Isn't a majority of this already in the manual page?

Or alternatively, does your attempt to create a FAQ entry indicate that
the manual page is weak or unsuitable?



> There has been a lot of interest in WireGuard on the OpenBSD subreddit. So
> here is a patch that provides a few basic examples for usage.
> 
> Thanks,
> Jim
> 
> 
> Index: www/faq/faq17.html
> ===================================================================
> RCS file: /cvs/www/faq/faq17.html,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 faq17.html
> --- www/faq/faq17.html        12 Dec 2020 19:07:25 -0000      1.16
> +++ www/faq/faq17.html        2 May 2021 15:08:42 -0000
> @@ -54,6 +54,7 @@ FAQ - Virtual Private Networks (VPN)
>      <li><a href="#clientwindows">With a Windows Client</a>
>    </ul>
>    <li><a href="#clientikev1"    >Connecting to an IKEv1/L2TP OpenBSD VPN</a>
> +  <li><a href="#wireguard"      >WireGuard</a>
>  </ul>
>  
>  <hr>
> @@ -78,12 +79,6 @@ also available and, coupled with
>  <a href="https://man.openbsd.org/npppd";>npppd(8)</a>, it allows you to build
>  an IKEv1/L2TP VPN where IKEv2 can't be deployed.
>  
> -<p>
> -Native WireGuard support is also available via the
> -<a href="https://man.openbsd.org/wg";>wg(4)</a> device.
> -As the manual explains, it can be configured the same way as all other
> -<a href="faq6.html">network interfaces</a> in OpenBSD.
> -
>  <h2 id="authentication">Authentication</h2>
>  
>  <a href="https://man.openbsd.org/iked";>iked(8)</a> supports the following
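Review bot: removing this paragraph takes the only WireGuard mention out of the overview that lists the available VPN technologies (IKEv2, IKEv1/L2TP), so a reader scanning the top of the page no longer sees wg(4) alongside them. Rather than dropping it, keep a one-sentence pointer here to the new anchor, for example `Native WireGuard support is also available via the <a href="https://man.openbsd.org/wg">wg(4)</a> device; see <a href="#wireguard">WireGuard</a> below.`, and let the new section carry the detail.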
> @@ -644,3 +639,169 @@ OpenBSD doesn't provide an L2TP client b
>  
>  Refer to <code>/usr/local/share/doc/pkg-readmes/xl2tpd</code> for 
> instructions
>  on how to properly setup the L2TP client.
> +
> +<h2 id="wireguard">WireGuard</h2>
> +
> +<p>
> +Native WireGuard support is also available via the
> +<a href="https://man.openbsd.org/wg";>wg(4)</a> device.
> +As the manual explains, it can be configured the same way as all other
> +<a href="faq6.html">network interfaces</a> in OpenBSD.
> +
> +<p>
> +WireGuard is an interface based VPN tunnel, which requires more knowledge
> +about networking to get functioning.
> +It can act as a responder or initiator or both where possible.
> +WireGuard is a connectionless based tunnel, meaning there is no need to worry
> +about daemons or state of the tunnel.
> +The encryption / decryption key that is negotiated has a very short life 
> span of
> +2 minutes and does not rely on the last packet recieved; so it is very 
> resilient
> +against packet loss.
> +
> +<p>
> +Required to forward traffic over WireGuard interfaces.
> +
> +<pre class="cmdbox">
> +# <b>sysctl net.inet.ip.forwarding=1</b>
> +</pre>
> +
> +<h3>Client to Server example</h3>
> +
> +<h4>Server configuration (responder)</h4>
> +
> +<p>
> +Create a persistnent private key and interface, set listening port, get the
> +pubkey that the client will need.
> +
> +<pre class="cmdbox">
> +server# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
> +server# <b># sh /etc/netstart wg0</b>
> +server# <b>ifconfig wg0 wgport 51820</b>
> +server# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
> +zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE=
> +server# <b>ifconfig wg0 inet 192.0.2.1/24</b>
> +server# <b>ifconfig wg0 wgpeer f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg= \
> +                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
> +                wgaip 192.0.2.2/32</b>
> +</pre>
> +
> +<p>
> +PF rules needed for clients to establish a connection and enter and leave on 
> the
> +wg0 interface on the server.
> +The nat-to rule is only needed if you want the client to be able to use the
> +internet of the server.
> +
> +<pre class="cmdbox">
> +pass in on egress inet proto udp to port 51820
> +match out on egress from wg0:network nat-to egress # needed for client to 
> surf the internet
> +pass on wg keep state (if-bound)
> +</pre>
> +
> +<h4>Client configuration (initiator)</h4>
> +
> +<p>
> +Create a persistnent private key and interface and get the pubkey that the
> +server will need.
> +
> +<pre class="cmdbox">
> +client# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
> +client# <b># sh /etc/netstart wg0</b>
> +clinet# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
> +f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg=
> +client# <b>ifconfig wg0 inet 192.0.2.2/24</b>
> +client# <b>ifconfig wg0 wgpeer zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE= \
> +                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
> +                wgendpoint a.b.c.d 51820 wgaip 0.0.0.0/0</b>
> +</pre>
> +
> +<p>
> +PF rules needed for traffic to enter and leave on the wg0 interface on the
> +client.
> +
> +<pre class="cmdbox">
> +pass on wg keep state (if-bound)
> +</pre>
> +
> +<p>
> +Routes needed on client to tunnel all traffic to / through the server.
> +
> +<pre class="cmdbox">
> +client# <b>route add -priority 2 a.b.c.d `netstat -rn | grep default | \
> +        awk ‘{print $2}’`</b>
> +client# <b>route add -priority 7 default 192.0.2.1/24</b>
> +</pre>
> +
> +<h3>Server to Server example</h3>
> +
> +<p>
> +This example shows 2 servers each with another subnet connected to them. Pay
> +close attention to the wgaip info. There can be multiple allowed IP's or
> +subnets each with their own wgaip for the wgpeer line.
> +
> +
> +<h4>Server 1 configuration (initiator and responder)</h4>
> +
> +<p>
> +Create a persistnent private key and interface, set listening port, get the
> +pubkey that server 2 will need.
> +
> +<pre class="cmdbox">
> +server1# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
> +server1# <b># sh /etc/netstart wg0</b>
> +server1# <b>ifconfig wg0 wgport 51820</b>
> +server1# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
> +zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE=
> +server1# <b>ifconfig wg0 inet 192.0.2.1/24</b>
> +server1# <b>ifconfig wg0 wgpeer f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg= 
> \
> +                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
> +                wgendpoint e.f.g.h 51820 wgaip 192.0.2.2/32 wgaip 
> 10.0.1.0/24</b>
> +</pre>
> +
> +<p>
> +PF rules needed for server 2 to establish a connection and enter and leave on
> +the wg0 interface.
> +
> +<pre class="cmdbox">
> +pass in on egress inet proto udp to port 51820
> +pass on wg keep state (if-bound)
> +</pre>
> +
> +<p>
> +Routes needed on server 1 to allow 10.0.0.0/24 to reach 10.0.1.0/24.
> +
> +<pre class="cmdbox">
> +server1# <b>route add 10.0.1.0/24 192.0.2.2</b>
> +</pre>
> +
> +<h4>Server 2 configuration (initiator and responder)</h4>
> +
> +<p>
> +Create a persistnent private key and interface and get the pubkey that the
> +server 1 will need.
> +
> +<pre class="cmdbox">
> +server2# <b>echo "wgkey `openssl rand -base64 32`" > /etc/hostname.wg0</b>
> +server2# <b># sh /etc/netstart wg0</b>
> +server2# <b>ifconfig wg0 | grep wgpubkey | cut -d ‘ ‘ -f 2</b>
> +f+wtDqJrNnSIRqOCCiBa4YWGZ58WLSo5b5oWjBQt6Xg=
> +server2# <b>ifconfig wg0 inet 192.0.2.2/24</b>
> +server2# <b>ifconfig wg0 wgpeer zQfRbQPcQiLppc55LJWbFCdrnHdpxZTg47VQmJG6heE= 
> \
> +                wgpsk jPNozq8SGbXk5ACrfAHEA3/O1jWlrhiCJ4ibvon3oqc= \
> +                wgendpoint a.b.c.d 51820 wgaip 192.0.2.1/32 wgaip 
> 10.0.0.0/24</b>
> +</pre>
> +
> +<p>
> +PF rules needed for server 1 to establish a connection and enter and leave 
> on the
> +wg0 interface.
> +
> +<pre class="cmdbox">
> +pass in on egress inet proto udp to port 51820
> +pass on wg keep state (if-bound)
> +</pre>
> +
> +<p>
> +Routes needed on server 2 to allow 10.0.1.0/24 to reach 10.0.0.0/24.
> +
> +<pre class="cmdbox">
> +server2# <b>route add 10.0.0.0/24 192.0.2.1</b>
> +</pre>
> 
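Review bot: several of the example commands in the new WireGuard section will not run as pasted, and the problem repeats in every configuration block. `server# <b># sh /etc/netstart wg0</b>` (and the client, server1 and server2 equivalents) has a second `#` inside the command, so the shell treats it as a comment and nothing runs; it should read `server# <b>sh /etc/netstart wg0</b>`. The pubkey and route lines use typographic quotes, `cut -d ‘ ‘ -f 2` and `awk ‘{print $2}’`, which the shell does not treat as quoting, so cut gets a bogus delimiter and a non-existent input file; use ASCII `'` so the delimiter is a single space. In the client routes, `route add -priority 7 default 192.0.2.1/24` puts a prefix length on the gateway; a gateway is a host address, `192.0.2.1`. Also worth fixing before commit: the spelling of "persistnent" (four occurrences), "recieved" and the `clinet#` prompt; the mail client has wrapped the `match out on egress ... nat-to egress` PF line and two of the `wgpeer` continuation lines, which must be single lines in the page; and since only the `wgkey` line is written to `/etc/hostname.wg0`, the wgport, wgpeer, address and route settings applied with ifconfig and route will not survive a reboot, although the text promises a persistent setup. Either show the corresponding lines in hostname.wg0 (wg(4) and hostname.if(5) accept the same `wgport`, `wgpeer`, `wgaip` and `inet` keywords there, and `!route add ...` for the routes) or say the ifconfig commands are for demonstration only. Two smaller points: `sysctl net.inet.ip.forwarding=1` is only needed on the hosts that route between the tunnel and another network (server, server1, server2), not on the client, and belongs in `/etc/sysctl.conf` to persist; and the same wgpsk value appears in all examples without saying where it comes from, so a short sentence noting it is optional and can be generated with `openssl rand -base64 32`, as the wgkey already is, would help readers.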
