Replacing tinc with wireguard
──────────────────────────────────────────────────────────────────

After a few months of heavy procrastination, I finally replaced my old
tinc[0] mesh VPN with wireguard[1]. Since version 6.8, OpenBSD ships
the wg(4) driver by default, and ifconfig(8) has everything required to
set up a wireguard VPN: you don't even need the (in)famous
wireguard-tools package!

Generating the private key is done with openssl(1), as 32 random bytes
encoded in base64:

    openssl rand -base64 32
    y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=

You can then put it in /etc/hostname.wg0, along with your peers' public
keys, their endpoints and the address allowed for each of them:

    # /etc/hostname.wg0
    inet 10.0.0.1 255.255.255.240
    wgport 51820
    wgkey y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=
    wgpeer FbRKfD8E6D/6xIHJqpigq0I6DYe63pF/ak1FArQXoDA= wgendpoint peer1.domain.tld 51820 wgaip 10.0.0.2
    wgpeer z6sXdKvJAYnjqL2pTUoG8U+mzj19lcgUdfHXV8pLAkQ= wgendpoint peer2.domain.tld 51820 wgaip 10.0.0.3
    up

Since this file now holds the private key, make sure it stays readable
by root only (mode 0640, root:wheel).

Once the interface is up, the public key is printed along with the
other interface attributes, under the name "wgpubkey"; use ifconfig(8)
to get it:

    doas ifconfig wg0 | grep wgpubkey

So far it does the job just as well as tinc, but as it's built into the
kernel, no external tool or daemon is required, which is really nice. I
also managed to automate the whole setup (generate private keys,
distribute public ones) thanks to drist(1).

keep hacking!

-- ~wgs

[0]: https://tinc-vpn.org
[1]: https://wireguard.com

20210928.1804
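Added example, not code from the post or from drist, of the automation step mentioned above (generate private keys, distribute public ones): the "wgpubkey" that ifconfig(8) prints is X25519 of the clamped private key against the base point 9 (RFC 7748), so it can be derived offline with a few lines of Python and every node's hostname.wg0 rendered from one table of private keys, without bringing wg0 up on each host first. The node names, addresses and endpoints in MESH are constructed sample values (the first key is the one shown in the post); only the standard library is used.

```python
import base64

_P = 2**255 - 19  # Curve25519 prime (RFC 7748); wgpubkey = X25519(clamp(wgkey), 9)

def _x25519_base(priv: bytes) -> bytes:
    """Clamp the 32-byte secret and run the RFC 7748 Montgomery ladder on u = 9."""
    b = bytearray(priv)
    b[0] &= 248; b[31] &= 127; b[31] |= 64  # standard X25519 scalar clamping
    k = int.from_bytes(b, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # plain conditional swap; constant time is not a goal of this demo
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b_ = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b_ * b_ % _P
        e = (aa - bb) % _P
        da = (x3 - z3) * a % _P
        cb = (x3 + z3) * b_ % _P
        x3, z3 = pow(da + cb, 2, _P), x1 * pow(da - cb, 2, _P) % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def wg_pubkey(wgkey: str) -> str:
    """Base64 'wgpubkey' that ifconfig(8) prints for the given base64 'wgkey'."""
    priv = base64.b64decode(wgkey, validate=True)
    if len(priv) != 32:
        raise ValueError("wgkey must decode to exactly 32 bytes")
    return base64.b64encode(_x25519_base(priv)).decode()

def hostname_wg(node: str, mesh: dict, port: int = 51820) -> str:
    """hostname.wg0 for one mesh member; mesh maps name -> {key (base64 private), ip, mask, endpoint}."""
    me = mesh[node]
    out = [f"# /etc/hostname.wg0 ({node})", f"inet {me['ip']} {me['mask']}",
           f"wgport {port}", f"wgkey {me['key']}"]
    for name, p in mesh.items():
        if name != node:  # peers only ever see the derived public key, never the private one
            out.append(f"wgpeer {wg_pubkey(p['key'])} wgendpoint {p['endpoint']} {port} wgaip {p['ip']}")
    out.append("up")
    return "\n".join(out) + "\n"

MESH = {  # constructed sample: alpha uses the post's key, beta a fixed dummy key
    "alpha": {"key": "y4mJJGiPwpZIauJlZuDSY0f+Dqx8UPD9WGD0fQvzkK4=", "ip": "10.0.0.1", "mask": "255.255.255.240", "endpoint": "peer1.domain.tld"},
    "beta": {"key": base64.b64encode(bytes(range(32))).decode(), "ip": "10.0.0.2", "mask": "255.255.255.240", "endpoint": "peer2.domain.tld"},
}
```

Running `hostname_wg(n, MESH)` for each n gives one file per host; comparing `wg_pubkey(MESH[n]["key"])` with what `ifconfig wg0` reports after `sh /etc/netstart wg0` confirms the right key landed on the right box.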