openbsd_wg sets up a point-to-point WireGuard tunnel between two OpenBSD
servers, one wg0 interface on each end, persisted across reboots via
/etc/hostname.wg0. No peer-to-peer negotiation – the script SSHes into
both boxes, collects each one’s public key, and writes each side’s
config with the other’s key and endpoint baked in.
server1 (wg0: 192.168.5.1/24) <====UDP 51820====> server2 (wg0: 192.168.5.2/24)
What it does
- On each server: installs `wireguard-tools` if missing (only needed for `wg genkey`/`wg pubkey` – OpenBSD’s WireGuard interface itself is a native kernel driver, no userland daemon required), reuses the private key already embedded in `/etc/hostname.wg0` if one exists, otherwise generates a fresh one, and reads back its public key.
- Backs up any existing `/etc/hostname.wg0` (`.bak.<timestamp>`), then writes a new one on each server referencing the other server’s public key and endpoint address.
- Applies the config live with `sh /etc/netstart wg0` on both servers – no reboot needed.
- Verifies the tunnel by pinging server2’s tunnel address from server1, and reports success or failure.
Safe to re-run: it won’t regenerate an existing key or blindly clobber an
existing hostname.wg0 without backing it up first.
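The per-host file that the steps above produce, as an added POSIX sh example (not the openbsd_wg script's own code): it reuses a `wgkey` already present in the file, backs the old file up with the `.bak.<timestamp>` suffix, and renders the hostname.if(5) lines for one end of the tunnel. The `wg genkey`/`wg pubkey` calls and the `wgkey`/`wgport`/`wgpeer`/`wgendpoint`/`wgaip` keywords are OpenBSD's; the function names, the placeholder key strings in the demo and the umask choice are assumptions made here.

```shell
#!/bin/sh
# Added example, not the openbsd_wg script itself: render one side's
# /etc/hostname.wg0 for a two-node WireGuard tunnel, reusing an existing
# private key and backing up the old file first. Function names and the
# placeholder key strings used in the demo are constructed for this example.

# existing_wgkey FILE
# Print the private key from an existing hostname.wg0 (its "wgkey" line),
# or nothing when the file is missing or carries no key.
existing_wgkey() {
    [ -r "$1" ] || return 0
    awk '$1 == "wgkey" { print $2; exit }' "$1"
}

# fresh_keypair
# Print "<private> <public>" using wireguard-tools. Only reached when no
# wgkey exists yet; it needs wg(8), so the demo below never calls it.
fresh_keypair() {
    priv=$(wg genkey) || return 1
    pub=$(printf '%s\n' "$priv" | wg pubkey) || return 1
    printf '%s %s\n' "$priv" "$pub"
}

# select_privkey FILE
# Reuse the key already in FILE, otherwise generate a new one.
select_privkey() {
    key=$(existing_wgkey "$1")
    if [ -n "$key" ]; then
        printf '%s\n' "$key"
    else
        fresh_keypair | cut -d ' ' -f 1
    fi
}

# render_hostname_wg0 PRIVKEY TUN_ADDR PREFIXLEN PORT PEER_PUBKEY PEER_ENDPOINT PEER_TUN_ADDR
# Emit the hostname.if(5) lines for one end of the point-to-point tunnel.
# wgaip pins the peer to its single tunnel address: the interface only
# accepts from, and routes to, that /32 for this peer (cryptokey routing).
render_hostname_wg0() {
    privkey=$1 tun_addr=$2 prefixlen=$3 port=$4
    peer_pub=$5 peer_ep=$6 peer_tun=$7
    printf 'wgkey %s\n' "$privkey"
    printf 'wgport %s\n' "$port"
    printf 'wgpeer %s wgendpoint %s %s wgaip %s/32\n' \
        "$peer_pub" "$peer_ep" "$port" "$peer_tun"
    printf 'inet %s/%s\n' "$tun_addr" "$prefixlen"
}

# write_hostname_wg0 FILE RENDER_ARGS...
# Back up an existing FILE to FILE.bak.<timestamp>, then write the new
# config. The file holds the private key, so it is created with umask 027
# (mode 0640, the mode OpenBSD itself uses for /etc/hostname.* files).
write_hostname_wg0() {
    file=$1; shift
    if [ -e "$file" ]; then
        cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    ( umask 027; render_hostname_wg0 "$@" > "$file" )
}

# Demo with constructed placeholder keys (not real WireGuard keys) in a
# temporary directory. On a real host FILE would be /etc/hostname.wg0 and
# the result applied with: sh /etc/netstart wg0
demo() {
    dir=$(mktemp -d) || return 1
    file="$dir/hostname.wg0"
    # server1's view: its own (placeholder) key, server2's public key and endpoint
    write_hostname_wg0 "$file" "PRIVKEY_SERVER1_PLACEHOLDER=" 192.168.5.1 24 51820 \
        "PUBKEY_SERVER2_PLACEHOLDER=" 203.0.113.20 192.168.5.2
    # second run: the key is taken from the file and the old file is backed up
    write_hostname_wg0 "$file" "$(select_privkey "$file")" 192.168.5.1 24 51820 \
        "PUBKEY_SERVER2_PLACEHOLDER=" 203.0.113.20 192.168.5.2
    cat "$file"
    ls "$dir"
    rm -rf "$dir"
}
demo
```

server2's file is the mirror image: its own key, `inet 192.168.5.2/24`, and a `wgpeer` line carrying server1's public key, server1's endpoint address and `wgaip 192.168.5.1/32`. Running the demo twice in the same second would overwrite the backup name, which is why the timestamp carries seconds; a real run spaces the two writes out.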
Quick start
./openbsd_wg [user@]<server1> [user@]<server2>
Requires root SSH access to both servers (or a user with permission to
write /etc/hostname.wg0 and run pkg_add/ifconfig), and UDP port
51820 open between them. Example:
./openbsd_wg 203.0.113.10 203.0.113.20
./openbsd_wg admin@vpn1.example.com admin@vpn2.example.com
The tunnel addressing (192.168.5.1/192.168.5.2, /24, port 51820,
interface wg0) is fixed at the top of the script – this is a two-node
point-to-point setup, not a generic multi-peer provisioner.