WireGuard
After upgrading my system to FreeBSD 14.0 I decided to try WireGuard.
I had never used it before, and even after reading wg(8) I didn't really know how to make it work.
After reading a few articles I found out about wg-quick(8), which made the whole setup a bit simpler.
WireGuard is now part of the FreeBSD kernel so there is no need to install it manually.
The only thing I have installed is wireguard-tools to get wg-quick.
pkg install wireguard-tools
You need to get a WireGuard INI-like config file from your provider.
See the example below from the wg(8) man page.
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
Next we need to generate a public and private key for our machine.
I created the /etc/wireguard/ directory and ran the following as the root user:
umask 077
wg genkey | tee private.key | wg pubkey > public.key
WireGuard protects these files by enforcing that only root should be able to read them.
This is why we run umask first: with umask 077 in effect, the key files are created without any group or other permissions.
You can move your config file to /etc/wireguard/.
This is the default directory that wg-quick uses to find config files.
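As an added example (not part of the original post), this sh snippet lists every regular file under a WireGuard config directory that group or other can access, which is what happens when a key or config is written before umask 077 is set. The function names wg_loose_files and wg_audit_dir are made up for illustration.

```shell
#!/bin/sh
# Added example: find WireGuard key/config files that anyone other than
# the owner can access. Function names are hypothetical.

# Print regular files under directory $1 that have any group/other bit set.
# Only the POSIX "-perm -mode" form is used, so it works with BSD and GNU find.
wg_loose_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Audit directory $1. Returns 0 when every file is owner-only,
# 1 when loose files were found (paths on stdout), 2 on a bad argument.
wg_audit_dir() {
    wg_dir=$1
    if [ ! -d "$wg_dir" ]; then
        echo "not a directory: $wg_dir" >&2
        return 2
    fi
    wg_loose=$(wg_loose_files "$wg_dir")
    if [ -n "$wg_loose" ]; then
        printf '%s\n' "$wg_loose"
        return 1
    fi
    return 0
}

# Run against the directory given on the command line, if any,
# e.g.: sh wg-audit.sh /etc/wireguard
if [ "$#" -gt 0 ]; then
    wg_audit_dir "$1"
fi
```

Any file it reports can be tightened with chmod 600.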
You can start WireGuard by providing the path to the config file:
wg-quick up /etc/wireguard/sample.conf
or provide just the config name if it's inside /etc/wireguard/.
wg-quick up sample
You can disable it with wg-quick down sample and see running connections with wg.