Two servers joined by an encrypted WireGuard tunnel

openbsd_wg

One command, two OpenBSD boxes, one encrypted tunnel.

openbsd_wg sets up a point-to-point WireGuard tunnel between two OpenBSD servers: one wg0 interface on each end, persisted across reboots via /etc/hostname.wg0. There is no key exchange between the peers themselves. The script SSHes into both boxes, collects each one's WireGuard public key, and writes each side's /etc/hostname.wg0 with the other side's public key and endpoint baked in.

server1 (wg0: 192.168.5.1/24) <====UDP 51820====> server2 (wg0: 192.168.5.2/24)

What it does

  1. On each server: installs wireguard-tools if missing (needed only for wg genkey/wg pubkey; the tunnel itself is OpenBSD's native wg(4) kernel driver, so no userland daemon runs), reuses the private key already stored in /etc/hostname.wg0 if there is one, otherwise generates a fresh one, and derives the matching public key.
  2. Backs up any existing /etc/hostname.wg0 (.bak.<timestamp>), then writes a new one on each server referencing the other server’s public key and endpoint address.
  3. Applies the config live with sh /etc/netstart wg0 on both servers – no reboot needed.
  4. Verifies the tunnel by pinging server2's tunnel address (192.168.5.2) from server1 and reports success or failure. If the ping fails, ifconfig wg0 on either end shows the peer's endpoint, last handshake time and tx/rx counters, which tells you whether packets are reaching the far side at all.

Safe to re-run: an existing private key is kept (so the public key the other side already trusts does not change), and an existing hostname.wg0 is backed up before it is overwritten. It is overwritten, though, so lines you added to the file by hand are not carried over.
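The per-server pieces of steps 1, 2 and the re-run behaviour above, written out as shell functions so the generated file can be inspected before anything is pushed over SSH. This is an added example, not the openbsd_wg script itself: the exact layout the script writes is not shown on this page, so the `wgport` line, the `/32` wgaip for the peer and the 0600 mode on the file are this example's choices, and every key value below is a constructed placeholder rather than a real WireGuard key (the real script gets them from wg genkey / wg pubkey).

```sh
#!/bin/sh
# Added example (not the openbsd_wg script): render and install one side's
# /etc/hostname.wg0 as the README describes. Key strings in the demo are
# constructed placeholders, not real WireGuard keys.

WG_PORT=51820              # the README's fixed settings
WG_MASK=255.255.255.0      # the /24 tunnel network

# Print the private key found in an existing hostname.wg0 (any line that
# carries "wgkey <key>"), or nothing if the file or the key is absent.
existing_wgkey() {
    [ -r "$1" ] || return 0
    awk '{ for (i = 1; i < NF; i++) if ($i == "wgkey") { print $(i + 1); exit } }' "$1"
}

# Reuse the key already in FILE; otherwise use FRESH. The real script would
# take FRESH from `wg genkey`; it is passed in here so this runs offline.
choose_wgkey() {
    ck_file=$1
    ck_fresh=$2
    ck_key=$(existing_wgkey "$ck_file")
    printf '%s\n' "${ck_key:-$ck_fresh}"
}

# render_hostname_wg PRIVKEY LOCAL_ADDR PEER_PUBKEY PEER_ENDPOINT PEER_TUNNEL_ADDR
# Each line is a set of ifconfig(8) arguments that netstart replays on wg0
# (hostname.if(5)). The peer gets a /32 wgaip: this example's choice for a
# two-node link, since only the far end's own address lives behind it.
render_hostname_wg() {
    cat <<EOF
wgkey $1
wgport $WG_PORT
wgpeer $3 wgendpoint $4 $WG_PORT wgaip $5/32
inet $2 $WG_MASK
up
EOF
}

# Replace DEST with stdin, keeping a timestamped backup of any existing copy.
# The file carries the private key in clear text, so it is written 0600.
install_hostname_wg() {
    ih_dest=$1
    if [ -e "$ih_dest" ]; then
        cp -p "$ih_dest" "$ih_dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    ih_tmp=$(mktemp "$ih_dest.XXXXXX")
    cat > "$ih_tmp"
    chmod 0600 "$ih_tmp"
    mv "$ih_tmp" "$ih_dest"
}

# Demo against a scratch directory standing in for both servers' /etc.
demo() {
    d=$(mktemp -d)
    # First run: no existing files, so the "fresh" keys are taken.
    s1_key=$(choose_wgkey "$d/s1.hostname.wg0" "S1PRIVATEKEY_CONSTRUCTED=")
    s2_key=$(choose_wgkey "$d/s2.hostname.wg0" "S2PRIVATEKEY_CONSTRUCTED=")
    # Each side references the OTHER side's public key and endpoint.
    render_hostname_wg "$s1_key" 192.168.5.1 "S2PUBLICKEY_CONSTRUCTED=" 203.0.113.20 192.168.5.2 |
        install_hostname_wg "$d/s1.hostname.wg0"
    render_hostname_wg "$s2_key" 192.168.5.2 "S1PUBLICKEY_CONSTRUCTED=" 203.0.113.10 192.168.5.1 |
        install_hostname_wg "$d/s2.hostname.wg0"
    # Second run on server1: the existing key is kept, the old file backed up.
    s1_again=$(choose_wgkey "$d/s1.hostname.wg0" "WOULD_BE_A_NEW_KEY=")
    [ "$s1_again" = "$s1_key" ] && echo "server1 private key reused on re-run"
    render_hostname_wg "$s1_again" 192.168.5.1 "S2PUBLICKEY_CONSTRUCTED=" 203.0.113.20 192.168.5.2 |
        install_hostname_wg "$d/s1.hostname.wg0"
    echo "== server1 /etc/hostname.wg0 =="; cat "$d/s1.hostname.wg0"
    echo "== backups =="; ls "$d"/s1.hostname.wg0.bak.*
    rm -rf "$d"
}

demo
```

On a real box the functions would run over SSH as root and be followed by sh /etc/netstart wg0; writing to a temporary file and renaming it, as install_hostname_wg does, means a half-written hostname.wg0 is never what netstart sees if the SSH session drops mid-write.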

Quick start

./openbsd_wg [user@]<server1> [user@]<server2>

Requires root SSH access to both servers (or a user with permission to write /etc/hostname.wg0 and run pkg_add/ifconfig), and UDP port 51820 open between them. Because the script collects each server's WireGuard public key over SSH, the tunnel is only as trustworthy as the SSH sessions that carried the keys: make sure both host keys are already verified in known_hosts before running it. /etc/hostname.wg0 holds the private key in clear text, so it must stay readable by root only. Example:

./openbsd_wg 203.0.113.10 203.0.113.20
./openbsd_wg admin@vpn1.example.com admin@vpn2.example.com

The tunnel addressing (192.168.5.1/192.168.5.2, /24, port 51820, interface wg0) is fixed at the top of the script – this is a two-node point-to-point setup, not a generic multi-peer provisioner.