Installing OpenBSD 7.0 on an RPi4 and using as a WireGuard client gateway

[Reeshar]

I've put together some detailed notes on how to install OpenBSD 7.0 on an RPi4, including replacing the UEFI files to allow OpenBSD to boot, and how to configure OpenBSD for use as a WireGuard client gateway linking to a remote WireGuard server. More or less the same configuration could be used for the server end of the WireGuard link. Total boot time from power-on to login prompt is approximately 80 seconds - 35 secs in the UEFI bootloader and 45 secs due to OpenBSD itself.

The notes also cover how to configure the UEFI bootloader to allow OpenBSD to use a DS3231 real-time clock as time is critical to correct WireGuard operation.

Finally be aware of a gotcha which caught me out for a while: ifconfig only shows the full wg0 configuration if you run it as root. So use either:

Code:

# ifconfig wg0

or (as a non-privileged user):

Code:

$ doas ifconfig wg0

Some clear omissions:

• Firewalling, so you'll need to add appropriate filter rules etc to pf.conf
  
• DNS other than in outline. You might want to consider implementing unbound with secure DNS on the RPi4, and details of how to do this can be found elsewhere on the Internet
  
• Setting WireGuard up to use a hostname for the remote server rather than an IP address. hostname.if config files don't support hostname resolution.

Comments, errata and suggestions welcome. I might eventually format up these notes into something a bit more presentable!

[Reeshar]

I've now updated my RPi4 test rig to use VLANs rather than a USB Ethernet adaptor. The net result is a significant increase in performance: whereas I could only get 100Mbit/s throughput with the Ethernet dongle, I get 200+Mbit/s using VLANs where the "200" is the upload speed limit of my broadband connection.

Using a D-Link 5-port smart switch, which incidentally I run off a USB power supply alongside my RPi4 so I need only one power source for the two, the total power consumption is around 10W.

My next goal is to set the RPi4 up as a fully-fledged firewall with two internal VLANs, one routed directly out to the Internet, the other going through the WireGuard tunnel. This mirrors a setup already in existence at our house in France which allows us to stream UK content via an OpenBSD WireGuard server at our UK home while in parallel being able to directly access the local Internet in France. The two networks are accessed via two separate APs, one for the UK and one for France. Currently though we're using a GL-iNet Slate to manage the WireGuard link.

Ironically we have a better and cheaper Internet connection in a small village of 200 inhabitants in the Pyrenees (300/200Mbit/s over fibre-to-the-home) than we do here in the UK where we have 200/20Mbit/s over cable.

Updated notes will follow...