OpenBSD scripts to convert wg-quick VPN files

Written by Solène, on 27 April 2024.
Tags: #openbsd #vpn #security

1. Introduction §

If you use a commercial VPN, you may have noticed that they all provide WireGuard configurations in the wg-quick format, which is not directly usable on OpenBSD.

As I currently work a lot for a VPN provider, I often have to play with configurations, and I really needed a script to ease my work.

I made a shell script that turns a wg-quick configuration into a hostname.if compatible file, for full integration into OpenBSD. This is practical if you always want to connect to a given VPN server, not for temporary connections.

OpenBSD manual pages: hostname.if

Sourcehut project: wg-quick-to-hostname-if

2. Usage §

It is really easy to use: download the script and mark it executable, then run it with your wg-quick configuration as a parameter. It will output the hostname.if file on the standard output.

wg-quick-to-hostname-if fr-wg-001.conf | doas tee /etc/hostname.wg0

The generated file uses a trick to dynamically determine the current default route at the time the interface comes up; this is required to keep a non-VPN route toward the VPN gateway, otherwise the encrypted traffic itself would be sent into the tunnel.
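As an added example that is not Solène's script, here is a small POSIX sh function in the same spirit: it parses a wg-quick file and prints hostname.if lines, including the default-gateway lookup described above. The sample configuration is constructed with placeholder keys, and the form of the routes that steer traffic into the tunnel (interface routes via the tunnel's own address, the default at priority 2) is my assumption, not taken from the article.

```shell
# Constructed sample in wg-quick format; the keys and addresses are placeholders, not real values.
SAMPLE_CONF='[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER_BASE64=
Address = 10.64.0.2/32

[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER_BASE64=
AllowedIPs = 0.0.0.0/0, 10.8.0.0/24
Endpoint = 198.51.100.10:51820'
# wg_quick_to_hostname_if FILE: print hostname.if(5) lines for a wg(4) interface on stdout.
# Handles one [Peer] section, which is what commercial VPN configurations ship.
wg_quick_to_hostname_if() {
    awk '
    { sub(/\r$/, "") }                              # tolerate DOS line endings
    /^[ \t]*$/ || /^[ \t]*[#[]/ { next }            # skip blanks, comments, section headers
    {
        i = index($0, "=")                          # split on the FIRST "=" only: base64 keys end in "="
        if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        kv[k] = v
    }
    END {
        if (!(("PrivateKey" in kv) && ("PublicKey" in kv) && ("Endpoint" in kv) && ("Address" in kv))) {
            print "missing required wg-quick fields" > "/dev/stderr"; exit 1
        }
        host = kv["Endpoint"]; sub(/:[0-9]+$/, "", host); sub(/^\[/, "", host); sub(/]$/, "", host)
        port = kv["Endpoint"]; sub(/^.*:/, "", port)                  # Endpoint is host:port
        ip = kv["Address"]; sub(/\/.*/, "", ip)                        # tunnel address without prefix length
        n = split(kv["AllowedIPs"], aips, /[ \t]*,[ \t]*/)
        peer = "wgpeer " kv["PublicKey"] " wgendpoint " host " " port
        for (j = 1; j <= n; j++) peer = peer " wgaip " aips[j]
        print "wgkey " kv["PrivateKey"]; print peer; print "inet " kv["Address"]
        # The trick the article mentions: resolve the current default gateway when the interface
        # comes up and pin a host route to the VPN endpoint through it, so the encrypted UDP
        # traffic is never pulled into the tunnel by the routes added below.
        print "!route -qn add -host " host " $(route -n get default | awk \047/gateway/ {print $2}\047)"
        # Assumed form (not from the article): interface routes via our own tunnel address; the
        # default gets priority 2 so it wins over the existing static default (priority 8).
        for (j = 1; j <= n; j++) {
            if (aips[j] ~ /:/) continue                                # IPv6 prefixes are left out here
            dst = (aips[j] == "0.0.0.0/0") ? "-priority 2 default" : "-net " aips[j]
            print "!route -qn add -iface " dst " " ip
        }
    }' "$1"
}
if [ $# -gt 0 ]; then wg_quick_to_hostname_if "$1"; else   # no argument: run on the constructed sample
    tmp=$(mktemp); printf "%s\n" "$SAMPLE_CONF" > "$tmp"; wg_quick_to_hostname_if "$tmp"; rm -f "$tmp"
fi
```

Redirect the output to /etc/hostname.wg0 as in the command above, then bring the interface up with sh /etc/netstart wg0.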

3. Short VPN sessions §

When I shared my script on Mastodon, Carlos Johnson shared their own script, which is pretty cool and complementary to mine.

If you prefer to establish a VPN for a limited session, you may want to take a look at his script.

Carlos Johnson GitHub: file-wg-sh gist

4. Prevent leaks §

If you need your WireGuard VPN to be leakproof (meaning no network traffic may leave the physical network interface outside the VPN unless it is toward the VPN gateway), you should absolutely do the following:

  • the WireGuard interface itself, which carries your plaintext traffic, should be in rdomain 0
  • the WireGuard tunnel (its encrypted traffic to the gateway) should be established from another rdomain
  • use PF to block any traffic on that other rdomain that is not toward the VPN gateway
  • use the VPN provider's DNS or a no-log public DNS provider

Older blog post: WireGuard and rdomains

5. Conclusion §

OpenBSD's ability to configure WireGuard VPNs with ifconfig has always been an incredible feature, but converting wg-quick files was not always fun. Now, using a commercial VPN got a lot easier thanks to a few pieces of shell.