init

README.md

@@ -0,0 +1,29 @@
+# Wireguard config for OpenBSD
+
+## Server
+```sh
+pkg_add wireguard-tools
+pkg_add qrencode #optional
+sh wireguard_server.sh
+```
+### For each client
+```sh
+sh wireguard_client.sh client_name
+```
+- config file will be generated at /etc/wireguard/clients/client_name.conf
+- qr code will be generated
+
+
+## Client
+```sh
+wg-quick up client_name.conf
+```
+
+### IOS
+https://apps.apple.com/us/app/wireguard/id1441195209 (App Store)
+https://apps.apple.com/us/app/wireguard/id1451685025 (Mac App Store)
+
+
+### Android
+https://play.google.com/store/apps/details?id=com.wireguard.android
+https://f-droid.org/en/packages/com.wireguard.android/

wireguard_client.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+if [ "$(id -u)" -ne 0 ]; then
+	echo "This script must be run as root"
+	exit 1
+fi
+
+if [ -z "$1" ]; then
+  echo "Usage: $0 <client>"
+  exit 1
+fi
+
+client=$1
+server_ip=$(curl ipinfo.io/ip)
+interface="wg0"
+config_file="/etc/wireguard/${interface}.conf"
+clients_dir="/etc/wireguard/clients"
+server_port=$(grep "ListenPort" ${config_file} | awk '{print $3}')
+
+last_ip=$(tail -n 1 ${config_file} |\
+		grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}")
+new_ip=$(echo "$last_ip" | awk -F. '{print $1"."$2"."$3"."$4+1}')
+client_ip="${new_ip}/32"
+
+mkdir -p ${clients_dir}
+cd ${clients_dir} || exit
+server_public=$(cat "../public.key")
+umask 077 && wg genkey > "${client}_private.key"
+wg pubkey < "${client}_private.key" > "${client}_public.key"
+
+client_private=$(cat "${client}_private.key")
+client_public=$(cat "${client}_public.key")
+
+cat > "${client}.conf" << EOF
+[Interface]
+PrivateKey = ${client_private}
+Address=${client_ip}
+DNS = 9.9.9.9
+
+# Server
+[Peer]
+PublicKey = ${server_public}
+Endpoint = ${server_ip}:${server_port}
+AllowedIPs = ::/0, 0.0.0.0/0
+PersistentKeepalive = 25
+EOF
+
+cat >> ${config_file} << EOF
+
+# client [${client}]
+[Peer]
+PublicKey = ${client_public}
+AllowedIPs = ${client_ip}
+EOF
+
+qrencode --read-from="${client}.conf" --type=UTF8 --level=M
+
+sh /etc/netstart ${interface}
+cat "${clients_dir}/${client}.conf"

wireguard_server.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+if [ "$(id -u)" -ne 0 ]; then
+	echo "This script must be run as root"
+	exit 1
+fi
+
+random_digits=$(LC_ALL=C tr -dc 0-9 </dev/urandom | head -c 4)
+server_port="5${random_digits}"
+interface="wg0"
+config_file="/etc/wireguard/${interface}.conf"
+
+pkg_add wireguard-tools
+sysctl net.inet.ip.forwarding=1
+sysctl net.inet6.ip6.forwarding=1
+echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
+echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf
+mkdir -p /etc/wireguard
+chmod 700 /etc/wireguard
+cd /etc/wireguard || exit
+wg genkey > private.key
+chmod 600 private.key
+wg pubkey < private.key > public.key
+server_private=$(cat "private.key")
+
+cat > ${config_file} << EOF
+[Interface]
+PrivateKey = ${server_private}
+ListenPort = ${server_port}
+EOF
+
+cat > /etc/hostname.${interface} << EOF
+inet 10.0.0.1 255.255.255.0 NONE
+up
+
+!/usr/local/bin/wg setconf ${interface} ${config_file}
+EOF
+
+# pf
+cat >> /etc/pf.conf << EOF
+pass in on ${interface}
+pass in inet proto udp from any to any port ${server_port}
+pass out on egress inet from (${interface}:network) nat-to (vio0:0)
+EOF
+
+sh /etc/netstart ${interface}
+pfctl -f /etc/pf.conf