drkhsh.at

 (DIR) <- Back
       
       
       # Using Mullvad WireGuard VPN on OpenBSD
       
       Last modification on 2023-03-02
       
       
       Recently I bought a ThinkPad X230 from a friend to use as a lightweight but
       robust travel laptop. I looked for a simpler and especially more
       battery-pleasing operating system than Qubes OS (which I use on my main
       machine) - but without compromising security on the run.
       So I went with installing OpenBSD (I have been using it on dozens of other
       machines, especially servers), as it seems to fit my usecases pretty well.
       
       To be suitable as a travel machine, a VPN is essential for my needs. The
       provider I am using at the moment is Mullvad[^1]. Easy I thought, download the
       WireGuard config files and go ...
       
       Nope, that just wasn't it. OpenBSD uses *ifconfig(8)* to configure WireGuard
       interfaces and a different syntax from Linux's *wg-quick* files. So, I
       translated the configs to the OpenBSD syntax, and... still no connection.
       
       Turns out OpenBSD needs some deluxe routing rules to correctly tunnel the VPN
       traffic. So I found a forum thread[^2], which proposed a fix and a blog post
       explaining a slightly different setup but still containing useful
       information[^3] - but still, it wasn't working for me.
       
       With a lot of route and WireGuard magic, and reading miles of OpenBSD man pages
       (which I love, btw), I got it to work finally. Here I want to show you my
       setup/configs so you won't have to spend an evening worth of time for route
       fixing too.
       
       ```
       # hostname.wg0
       description "Mullvad WireGuard (xx-xxx-wg-001)"
       inet <client ip>/32
       wgkey foo wgpeer bar wgendpoint <endpoint ip> <port> wgaip 0.0.0.0/0 wgpka 20 wgrtable 1
       wgrtable 1
       up
       !route add default -net <client ip>
       ```
       
       For each of your outgoing network interfaces (Wifi, Ethernet), add `rdomain 1`
       to the `hostname.if` file.
       
       ```
       # resolv.conf
       nameserver 10.64.0.3 # mullvad
       lookup file bind
       ```
       
       To skip the VPN route temporarily, one can use the following command:
       
       ```
       $ route -T 1 exec <command>
       ```
       
       When something does not work as expected using following command, debugging
       messages can be enabled on the WireGuard interface using `ifconfig wg0 debug`
       and read in `dmesg`.
       
       Edit: Somehow, reconnection after suspend or network reconnect is slow, maybe
       anyone knows a fix?
       
       [^1]: https://mullvad.net/
       [^2]: https://www.unitedbsd.com/d/421-setting-up-a-wireguard-vpn-connection-on-openbsd-how-to/2
       [^3]: https://dataswamp.org/~solene/2021-10-09-openbsd-wireguard-exit.html
       
       .