Thomas Ward's website
Thoughts on AI, surgery, programming, and more.

Securely tunnel smart phone traffic with WireGuard and OpenBSD

Posted on

Table of Contents


Learn how to securely tunnel smart phone traffic over a WireGuard VPN with an OpenBSD 6.8 endpoint using the newly released in-kernel wg(4) driver with only base utilities.


Why tunnel internet traffic?

When you browse the internet, check emails, use social media, etc. on your laptop or smart phone, the traffic must go from your device, through the local network, then through the wider internet until it ultimately reaches the destination server. Whoever runs the local Wi-Fi or cell network can see what websites you visit, and if the connection to the website is not encrypted, exactly what you are sending and receiving from the site. Further, if the Wi-Fi network is not encrypted (an open insecure network with no password), then any user on the network can also read your traffic!

One way to keep your browsing and activity private and secured from the people on the local network is to tunnel it through an encrypted Virtual Private Network (VPN). I commonly do this when using public Wi-Fi at airports, libraries, restaurants, etc. to secure my internet traffic from potential eavesdroppers. Ways to obtain a VPN include buying one from a commercial VPN provider, but this shifts the issue of who can look at your traffic from people on the Wi-Fi to this provider. Instead, I setup my own VPN (using WireGuard) on a virtual private server (VPS) that I own on Vultr that runs on OpenBSD, my favorite operating system.

What is WireGuard?

WireGuard is becoming the go-to software to create a VPN. Compared to common alternatives (OpenVPN, IPsec) it is simpler, faster, and uses modern cryptography (making it arguably more secure). OpenBSD has had user-land support for WireGuard using WireGuard-go. OpenBSD 6.8 was released today (2020-10-18) and now includes an in-kernel WireGuard implementation wg(4). Being in-kernel, this implementation is faster. It also means we can skip using extra software and use base-only utilities for simple, easy configuration.

What will things look like at the end?

Your smart phone will enable the VPN through one-click on the WireGuard app. All traffic on your phone will then go over an encrypted tunnel to the OpenBSD endpoint server, after which, it will route to the rest of the internet. This will protect your traffic from anyone snooping on the Wi-Fi or cell network.

OpenBSD Configuration.

Below shows configuration for an OpenBSD server to be a WireGuard endpoint. All instructions below pertain to OpenBSD 6.8 released on 2020-10-18.

Network setup

Below will set-up some background configuration to allow tunneling of packets and configure the firewall:

  1. Enable internet protocol (IP) forwarding

    This will allow packets to move between the WireGuard interface and the egress interface.

    First enable it on the running system:

    # sysctl net.inet.ip.forwarding=1

    Then make it be enabled after system reboot:

    # echo  'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
  2. Configure pf

    Configure OpenBSD's firewall/packet filter, pf(4) to open the port for WireGuard, allow traffic between WireGuard peers, and forward tunneled traffic from the client to the internet. To do so, add the following lines to your pf.conf(5):

    # wireguard
    # open wireguard port
    pass in on egress proto udp from any to any port 51820
    # allow communication between wireguard peers
    pass on wg0
    # allow clients connected to wg0 to tunnel their outside world traffic
    pass out on egress inet from (wg0:network) nat-to (egress:0)

WireGuard Configuration

Previous to OpenBSD 6.8, configuration required the wireguard-tools packages. Now that WireGuard is in base, we can do all configuration with base utils. This is all nicely documented in the manual pages ( wg(4), ifconfig(4)) and summarised below:

Set-up wg0

  1. Generate a end point private key

    WireGuard uses a Curve25519 key that is 32 bytes in length and base64 encoded. A Curve25519 key needs 5 particular bits to be configured in a certain way to valid, but wg(4) can correct this from any randomly generated 32 bytes. Therefore, we just need a 32 bytes random base 64 encoded string and can use openssl(1) for that:

    $ openssl rand -base64 32 > ep_private.key

    This will save the private key to ep_private.key. Keep a hold of this for now. We can delete it after the set-up is complete.

  2. Bring up wg0 interface

    # ifconfig wg0 create wgkey "$(cat ep_private.key)" wgport 51820
  3. Save end point public key

    Bringing up the wg0 interface generates a public key from the private key. You will need to give this public key to the client (your laptop, smart phone etc), so save it for now:

    # ifconfig wg0 | grep wgpubkey | cut -d ' ' -f 2 > ep_public.key
  4. Assign wg0 an IP address

    This IP address will be the IP address your endpoint will have on the VPN. The OpenBSD endpoint will be reachable at by clients (smartphone, laptop, etc) which will also be on the subnet. I recommend picking an ip address range randomly to prevent any collision between a network you may join and your WireGuard network (eg To keep things simple for this tutorial I'll just use subnet and give the end point the first IP address:

    # ifconfig wg0

wg0 is now set up and functional.

Generate public/private key pair for client

Below is a bit of a hack so we can use base utilities only. It brings up a temporary wg interface with a generated private key just so we can extract the generated public key.

  1. Generate a client private key

    $ openssl rand -base64 32 > client1_private.key

    This will save the private key to client1_private.key. Keep a hold of this for now. We can delete it after the set-up is complete.

  2. Bring up wg1 interface

    Note, I'm picking a different port (this can be whatever you want) since wg0 is already up on 51820.

    # ifconfig wg1 create wgkey "$(cat client1_private.key)" wgport 51822
  3. Save client public key

    You will need to use this public key on the OpenBSD endpoint in order for the client to connect.

    # ifconfig wg1 | grep wgpubkey | cut -d ' ' -f 2 > client1_public.key
  4. Remove the temporary wg1 interface

    This will remove the temporary interface we created to extract keys:

    # ifconfig wg1 destroy

Finalize setting up OpenBSD Endpoint

Now that we have the client's public key, we can establish a WireGuard peer on the endpoint to allow the client to connect:

# ifconfig wg0 wgpeer "$(cat client1_public.key)" wgaip

This will limit the IP address of the peer to Changed the IP address to the IP address you would like on the subnet you picked.

Enable configuration to persist on reboot

With the above instructions, your endpoint works. However, it will not work once you reboot the operating system. Save this configuration with the below text in /etc/hostname.wg0:

wgkey REPLACE_WITH_EP_PRIVATE_KEY wgport 51820

Making sure to replace REPLACE_WITH_EP_PRIVATE_KEY with the text stored in ep_private.key and REPLACE_WITH_CLIENT1_PUBLIC_KEY with the text stored in client1_public.key.

Make sure the permissions for /etc/hostname.wg0 are correct so users outside of root and those in the group wheel cannot read the keys:

# chmod 640 /etc/hostname.wg0
# chown root:wheel /etc/hostname.wg0

Now, after a reboot OpenBSD will bring up the WireGuard endpoint for you automatically.

Smart phone configuration

With the endpoint set-up, now you just need to configure your smart phone to use the tunnel. The authors of WireGuard provide apps for both Android and iOS. These applications make configuration easy. You just need to take a photo of a QR code made from a client.conf that you can write on your computer. The client.conf should have the following contents:

Address =

AllowedIPs =
Endpoint = OPENBSD_EP_IP_ADDRESS:51820

Make sure to replace REPLACE_WITH_CLIENT1_PRIVATE_KEY with the contents from client1_private.key, REPLACE_WITH_EP_PUBLIC_KEY with the contents from ep_public.key, and OPENBSD_EP_IP_ADDRESS with the IPv4 address of your OpenBSD end point.

Next, generate a qr code with this information using the libqrencode package. If you do not want to install a package outside of base, you can enter the above info by hand into your phone instead. Then do the following to create the code:

$ qrencode -t ansiutf8 < client.conf

If you have issues taking a photo from the QR code generated in your terminal, you can also save it as an image and take a photo of the image.

Open your WireGuard application and take a photo of the QR code, and the app is now configured! Toggle the switch in the app to turn it on. To verify it is working, go to a website like to see your IP address. It should change when the WireGuard tunnel is up to the same address as your OpenBSD end point.

Once everything works, if you want, you can delete the key files and client.conf:

$ rm {client1,ep}_{public,private}.key
$ rm client.conf

Enjoy securely tunneling your traffic with WireGuard!

Optional DNS Resolver

You can additionally setup unbound(8), to serve as a DNS cache and resolver. This will allow you to guarantee that your DNS queries are tunneled to your Wireguard server then sent to your preferred upstream DNS resolver. By setting up unbound, you also cache your DNS requests for some added speed compared to specifying a dedicated public resolver.

Credit goes to David Robert Newman for this part who suggested adding a DNS line to the client configuration.

To do so, you need to:

  1. Setup unbound
  2. Add a DNS resolver to your wireguard client configurations

Setup unbound

  1. Configure unbound to always run on system start
# rcctl enable unbound
  1. Create a /var/unbound/etc/unbound.conf, you can use the below to get started:
        # Only listen locally
        interface: ::1
        access-control: refuse
        access-control: allow
        access-control: allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        hide-identity: yes
        hide-version: yes

        # Perform DNSSEC validation.
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        val-log-level: 2

        # Synthesize NXDOMAINs from DNSSEC NSEC chains.
        aggressive-nsec: yes

        # Perform DNSSEC validation.
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        name: "."                               # use for ALL queries
        forward-addr:                   # Google DNS
        forward-addr:            # UltraDNS
  1. Start unbound
# /etc/rc.d/unbound start

Add DNS cache to wireguard config

This is easy, you just need to add a DNS line to your client configuration:

Address =

AllowedIPs =
Endpoint = OPENBSD_EP_IP_ADDRESS:51820

Comments, questions, input, concerns?

Please contact me with any questions or input on the article using any of the methods on my contact page.