How to install a Wireguard VPN client in a FreeBSD jail

I installed/set up a Wireguard VPN server on Debian 10 Linux box. How do I install, configure and set up a Wireguard client in a FreeBSD jail?

WireGuard is an open-source software application and communication protocol that implements a VPN to create secure point-to-point connections in routed or bridged mode. It was initially developed for Linux but has since been ported to FreeBSD and other operating systems. This page explains how to install and set up a WireGuard client on a FreeBSD system, including inside a jail.
Tutorial requirements
Operating system/app: FreeBSD host, FreeBSD jail or FreeNAS
Root privileges required: Yes
Difficulty: Intermediate
Estimated completion time: 10m

How to install a Wireguard VPN client in a FreeBSD

This guide assumes that the WireGuard server is up and running on either a Linux or a FreeBSD server. See how to install WireGuard:

I tested this guide on FreeBSD 11.x, but the instructions remain the same for FreeBSD 12.x.

A note about FreeBSD jail

Make sure you unhide tun* and bpf* devices for your jail. For example, here is my config file displayed using the cat command:
# cat /etc/devfs.rules

[devfsrules_jail_nixcraft-jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'bpf*' unhide
add path zfs unhide

See my guide “How to configure a FreeBSD Jail with vnet and ZFS” for more information. If you are using FreeNAS based jail make sure you turn on VNET/BPF support as follows in UI:
[Figure: FreeNAS jail VNET support for WireGuard VPN]

Step 1 – Update FreeBSD

Run the following pkg command:
# pkg update
# pkg upgrade

Search for the WireGuard package:
# pkg search wireguard

wireguard-1.0.20200513         Fast, modern and secure VPN Tunnel
wireguard-go-0.0.20200320      WireGuard implementation in Go

Step 2 – Installing a Wireguard VPN client in a FreeBSD jail

Execute the following command to install a Wireguard VPN client in a FreeBSD jail or FreeBSD host:
# pkg install wireguard
Step 3 – Generating private and public keys for WireGuard VPN client

We need to use the wg command, the configuration utility for getting and setting the configuration of WireGuard tunnel interfaces:
# cd /usr/local/etc/wireguard/
# umask 077; wg genkey | tee privatekey-remote-ln-sg-vpn | wg pubkey > publickey-remote-ln-sg-vpn
# ls -l
# cat privatekey-remote-ln-sg-vpn publickey-remote-ln-sg-vpn

Step 4 – Creating wg0.conf file

Use a text editor such as vim to edit/update wg0.conf file:
# vim /usr/local/etc/wireguard/wg0.conf
Sample config file:

# WireGuard config client for Linode VPN server running on Debian 10 #
[Interface]
## FreeBSD client's private key here ##
PrivateKey = {FreeBSD_Jail_PRIVATE_KEY_HERE}
 
## Client ip address as per your set up ##
Address = 172.16.0.3/24
## Set DNS as per your VPN set up ##
DNS = 10.8.0.1
 
[Peer]
## Debian 10 WireGuard server's public key goes here ##
PublicKey = {SERVER_PUBLIC_KEY_HERE}
 
## Set ACL: 0.0.0.0/0 sends all IPv4 traffic through the VPN ##
AllowedIPs = 0.0.0.0/0
 
## Your Debian 10 WireGuard server's public IPv4/IPv6 address and port goes here ##
Endpoint = {WG_PUBLIC_IP}:{WG_PORT}
 
## Keep connection alive ##
PersistentKeepalive = 15
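
A pre-flight audit of the client config described above, as an added example that is not part of the original tutorial. The function names and the set of checks (file mode, leftover placeholder key, key shape, IPv6 coverage when AllowedIPs is 0.0.0.0/0) are assumptions chosen for illustration, and the demo input is constructed:

```sh
# Added example: audit a wg-quick client config before starting the service.
# Print the value of key $1 from file $2 (first match, trailing blanks trimmed).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print one line per finding; the return status is the number of findings.
wg_conf_audit() {
    conf=$1; findings=0
    # The file holds the private key, so group/other must have no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible by group/other (chmod 600)"
        findings=$((findings + 1))
    fi
    key=$(conf_get PrivateKey "$conf")
    case $key in
        "")  echo "FAIL: no PrivateKey set"; findings=$((findings + 1)) ;;
        \{*) echo "FAIL: PrivateKey is still the template placeholder"
             findings=$((findings + 1)) ;;
        *)   # A key is 32 bytes: 43 base64 characters plus one '=' pad.
             if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
                 echo "FAIL: PrivateKey is not a 44-character base64 key"
                 findings=$((findings + 1))
             fi ;;
    esac
    # A full IPv4 tunnel without ::/0 leaves IPv6 outside the tunnel.
    allowed=",$(conf_get AllowedIPs "$conf" | tr -d ' '),"
    case $allowed in
        *,0.0.0.0/0,*)
            case $allowed in
                *,::/0,*) ;;
                *) echo "WARN: AllowedIPs lacks ::/0, IPv6 is not tunnelled"
                   findings=$((findings + 1)) ;;
            esac ;;
    esac
    return "$findings"
}

# Demo on a constructed config that mirrors the tutorial's template.
demo=$(mktemp); chmod 644 "$demo"
cat > "$demo" <<'EOF'
[Interface]
PrivateKey = {FreeBSD_Jail_PRIVATE_KEY_HERE}
[Peer]
AllowedIPs = 0.0.0.0/0
EOF
wg_conf_audit "$demo" || echo "findings: $?"
rm -f "$demo"
```

On the jail itself, run `wg_conf_audit /usr/local/etc/wireguard/wg0.conf` before `service wireguard start`.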

Step 4 – Turn on WireGuard VPN client service

Type the following sysrc command:
# sysrc wireguard_interfaces="wg0"
# sysrc wireguard_enable="YES"

Step 5 – Running WireGuard VPN client on FreeBSD jail for the first time

The syntax is as follows for the service command:

Start the wireguard vpn client

# service wireguard start

[#] wireguard-go wg0
INFO: (wg0) 2020/08/08 12:24:37 Starting wireguard-go version 0.0.20200320
[#] wg setconf wg0 /tmp/tmp.DjieZIFu/sh-np.EtDMVd
[#] ifconfig wg0 inet 172.16.0.3/24 172.16.0.3 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 13.xxx.yyy.zzz -gateway 192.168.2.254
[+] Backgrounding route monitor

Stop the wireguard vpn client

# service wireguard stop

Restart the wireguard vpn client

# service wireguard restart

Get the status of wireguard vpn client

# wg
# ps aux | grep wireguard

Step 5 – Test WireGuard VPN connectivity

Let us verify VPN connectivity. Run the ping command to send ICMP ECHO_REQUEST packets to the VPN server IP address 172.16.0.1:
# ping -c 4 172.16.0.1

PING 172.16.0.1 (172.16.0.1): 56 data bytes
64 bytes from 172.16.0.1: icmp_seq=0 ttl=64 time=41.848 ms
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=41.683 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=41.793 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=42.089 ms

--- 172.16.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.683/41.853/42.089/0.149 ms

Use the ifconfig command and netstat command to view routing information:
# ifconfig
# ifconfig wg0

wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
	options=80000<LINKSTATE>
	inet 172.16.0.3 --> 172.16.0.3 netmask 0xffffff00
	nd6 options=101<PERFORMNUD,NO_DAD>
	groups: tun
	Opened by PID 96281

See routing info on your FreeBSD:
# netstat -f inet -r -n
# netstat -f inet6 -r -n
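
One way to check the routing table for the routes that wg-quick installed in the startup log above (0.0.0.0/1 and 128.0.0.0/1 via wg0, plus a host route that keeps the server endpoint on the physical gateway). This is an added example, not part of the original tutorial: the function name wg_route_check, the sample table and the endpoint address 203.0.113.10 are constructed, and the column layout is assumed to be that of FreeBSD 11/12.

```sh
# Added example: verify the routes wg-quick installs for AllowedIPs = 0.0.0.0/0.
# Reads `netstat -f inet -r -n` output on stdin; $1 is the tunnel interface,
# $2 the server endpoint IP. Exit status 0 means the IPv4 full tunnel is intact.
wg_route_check() {
    awk -v ifc="$1" -v ep="$2" '
        # Locate the Netif column from the header so extra columns do not matter.
        $1 == "Destination" {
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        !col { next }
        $1 == "0.0.0.0/1"   && $col == ifc { low = 1 }
        $1 == "128.0.0.0/1" && $col == ifc { high = 1 }
        # The endpoint itself must stay on the physical uplink, or the
        # encrypted packets would be routed back into the tunnel.
        $1 == ep { bypass = ($col != ifc) }
        END {
            if (!low)    print "FAIL: 0.0.0.0/1 is not routed via " ifc
            if (!high)   print "FAIL: 128.0.0.0/1 is not routed via " ifc
            if (!bypass) print "FAIL: no host route for " ep " outside " ifc
            exit !(low && high && bypass)
        }'
}

# Constructed sample (addresses are documentation values, not taken from
# the tutorial's host).
sample='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          wg0                US          wg0
default            192.168.2.254      UGS         em0
128.0.0.0/1        wg0                US          wg0
172.16.0.3         link#3             UH          lo0
203.0.113.10       192.168.2.254      UGHS        em0'

printf '%s\n' "$sample" | wg_route_check wg0 203.0.113.10 && echo "full tunnel OK"
```

On a live client, pipe the real table in: `netstat -f inet -r -n | wg_route_check wg0 {WG_PUBLIC_IP}`.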

Make sure you get the public IPv4/IPv6 address of your VPN endpoint using the host command/dig command/drill command:
# drill TXT +short o-o.myaddr.l.google.com @ns1.google.com
# dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1382
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; o-o.myaddr.l.google.com.	IN	TXT

;; ANSWER SECTION:
o-o.myaddr.l.google.com.	60	IN	TXT	"13.xxx.yyy.zzz"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 42 msec
;; SERVER: 216.239.32.10
;; WHEN: Sat Aug  8 12:23:05 2020
;; MSG SIZE  rcvd: 68

Conclusion

This quick guide covered the WireGuard VPN client installation and configuration for FreeBSD jail. See WireGuard project documentation or read man pages by typing the following man command:
$ man 8 wg-quick
$ man 8 wg

This entry is 5 of 5 in the WireGuard modern Linux/Unix/*BSD VPN Tutorial series. Keep reading the rest of the series:
  1. Ubuntu 20.04 set up WireGuard VPN server
  2. CentOS 8 set up WireGuard VPN server
  3. Debian 10 set up WireGuard VPN server
  4. WireGuard Firewall Rules in Linux
  5. Wireguard VPN client in a FreeBSD jail