=======================================
FreeBSD 14.1 WireGuard in-kernel
=======================================
Create a VPN using the FreeBSD kernel implementation of WireGuard. WireGuard can be
reconfigured on the fly to connect to, and accept connections from, many endpoints.
It is available on pretty much all major operating systems; you can even use it to
quickly create a VPN between two phones.

Server public ip:port = 88.77.66.55:444 (you can use NAT to forward the UDP port to your private IP)
Server private ip     = 192.168.100.11/24
Server wireguard ip   = 10.50.50.1/32
steven wireguard ip   = 10.50.50.2/32
erika wireguard ip    = 10.50.50.3/32
=======================================
/etc/rc.conf gateway to LAN (optional)
---------------------------------------
gateway_enable="YES"
=======================================
Add static route to wireguard gateway on local LAN machines (optional)
---------------------------------------
# freebsd /etc/rc.conf
static_routes="wireguard"
route_wireguard="-net 10.50.50.0/24 192.168.100.11"
.......................................
# linux /etc/network/interfaces
up route add -net 10.50.50.0/24 gw 192.168.100.11 dev enp0s3
.......................................
# windows
route -p ADD 10.50.50.0 MASK 255.255.255.0 192.168.100.11
=======================================
Install wireguard-tools
---------------------------------------
pkg install wireguard-tools
=======================================
Generate some WireGuard keys
---------------------------------------
cd /usr/local/etc/wireguard
# tee creates the .key files with the current umask; set umask 077 first (or use
# the chmod further down) so the private keys are never world-readable
# server keys
wg genkey | tee wg0.key | wg pubkey > wg0_pub.key
- private key: EFnH8URxTo4KMQJm4OI8VfGOsEd3wqt932bNlCegEnk=
- public key:  tjX9Wl9mZZDqXPyckCAos24PgFaRsFS6bQgvd6Mh3xs=
# steven keys
wg genkey | tee steven.key | wg pubkey > steven_pub.key
- private key: 8CEdguNUCydTkHVzjy+JnHFooOpDlyE42VsNHhJbG2c=
- public key:  KAjMnyMzkxNydH4jlvwHUUAX9y9tvk56x7BvTWUA9E8=
# erika keys
wg genkey | tee erika.key | wg pubkey > erika_pub.key
- private key: kMV70d8p7V2sI/0WC4fBIMDYhGdewevzM/V0LcrqtH4=
- public key:  QYi8RMPwEDvY4Mw6vDIuFmFiIYDVsXe+QGfsmJTQyX8=
=======================================
/usr/local/etc/wireguard/wg0.conf
---------------------------------------
# server config with two clients
[Interface] # wg0
Address = 10.50.50.1/24
PrivateKey = EFnH8URxTo4KMQJm4OI8VfGOsEd3wqt932bNlCegEnk=
ListenPort = 444

[Peer] # steven
PublicKey = KAjMnyMzkxNydH4jlvwHUUAX9y9tvk56x7BvTWUA9E8=
AllowedIPs = 10.50.50.2/32

[Peer] # erika
PublicKey = QYi8RMPwEDvY4Mw6vDIuFmFiIYDVsXe+QGfsmJTQyX8=
AllowedIPs = 10.50.50.3/32
=======================================
/usr/local/etc/wireguard/steven.conf
---------------------------------------
# steven config
[Interface] # steven
Address = 10.50.50.2/32
# steven.key
PrivateKey = 8CEdguNUCydTkHVzjy+JnHFooOpDlyE42VsNHhJbG2c=

[Peer] # wg0
# wg0_pub.key (the server's public key, not the client's)
PublicKey = tjX9Wl9mZZDqXPyckCAos24PgFaRsFS6bQgvd6Mh3xs=
Endpoint = 88.77.66.55:444
# full tunnel
# AllowedIPs = 0.0.0.0/0
# split tunnel
AllowedIPs = 192.168.100.0/24
=======================================
/usr/local/etc/wireguard/erika.conf
---------------------------------------
# erika config
[Interface] # erika
Address = 10.50.50.3/32
# erika.key
PrivateKey = kMV70d8p7V2sI/0WC4fBIMDYhGdewevzM/V0LcrqtH4=

[Peer] # wg0
# wg0_pub.key
PublicKey = tjX9Wl9mZZDqXPyckCAos24PgFaRsFS6bQgvd6Mh3xs=
Endpoint = 88.77.66.55:444
# full tunnel
# AllowedIPs = 0.0.0.0/0
# split tunnel
AllowedIPs = 192.168.100.0/24
---------------------------------------
# the .conf files contain private keys, so keep them unreadable to other users
chmod 640 /usr/local/etc/wireguard/*
=======================================
/// STARTING WIREGUARD BY HAND ////////
=======================================
wg-quick up wg0
---------------------------------------
wg-quick down wg0
=======================================
/// STARTING WIREGUARD SERVICE ////////
=======================================
Start the WireGuard service on boot.
=======================================
/etc/rc.conf
---------------------------------------
# wireguard
wireguard_enable="YES"
wireguard_interfaces="wg0"
gateway_enable="YES"
---------------------------------------
service wireguard start
=======================================
/// WIREGUARD MANAGEMENT //////////////
=======================================
wg
wg show all dump
wg showconf wg0
wg showconf steven    # on the client
# sync: this is broken. The space after "<" turns it into a plain redirect from
# "(", a syntax error, and <(...) process substitution is a bash/zsh feature that
# FreeBSD's /bin/sh and tcsh do not have
wg syncconf wg0 < (wg-quick strip wg0)
# sync: this works. wg syncconf only understands wg(8) keys, so the wg-quick-only
# Address line has to be stripped out first
wg-quick strip wg0 > /usr/local/etc/wireguard/wg0strip.conf
wg syncconf wg0 /usr/local/etc/wireguard/wg0strip.conf
rm /usr/local/etc/wireguard/wg0strip.conf
=======================================
If you like to tinker...
---------------------------------------
wg set wg0 listen-port 444 private-key /usr/local/etc/wireguard/wg0.key
wg set wg0 peer KAjMnyMzkxNydH4jlvwHUUAX9y9tvk56x7BvTWUA9E8= allowed-ips 10.50.50.2/32
wg set wg0 peer QYi8RMPwEDvY4Mw6vDIuFmFiIYDVsXe+QGfsmJTQyX8= allowed-ips 10.50.50.3/32
# setconf/syncconf reject the wg-quick-only Address line in wg0.conf; feed them
# the stripped file from the sync recipe above instead
wg setconf wg0 /usr/local/etc/wireguard/wg0strip.conf
wg syncconf wg0 /usr/local/etc/wireguard/wg0strip.conf
=======================================
/// WIREGUARD FREEBSD REMOTE CLIENT ///
=======================================
1. Run: pkg install wireguard-tools
2. Copy the steven.conf file to /usr/local/etc/wireguard/steven.conf
3. Run: wg-quick up steven
---------------------------------------
wg-quick down steven
=======================================
/// WIREGUARD ANDROID CLIENT //////////
=======================================
1. Install the WireGuard app on the client
2. Import the steven.conf file
3. Activate the tunnel
=======================================
References
---------------------------------------
https://man.freebsd.org/cgi/man.cgi?query=wg
https://man.freebsd.org/cgi/man.cgi?query=wg-quick
https://www.wireguard.com/
=======================================
Done
=======================================
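A consistency check for the wg0.conf / steven.conf / erika.conf pairs above (a peer only handshakes and routes when the client's [Peer] PublicKey is really the server's, its Address sits in one of the server's AllowedIPs, and its Endpoint port is the server's ListenPort), as an added POSIX sh example that is not part of these notes. The function names ini_get, check_client and make_samples are assumed here, and the sample configs are constructed inline from the keys generated above.

```shell
#!/bin/sh
# Added example: cross-check a WireGuard server config against a client config.
# ini_get/check_client/make_samples are names assumed here; sample configs are
# constructed inline from the keys generated in the notes above.
# ini_get FILE SECTION KEY: print KEY's value inside every [SECTION] block,
# skipping "#" comment lines and the trailing "# name" on section headers.
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*#/ { next }
    /^\[/ { cur = $1; next }
    cur == "[" sec "]" && $1 == key && $2 == "=" { print $3 }' "$1"
}

# check_client SERVER_CONF CLIENT_CONF SERVER_PUBKEY: return 0 when the pair is
# consistent, 1 (printing a reason) when a handshake or routing would fail:
# the client's [Peer] PublicKey must be the server's key, its Address must be
# in a server [Peer] AllowedIPs, and its Endpoint port must equal ListenPort.
check_client() {
  srv=$1 cli=$2 pub=$3 rc=0
  [ "$(ini_get "$cli" Peer PublicKey)" = "$pub" ] ||
    { echo "$cli: [Peer] PublicKey is not the server public key"; rc=1; }
  addr=$(ini_get "$cli" Interface Address)
  ini_get "$srv" Peer AllowedIPs | grep -qxF "$addr" ||
    { echo "$cli: Address $addr is in no server AllowedIPs"; rc=1; }
  ep=$(ini_get "$cli" Peer Endpoint); port=${ep##*:}
  [ "$port" = "$(ini_get "$srv" Interface ListenPort)" ] ||
    { echo "$cli: Endpoint port $port differs from server ListenPort"; rc=1; }
  return $rc
}
SERVER_PUB=tjX9Wl9mZZDqXPyckCAos24PgFaRsFS6bQgvd6Mh3xs=   # wg pubkey < wg0.key
# make_samples DIR: write a constructed, consistent server/client pair.
make_samples() {
  cat > "$1/wg0.conf" <<'EOF'
[Interface] # wg0
Address = 10.50.50.1/24
ListenPort = 444
[Peer] # steven
PublicKey = KAjMnyMzkxNydH4jlvwHUUAX9y9tvk56x7BvTWUA9E8=
AllowedIPs = 10.50.50.2/32
EOF
  cat > "$1/steven.conf" <<'EOF'
[Interface] # steven
Address = 10.50.50.2/32
[Peer] # wg0
PublicKey = tjX9Wl9mZZDqXPyckCAos24PgFaRsFS6bQgvd6Mh3xs=
Endpoint = 88.77.66.55:444
AllowedIPs = 192.168.100.0/24
EOF
}
```

To try it, run make_samples on an empty directory and then check_client with that directory's wg0.conf and steven.conf plus "$SERVER_PUB"; pointing it at the real /usr/local/etc/wireguard files works the same way, since it only reads them.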