Title: OpenBSD scripts to convert wg-quick VPN files
       Author: Solène
       Date: 27 April 2024
       Tags: openbsd vpn security
       Description: In this article, you will learn about scripts that
       allow using commercial VPN provider files on OpenBSD
       
       # Introduction
       
       If you use a commercial VPN, you may have noticed they all provide
       WireGuard configurations in the wg-quick format, which is not
       suitable for easy use on OpenBSD.
       
       As I currently work a lot for a VPN provider, I often have to play with
       configurations and I really needed a script to ease my work.
       
       I made a shell script that turns a wg-quick configuration into a
       hostname.if compatible file, for a full integration into OpenBSD.  This
       is practical if you always want to connect to a given VPN server, not
       for temporary connections.
       
 (HTM) OpenBSD manual pages: hostname.if
 (HTM) Sourcehut project: wg-quick-to-hostname-if
       
       # Usage
       
       It is really easy to use: download the script and mark it executable,
       then run it with your wg-quick configuration as a parameter.  It will
       output the hostname.if file to the standard output.
       
       ```
       wg-quick-to-hostname-if fr-wg-001.conf | doas tee /etc/hostname.wg0
       ```
       
       In the generated file, it uses a trick to dynamically figure out the
       current default route, which is required to keep a non-VPN route to
       the VPN gateway.
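
       The mapping from wg-quick keys to ifconfig wg directives, as an added
       example that is not the Sourcehut script nor code from this article.
       The names wgquick_to_hostname_if and sample_wgquick_conf, the sample
       values, and the route line are assumptions; it handles one [Peer] with
       an IPv4 address:port endpoint and does not replace the default route.

```shell
# Added example, not the Sourcehut script: map a single-peer wg-quick file
# to hostname.if(5) lines. Function names and sample values are constructed.
wgquick_to_hostname_if() {
    awk '
    { sub(/\r$/, ""); sub(/[ \t]*#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^\[/ { section = tolower($0); next }
    {
        eq = index($0, "=")          # split on the first "=": base64 keys end in "="
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
        conf[section "." key] = val
    }
    END {
        priv = conf["[interface].privatekey"]; pub = conf["[peer].publickey"]
        if (priv == "" || pub == "") { print "missing key" > "/dev/stderr"; exit 1 }
        print "wgkey " priv
        peer = "wgpeer " pub
        ep = conf["[peer].endpoint"]  # assumed to be an IPv4 address:port
        if (ep != "") { split(ep, e, ":"); peer = peer " wgendpoint " e[1] " " e[2] }
        n = split(conf["[peer].allowedips"], aip, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) peer = peer " wgaip " aip[i]
        psk = conf["[peer].presharedkey"]; pka = conf["[peer].persistentkeepalive"]
        if (psk != "") peer = peer " wgpsk " psk
        if (pka != "") peer = peer " wgpka " pka
        print peer
        n = split(conf["[interface].address"], addr, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) { fam = (addr[i] ~ /:/) ? "inet6 " : "inet "; print fam addr[i] }
        print "up"
        # Assumed approach: pin the endpoint to the default gateway found at apply time.
        if (ep != "")
            print "!route -n add -host " e[1] " $(route -n get default | awk \047/gateway:/ {print $2}\047)"
    }' "$1"
}

# Constructed sample input; the keys are placeholders, not real key material.
sample_wgquick_conf() {
    printf '%s\n' '[Interface]' \
        'PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' \
        'Address = 10.2.0.2/32, fd00::2/128' \
        'DNS = 10.2.0.1   # no hostname.if equivalent, ignored' \
        '[Peer]' \
        'PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=' \
        'AllowedIPs = 0.0.0.0/0, ::/0' \
        'Endpoint = 192.0.2.10:51820' \
        'PersistentKeepalive = 25'
}
```

       The output holds the WireGuard private key, so the resulting
       /etc/hostname.wg0 should not be world-readable.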
       
       # Short VPN sessions
       
       When I shared my script on Mastodon, Carlos Johnson shared their own
       script which is pretty cool and complementary to mine.
       
       If you prefer to establish a VPN for a limited session, you may want to
       take a look at his script.
       
 (HTM) Carlos Johnson GitHub: file-wg-sh gist
       
       # Prevent leaks
       
       If you need your WireGuard VPN to be leakproof (= no network traffic
       should leave the network interface outside the VPN if it's not toward
       the VPN gateway), you should absolutely do the following:
       
       * your WireGuard VPN should be on rdomain 0
       * WireGuard VPN should be established on another rdomain
       * use PF to block traffic on the other rdomain that is not toward the
       VPN gateway
       * use the VPN provider DNS or a no-log public DNS provider
       
 (HTM) Older blog post: WireGuard and rdomains
       
       # Conclusion
       
       OpenBSD's ability to configure WireGuard VPNs with ifconfig has always
       been an incredible feature, but it was not always fun to convert from
       wg-quick files.  But now, using a commercial VPN got a lot easier
       thanks to a few pieces of shell.