My notes about setting up WireGuard the FreeBSD way.

I was struggling for a few hours to find the best way to set up WireGuard on FreeBSD.

It seems that the best way is to use rc.conf and avoid the wg-quick scripts from the wireguard-tools and wireguard-tools-lite packages.

The good thing is that all the network settings are in the place where you would expect them (rc.conf), and you do not depend on the possibly buggy wg-quick wrapper; the only piece still needed from the wireguard-tools or wireguard-tools-lite package is the wg(8) utility that the start script below calls.
You also see all the IPs and routes in one place, together with the other network settings. The file wg0.conf must still exist and is very similar to the one used by wg-quick,
but the wg-quick-only options (Address, DNS, MTU, Table, PreUp/PostUp/PreDown/PostDown, SaveConfig) are not allowed, because wg(8) only accepts the [Interface] and [Peer] keys it documents. The IP address and the routes must be added manually, as for any other network interface in rc.conf.

Added to rc.conf:

Bash:
cloned_interfaces="wg0"
# The commented lines below are not needed here;
# they are only read by the wireguard rc script that wireguard-tools installs (which uses wg-quick).
#wireguard_enable="YES"
#wireguard_interfaces="wg0"
ifconfig_wg0="inet 192.168.145.47/24"

# static routes for the AllowedIPs prefixes that are not on-link
# (192.168.145.0/24 is already covered by the address above)
static_routes="wg0"
route_wg0="-net 81.XX.XX.XX/32 192.168.145.1"


Content of /etc/start_if.wg0
Bash:
wg syncconf wg0 /etc/wg0.conf


Content of /etc/wg0.conf (it holds the private key, so keep it owned by root with mode 0600)

Code:
[Interface]
# Address must not be here: it is a wg-quick-only option and wg syncconf rejects it;
# the address is set in rc.conf via ifconfig_wg0 instead.
# Address = 192.168.145.47/32
# To pin the UDP port WireGuard listens on, uncomment the line below
# (without it a random port is chosen when the interface comes up).
#ListenPort = 51820
PrivateKey = ............=

[Peer]
AllowedIPs = 192.168.145.0/24, 81.XX.XX.XXX/32
PublicKey = .............=
Endpoint = 81.XX.XX.XX:28150
PersistentKeepalive = 30



Now I can test it by issuing:
Bash:
service netif start wg0
ifconfig
netstat -4rn
ping X.X.X.X
service netif stop wg0
ifconfig
netstat -4rn

WireGuard's UDP listen port is always bound on all addresses, on every interface; wg(8) has no option to restrict it to a single interface. The workaround is a firewall rule (pf or ipfw) that accepts UDP to the ListenPort only on the intended interface and blocks it everywhere else. (Packets that are not a valid handshake from a configured peer are dropped silently, so the open port gives a scanner nothing to see, but the firewall rule still shrinks the attack surface.)
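The three practical points above (wg-quick-only keys that wg syncconf rejects, one static route per AllowedIPs prefix that is not already on-link, and the firewall rule pair for the listen port) as a small helper script. This is example code added to these notes; it is not part of the original post, of FreeBSD or of wireguard-tools. It assumes the documented wg(8) behaviour (AllowedIPs is the source of truth for routes; only the [Interface]/[Peer] keys wg(8) lists are accepted). The function names, the sample configs (RFC 5737 documentation addresses, constructed here) and the em0 WAN interface are all assumptions for the example.

```sh
#!/bin/sh
# Helper for the rc.conf-driven WireGuard setup in these notes (example code,
# not part of FreeBSD or wireguard-tools). Function names, file names and the
# sample configs below are constructed for illustration.
#
# Three checks worth running before `service netif start wg0`:
#  1. wg0.conf must only use keys wg(8) understands; the wg-quick-only keys
#     (Address, DNS, MTU, Table, PreUp/PostUp/PreDown/PostDown, SaveConfig)
#     make `wg syncconf` fail.
#  2. Every IPv4 AllowedIPs prefix needs a static route in rc.conf, except
#     prefixes already on-link through the address/prefix in ifconfig_wg0.
#  3. WireGuard binds its UDP port on all addresses, so a pf rule pair is the
#     way to limit it to one interface.
set -u

WGQUICK_ONLY='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig'

# wgconf_lint FILE: print each wg-quick-only line; return 1 if any was found.
wgconf_lint() {
    awk -v bad="^[[:space:]]*(${WGQUICK_ONLY})[[:space:]]*=" '
        $0 ~ bad { print "wg-quick-only option in " FILENAME ": " $0; found = 1 }
        END { exit found ? 1 : 0 }' "$1"
}

# wgconf_routes FILE IFNAME ADDR/PLEN GATEWAY: emit rc.conf static_routes
# lines for every IPv4 AllowedIPs prefix that is not on-link already.
wgconf_routes() {
    awk -v ifn="$2" -v ifaddr="$3" -v gw="$4" '
        function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function netof(n, plen,  s) { s = 2^(32 - plen); return int(n / s) * s }
        BEGIN { split(ifaddr, p, "/"); ifplen = p[2] + 0; ifnet = netof(ip2n(p[1]), ifplen); k = 0; names = "" }
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[[:space:]]/, "")
            n = split($0, cidrs, ",")
            for (i = 1; i <= n; i++) {
                if (cidrs[i] == "") continue
                if (cidrs[i] ~ /:/) { print "skipping IPv6 prefix " cidrs[i] > "/dev/stderr"; continue }
                m = split(cidrs[i], q, "/"); plen = (m == 2) ? q[2] + 0 : 32
                # Covered by the interface network itself: no route needed.
                if (plen >= ifplen && netof(ip2n(q[1]), ifplen) == ifnet) continue
                k++; names = names (k > 1 ? " " : "") ifn "_" k
                routes[k] = "route_" ifn "_" k "=\"-net " q[1] "/" plen " " gw "\""
            }
        }
        END { print "static_routes=\"" names "\""; for (i = 1; i <= k; i++) print routes[i] }' "$1"
}

# pf_rules WANIF PORT: pf.conf lines that accept WireGuard UDP only on WANIF.
# "quick" makes the first match final, so the pass must come before the block.
pf_rules() {
    printf 'pass in quick on %s proto udp from any to (%s) port %s\n' "$1" "$1" "$2"
    printf 'block in quick proto udp from any to any port %s\n' "$2"
}

# Constructed sample configs (documentation addresses, not the post's peers).
write_samples() {   # write_samples DIR
    cat > "$1/wg0.conf" <<'EOF'
[Interface]
#ListenPort = 51820
PrivateKey = AAAA...=
[Peer]
AllowedIPs = 192.168.145.0/24, 203.0.113.10/32, 10.9.0.0/16
PublicKey = BBBB...=
Endpoint = 198.51.100.1:28150
PersistentKeepalive = 30
EOF
    cat > "$1/wg0-quick.conf" <<'EOF'
[Interface]
Address = 192.168.145.47/32
PrivateKey = AAAA...=
[Peer]
AllowedIPs = 192.168.145.0/24
PublicKey = BBBB...=
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "== lint wg0.conf";       wgconf_lint "$d/wg0.conf" && echo "clean"
    echo "== lint wg0-quick.conf"; wgconf_lint "$d/wg0-quick.conf" || echo "fix before wg syncconf"
    echo "== rc.conf routes";      wgconf_routes "$d/wg0.conf" wg0 192.168.145.47/24 192.168.145.1
    echo "== pf.conf";             pf_rules em0 51820
    rm -rf "$d"
}
demo
```

Run it as `sh wg-rc-check.sh` and paste the emitted `static_routes`/`route_*` lines into rc.conf; the on-link /24 from AllowedIPs is skipped because ifconfig_wg0 already provides that route, which is exactly why the post only needed the single /32 route.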
 
The WireGuard driver (if_wg(4)) is part of the FreeBSD kernel, so nothing has to be installed for the tunnel itself; the only userland piece is the wg(8) utility that start_if.wg0 calls, which comes from the wireguard-tools or wireguard-tools-lite package. The protocol and the wg(8) syntax are the same as on Linux, so the standard WireGuard documentation applies and nothing FreeBSD-specific is needed.

However, it may be more convenient to use the FreeBSD way than wg-quick, unless you have a very large AllowedIPs list or change the config very often. If you use wg-quick, the usage is the same as on Linux.

All I found was this: https://www.reddit.com/r/freebsd/comments/1ee0w3y/what_is_proper_way_to_use_wireguard_in_141/ and https://forums.freebsd.org/threads/how-to-enable-wireguard-service-in-freebsd14-2.96022/ My setup is based on the information I found there.

WireGuard is easy to use and fast, much better than any other VPN. I want to use it with zrepl for snapshot backups. This way I can use a plain TCP connection for the ZFS snapshot transfers, as WireGuard provides encryption, NAT traversal and another layer of protection. SSH can be very slow over an internet connection with higher packet delay, so I want to avoid that.
 