireguard-exit.html

2. Matthieu Herrb - "Setting up a WireGuard client with routing domains
on OpenBSD".

Matthieu explains step-by-step how to set up OpenBSD as wireguard client
for 3rd party VPN. He uses wireguard-tools, but only to generate the
private key initially. Note: page includes one long output of the ps
command.
https://md.laas.fr/s/NMc3qt5PQ

Since both of the above guides use rdomains for their setup, I found
this writeup about rdomains and rtables useful:

3. Joel Knight - "Virtualizing the OpenBSD Routing Table"
Note: page has four images of network diagrams.
https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

It is a lot of reading, and I apologize for that. I can see, but it
still took me a couple of days to figure out how to get just the client part
working right, and you are trying to do both server and client at once.
I hope you succeed.

--
Andre



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-05 Thread Odd Martin Baanrud
Hello Stuart,

Thanks for a detailed and good explanation!

I chose the WireGuard-tools solution, because I understood how it works, and 
it is easy to configure.
I’ve read a bit in the wg(4) manual, and I get confused of how things actually 
work.
Is it possible to use wireguard-tools’s private/public key e.g?
If not, is the actual configuration using the included tools easy to do?

I’m blind, so reading lots of documentation, when not knowing what to look for, 
can be pretty time consuming.
So, if there is an easy way to set up a wireguard-tools style vpn using tools from 
the base system, please let me know.

Regarding pf, thanks for good advice regarding how to use NAT rules.

Regards, Martin.



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Stuart Henderson
On 2023-05-04, Odd Martin Baanrud  wrote:
> Hello,
>
> Ok, now I finally got it running.
> I decided to bring up the wg interface using hostname.wg0, and start 
> WireGuard from /etc/rc.local.

You don't need anything from rc.local, or the wireguard-tools package,
the whole thing can be done using tools built-in to the OS.

And that is what you want, because after updating the OS, you might have
problems running old packages until they're updated too.

> This machine also acts as the router for my lan/wlan, so I already have a 
> “match out” rule to enable NAT for those interfaces in pf.
> Will this rule also do NAT from the wg if?
> The rule is:
> “match out on egress inet from !egress nat-to (egress)

The "egress" interface group is an automatic group to which interfaces
are added when a default route points via them. Firstly the "on egress"
will be expanded by pfctl when loading the ruleset, so that route would
need to exist at the right time. Secondly the "nat-to (egress)" will
dynamically look up members of the egress group when a packet is tested
against the ruleset, and if more than one interface is in "egress" will
round-robin between them, which is not what you want.

Say you have the main internet connection on ixl0 and wireguard on wg0
and want to NAT packets on both. In that case you could use

match out on em0 inet from !egress nat-to (em0)
match out on wg0 inet from !egress nat-to (wg0)

Or, as the wg interface is probably not going to change address
unexpectedly you can cut out the repeated runtime address lookup by
omitting the brackets

match out on em0 inet from !egress nat-to (em0)
match out on wg0 inet from !egress nat-to wg0

(similarly if em0 has a fixed address not dhcp, you can skip the runtime
lookup there too).

But you don't _have_ to nat packets going over wg, that depends on what
you want to do with it and how you configure it.

> I have also added a pass in rule for external connections.
> “pass in quick inet proto udp to $wg_port”

wg packets can flow in either direction and there might sometimes be a
delay between packets (say if there are network problems) long enough
for the firewall state entry to timeout. So you might like to remove
the "in".

> I have a default block policy, so I guess I’ll need to open for traffic in 
> both directions on the wg interface?

Yes.

> I have a server running behind the router.
> Will I be able to access it from the VPN with this setup, or do I need to 
> implement rules for that purpose?

You'll need firewall rules that permit the traffic to the server (wg
doesn't bypass the firewall). You'll also need to decide whether you
want to use nat/rdr rules using a single router address over the wg
tunnel, or whether you want to carry a range of addresses and access the
server using its own address.
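The pf points Stuart makes above, put side by side in one pf.conf fragment: the egress-group NAT rule he warns about, the explicit-interface rules that replace it, the UDP pass rule with "in" removed, and the two ways of reaching a LAN server over the tunnel. This is an added example, not configuration from the thread; em0, wg0, the 10.0.98.0/24 tunnel network, port 51820 and the 192.168.1.10 server address are all assumptions.

```pf
# Interface names and addresses below are assumptions for this example.
ext_if  = "em0"            # internet-facing, address from DHCP
wg_if   = "wg0"            # tunnel interface, fixed address
wg_net  = "10.0.98.0/24"
wg_port = "51820"
lan_srv = "192.168.1.10"

set skip on lo
block all

# Fragile: "on egress" is expanded when the ruleset loads, so the default
# route must already exist, and "(egress)" is looked up per packet and
# round-robins once more than one interface is in the group.
# match out on egress inet from !egress nat-to (egress)

# Explicit interfaces instead.  Brackets keep the lookup dynamic where the
# address can change (DHCP on em0); wg0's address is fixed, so none needed.
match out on $ext_if inet from !egress nat-to ($ext_if)
match out on $wg_if  inet from !egress nat-to $wg_if

# WireGuard UDP flows both ways and can go quiet long enough for a state
# entry to expire, so create state in either direction: no "in" here.
pass quick inet proto udp to port $wg_port

# With a default block policy the tunnel needs pass rules in both directions.
pass out on $wg_if
# Carrying the tunnel range: peers reach the server by its own address.
pass in on $wg_if inet proto tcp from $wg_net to $lan_srv port { 22, 443 }

# Alternative when peers only know the router's tunnel address: redirect a
# port on wg0 to the server instead of routing the LAN range.
# pass in on $wg_if inet proto tcp to ($wg_if) port 443 rdr-to $lan_srv
```

Check the expansion before loading with `pfctl -nf /etc/pf.conf`; the commented egress rule is the shape of the original, kept only to show what the explicit rules replace.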




Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Sonic
On Thu, May 4, 2023 at 9:45 AM Janne Johansson  wrote:

> Apart from that, you either use /usr/local/bin/wg(-quick) to set up
> your wireguard interface OR hostname.wg0 not calling one from the
> other.


Thanks for that. Seems every website I've found uses calling
/usr/local/bin/wg from the hostname.wg file. And I've been running it
like this since Wireguard was put in the kernel. However, I decided to
try hostname.wg only and it works a treat. As an added benefit the
wireguard-tools package is not even needed.

Chris



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Odd Martin Baanrud
Hello,

Ok, now I finally got it running.
I decided to bring up the wg interface using hostname.wg0, and start WireGuard 
from /etc/rc.local.

This machine also acts as the router for my lan/wlan, so I already have a 
“match out” rule to enable NAT for those interfaces in pf.
Will this rule also do NAT from the wg if?
The rule is:
“match out on egress inet from !egress nat-to (egress)
I have also added a pass in rule for external connections.
“pass in quick inet proto udp to $wg_port”

I have a default block policy, so I guess I’ll need to open for traffic in both 
directions on the wg interface?

I have a server running behind the router.
Will I be able to access it from the VPN with this setup, or do I need to 
implement rules for that purpose?

Regards, Martin



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Janne Johansson
Den tors 4 maj 2023 kl 15:08 skrev Odd Martin Baanrud :
> inet 10.0.6.1 0xfgffgf00 NONE up !/usrlocal/bin/wg setconf wg0 
> /etc/wireguard/wg0.conf

While multiple slashes combine into one, having /usr... seems like
a weird thing to put in the config.
Apart from that, you either use /usr/local/bin/wg(-quick) to set up
your wireguard interface OR hostname.wg0 not calling one from the
other.
If you go for hostname.wg0, read up on the "man ifconfig" section
about wireguard tunnels and skip the wg0.conf. If you go for
wg/wg-quick, you can call it from rc.local or something.

> According to hostname.if(5), !-commands must work in single-user mode, if 
> they should be executed.
> If this is the case, why is ‘wg’ in /usr/local/bin?

..which solves this "mystery" too.

-- 
May the most significant bit of your life be positive.



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread matthew j weaver
On Thu, May 4, 2023, at 08:06, Odd Martin Baanrud wrote:
> https://ianix.com/wireguard/openbsd-howto.html

  This tutorial has one installing a port ("wireguard-tools"), and then making 
one's wireguard interface depend on that package. I am not sure why it does 
that, but that is one problem with your configuration.

  Ports install with a prefix of /usr/local/ by default.

  I am unfamiliar with the wireguard-tools package, but it's unnecessary for 
configuring wg(4) interfaces:

  https://man.openbsd.org/wg

  weaver



Re: Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Josh Grosse
On Thu, May 04, 2023 at 03:06:13PM +0200, Odd Martin Baanrud wrote:
> Hello,
> 
> I'm configuring a WireGuard server on an OpenBSD 7.3 machine, using this 
> howto:
> https://ianix.com/wireguard/openbsd-howto.html
> 
> I don't get the wg0 interface up.
> The hostname.wg0 contains:
> inet 10.0.6.1 0xfgffgf00 NONE up !/usrlocal/bin/wg setconf wg0 
> /etc/wireguard/wg0.conf

0xfgffgf00 is an invalid netmask, as it is not hexadecimal (0-f).  Your netmask 
should be one of:

a. address/subnet CIDR notation
b. decimal notation
c. hexadecimal notation

https://en.wikipedia.org/wiki/IP_address#Subnetworks



Problem with WireGuard on OpenBSD 7.3

2023-05-04 Thread Odd Martin Baanrud
Hello,

I’m configuring a WireGuard server on an OpenBSD 7.3 machine, using this howto:
https://ianix.com/wireguard/openbsd-howto.html

I don’t get the wg0 interface up.
The hostname.wg0 contains:
inet 10.0.6.1 0xfgffgf00 NONE up !/usrlocal/bin/wg setconf wg0 
/etc/wireguard/wg0.conf

And when I try to bring wg0 up with /etc/netstart, I get the following:
# sh /etc/netstart wg0
ifconfig: !/usr/local/bin/wg: bad value

According to hostname.if(5), !-commands must work in single-user mode, if they 
should be executed.
If this is the case, why is ‘wg’ in /usr/local/bin?

Regards, Martin