VPN as exit point
Selecting a VPN provider
Very few VPN providers allow you to use WireGuard with a manual configuration; they usually force you to use their own binary utilities. One exception (I haven’t looked for others) is Mullvad, which allows you to download a raw configuration file.
Furthermore, it gives you a web API to check the state of your connection:
Configuration
Create VPN interface vpn0:
- it’s a renamed cloned WireGuard interface
- created on a dedicated empty routing table (fib 1)
- associated to group vpn for easy management from the firewall
Now we need to generate a key pair that will be used for requesting a configuration for our device.
Once the configuration information has been retrieved, it will be used to configure FreeBSD startup scripts.
In the case of Mullvad, the configuration can be generated here:
And you will get something like:
Note that the configuration is generated such that:
- IPv4 and IPv6 assigned addresses are tied to the interface key
- Each endpoint address has a different key
The Address and DNS fields are not used/understood by wg setconf, and will need to be stripped from the configuration before it can be used with it, using for example:
These removed fields will need to be used in other configuration parts:
- Address will be used directly by ifconfig in /etc/rc.conf
- DNS can be used in resolv.conf to rely on the VPN-provided DNS server and avoid DNS leaks to your ISP… but if you are already using your own DNS server that can be unnecessary
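As an added example (not code from the original post), the following POSIX shell helpers perform that stripping and extraction in one place, on a constructed sample configuration with placeholder keys and addresses; the vpn0 interface name is the post's, and the rc.conf variable names assume FreeBSD's ifconfig_<interface> convention.

```shell
# Added example, not from the original post: split a provider-generated
# wg-quick style configuration into the subset accepted by `wg setconf`
# and recover the Address/DNS values for /etc/rc.conf and /etc/resolv.conf.
# The sample configuration is constructed; keys and addresses are placeholders.
sample_conf() {
cat <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.64.0.2/32,fc00:bbbb:bbbb:bb01::1:1/128
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 203.0.113.10:51820
EOF
}

# Keep section headers, blank lines and only the fields wg setconf understands.
strip_for_setconf() {
  awk '/^\[/ || /^[[:space:]]*$/ { print; next }
       /^(PrivateKey|ListenPort|FwMark|PublicKey|PresharedKey|AllowedIPs|Endpoint|PersistentKeepalive)[[:space:]]*=/ { print }'
}

# Print the value of one key from the [Interface] section (first match only).
interface_field() {
  awk -v key="$1" '
    /^\[/ { in_iface = ($0 == "[Interface]"); next }
    in_iface && $0 ~ ("^" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }'
}

# rc.conf lines for vpn0 (ifconfig_<if> / ifconfig_<if>_ipv6 convention):
# first IPv4 and first IPv6 address listed in Address.
rc_conf_lines() {
  addrs=$(interface_field Address | tr ',' '\n')
  v4=$(printf '%s\n' "$addrs" | grep -v ':' | head -n 1)
  v6=$(printf '%s\n' "$addrs" | grep ':' | head -n 1)
  [ -n "$v4" ] && printf 'ifconfig_vpn0="inet %s"\n' "$v4"
  [ -n "$v6" ] && printf 'ifconfig_vpn0_ipv6="inet6 %s"\n' "$v6"
  return 0
}

# resolv.conf line pointing at the provider DNS, so queries do not leak to the ISP.
resolv_conf_line() {
  dns=$(interface_field DNS)
  [ -n "$dns" ] && printf 'nameserver %s\n' "$dns"
  return 0
}
```

Run as `sample_conf | strip_for_setconf > vpn0.conf` to get a file usable with `wg setconf vpn0 vpn0.conf`, and `sample_conf | rc_conf_lines` for the rc.conf fragment.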
Interface vpn0 is initialized with the IP addresses that have been allocated for it on the VPN server side:
The defaultif directive is not supported by the interface, so it cannot be used to indicate that we want this to be the default route if none is present. We need to add a default route ourselves:
As FreeBSD integration with WireGuard has been delayed to the 13.1 release, we will need to rely on /etc/rc.local and /etc/rc.shutdown.local to perform additional configuration steps that can’t be performed yet in /etc/rc.conf:
When using wg setconf, only the following fields are allowed in the configuration file:

| Section | Fields |
|---|---|
| Interface | PrivateKey, ListenPort, FwMark |
| Peer | PublicKey, PresharedKey, AllowedIPs, Endpoint, PersistentKeepalive |
Incoming VPN
Server configuration
If you have a firewall, you will need to tailor the following configuration fragment to your needs:
Generating device configuration
This will need to be done for each device that is allowed to connect to the VPN.
- Create a key pair.
  Generate the private/public key pair:
  ```
  wg genkey | tee device.key | wg pubkey > device.pubkey
  ```
  ```
  $ cat device.key
  CJ4r+v57yCwRfDR4uYqa7R8RUQQ9fe33DDGAyOcpFUI=
  $ cat device.pubkey
  VQIfnjUiX4RJzg+6mx6KgYEZu9UtouKEUrWpfLUwQQ0=
  ```
- Create the configuration file. Here the peer is the server to which we will connect to establish the VPN connection, and we will allow routing all the traffic to the VPN (look for: 0.0.0.0/0,::0/0).
- Generate a QR-code (optional). A QR-code allows easy integration with the Android WireGuard application, which can be found on:
  - F-Droid: https://f-droid.org/en/packages/com.wireguard.android/
  - Play Store: https://play.google.com/store/apps/details?id=com.wireguard.android

  Generate the QR-code from the config file:
  ```
  qrencode -t ansiutf8 < device.conf
  ```
- Add the device peer to the server. You usually want to restrict the allowed-ips to the same set of addresses defined in Address in the client configuration file.
  Adding the peer on the server side:
  ```
  wg set vpn0 peer VQIfnjUiX4RJzg+6mx6KgYEZu9UtouKEUrWpfLUwQQ0= \
      allowed-ips 192.168.110.2/32
  ```
FAQ