
Vincent's Blog

Pleasure in the job puts perfection in the work (Aristotle)

Setup Wireguard as home VPN and connect it via Android

Posted on 2024-10-05 14:17:00 from Vincent in OpenBSD VPN

I'm looking for a simple way to connect my Android devices to my home via VPN. The goal is to have the apps on my phone behave as if I were at home.

This is especially interesting for services I want to use or check but do not want to expose directly on the internet.

For example, my Zigbee devices.


Introduction

Having your own VPN lets you connect as if you were surfing from home.

I'm regularly using ssh tunnels to allow my OpenBSD laptop to work as if I'm at home. But having such ssh tunnels from an Android mobile device is not possible, at least with my setup.

But which VPN system should I use?

Selection of the VPN system

At home, all my machines except one are running OpenBSD. So, guess on which machine I will host my VPN?
Sure, it will be on OpenBSD.
On this OS, we have three VPN systems available: IPsec and WireGuard in the base system, and OpenVPN as a package.

After some research, I've decided to implement WireGuard because it is easy to set up and works nicely on Android (and on a lot of other systems).

My setup

Let me draw a schematic view of my setup:

So the goal will be to configure the firewall to allow incoming WireGuard traffic on UDP port 51820, assign addresses in the range 10.0.0.0/24 to such connections, and let that traffic reach my Zigbee coordinator machine inside the LAN.

OpenBSD configuration

Since WireGuard is in the OpenBSD base system (see wg(4)), we do not have to install any package on the firewall.

First, create the required key pairs.

I've just said that packages are not required, but I will install one to create the keys and another to display them as a QR code. I will do this on my laptop:

obsd:~ $ doas pkg_add wireguard-tools py3-qrcode
obsd:~ $ wg genkey | tee server-pri.key | wg pubkey > server-pub.key
obsd:~ $ wg genkey | tee android-pri.key | wg pubkey > android-pub.key

These commands give me a private and a public key for both my server (the firewall, in my case) and the client (my Android device). The private keys are sensitive: generate them under a restrictive umask (umask 077) so the files are not readable by other users, and delete the copies on the laptop once they have been transferred.

We can now transfer those files to the firewall machine:

obsd:~ $ scp server-pri.key vi@fw:/home/vi
obsd:~ $ scp android-pub.key vi@fw:/home/vi

Note: the second package, py3-qrcode, will be used to transfer the configuration to the Android device. I'll detail this later.

Let's create a WireGuard interface on the firewall machine

I first create the required folder on my firewall (it will hold the server's private key, so make sure the directory and the files are readable by root only):

fw:~ # mkdir /etc/wireguard
fw:~ # mv /home/vi/server-pri.key /etc/wireguard/
fw:~ # mv /home/vi/android-pub.key /etc/wireguard/

We can now create our WireGuard interface. Note that passing the key as a command-line argument makes it briefly visible to other local users through ps; the hostname.wg0 file used below for the permanent setup avoids this:

fw:~ # ifconfig wg0 create wgport 51820 wgkey $(cat /etc/wireguard/server-pri.key)
fw:~ # ifconfig wg0 10.0.0.1/24

You should now have something like this:

fw:~ # ifconfig wg0
wg0: flags=8082<BROADCAST,NOARP,MULTICAST> mtu 1420
    index 6 priority 0 llprio 3
    wgport 51820
    wgpubkey <server pub key>
    groups: wg

The next step is to allow connections coming from my Android device:

fw:~ # ifconfig wg0 wgpeer $(cat /etc/wireguard/android-pub.key)  wgaip 10.0.0.1/24

The ifconfig output will then look like this:

fw:~ # ifconfig wg0
wg0: flags=8082<BROADCAST,NOARP,MULTICAST> mtu 1420
    index 6 priority 0 llprio 3
    wgport 51820
    wgpubkey <server pub key>
    wgpeer <android pub key>
        tx: 0, rx: 0
        wgaip 10.0.0.1/24
    groups: wg

In this case I'm authorising the whole range 10.0.0.1/24 (that is, 10.0.0.0/24) for this peer. wgaip is WireGuard's cryptokey routing entry: the server only accepts decrypted packets from this peer whose source address is inside the range, and only sends packets for destinations inside the range to this peer. A prefix can belong to a single peer at a time, so as soon as you add a second peer it is better to give each one its own /32 (10.0.0.2/32 for the phone, for example) rather than the whole /24.
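To make the wgaip semantics concrete, here is an added example (not from the original post) that models WireGuard's cryptokey routing in Python with the standard ipaddress module: a prefix belongs to one peer, an inbound packet is accepted only if its source address maps back to the peer it was decrypted from, and an outbound packet goes to the peer owning the longest matching prefix. Peer names stand in for public keys and the three scenarios are constructed; the last two show what happens when a second peer (like the FreeBSD laptop later in this post) reuses the /24 versus getting its own /32.

```python
import ipaddress


def build_table(peers):
    """Build the server's cryptokey routing table from [(peer_name, [wgaip, ...]), ...].

    Each prefix maps to exactly one peer.  Adding a prefix that another peer already
    owns re-assigns it to the peer configured last, as WireGuard implementations do
    when a prefix is re-added.  "10.0.0.1/24" is normalised to 10.0.0.0/24, the way
    the post's wgaip argument is.  Returns [(network, peer)] sorted longest prefix first.
    """
    owner = {}
    for peer, prefixes in peers:
        for prefix in prefixes:
            owner[ipaddress.ip_network(prefix, strict=False)] = peer
    return sorted(owner.items(), key=lambda item: item[0].prefixlen, reverse=True)


def lookup(table, ip):
    """Longest-prefix match: the peer that owns this address, or None."""
    addr = ipaddress.ip_address(ip)
    for net, peer in table:
        if addr in net:
            return peer
    return None


def accept_inbound(table, from_peer, src_ip):
    """A decrypted packet from `from_peer` is delivered only if its source address
    resolves to that same peer; anything else is silently dropped."""
    return lookup(table, src_ip) == from_peer


def route_outbound(table, dst_ip):
    """The peer a packet for `dst_ip` is encrypted to, or None (no route)."""
    return lookup(table, dst_ip)


# Constructed scenarios (peer names stand in for the public keys).
SINGLE_PEER = [("android", ["10.0.0.1/24"])]  # the post's first, single-peer setup
TWO_PEERS_SHARED_24 = [("android", ["10.0.0.1/24"]), ("laptop", ["10.0.0.1/24"])]
TWO_PEERS_HOST_ROUTES = [("android", ["10.0.0.2/32"]), ("laptop", ["10.0.0.4/32"])]

if __name__ == "__main__":
    scenarios = [("single /24", SINGLE_PEER),
                 ("two peers, same /24", TWO_PEERS_SHARED_24),
                 ("two peers, /32 each", TWO_PEERS_HOST_ROUTES)]
    for name, peers in scenarios:
        table = build_table(peers)
        print(name)
        print("  packet from android, src 10.0.0.2 accepted:", accept_inbound(table, "android", "10.0.0.2"))
        print("  packet from laptop,  src 10.0.0.4 accepted:", accept_inbound(table, "laptop", "10.0.0.4"))
        print("  reply to 10.0.0.2 is sent to peer:", route_outbound(table, "10.0.0.2"))
```

In the shared /24 scenario the laptop's wgpeer line silently takes the range away from the phone: the phone's packets are dropped on arrival and replies meant for 10.0.0.2 are encrypted to the laptop. With one /32 per peer both keep working.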

This setup is manual and temporary (it does not survive a reboot). If you want to remove it, you can do:

fw:~ # ifconfig wg0 destroy

To make it permanent, you have to create a /etc/hostname.wg0 file like this (it contains the private key, so keep it owned by root with mode 0600 or 0640):

fw:~ # cat /etc/hostname.wg0
wgkey <server private key> wgport 51820
inet 10.0.0.1/24
wgpeer <android public key> wgaip 10.0.0.1/24
up

We now have to adapt our pf rules

In my case, $ext_if is "re0", and I add the following rules: the first lets the WireGuard handshake reach the firewall from the internet, the second allows traffic on the tunnel interface, and the third NATs the VPN clients' traffic out to the internet (needed because the phone sends everything through the tunnel). Writing ($ext_if) in parentheses makes pf pick up the interface address even when the ISP changes it:

pass in on $ext_if proto udp from any to any port 51820
pass on wg0
pass out on $ext_if inet from 10.0.0.0/24 nat-to ($ext_if)

Check the syntax first (the -n flag of pfctl parses the file without loading it), then apply the rules with:

fw:~ # pfctl -vf /etc/pf.conf

Adapt your internet router

Since we are hosting a service inside our home LAN, we have to adapt the internet router.
I cannot show it here because every ISP has its own router with a different layout and features.

But globally we must forward outside traffic arriving on UDP port 51820 to the IP of the interface "re0", the same port we open in pf.
After such a change, you may have to reboot the router.

With those elements our firewall is now ready to accept remote connections from the outside.

Configure our Android device

In my case I've installed the app "WireGuard" as documented on their website: https://www.wireguard.com/install/

The following steps will be executed on my laptop, that is, the machine where we created the keys and installed the QR code generator.

The first step is to build a config file like this one:

obsd:~ $ cat wg_android.conf
[Interface]
PrivateKey = <android private key>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <your ISP public IP>:<public ISP port>

Replace the keys, IP and port with your own values. With AllowedIPs = 0.0.0.0/0 every packet from the phone, DNS lookups included, goes through the tunnel; the DNS entry can point at a resolver at home instead of 8.8.8.8 if you want name resolution to stay inside your network as well.

Then we can generate a QR code that our mobile device can read:

obsd:~ $ cat wg_android.conf | qr

A big QR code will be drawn in the terminal. In my case it works inside xterm and alacritty sessions; I'm not sure this works directly on a server console. Keep in mind that the QR code encodes the phone's private key: display it only where nobody else can see or photograph it, and delete wg_android.conf from the laptop once the phone has imported it.

It looks like this (QR code image not reproduced here).

Then on your mobile device, start the WireGuard app and tap "+" to add a new tunnel.
The app will propose to scan a QR code with the camera.
Just point the phone at your terminal session and you should be good to go ;).

Once the VPN is started, a small key icon appears at the top of your Android screen.
In this state all applications use the VPN, so it is as if your mobile device were located at your home.

With a few more PF rules, I can pass traffic between the VPN subnet 10.0.0.0/24 and my Zigbee coordinator.
This part is very specific to each setup, so I leave it to you to define what you need.

Debugging

To confirm it's working as it should, you must see values in the transfer part for "rx" (on the phone, in the tunnel details).
If you only see "tx" bytes, then you have a problem with the VPN. Most probably the mobile device sends requests, but the server never answers: either the packets do not reach it (router port forwarding, pf rule) or its replies do not come back.

In case something else is not working, you can enable debugging on the server side; WireGuard then logs handshake details to the kernel message buffer, which you can read with dmesg:

fw:~ # ifconfig wg0 debug

Anyhow, on the mobile device, you can check the log screen of the app.

Please also make sure that your ISP allows such traffic. You could be behind carrier-grade NAT or ISP firewall rules that block incoming UDP, in which case port forwarding on your router will not help.
The only way to be sure is to try it :(.

So, be patient and verify each step closely.
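As an added example (not part of the post), the following Python parses the two status outputs used in this post, OpenBSD's ifconfig wg0 on the server and wireguard-tools' wg show on a client, and applies the tx/rx rule of thumb above to each peer. The sample outputs and key strings are constructed; the wg show transfer line format ("X received, Y sent" with B/KiB/MiB units) is the one wireguard-tools prints.

```python
import re

# Constructed sample outputs (key strings are placeholders, not real keys).
# Server side: OpenBSD `ifconfig wg0`, in the layout shown in the post, with two peers.
OPENBSD_SAMPLE = """\
wg0: flags=8082<BROADCAST,NOARP,MULTICAST> mtu 1420
        index 6 priority 0 llprio 3
        wgport 51820
        wgpubkey SERVER_PUB_KEY_PLACEHOLDER
        wgpeer ANDROID_PUB_KEY_PLACEHOLDER
                tx: 0, rx: 0
                wgaip 10.0.0.2/32
        wgpeer LAPTOP_PUB_KEY_PLACEHOLDER
                tx: 1840, rx: 2412
                wgaip 10.0.0.4/32
        groups: wg
"""

# Client side: wireguard-tools `wg show` on the FreeBSD laptop.
WG_SHOW_SAMPLE = """\
interface: wg0
  public key: LAPTOP_PUB_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 53421

peer: SERVER_PUB_KEY_PLACEHOLDER
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 1.48 KiB sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def _new_peer():
    return {"tx": 0, "rx": 0, "aip": []}


def parse_openbsd_ifconfig(text):
    """{peer pubkey: {"tx": bytes sent, "rx": bytes received, "aip": [wgaip, ...]}}."""
    peers, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("wgpeer "):
            cur = peers.setdefault(s.split()[1], _new_peer())
        elif cur is not None and s.startswith("tx:"):
            m = re.match(r"tx:\s*(\d+),\s*rx:\s*(\d+)", s)
            cur["tx"], cur["rx"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and s.startswith("wgaip "):
            cur["aip"].append(s.split()[1])
    return peers


def parse_wg_show(text):
    """Same structure from `wg show` output; tx = sent, rx = received, converted to bytes."""
    peers, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("peer: "):
            cur = peers.setdefault(s.split()[1], _new_peer())
        elif cur is not None and s.startswith("allowed ips:"):
            cur["aip"] = [a.strip() for a in s.split(":", 1)[1].split(",")]
        elif cur is not None and s.startswith("transfer:"):
            m = re.match(r"transfer:\s*([\d.]+)\s*(\w+) received,\s*([\d.]+)\s*(\w+) sent", s)
            cur["rx"] = int(float(m.group(1)) * UNITS[m.group(2)])
            cur["tx"] = int(float(m.group(3)) * UNITS[m.group(4)])
    return peers


def diagnose(peer):
    """The post's rule of thumb, read from whichever side produced the output (heuristic)."""
    tx, rx = peer["tx"], peer["rx"]
    if tx == 0 and rx == 0:
        return "no traffic: nothing exchanged yet (check endpoint, router port forward and pf rule)"
    if rx == 0:
        return "tx only: we send but never receive; the other side does not answer or its replies do not get back"
    if tx == 0:
        return "rx only: packets arrive but nothing goes back; check the keys on both sides and the pf rule for wg0"
    return "ok: traffic flows in both directions"


def report(peers):
    return {key: diagnose(p) for key, p in peers.items()}


if __name__ == "__main__":
    for key, verdict in report(parse_openbsd_ifconfig(OPENBSD_SAMPLE)).items():
        print("server peer", key[:12], "->", verdict)
    for key, verdict in report(parse_wg_show(WG_SHOW_SAMPLE)).items():
        print("client peer", key[:12], "->", verdict)
```

Feed it the real output (for example `ifconfig wg0 | python3 wgstatus.py`, after adding a stdin reader) to get one verdict per peer instead of staring at counters.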

Wireguard on FreeBSD laptop

Install required software on FreeBSD

Before you can configure WireGuard on FreeBSD, you need to make sure the necessary tools and kernel modules are available. While WireGuard support is native in OpenBSD, on FreeBSD you must install the userland tools and ensure the kernel module is loaded at boot.

Installing the WireGuard tools

# pkg install wireguard-tools

This package provides the wg and wg-quick commands, which are essential for generating keys, creating configuration files, and starting or stopping your VPN interface.

Ensuring the kernel module loads at boot

While you can load the WireGuard kernel module manually with:

# kldload if_wg

it’s more convenient to have it load automatically at boot. To do this, edit /boot/loader.conf as the root user and add:

if_wg_load="YES"

This tells the FreeBSD boot loader to load the WireGuard interface driver early in the boot process, so it’s ready whenever you run wg-quick up.

After saving the file, you can reboot to verify that the module is loaded automatically. You can check its status with:

# kldstat | grep if_wg

If you see if_wg.ko in the output, the kernel module is active.

Generating the key pair

We must first generate a pair of cryptographic keys: a private key (which must be kept secret) and a public key (which you share with the VPN server). Do this under a restrictive umask (umask 077) so the private key file is not readable by other users on the laptop:

# wg genkey | tee privatekey | wg pubkey > publickey

This creates two files in the current directory:

  • privatekey contains your private key.
  • publickey contains your public key.

The private key will be used in your local WireGuard configuration file.
The public key must be copied to your OpenBSD server so it can recognize and authenticate your laptop.

Registering the public key on the OpenBSD server

On OpenBSD, WireGuard is integrated directly into the base system. The network interface is configured just like any other, using /etc/hostname.wg0. To register your FreeBSD laptop as a new peer, open the server's /etc/hostname.wg0 file and add a wgpeer line with your laptop's public key and the internal VPN address you want to assign to it, as a /32. Do not reuse the /24 of the first peer: a wgaip prefix belongs to exactly one peer, so giving 10.0.0.1/24 to the laptop as well would take the range away from the Android peer and break it. For example:

wgpeer <your_laptop_public_key_here> wgaip 10.0.0.4/32
doas sh /etc/netstart wg0

10.0.0.4/32 is the only source address the server will accept from this peer; it must match the Address set in the laptop's wg0.conf below.

Running netstart on the interface applies the updated configuration without requiring a full system reboot.

Creating the configuration file on FreeBSD

On the FreeBSD laptop, we will now create the WireGuard configuration file. The WireGuard tools expect this file in /usr/local/etc/wireguard/, named after the interface, for example wg0.conf (it holds the private key, so keep it mode 0600):

# mkdir -p /usr/local/etc/wireguard
# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <contents_of_privatekey_file for this FreeBSD machine>
Address = 10.0.0.4/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key_here>
Endpoint = <server_hostname_or_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

The [Interface] section contains the FreeBSD machine's private key, the internal VPN IP address assigned to your laptop, and the DNS server to use while connected. The [Peer] section defines the server's public key, its address and port, the ranges of IPs to route through the VPN, and a keepalive that refreshes the NAT mapping so the server can still reach the laptop while the tunnel is idle.

To send all packets into the VPN, AllowedIPs in the [Peer] section must be set to 0.0.0.0/0. Listing ::/0 as well makes wg-quick route IPv6 into the tunnel too, so IPv6 traffic cannot bypass the VPN even though the server side here only serves IPv4.
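Here is an added Python helper (not from the post or the WireGuard project) that renders the two configuration formats used in this post, the server's /etc/hostname.wg0 and a client .conf for the phone or the laptop, from a peer list: it checks that every key is 32 base64-encoded bytes, gives each peer its own /32 wgaip inside the tunnel subnet, refuses duplicate or out-of-subnet addresses, and writes files that hold a private key with mode 0600 from the moment they are created. The keys, the endpoint 203.0.113.10 and the peer list are constructed placeholders.

```python
import base64
import ipaddress
import os
import tempfile

# Constructed placeholder keys: valid base64 of 32 bytes so the checks pass, but NOT
# real WireGuard keys.  Real ones come from `wg genkey` / `wg pubkey` as in the post.
SERVER_PRIV = base64.b64encode(bytes([1] * 32)).decode()
SERVER_PUB = base64.b64encode(bytes([2] * 32)).decode()
ANDROID_PRIV = base64.b64encode(bytes([3] * 32)).decode()
ANDROID_PUB = base64.b64encode(bytes([4] * 32)).decode()
LAPTOP_PUB = base64.b64encode(bytes([5] * 32)).decode()


def check_key(b64):
    """A WireGuard key is exactly 32 bytes, base64-encoded; reject anything else early."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes, got %d" % len(raw))
    return b64


def server_hostname_wg0(server_privkey, server_addr, port, peers):
    """Render /etc/hostname.wg0 (OpenBSD): one wgpeer line per client, each with its own /32.

    peers: [{"pubkey": <base64>, "address": "10.0.0.2"}, ...]
    """
    check_key(server_privkey)
    subnet = ipaddress.ip_interface(server_addr).network
    lines = ["wgkey %s wgport %d" % (server_privkey, port), "inet %s" % server_addr]
    seen = set()
    for peer in peers:
        addr = ipaddress.ip_address(peer["address"])
        if addr not in subnet:
            raise ValueError("%s is outside the tunnel subnet %s" % (addr, subnet))
        if addr in seen:
            raise ValueError("%s is already assigned to another peer" % addr)
        seen.add(addr)
        lines.append("wgpeer %s wgaip %s/32" % (check_key(peer["pubkey"]), addr))
    lines.append("up")
    return "\n".join(lines) + "\n"


def client_conf(client_privkey, address, server_pubkey, endpoint,
                dns=None, keepalive=None, allowed_ips="0.0.0.0/0"):
    """Render a wg-quick / Android style configuration for one client."""
    ipaddress.ip_interface(address)  # raises on a malformed address
    out = ["[Interface]", "PrivateKey = %s" % check_key(client_privkey), "Address = %s" % address]
    if dns:
        out.append("DNS = %s" % dns)
    out += ["", "[Peer]", "PublicKey = %s" % check_key(server_pubkey),
            "AllowedIPs = %s" % allowed_ips, "Endpoint = %s" % endpoint]
    if keepalive:
        out.append("PersistentKeepalive = %d" % keepalive)
    return "\n".join(out) + "\n"


def write_secret(path, content):
    """Create a file holding a private key with mode 0600 from the start (O_EXCL: never
    overwrite an existing file silently) and return the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return oct(os.stat(path).st_mode & 0o777)


def write_secret_to_tmp(content):
    """Write `content` into a fresh temporary directory; returns (path, mode string)."""
    path = os.path.join(tempfile.mkdtemp(), "hostname.wg0")
    return path, write_secret(path, content)


PEERS = [{"pubkey": ANDROID_PUB, "address": "10.0.0.2"},
         {"pubkey": LAPTOP_PUB, "address": "10.0.0.4"}]

if __name__ == "__main__":
    server_cfg = server_hostname_wg0(SERVER_PRIV, "10.0.0.1/24", 51820, PEERS)
    print(server_cfg)
    print(client_conf(ANDROID_PRIV, "10.0.0.2/24", SERVER_PUB, "203.0.113.10:51820", dns="10.0.0.1"))
    path, mode = write_secret_to_tmp(server_cfg)
    print("wrote", path, "with mode", mode)
```

Pipe the client output into qr as the post does for the phone, or copy it to /usr/local/etc/wireguard/wg0.conf on the laptop; the server file goes to /etc/hostname.wg0 followed by sh /etc/netstart wg0.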

Starting and stopping the VPN

Once the configuration is in place, you can bring up the VPN with:

# wg-quick up wg0

This creates the wg0 network interface and establishes the encrypted tunnel to your OpenBSD server. To check the status, run:

# wg

This shows the active peers, handshake times, and data transferred.

When you’re done using the VPN, bring the interface down:

# wg-quick down wg0

These two commands are all you need for manual control of your WireGuard connection.

With this setup, your FreeBSD laptop can securely connect to your OpenBSD WireGuard server whether you're on your home network, a public hotspot, or tethered to your smartphone. The combination of FreeBSD and WireGuard's simplicity makes for a fast, reliable, and private connection that you can manage entirely from the terminal.
