Creating a VPN Tunnel with FreeBSD + WireGuard for Android
Hello, this is incompetent.
In the previous article, I only posted the speed results, but here are the steps to create a tunnel.
I couldn't find any other Japanese articles on this, so I'm documenting it.
WireGuard
Smartphone side (Client)
The article generates the phone's WireGuard keys on the PC side. (The Android app can also generate a key pair itself, which avoids ever moving a private key off the phone; the PC method is used here so the keys can be handed around.) Run umask 077 first so the key files are not created world-readable, then:
wg genkey | tee private.key
wg genpsk | tee psk.key
If you only create the private key, the smartphone WireGuard app derives and displays the matching public key as soon as you paste the private key in, so you don't need to create it here.
Alternatively, create both at once with wg genkey | tee private.key | wg pubkey > pub.key.
Transfer the keys to your smartphone and, in the WireGuard smartphone app, enter:
Private key = content of private.key
Pre-shared key = content of psk.key
Address = the phone's own address inside the tunnel; this time we'll use `10.1.0.4/32`
Endpoint = WireGuard server's global IP:51820
Allowed IPs = 0.0.0.0/0 , ::/0 # Route all traffic through VPN
The app shows the public key it derived. That is the only value that has to travel to the server (the pre-shared key must exist on both sides too, while the private key stays on the phone), so make sure you can send or paste the public key to the server side.
PC side (Server side)
First, assuming WireGuard is installed, add a [Peer] section at the end of the server's wg0.conf (on FreeBSD the file lives in /usr/local/etc/wireguard/). The [Interface] section above it must already hold the server's own tunnel address, ListenPort 51820 and the server's private key.
[Peer]
PublicKey = Public key displayed after entering private.key on the smartphone side, or content of pub.key
PreSharedKey = content of psk.key
AllowedIPs = 10.1.0.4/32
PersistentKeepalive = 25
For now, run wg-quick up wg0. Turn the VPN on on your smartphone; if wg show on the server lists a recent handshake for the peer, the tunnel is up. However, with this setup the phone can only reach the server's own tunnel address: the server does not yet forward packets, and without address translation replies from the Internet would never find their way back into the tunnel. So you need to enable forwarding and create NAT rules.
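Putting the two sides together, as an added example that is not the article's own script: the shell below generates the key pairs with a safe umask and writes a matched pair of configs, including the server [Interface] section the article does not show. Beyond the article it assumes a server tunnel address of 10.1.0.1/24, a placeholder global IP 203.0.113.10 for the endpoint, and the working directories ./server and ./phone; wg(8) is only invoked when the script is run with --run.

```shell
#!/bin/sh
# Added example (not the article's own script): build a matched pair of
# WireGuard configs for the phone and the FreeBSD server.
# Assumptions beyond the article: the server's tunnel address 10.1.0.1/24,
# a placeholder endpoint 203.0.113.10 (TEST-NET-3) for the server's global IP,
# and the directory layout ./server and ./phone.
set -eu

WG_SERVER_ADDR="10.1.0.1/24"          # assumption: server end of the tunnel
WG_CLIENT_ADDR="10.1.0.4/32"          # the phone's address from the article
WG_PORT=51820
WG_ENDPOINT="203.0.113.10:${WG_PORT}" # placeholder, replace with the real global IP

# Generate a key pair into $1/ with a restrictive umask, so the private key is
# created mode 0600 instead of the 0644 that the default umask 022 would give.
# (umask is process-wide, so everything this script writes afterwards is 0600.)
gen_keypair() {
    umask 077
    mkdir -p "$1"
    wg genkey > "$1/private.key"
    wg pubkey < "$1/private.key" > "$1/public.key"
}

# Server wg0.conf: the [Interface] section the article does not show, plus the
# [Peer] for the phone. $1 = server private key, $2 = phone public key, $3 = PSK.
server_conf() {
    printf '%s\n' \
        "[Interface]" \
        "Address = ${WG_SERVER_ADDR}" \
        "ListenPort = ${WG_PORT}" \
        "PrivateKey = $1" \
        "" \
        "[Peer]" \
        "PublicKey = $2" \
        "PreSharedKey = $3" \
        "AllowedIPs = ${WG_CLIENT_ADDR}"
}

# Phone config, importable into the Android app as a .conf file.
# $1 = phone private key, $2 = server public key, $3 = the same PSK as above.
client_conf() {
    printf '%s\n' \
        "[Interface]" \
        "PrivateKey = $1" \
        "Address = ${WG_CLIENT_ADDR}" \
        "" \
        "[Peer]" \
        "PublicKey = $2" \
        "PreSharedKey = $3" \
        "Endpoint = ${WG_ENDPOINT}" \
        "AllowedIPs = 0.0.0.0/0, ::/0" \
        "PersistentKeepalive = 25"
}

main() {
    gen_keypair ./server
    gen_keypair ./phone
    wg genpsk > ./phone/psk.key          # one PSK per peer, shared by both ends
    psk=$(cat ./phone/psk.key)
    server_conf "$(cat ./server/private.key)" "$(cat ./phone/public.key)" "$psk" \
        > ./server/wg0.conf
    client_conf "$(cat ./phone/private.key)" "$(cat ./server/public.key)" "$psk" \
        > ./phone/wg0.conf
    echo "server: install ./server/wg0.conf as /usr/local/etc/wireguard/wg0.conf"
    echo "phone:  import ./phone/wg0.conf into the app, then delete ./phone/"
}

# Only touch the filesystem and call wg(8) when explicitly asked.
if [ "${1-}" = "--run" ]; then
    main
fi
```

The phone's private key and the PSK only ever exist in ./phone/, so delete that directory once the config is imported; the server never needs them. The PSK adds a symmetric secret to the handshake on top of the Curve25519 keys, which is why it must match on both ends, while AllowedIPs on the server is deliberately just the single /32: it is WireGuard's source-address check for that peer, not a route.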
FreeBSD
First, enable IP forwarding (routing, not port forwarding) for IPv4 and IPv6.
vi /etc/sysctl.conf
Then add the following:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
Then reboot, or set the same two values with sysctl(8) to apply them immediately. Setting gateway_enable="YES" and ipv6_gateway_enable="YES" in /etc/rc.conf is the usual FreeBSD way to do the same. IPv6 forwarding only matters once the tunnel also carries IPv6 addresses and routes; with the IPv4-only tunnel here it does nothing by itself.
And create rules with pf.
vi /etc/pf.conf
Then add the following:
wireguard_clients=10.1.0.4   # the phone's tunnel address (the whole tunnel subnet would also work)
wanint="vtnet0"              # the interface holding the global IP; check with ifconfig
wg_ports="{51820}"           # WireGuard's ListenPort
# Translation rules must come before filter rules. This rewrites the phone's
# source address to the server's global address on the way out.
nat on $wanint inet from $wireguard_clients to any -> $wanint
# Let the WireGuard handshake in. Note that there is no block rule, so pf keeps
# its default policy of pass: anything not matched here is allowed, inbound included.
pass in on $wanint proto udp from any to $wanint port $wg_ports
pass out quick
Then check the syntax:
pfctl -nf /etc/pf.conf
If there are no errors, load it:
pfctl -f /etc/pf.conf
This applies the rules (pf itself must be running: pf_enable="YES" in /etc/rc.conf and service pf start).
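The ruleset above works because pf passes everything it does not match, which also means the server accepts any inbound connection once forwarding is on. As an added example (not the article's pf.conf), the script below emits a default-deny version of the same ruleset from a function and only loads it after pfctl -n accepts it. Beyond the article it assumes the whole tunnel subnet 10.1.0.0/24 rather than the single client, and that ssh on TCP 22 must stay reachable from outside; the interface names and port are the article's.

```shell
#!/bin/sh
# Added example, not the article's pf.conf: a default-deny ruleset for the
# WireGuard gateway, written by a function so it can be syntax-checked before
# it replaces the live rules. Assumptions beyond the article: the whole tunnel
# subnet 10.1.0.0/24 instead of the single client, and that ssh on TCP 22
# must stay reachable from the Internet.
set -eu

WAN_IF=${WAN_IF:-vtnet0}
WG_IF=${WG_IF:-wg0}
WG_NET=${WG_NET:-10.1.0.0/24}
WG_PORT=${WG_PORT:-51820}
ADMIN_TCP=${ADMIN_TCP:-22}

# Print the ruleset. Backslashes keep pf's own $macros out of shell expansion.
# Order matters to pf: macros, options, translation (nat), then filter rules.
pf_rules() {
    cat <<EOF
wanint = "${WAN_IF}"
wgint = "${WG_IF}"
wg_net = "${WG_NET}"
wg_port = "${WG_PORT}"
admin_tcp = "{ ${ADMIN_TCP} }"

set skip on lo0

# Masquerade tunnel clients behind the WAN address. (\$wanint) in parentheses
# re-reads the address at match time, so the rule survives a DHCP lease change.
nat on \$wanint inet from \$wg_net to any -> (\$wanint)

# Drop packets whose source address does not belong on the interface they arrived on.
antispoof quick for { \$wanint, \$wgint }

# Default deny. pf's built-in policy is pass, so without this line enabling
# forwarding turns the host into an open router for anything it can reach.
block log all

# Inbound on the WAN: only the WireGuard handshake and admin ssh.
pass in on \$wanint proto udp to (\$wanint) port \$wg_port
pass in on \$wanint proto tcp to (\$wanint) port \$admin_tcp

# Packets arriving through the tunnel come from authenticated peers; let them
# reach the host and be forwarded (their source address is translated above).
pass in on \$wgint from \$wg_net

# Everything the host itself or the tunnel peers originate may leave.
# No inet6 NAT on purpose: the phone routes ::/0 into the tunnel, and with no
# IPv6 inside it that traffic is dropped here instead of leaking around the VPN.
pass out quick
EOF
}

# Parse with -n first; only a ruleset that parses cleanly is loaded and saved,
# so a typo can never leave the box unfiltered or with half-applied rules.
load_rules() {
    tmp=$(mktemp)
    pf_rules > "$tmp"
    if pfctl -nf "$tmp"; then
        pfctl -f "$tmp"
        cp "$tmp" /etc/pf.conf
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "ruleset rejected by pfctl -n, live rules unchanged" >&2
        return 1
    fi
}

# Only touch pf when explicitly asked (needs root and a running pf).
if [ "${1-}" = "--load" ]; then
    load_rules
fi
```

Run it as root with --load after pf is enabled. pass rules keep state by default, so the replies to the phone's NATed connections come back through the state table without needing their own inbound rule; everything else from the Internet, including anything aimed at services on the home network behind the server, now hits block log all and shows up in pflog for inspection.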
From the phone, check that your public IP address is now the WireGuard server's, for example at Takashi's simple and handy IP-check site:
bibi.moe/ip
This concludes the setup.
If this is done, and your home server proxies the services running on your local network onto the WireGuard network, you can reach your home network from your smartphone's browser while connected to the VPN, which is very convenient. See you next time. Best regards.