-- Leo's gemini proxy

-- Connecting to perso.pw:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini;

OpenBSD scripts to convert wg-quick VPN files


Author: Solène

Date: 27 April 2024

Tags: openbsd vpn security


NIL# Introduction


If you use commercial VPN, you may have noticed they all provide WireGuard configurations in the wg-quick format, this is not suitable for an easy use in OpenBSD.


As I currently work a lot for a VPN provider, I often have to play with configurations and I really needed a script to ease my work.


I made a shell script that turns a wg-quick configuration into a hostname.if compatible file, for a full integration into OpenBSD. This is practical if you always want to connect to a given VPN server, not for temporary connections.


OpenBSD manual pages: hostname.if

Sourcehut project: wg-quick-to-hostname-if


Usage


It is really easy to use, download the script and mark it executable, then run it with your wg-quick configuration as a parameter, it will output the hostname.if file to the standard output.


wg-quick-to-hostname-if fr-wg-001.conf | doas tee /etc/hostname.wg0

In the generated file, it uses a trick to dynamically figure the current default route which is required to keep a non-vpn route to the VPN gateway.


Short VPN sessions


When I shared my script on mastodon, Carlos Johnson shared their own script which is pretty cool and complementary to mine.


If you prefer to establish a VPN for a limited session, you may want to take a look at his script.


Carlos Johnson GitHub: file-wg-sh gist


Prevent leaks


If you need your WireGuard VPN to be leakproof (= no network traffic should leave the network interface outside the VPN if it's not toward the VPN gateway), you should absolutely do the following:


your WireGuard VPN should be on rdomain 0

WireGuard VPN should be established on another rdomain

use PF to block traffic on the other rdomain that is not toward the VPN gateway

use the VPN provider DNS or a no-log public DNS provider


Older blog post: WireGuard and rdomains


Conclusion


OpenBSD's ability to configure WireGuard VPNs with ifconfig has always been an incredible feature, but it was not always fun to convert from wg-quick files. But now, using a commercial VPN got a lot easier thanks to a few piece of shell.

-- Response ended

-- Page fetched on Tue May 21 18:53:17 2024