# Wireguard installation



## SansSerif (May 17, 2020)

Hello!
I would like to ask, how can I install WireGuard on my FreeBSD machine? Yeah, I know this sounds pretty bad, but I'm a noob and just started with FreeBSD. I found a tutorial on the official WireGuard webpage (https://www.wireguard.com/quickstart/), but still don't know how. There was a command IP, that is not installed on my machine (IP: command not found), so I decided to run "sudo pkg install ip". It didn't work, so I'm asking here. Can someone post some instructions on how to do that? (again: I'm starting with FreeBSD)

Sorry for my bad English


----------



## sand_man (May 18, 2020)

This article explains how to configure it in a jail but it should be useful to you. https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-jail/


----------



## SansSerif (May 19, 2020)

sand_man said:


> This article explains how to configure it in a jail but it should be useful to you. https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-jail/


But this is installing WireGuard in a jail. I would like to install it normally, without jails (I don't know what I should do and what not (things to do to set it up in a jail)).

But thanks for the reply.


----------



## olivier (May 19, 2020)

Start with a `pkg install wireguard`, then here is an example of a simple setup:

VPN with GRE, GIF, IPSec, OpenVPN and Wireguard [BSD Router Project] (bsdrp.net)


----------



## Bucky (May 19, 2020)

Here are my notes from when I installed it a couple of years ago. There is no quick-and-easy way to get this running. You need to understand how a VPN works in order to understand what the various parts below mean. Running on FBSD 11.3 presently:

    |# pkg search wireguard
    |# pkg install ...

    |# cd /usr/local/etc/wireguard
    |# umask 077
    |# wg genkey > server-private.key
    |# wg pubkey < server-private.key > server-public.key
    |# wg genkey > client0-private.key
    |# wg pubkey < client0-private.key > client0-public.key
    |# wg genpsk > client0.psk    // .psk = pre-shared key

each additional client computer needs its own keys

    |# wg genkey > client1-private.key
    |# wg pubkey < client1-private.key > client1-public.key
    |# wg genpsk > client1.psk

    |# touch wg0.conf
    |# touch client0.conf
    // the 'server' end of the tunnel can see lots of peers (clients)
    |# ee wg0.conf
        # server
        [Interface]
        Address = 10.14.28.1/24 #, fc00:23:5::1/64, inside tunnel
        ListenPort = 1500
        PrivateKey = < server private key>
        DNS = 10.0.1.1

        # client0
        [Peer]
        PublicKey = < client0 public key >
        PresharedKey = < client0 pre-shared key >
        AllowedIPs = 10.14.28.2/32      #, fc00:23:5::2/128, inside tunnel, clients may not share AllowedIPs

        # client1
        #[Peer]
        #PublicKey = < client1 public key >
        #PresharedKey = < client1 pre-shared key >
        #AllowedIPs = 10.14.28.3/32      #, fc00:23:5::2/128, inside tunnel, clients may not share AllowedIPs

        # -EOF-

the server side...

    |# sysrc gateway_enabled="YES"

-or-

    |# sysctl net.inet.ip.forwarding=1
    |# ee /boot/loader.conf
        net.inet.ip.forwarding=1
        # -EOF-

    |# sysrc wireguard_enable=YES
    |# sysrc wireguard_interfaces=wg0

be sure the /etc/pf.conf NAT covers all interfaces

    |# service wireguard start

check on the wireguard daemon

    |# netstat -4rn
    |# top
    |# ps -auxc
    |# sockstat -4l

on the client side...

    // the client end of the tunnel can only see one peer (server)
    |# ee client0.conf
        # client0
        [Interface]
        PrivateKey = < client0 private key >
        Address = 10.14.28.2/24    #, fc00:23:5::2/64

        # server
        [Peer]
        PublicKey = < server public key >
        #PresharedKey = < client0 pre-shared key >
        Endpoint = 10.0.0.133:1500 # FQDN:1500
        AllowedIPs = 0.0.0.0/0    #, ::/0, all traffic thru the tunnel

        # -EOF-

the client computer will need a 'client' which talks to the
wireguard server.

    fetch from https://tunsafe.com/
        TunSafe-1.4-x64.zip            // the windows client is in here
        TunSafe-TAP-9.21.2.exe    // windows interface

I found these sites very helpful:

<https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/>
<https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-android/>


----------
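An added example, not part of any post above and not project code: a small consistency check for a server/client config pair laid out like the notes in the last post. It flags server peers whose AllowedIPs overlap and a PresharedKey that is set on one end only or differs between ends, since both ends must use the same PSK for the handshake to complete. The function names and the placeholder key values are assumptions made for the illustration.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if line.startswith("["):
            sections.append((line.strip("[]").lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # base64 values may end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def nets(peer):
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in peer.get("allowedips", "").split(",") if v.strip()]

def check_pair(server_text, client_text):
    """Return a list of findings for one server config and one client config."""
    peers = [kv for name, kv in parse_wg(server_text) if name == "peer"]
    client = dict(parse_wg(client_text))         # one [Interface], one [Peer]
    findings = []
    # 1. No two server-side peers may claim overlapping AllowedIPs.
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if any(x.overlaps(y) for x in nets(a) for y in nets(b)):
                findings.append("overlapping AllowedIPs between server peers")
    # 2. Find the server [Peer] whose AllowedIPs cover the client's tunnel address.
    addr = ipaddress.ip_interface(client["interface"]["address"].split(",")[0].strip()).ip
    match = [p for p in peers if any(addr in n for n in nets(p))]
    if not match:
        findings.append(f"no server peer allows {addr}")
    # 3. PresharedKey must be identical on both ends, or absent on both.
    elif match[0].get("presharedkey") != client["peer"].get("presharedkey"):
        findings.append("PresharedKey differs between server peer and client")
    return findings

# Constructed sample modelled on the notes above; key material is placeholder text.
SERVER = """[Interface]
Address = 10.14.28.1/24
[Peer]
PresharedKey = PSK0_PLACEHOLDER
AllowedIPs = 10.14.28.2/32"""
CLIENT = """[Interface]
Address = 10.14.28.2/24
[Peer]
#PresharedKey = PSK0_PLACEHOLDER
AllowedIPs = 0.0.0.0/0"""
print(check_pair(SERVER, CLIENT))
```

Run it against the real `wg0.conf` and each client file before starting the service; an empty list means none of the three checks fired.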

