add first version of OpenBSD wireguard phlog, fix some feeds links - www.codemadness.org - www.codemadness.org saait content files
git clone git://git.codemadness.org/www.codemadness.org
---
commit 02ff345794a1a9753523fca249a1f9cff1d520f9
parent 03d389f8126d9eb017b1c99c634b2ab7ecfe8de8
Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date: Fri, 27 Mar 2026 16:34:01 +0100
add first version of OpenBSD wireguard phlog, fix some feeds links
Diffstat:
M config.cfg | 2 +-
M feeds/pages/atom.md | 2 +-
M output/atom.html | 2 +-
M output/atom.md | 2 +-
M output/atom.xml | 14 +++++++++++++-
M output/atom_content.xml | 207 ++++++++++++++++++++++++++++++-
M output/atom_content_gopher.xml | 207 ++++++++++++++++++++++++++++++-
M output/atom_gopher.xml | 14 +++++++++++++-
A output/downloads/openbsd-wg/client… | 0
A output/downloads/openbsd-wg/client… | 10 ++++++++++
A output/downloads/openbsd-wg/client… | 0
A output/downloads/openbsd-wg/inspec… | 0
A output/downloads/openbsd-wg/inspec… | 0
M output/index | 1 +
M output/index.html | 1 +
M output/jsonfeed.json | 8 ++++++++
M output/jsonfeed_content.json | 8 ++++++++
M output/jsonfeed_content_gopher.json | 8 ++++++++
M output/jsonfeed_gopher.json | 8 ++++++++
M output/phlog/atom | 2 +-
A output/phlog/susmb | 129 +++++++++++++++++++++++++++++++
A output/phlog/wireguard | 262 +++++++++++++++++++++++++++++++
M output/rss.xml | 8 ++++++++
M output/rss_content.xml | 200 +++++++++++++++++++++++++++++++
M output/rss_content_gopher.xml | 200 +++++++++++++++++++++++++++++++
M output/rss_gopher.xml | 8 ++++++++
M output/sfeed.tsv | 1 +
M output/sfeed_content.tsv | 1 +
M output/sfeed_content_gopher.tsv | 1 +
M output/sfeed_gopher.tsv | 1 +
M output/sitemap.xml | 4 ++++
M output/twtxt.txt | 1 +
M output/twtxt_gopher.txt | 1 +
M output/urllist.txt | 1 +
A output/wireguard.html | 243 +++++++++++++++++++++++++++++++
A output/wireguard.md | 254 +++++++++++++++++++++++++++++++
A pages/wireguard.cfg | 6 ++++++
A pages/wireguard.md | 254 +++++++++++++++++++++++++++++++
38 files changed, 2062 insertions(+), 9 deletions(-)
---
DIR diff --git a/config.cfg b/config.cfg
@@ -1,5 +1,5 @@
# last updated the site.
-siteupdated = 2026-03-14
+siteupdated = 2026-03-27
sitetitle = Codemadness
siteurl = https://www.codemadness.org
DIR diff --git a/feeds/pages/atom.md b/feeds/pages/atom.md
@@ -35,7 +35,7 @@ Documentation:
## [JSONfeed 1.1](https://www.jsonfeed.org/version/1.1/)
* JSONfeed 1.1 feed, smaller filesize with only a summary: [jsonfeed.json](jsonfeed.json).
-* JSONfeed 1.1 feed with content: [jsonfeed\_content.json](jsonfeed\_content.json).
+* JSONfeed 1.1 feed with content: [jsonfeed\_content.json](jsonfeed_content.json).
* JSONfeed 1.1 feed, smaller filesize with only a summary, gopher: [jsonfeed\_gopher.json](jsonfeed_gopher.json).
* JSONfeed 1.1 feed with content, gopher: [jsonfeed\_content\_gopher.json](jsonfeed_content_gopher.json).
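Review bot: The link-target fix on the changed line (`jsonfeed\_content.json` to `jsonfeed_content.json`) is unrelated to the new wireguard post and would be easier to revert or cherry-pick as its own commit, together with the matching one-line changes in output/atom.html and output/atom.md. The commit subject already lists it as a second item ("fix some feeds links"), which is usually a sign the change wants splitting.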
DIR diff --git a/output/atom.html b/output/atom.html
@@ -77,7 +77,7 @@
<h2><a href="https://www.jsonfeed.org/version/1.1/">JSONfeed 1.1</a></h2>
<ul>
<li>JSONfeed 1.1 feed, smaller filesize with only a summary: <a href="jsonfeed.json">jsonfeed.json</a>.</li>
-<li>JSONfeed 1.1 feed with content: <a href="jsonfeed\_content.json">jsonfeed_content.json</a>.</li>
+<li>JSONfeed 1.1 feed with content: <a href="jsonfeed_content.json">jsonfeed_content.json</a>.</li>
<li>JSONfeed 1.1 feed, smaller filesize with only a summary, gopher: <a href="jsonfeed_gopher.json">jsonfeed_gopher.json</a>.</li>
<li>JSONfeed 1.1 feed with content, gopher: <a href="jsonfeed_content_gopher.json">jsonfeed_content_gopher.json</a>.</li>
</ul>
DIR diff --git a/output/atom.md b/output/atom.md
@@ -35,7 +35,7 @@ Documentation:
## [JSONfeed 1.1](https://www.jsonfeed.org/version/1.1/)
* JSONfeed 1.1 feed, smaller filesize with only a summary: [jsonfeed.json](https://codemadness.org/jsonfeed.json).
-* JSONfeed 1.1 feed with content: [jsonfeed\_content.json](jsonfeed\_content.json).
+* JSONfeed 1.1 feed with content: [jsonfeed\_content.json](https://codemadness.org/jsonfeed_content.json).
* JSONfeed 1.1 feed, smaller filesize with only a summary, gopher: [jsonfeed\_gopher.json](https://codemadness.org/jsonfeed_gopher.json).
* JSONfeed 1.1 feed with content, gopher: [jsonfeed\_content\_gopher.json](https://codemadness.org/jsonfeed_content_gopher.json).
DIR diff --git a/output/atom.xml b/output/atom.xml
@@ -2,11 +2,23 @@
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<title>Codemadness</title>
<subtitle>blog with various projects and articles about computer-related things</subtitle>
- <updated>2026-03-06T00:00:00Z</updated>
+ <updated>2026-03-27T00:00:00Z</updated>
<link rel="alternate" type="text/html" href="https://www.codemadness.org" />
<id>https://www.codemadness.org/atom.xml</id>
<link rel="self" type="application/atom+xml" href="https://www.codemadness.org/atom.xml" />
<entry>
+ <title>Wireguard on OpenBSD for use as a mobile VPN</title>
+ <link rel="alternate" type="text/html" href="https://www.codemadness.org/wireguard.html" />
+ <id>https://www.codemadness.org/wireguard.html</id>
+ <updated>2026-03-27T00:00:00Z</updated>
+ <published>2026-03-27T00:00:00Z</published>
+ <author>
+ <name>Hiltjo</name>
+ <uri>https://www.codemadness.org</uri>
+ </author>
+ <summary>Guide to setup a Wireguard endpoint on OpenBSD to use as a (mobile) VPN</summary>
+</entry>
+<entry>
<title>susmb: unprivileged mounting of SMB/CIFS shares via FUSE</title>
<link rel="alternate" type="text/html" href="https://www.codemadness.org/susmb.html" />
<id>https://www.codemadness.org/susmb.html</id>
DIR diff --git a/output/atom_content.xml b/output/atom_content.xml
@@ -2,11 +2,216 @@
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<title>Codemadness</title>
<subtitle>blog with various projects and articles about computer-related things</subtitle>
- <updated>2026-03-06T00:00:00Z</updated>
+ <updated>2026-03-27T00:00:00Z</updated>
<link rel="alternate" type="text/html" href="https://www.codemadness.org" />
<id>https://www.codemadness.org/atom_content.xml</id>
<link rel="self" type="application/atom+xml" href="https://www.codemadness.org/atom_content.xml" />
<entry>
+ <title>Wireguard on OpenBSD for use as a mobile VPN</title>
+ <link rel="alternate" type="text/html" href="https://www.codemadness.org/wireguard.html" />
+ <id>https://www.codemadness.org/wireguard.html</id>
+ <updated>2026-03-27T00:00:00Z</updated>
+ <published>2026-03-27T00:00:00Z</published>
+ <author>
+ <name>Hiltjo</name>
+ <uri>https://www.codemadness.org</uri>
+ </author>
+ <summary>Guide to setup a Wireguard endpoint on OpenBSD to use as a (mobile) VPN</summary>
+ <content type="html"><![CDATA[<h1>Wireguard on OpenBSD for use as a mobile VPN</h1>
+ <p><strong>Last modification on </strong> <time>2026-03-27</time></p>
+ <p>Wireguard is a fast, modern and secure VPN tunnel.</p>
+<p>Below is a guide to setup <a href="https://www.wireguard.com/">Wireguard</a> on the OpenBSD
+operating system intended for use with a mobile VPN.</p>
+<p>It describes using the OpenBSD Wireguard wg(4) kernel driver (not the userland
+application) and will focus on setting up a IPv4 tunnel.</p>
+<p>It is recommended to install wireguard-tools. Although not required for using
+the OpenBSD wg(4) kernel driver they contain useful tools to generate a private
+and public key.</p>
+<p>To install the wireguard-tools package on OpenBSD:</p>
+<pre><code># pkg_add wireguard-tools
+</code></pre>
+<h1>Enable IPv4 traffic forwarding</h1>
+<p>To enable traffic forwarding for IPv4 run:</p>
+<pre><code># sysctl net.inet.ip.forwarding=1
+</code></pre>
+<p>To make it persistent add the above lines to the file /etc/sysctl.conf. These
+sysctl lines are loaded on boot time.</p>
+<h1>Server: /etc/hostname.wg0</h1>
+<pre><code>wgport 51820 wgkey 'private_key_here'
+inet 10.1.2.1/24
+up
+
+# peer: phone
+wgpeer 'pubkey' wgaip 10.1.2.2/32 wgdescr 'phone' wgpsk 'psk_here'
+</code></pre>
+<h1>Generating a private key</h1>
+<p>Using wireguard-tools wg command:</p>
+<pre><code>$ wg genkey
+</code></pre>
+<p>Replace private_key_here with the generated text.</p>
+<p>To generate both a private and public key to the files private.key and
+public.key:</p>
+<pre><code>$ wg genkey | tee private.key | wg pubkey > public.key
+</code></pre>
+<p><strong>Keep the private key secure. Do not share it with anyone!</strong></p>
+<h1>Generate a separate preshared key (PSK).</h1>
+<p>Using a preshared key (PSK) is optional, but recommended. This is used in the
+handshake to guard against future compromise of the peers' encrypted tunnel if
+a quantum-computational attack on their Diffie-Hellman exchange becomes
+feasible.</p>
+<p>Using wireguard-tools wg command:</p>
+<pre><code>$ wg genpsk
+</code></pre>
+<p>The PSK can be shared with a known client when configuring the clients. <strong>Make sure
+to share it via a safe channel</strong>.</p>
+<p>To configure or restart the wg0 interface using the configuration in
+/etc/hostname.wg0:</p>
+<pre><code># sh /etc/netstart wg0
+</code></pre>
+<p>To show general info of the interface run the command (requires root
+permissions to view all information):</p>
+<pre><code># ifconfig wg0
+</code></pre>
+<p>In the ifconfig wg0 output it should list the server public key as:</p>
+<pre><code>wgpubkey server_pubkey_here
+</code></pre>
+<h1>Full example of a client config: wg-client.conf</h1>
+<pre><code>[Interface]
+Address = 10.1.2.2/32
+DNS = 10.1.2.1
+PrivateKey = CHBzstIHCi7+YOOa2MN0RXhkPAmJwIXQW0e6/n6+Pno=
+
+[Peer]
+AllowedIPs = 0.0.0.0/0
+Endpoint = example.org:51820
+PreSharedKey = 8ao/EMExyPAHrT3ShX+lnA0u7jUmo7MhrT0GjDcrIJA=
+PublicKey = Rny+AW4EPqPPxfO+8O+QdlkIrWbZRGQ6u6Fje5pUOFM=
+</code></pre>
+<p><strong>Of course do not copy-paste this private key and PSK. Generate your own ;)</strong></p>
+<h1>pf(4) firewall rules</h1>
+<p>Below is a fragment of the firewall rules required for Wireguard.
+These rules assume a simple VPS with a vio network interface connected to the
+interwebs (no double NAT or other weird complex things ;)).</p>
+<p>pf.conf:</p>
+<pre><code># wireguard
+pass out quick on egress inet from (wg0:network) nat-to (vio0:0)
+pass in quick on wg0 from any to any
+pass in quick on wg0 proto udp from any to any port 51820
+# allow all on wireguard
+pass quick on wg0
+</code></pre>
+<h1>Mobile VPN application</h1>
+<p>For Android download the APK from <a href="https://www.wireguard.com/install/">https://www.wireguard.com/install/</a>.
+There are also other versions available on the page.</p>
+<h1>Android Wireguard settings</h1>
+<h1>Adding a tunnel</h1>
+<p>In the Wireguard application press the plus (+) button in the bottom left of
+the screen to add a tunnel.</p>
+<h1>Option: "Scan from QR code"</h1>
+<h2>Generate a QR code image from a client config</h2>
+<p>Install the libqrencode package for qrencode:</p>
+<pre><code># pkg_add libqrencode
+</code></pre>
+<p>Generate a QR code PNG image from a client config:</p>
+<pre><code>$ qrencode -o qr.png < wg-client.conf
+</code></pre>
+<p>This QR code simply contains the full text from the wg-client.conf. It can be
+scanned from the Android Wireguard application. If it contains sensitive
+information such as the private key make sure to share the image in a safe way
+and/or destroy it immediately.</p>
+<p><img src="downloads/openbsd-wg/client-example-qr.png" alt="QR code image" /></p>
+<p>If the QR code contains a private key, make sure to destroy it "Inspector Gadget"-style.</p>
+<p><img src="downloads/openbsd-wg/inspector_gadget.jpg" alt="inspector Gadget reading self-destruct message" />
+<a href="downloads/openbsd-wg/inspector_gadget.webm">Inspector Gadget, self-destruct</a></p>
+<p>Now scan the generated image to import the config.</p>
+<h1>Option: "Import from file or archive"</h1>
+<p>Import a text .conf file or archive (ZIP) file containing one or more configs.</p>
+<p>Example conf file: <a href="downloads/openbsd-wg/client-example.conf">client-example.conf</a>.<br />
+Example ZIP file: <a href="downloads/openbsd-wg/client-example.zip">client-example.zip</a>.</p>
+<h1>Option: "Create from scratch"</h1>
+<p>Generating the private key on the device itself and sharing the public key and
+PSK is probably the safest option. Although sharing the public key text from a
+mobile device can be a bit annoying.</p>
+<h1>Android settings</h1>
+<p>Only allow connections and DNS using VPN:</p>
+<ul>
+<li>Settings -> VPN -> Network & Internet:
+Make sure Wireguard is set and enabled under VPN.</li>
+</ul>
+<p>VPN settings, open Wireguard cogwheel:
+<ul>
+<li>Enable: Always on VPN option, with the description: "stay connected to VPN at all times".</li>
+<li>Enable: Block connections without VPN.</li>
+</ul>
+</p>
+<p>Other recommendations:</p>
+<ul>
+<li>Under Wi-Fi -> Privacy.
+<ul>
+<li>Use randomized MAC.</li>
+<li>Disable "Send device name".</li>
+</ul>
+</li>
+<li>Set a secure and privacy-respecting DNS server.</li>
+</ul>
+<h1>Debugging tips</h1>
+<p>For the Wireguard Android application you can find a textual log:</p>
+<ul>
+<li>Open the Wireguard application.</li>
+<li>At the top right select the 3 dots settings thingy.</li>
+<li>Select the menu labeled "View application log".</li>
+</ul>
+<p>On the OpenBSD server you can run enable run-time debugging on the wg0 interface:</p>
+<pre><code># ifconfig wg0 debug
+</code></pre>
+<h1>Bonus: example using wg-quick from wg-tools</h1>
+<p>Using the wg-quick program from wg-tools you can also quickly setup a client.
+This will setup the DNS, routing and interface. It can setup and restore the
+DNS and routing settings easily.</p>
+<p>As root, to setup the interface:</p>
+<pre><code># wg-quick up absolute/path/to/config/wg-client.conf
+</code></pre>
+<p>As root, to restore the interface:</p>
+<pre><code># wg-quick down absolute/path/to/config/wg-client.conf
+</code></pre>
+<h1>Bonus: generating a private key using only OpenSSL commands</h1>
+<p>Generate a private key:</p>
+<pre><code>$ openssl genpkey -algorithm X25519 -outform DER -out private.der
+</code></pre>
+<p>Now extracts the last 32 bytes which has the actual private key (the first
+ASN.1 DER encoded bytes contain metadata information). Convert the actual key
+(partly truncated) data to base64.</p>
+<p>Run:</p>
+<pre><code>$ tail -c 32 private.der | openssl enc -a -A > private.key
+</code></pre>
+<p>Derive public key:</p>
+<pre><code>$ openssl pkey -inform DER -in private.der -pubout -outform DER -out public.der
+</code></pre>
+<p>Convert public key to Wireguard format:</p>
+<pre><code>$ tail -c 32 public.der | openssl enc -a -A > public.key
+</code></pre>
+<h1>References</h1>
+<ul>
+<li><a href="https://www.wireguard.com/">Wireguard</a>:
+<ul>
+<li><a href="https://www.wireguard.com/quickstart/">Wireguard quickstart page</a>:
+This uses the userland Wireguard programs and config. But it contains
+helpful information.<br /> </li>
+<li><a href="https://www.man7.org/linux/man-pages/man8/wg.8.html">wg(8) man page</a>.</li>
+<li><a href="https://www.man7.org/linux/man-pages/man8/wg-quick.8.html">wg-quick(8) man page</a>.</li>
+</ul>
+</li>
+<li><a href="https://www.openbsd.org/">OpenBSD operating system</a>:
+<ul>
+<li><a href="https://man.openbsd.org/wg">wg(4) driver man page</a>.</li>
+<li><a href="https://man.openbsd.org/ifconfig.8#WIREGUARD">ifconfig(8) man page WIREGUARD section</a>.</li>
+<li><a href="https://man.openbsd.org/pf.conf.5">pf.conf(5) file format</a>.</li>
+</ul>
+</li>
+</ul>
+]]></content>
+</entry>
+<entry>
<title>susmb: unprivileged mounting of SMB/CIFS shares via FUSE</title>
<link rel="alternate" type="text/html" href="https://www.codemadness.org/susmb.html" />
<id>https://www.codemadness.org/susmb.html</id>
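Review bot: In the pf.conf fragment, `pass in quick on wg0 proto udp from any to any port 51820` is bound to the wrong interface: the encrypted WireGuard UDP packets arrive on the external interface (vio0, the egress group), while wg0 only carries the decrypted inner traffic, so this rule does not match the handshake it is meant to admit. As written it is also unreachable, because the preceding `pass in quick on wg0 from any to any` already matches everything inbound on wg0 and `quick` ends evaluation there; the closing `pass quick on wg0` then repeats the same thing for the inbound direction. Suggest `pass in quick on egress proto udp from any to any port 51820` for the listener and a single `pass quick on wg0` for the tunnel side. Since this file is generated output, the change belongs in pages/wireguard.md so the regenerated feeds and HTML pick it up.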
DIR diff --git a/output/atom_content_gopher.xml b/output/atom_content_gopher.xml
@@ -2,11 +2,216 @@
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<title>Codemadness</title>
<subtitle>blog with various projects and articles about computer-related things</subtitle>
- <updated>2026-03-06T00:00:00Z</updated>
+ <updated>2026-03-27T00:00:00Z</updated>
<link rel="alternate" type="text/gopher" href="gopher://codemadness.org" />
<id>gopher://codemadness.org/0/atom_content_gopher.xml</id>
<link rel="self" type="application/atom+xml" href="gopher://codemadness.org/0/atom_content_gopher.xml" />
<entry>
+ <title>Wireguard on OpenBSD for use as a mobile VPN</title>
+ <link rel="alternate" type="text/gopher" href="gopher://codemadness.org/1/phlog/wireguard" />
+ <id>gopher://codemadness.org/1/phlog/wireguard</id>
+ <updated>2026-03-27T00:00:00Z</updated>
+ <published>2026-03-27T00:00:00Z</published>
+ <author>
+ <name>Hiltjo</name>
+ <uri>gopher://codemadness.org</uri>
+ </author>
+ <summary>Guide to setup a Wireguard endpoint on OpenBSD to use as a (mobile) VPN</summary>
+ <content type="html"><![CDATA[<h1>Wireguard on OpenBSD for use as a mobile VPN</h1>
+ <p><strong>Last modification on </strong> <time>2026-03-27</time></p>
+ <p>Wireguard is a fast, modern and secure VPN tunnel.</p>
+<p>Below is a guide to setup <a href="https://www.wireguard.com/">Wireguard</a> on the OpenBSD
+operating system intended for use with a mobile VPN.</p>
+<p>It describes using the OpenBSD Wireguard wg(4) kernel driver (not the userland
+application) and will focus on setting up a IPv4 tunnel.</p>
+<p>It is recommended to install wireguard-tools. Although not required for using
+the OpenBSD wg(4) kernel driver they contain useful tools to generate a private
+and public key.</p>
+<p>To install the wireguard-tools package on OpenBSD:</p>
+<pre><code># pkg_add wireguard-tools
+</code></pre>
+<h1>Enable IPv4 traffic forwarding</h1>
+<p>To enable traffic forwarding for IPv4 run:</p>
+<pre><code># sysctl net.inet.ip.forwarding=1
+</code></pre>
+<p>To make it persistent add the above lines to the file /etc/sysctl.conf. These
+sysctl lines are loaded on boot time.</p>
+<h1>Server: /etc/hostname.wg0</h1>
+<pre><code>wgport 51820 wgkey 'private_key_here'
+inet 10.1.2.1/24
+up
+
+# peer: phone
+wgpeer 'pubkey' wgaip 10.1.2.2/32 wgdescr 'phone' wgpsk 'psk_here'
+</code></pre>
+<h1>Generating a private key</h1>
+<p>Using wireguard-tools wg command:</p>
+<pre><code>$ wg genkey
+</code></pre>
+<p>Replace private_key_here with the generated text.</p>
+<p>To generate both a private and public key to the files private.key and
+public.key:</p>
+<pre><code>$ wg genkey | tee private.key | wg pubkey > public.key
+</code></pre>
+<p><strong>Keep the private key secure. Do not share it with anyone!</strong></p>
+<h1>Generate a separate preshared key (PSK).</h1>
+<p>Using a preshared key (PSK) is optional, but recommended. This is used in the
+handshake to guard against future compromise of the peers' encrypted tunnel if
+a quantum-computational attack on their Diffie-Hellman exchange becomes
+feasible.</p>
+<p>Using wireguard-tools wg command:</p>
+<pre><code>$ wg genpsk
+</code></pre>
+<p>The PSK can be shared with a known client when configuring the clients. <strong>Make sure
+to share it via a safe channel</strong>.</p>
+<p>To configure or restart the wg0 interface using the configuration in
+/etc/hostname.wg0:</p>
+<pre><code># sh /etc/netstart wg0
+</code></pre>
+<p>To show general info of the interface run the command (requires root
+permissions to view all information):</p>
+<pre><code># ifconfig wg0
+</code></pre>
+<p>In the ifconfig wg0 output it should list the server public key as:</p>
+<pre><code>wgpubkey server_pubkey_here
+</code></pre>
+<h1>Full example of a client config: wg-client.conf</h1>
+<pre><code>[Interface]
+Address = 10.1.2.2/32
+DNS = 10.1.2.1
+PrivateKey = CHBzstIHCi7+YOOa2MN0RXhkPAmJwIXQW0e6/n6+Pno=
+
+[Peer]
+AllowedIPs = 0.0.0.0/0
+Endpoint = example.org:51820
+PreSharedKey = 8ao/EMExyPAHrT3ShX+lnA0u7jUmo7MhrT0GjDcrIJA=
+PublicKey = Rny+AW4EPqPPxfO+8O+QdlkIrWbZRGQ6u6Fje5pUOFM=
+</code></pre>
+<p><strong>Of course do not copy-paste this private key and PSK. Generate your own ;)</strong></p>
+<h1>pf(4) firewall rules</h1>
+<p>Below is a fragment of the firewall rules required for Wireguard.
+These rules assume a simple VPS with a vio network interface connected to the
+interwebs (no double NAT or other weird complex things ;)).</p>
+<p>pf.conf:</p>
+<pre><code># wireguard
+pass out quick on egress inet from (wg0:network) nat-to (vio0:0)
+pass in quick on wg0 from any to any
+pass in quick on wg0 proto udp from any to any port 51820
+# allow all on wireguard
+pass quick on wg0
+</code></pre>
+<h1>Mobile VPN application</h1>
+<p>For Android download the APK from <a href="https://www.wireguard.com/install/">https://www.wireguard.com/install/</a>.
+There are also other versions available on the page.</p>
+<h1>Android Wireguard settings</h1>
+<h1>Adding a tunnel</h1>
+<p>In the Wireguard application press the plus (+) button in the bottom left of
+the screen to add a tunnel.</p>
+<h1>Option: "Scan from QR code"</h1>
+<h2>Generate a QR code image from a client config</h2>
+<p>Install the libqrencode package for qrencode:</p>
+<pre><code># pkg_add libqrencode
+</code></pre>
+<p>Generate a QR code PNG image from a client config:</p>
+<pre><code>$ qrencode -o qr.png < wg-client.conf
+</code></pre>
+<p>This QR code simply contains the full text from the wg-client.conf. It can be
+scanned from the Android Wireguard application. If it contains sensitive
+information such as the private key make sure to share the image in a safe way
+and/or destroy it immediately.</p>
+<p><img src="downloads/openbsd-wg/client-example-qr.png" alt="QR code image" /></p>
+<p>If the QR code contains a private key, make sure to destroy it "Inspector Gadget"-style.</p>
+<p><img src="downloads/openbsd-wg/inspector_gadget.jpg" alt="inspector Gadget reading self-destruct message" />
+<a href="downloads/openbsd-wg/inspector_gadget.webm">Inspector Gadget, self-destruct</a></p>
+<p>Now scan the generated image to import the config.</p>
+<h1>Option: "Import from file or archive"</h1>
+<p>Import a text .conf file or archive (ZIP) file containing one or more configs.</p>
+<p>Example conf file: <a href="downloads/openbsd-wg/client-example.conf">client-example.conf</a>.<br />
+Example ZIP file: <a href="downloads/openbsd-wg/client-example.zip">client-example.zip</a>.</p>
+<h1>Option: "Create from scratch"</h1>
+<p>Generating the private key on the device itself and sharing the public key and
+PSK is probably the safest option. Although sharing the public key text from a
+mobile device can be a bit annoying.</p>
+<h1>Android settings</h1>
+<p>Only allow connections and DNS using VPN:</p>
+<ul>
+<li>Settings -> VPN -> Network & Internet:
+Make sure Wireguard is set and enabled under VPN.</li>
+</ul>
+<p>VPN settings, open Wireguard cogwheel:
+<ul>
+<li>Enable: Always on VPN option, with the description: "stay connected to VPN at all times".</li>
+<li>Enable: Block connections without VPN.</li>
+</ul>
+</p>
+<p>Other recommendations:</p>
+<ul>
+<li>Under Wi-Fi -> Privacy.
+<ul>
+<li>Use randomized MAC.</li>
+<li>Disable "Send device name".</li>
+</ul>
+</li>
+<li>Set a secure and privacy-respecting DNS server.</li>
+</ul>
+<h1>Debugging tips</h1>
+<p>For the Wireguard Android application you can find a textual log:</p>
+<ul>
+<li>Open the Wireguard application.</li>
+<li>At the top right select the 3 dots settings thingy.</li>
+<li>Select the menu labeled "View application log".</li>
+</ul>
+<p>On the OpenBSD server you can run enable run-time debugging on the wg0 interface:</p>
+<pre><code># ifconfig wg0 debug
+</code></pre>
+<h1>Bonus: example using wg-quick from wg-tools</h1>
+<p>Using the wg-quick program from wg-tools you can also quickly setup a client.
+This will setup the DNS, routing and interface. It can setup and restore the
+DNS and routing settings easily.</p>
+<p>As root, to setup the interface:</p>
+<pre><code># wg-quick up absolute/path/to/config/wg-client.conf
+</code></pre>
+<p>As root, to restore the interface:</p>
+<pre><code># wg-quick down absolute/path/to/config/wg-client.conf
+</code></pre>
+<h1>Bonus: generating a private key using only OpenSSL commands</h1>
+<p>Generate a private key:</p>
+<pre><code>$ openssl genpkey -algorithm X25519 -outform DER -out private.der
+</code></pre>
+<p>Now extracts the last 32 bytes which has the actual private key (the first
+ASN.1 DER encoded bytes contain metadata information). Convert the actual key
+(partly truncated) data to base64.</p>
+<p>Run:</p>
+<pre><code>$ tail -c 32 private.der | openssl enc -a -A > private.key
+</code></pre>
+<p>Derive public key:</p>
+<pre><code>$ openssl pkey -inform DER -in private.der -pubout -outform DER -out public.der
+</code></pre>
+<p>Convert public key to Wireguard format:</p>
+<pre><code>$ tail -c 32 public.der | openssl enc -a -A > public.key
+</code></pre>
+<h1>References</h1>
+<ul>
+<li><a href="https://www.wireguard.com/">Wireguard</a>:
+<ul>
+<li><a href="https://www.wireguard.com/quickstart/">Wireguard quickstart page</a>:
+This uses the userland Wireguard programs and config. But it contains
+helpful information.<br /> </li>
+<li><a href="https://www.man7.org/linux/man-pages/man8/wg.8.html">wg(8) man page</a>.</li>
+<li><a href="https://www.man7.org/linux/man-pages/man8/wg-quick.8.html">wg-quick(8) man page</a>.</li>
+</ul>
+</li>
+<li><a href="https://www.openbsd.org/">OpenBSD operating system</a>:
+<ul>
+<li><a href="https://man.openbsd.org/wg">wg(4) driver man page</a>.</li>
+<li><a href="https://man.openbsd.org/ifconfig.8#WIREGUARD">ifconfig(8) man page WIREGUARD section</a>.</li>
+<li><a href="https://man.openbsd.org/pf.conf.5">pf.conf(5) file format</a>.</li>
+</ul>
+</li>
+</ul>
+]]></content>
+</entry>
+<entry>
<title>susmb: unprivileged mounting of SMB/CIFS shares via FUSE</title>
<link rel="alternate" type="text/gopher" href="gopher://codemadness.org/1/phlog/susmb" />
<id>gopher://codemadness.org/1/phlog/susmb</id>
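Review bot: The key-generation step `wg genkey | tee private.key | wg pubkey > public.key` creates private.key with whatever mode the current umask allows, and the text gives no file mode for /etc/hostname.wg0, which holds the server private key and the PSK in clear text. Suggest putting `umask 077` before the pipeline and stating that hostname.wg0 should be readable by root only. Separately, the client config sets `DNS = 10.1.2.1`, but nothing in the guide sets up a resolver on the server's wg0 address, so a reader who follows only these steps and enables "Block connections without VPN" ends up without name resolution; either document the resolver or point DNS at one the guide provides. The same text appears in output/atom_content.xml, so the fix belongs in pages/wireguard.md.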
DIR diff --git a/output/atom_gopher.xml b/output/atom_gopher.xml
@@ -2,11 +2,23 @@
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<title>Codemadness</title>
<subtitle>blog with various projects and articles about computer-related things</subtitle>
- <updated>2026-03-06T00:00:00Z</updated>
+ <updated>2026-03-27T00:00:00Z</updated>
<link rel="alternate" type="text/gopher" href="gopher://codemadness.org" />
<id>gopher://codemadness.org/0/atom_gopher.xml</id>
<link rel="self" type="application/atom+xml" href="gopher://codemadness.org/0/atom_gopher.xml" />
<entry>
+ <title>Wireguard on OpenBSD for use as a mobile VPN</title>
+ <link rel="alternate" type="text/gopher" href="gopher://codemadness.org/1/phlog/wireguard" />
+ <id>gopher://codemadness.org/1/phlog/wireguard</id>
+ <updated>2026-03-27T00:00:00Z</updated>
+ <published>2026-03-27T00:00:00Z</published>
+ <author>
+ <name>Hiltjo</name>
+ <uri>gopher://codemadness.org</uri>
+ </author>
+ <summary>Guide to setup a Wireguard endpoint on OpenBSD to use as a (mobile) VPN</summary>
+</entry>
+<entry>
<title>susmb: unprivileged mounting of SMB/CIFS shares via FUSE</title>
<link rel="alternate" type="text/gopher" href="gopher://codemadness.org/1/phlog/susmb" />
<id>gopher://codemadness.org/1/phlog/susmb</id>
DIR diff --git a/output/downloads/openbsd-wg/client-example-qr.png b/output/downloads/openbsd-wg/client-example-qr.png
Binary files differ.
DIR diff --git a/output/downloads/openbsd-wg/client-example.conf b/output/downloads/openbsd-wg/client-example.conf
@@ -0,0 +1,10 @@
+[Interface]
+Address = 10.1.2.2/32
+DNS = 10.1.2.1
+PrivateKey = CHBzstIHCi7+YOOa2MN0RXhkPAmJwIXQW0e6/n6+Pno=
+
+[Peer]
+AllowedIPs = 0.0.0.0/0
+Endpoint = example.org:51820
+PreSharedKey = 8ao/EMExyPAHrT3ShX+lnA0u7jUmo7MhrT0GjDcrIJA=
+PublicKey = Rny+AW4EPqPPxfO+8O+QdlkIrWbZRGQ6u6Fje5pUOFM=
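Review bot: `PrivateKey` and `PreSharedKey` in this downloadable file look like real generated keys rather than placeholders, so a reader who imports the example unchanged runs a tunnel with publicly known secrets. The post does say not to copy them, but the file itself carries no such warning; suggest obvious placeholders in the style of the server config's 'private_key_here', or a leading `#` comment in the file, and checking that the binary client-example.zip and client-example-qr.png added alongside do not embed anything that was ever used on a live endpoint. Also on `AllowedIPs = 0.0.0.0/0`: this routes IPv4 only, so a short comment that IPv6 is not sent through the tunnel would help readers on dual-stack mobile networks.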
DIR diff --git a/output/downloads/openbsd-wg/client-example.zip b/output/downloads/openbsd-wg/client-example.zip
Binary files differ.
DIR diff --git a/output/downloads/openbsd-wg/inspector_gadget.jpg b/output/downloads/openbsd-wg/inspector_gadget.jpg
Binary files differ.
DIR diff --git a/output/downloads/openbsd-wg/inspector_gadget.webm b/output/downloads/openbsd-wg/inspector_gadget.webm
Binary files differ.
DIR diff --git a/output/index b/output/index
@@ -11,6 +11,7 @@ i codemadness.org 70
i codemadness.org 70
iPhlog posts codemadness.org 70
i codemadness.org 70
+12026-03-27 Wireguard on OpenBSD for use as a mobile VPN /phlog/wireguard codemadness.org 70
12026-03-06 susmb: unprivileged mounting of SMB/CIFS shares via FUSE /phlog/susmb codemadness.org 70
12024-02-02 Chess puzzle book generator /phlog/chess-puzzles codemadness.org 70
12023-11-22 xargs: an example for parallel batch jobs /phlog/xargs codemadness.org 70
DIR diff --git a/output/index.html b/output/index.html
@@ -39,6 +39,7 @@
<div id="main">
<h1>Posts</h1>
<table>
+<tr><td><time>2026-03-27</time></td><td><a href="wireguard.html">Wireguard on OpenBSD for use as a mobile VPN</a></td></tr>
<tr><td><time>2026-03-06</time></td><td><a href="susmb.html">susmb: unprivileged mounting of SMB/CIFS shares via FUSE</a></td></tr>
<tr><td><time>2024-02-02</time></td><td><a href="chess-puzzles.html">Chess puzzle book generator</a></td></tr>
<tr><td><time>2023-11-22</time></td><td><a href="xargs.html">xargs: an example for parallel batch jobs</a></td></tr>
DIR diff --git a/output/jsonfeed.json b/output/jsonfeed.json
@@ -3,6 +3,14 @@
"title": "Newsfeed",
"items": [
{
+ "id": "https://www.codemadness.org/wireguard.html",
+ "date_published": "2026-03-27T00:00:00Z",
+ "title": "Wireguard on OpenBSD for use as a mobile VPN",
+ "url": "https://www.codemadness.org/wireguard.html",
+ "authors": [{"name": "Hiltjo"}],
+ "content_text": "Guide to setup a Wireguard endpoint on OpenBSD to use as a (mobile) VPN"
+},
+{
"id": "https://www.codemadness.org/susmb.html",
"date_published": "2026-03-06T00:00:00Z",
"title": "susmb: unprivileged mounting of SMB/CIFS shares via FUSE",
DIR diff --git a/output/jsonfeed_content.json b/output/jsonfeed_content.json
@@ -3,6 +3,14 @@
"title": "Newsfeed",
"items": [
{
+ "id": "https://www.codemadness.org/wireguard.html",
+ "date_published": "2026-03-27T00:00:00Z",
+ "title": "Wireguard on OpenBSD for use as a mobile VPN",
+ "url": "https://www.codemadness.org/wireguard.html",
+ "authors": [{"name": "Hiltjo"}],