Set up a point-to-point WireGuard tunnel between OpenBSD router/firewalls

This is a persistent point-to-point tunnel with OpenBSD firewall/routers at both ends.

The topology of the network:

```
Network 1 hosts <-- em0--Router 1--wg0 <--> tunnel <--> wg0--Router2--igc0 --> network 2 hosts
```

External interfaces (em0, igc0): addresses as assigned by the ISP.

WireGuard interface IPs:
- network 1: 10.10.10.1/30
- network 2: 10.10.10.2/30

LAN IP ranges:
- network 1: 10.1.0.0/24
- network 2: 10.2.0.0/24

Internal interfaces (em1, igc1):
- network 1: 10.1.0.1
- network 2: 10.2.0.1

Network 1 (wg0 10.10.10.1, internal LAN 10.1.0.0/24)

First install wireguard-tools:

```
doas pkg_add wireguard-tools
```

Configure wg0.conf:

```
mkdir /etc/wireguard
nano /etc/wireguard/wg0.conf
```

```
[Interface]
# PrivateKey for local wg client
PrivateKey = aATXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
ListenPort = 21266 # Your choice here

# Client
[Peer]
# Public key for server
PublicKey = jxtXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
# IP address of server
Endpoint = XXX.XXX.XXX.XXX:21266
# or can use a FQDN
# Endpoint = client.example.network:21266
# IP addresses of local wg interfaces and IP range of network 2 for VPN traffic
AllowedIPs = 10.10.10.0/30,10.2.0.0/24
# Note: use the LAN IP range of the peer network if you want to access hosts in the peer network;
# if you only want to access the firewall/router/endpoint, use the LAN IP of the firewall
# Keep alive
PersistentKeepalive = 25
```

Configure wg0:

```
nano /etc/hostname.wg0
```

```
inet 10.10.10.1 255.255.255.252
up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
!route add -net 10.2.0.0/24 10.10.10.2
```

Add to pf.conf:

```
# Wireguard vpn
wg_if="wg0"
wg_port="21266"

# WireGuard
pass on $wg_if
pass on egress inet proto udp from any to any port $wg_port
```

Network 2 (wg0 10.10.10.2, internal LAN 10.2.0.0/24)

Install wireguard-tools:

```
doas pkg_add wireguard-tools
```

Configure /etc/wireguard/wg0.conf:

```
[Interface]
# Private key of local server
PrivateKey = OKQXXXXXXXXXXXXXXXXXXXXXXXXX=
ListenPort = 21266

# Client
[Peer]
# Public key of client
PublicKey = +MIXXXXXXXXXXXXXXXXXXXXXXXXXX=
# IP address of client
Endpoint = XXX.XXX.XXX.XXX:21266
# or can use a FQDN
# Endpoint = server.example.network
# IP addresses of local wg interfaces and IP range of the client's network for VPN traffic
AllowedIPs = 10.10.10.0/30,10.1.0.0/24
# Note: use the LAN IP range of the peer network if you want to access any host in the peer network;
# if you only want to access the firewall/router/endpoint, use the LAN IP of the router.
# Keep alive
PersistentKeepalive = 25
```

Configure /etc/hostname.wg0:

```
inet 10.10.10.2 255.255.255.252
up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
!route add -net 10.1.0.0/24 10.10.10.1
```

Add to pf.conf:

```
# Wireguard vpn
wg_if="wg0"
wg_port="21266"

## Rules for wireguard
pass on $wg_if
pass on egress inet proto udp from any to any port $wg_port
```

Now restart the routers or issue `doas sh /etc/netstart wg0` on both routers.
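Because /etc/hostname.wg0 hands wg0.conf to `wg setconf` at every boot, a malformed file or an over-broad AllowedIPs line on either router silently breaks or misroutes the link. The script below is an added example, not part of the guide above: a small POSIX sh lint that checks a wg0.conf before it is loaded. It verifies that the file is readable only by its owner (it contains the PrivateKey), that PrivateKey is a 44-character base64 string, that ListenPort is a valid port, that every [Peer] section has a PublicKey, and that AllowedIPs lists specific prefixes rather than a default route (which, on a site-to-site link like this one, would pull all of the router's traffic into the tunnel). The function name `check_wg_conf` and the helper `conf_values` are this example's own; any key values used with it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a WireGuard wg0.conf
# before loading it with "wg setconf wg0 /etc/wireguard/wg0.conf".

# conf_values KEY FILE: print every value of KEY in FILE, trailing comments stripped.
conf_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*#.*$//'
}

# check_wg_conf FILE: return 0 when FILE passes every check, 1 otherwise.
# Findings go to stderr so the function can be used from scripts.
check_wg_conf() {
    conf="$1"
    rc=0
    [ -f "$conf" ] || { echo "$conf: no such file" >&2; return 1; }

    # 1. The file holds the private key: only its owner (root) should read it.
    #    GNU stat (-c) is tried first, BSD stat (-f) as the fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "$conf: mode $mode, expected 600 (file contains PrivateKey)" >&2; rc=1 ;;
    esac

    # 2. PrivateKey must look like a base64-encoded 32-byte key: 44 chars ending in '='.
    priv=$(conf_values PrivateKey "$conf" | head -n 1)
    if [ -z "$priv" ] || [ "${#priv}" -ne 44 ] || [ "${priv%=}" = "$priv" ]; then
        echo "$conf: PrivateKey missing or malformed" >&2; rc=1
    fi

    # 3. ListenPort must be numeric and within 1..65535 (the guide uses 21266 on both ends).
    port=$(conf_values ListenPort "$conf" | head -n 1)
    case "$port" in
        ''|*[!0-9]*) echo "$conf: ListenPort missing or not numeric" >&2; rc=1 ;;
        *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
               echo "$conf: ListenPort $port out of range" >&2; rc=1
           fi ;;
    esac

    # 4. Every [Peer] section needs a PublicKey; compare the two counts.
    peers=$(grep -c '^[[:space:]]*\[Peer\]' "$conf" || :)
    pubs=$(grep -c '^[[:space:]]*PublicKey[[:space:]]*=' "$conf" || :)
    if [ "$peers" -eq 0 ] || [ "$peers" -ne "$pubs" ]; then
        echo "$conf: $peers [Peer] section(s) but $pubs PublicKey line(s)" >&2; rc=1
    fi

    # 5. AllowedIPs doubles as the routing table for the tunnel. For a site-to-site
    #    link it should name the peer's prefixes, never a default route.
    allowed=$(conf_values AllowedIPs "$conf" | tr ',' '\n' | tr -d ' ')
    for cidr in $allowed; do
        case "$cidr" in
            0.0.0.0/0|::/0)
                echo "$conf: AllowedIPs contains $cidr (default route through tunnel)" >&2; rc=1 ;;
            */*) ;;
            *) echo "$conf: AllowedIPs entry '$cidr' has no prefix length" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the router (as root or via doas):  sh check_wg.sh /etc/wireguard/wg0.conf
if [ "$#" -gt 0 ]; then
    check_wg_conf "$1"
fi
```

Run it on both routers after editing wg0.conf and before `doas sh /etc/netstart wg0`; a non-zero exit means at least one finding was printed. The mode check is the one most often missed: `wg setconf` will happily load a world-readable file, but anyone with a local account on the router could then read the private key.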