On reddit there were questions about using a commercial vpn config file on OpenBSD. I mean after wireguard has landed in the kernel and there is no need for extra tools like before (wg-quick). ifconfig and route do the job.
There are many vpn services, here is an example with mullvad. Config files look like:
PrivateKey = supprscreetprriiivvaatteekeeeeyyyyyyyyyyy=
Address = 10.68.166.222/32,fc00:aaaa:cccc:bb02::5:b6e4/128
DNS = 184.108.40.206
PublicKey = ThxxiisxsiissthhxeseerVeRPubliickeeybbccyy=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 220.127.116.11:51280
That's imaginary data here for the example. The DNS server address should be configured in /etc/resolv.conf.
wgkey (PrivateKey) is the same for every server connection, if you generated multiple config files for one key. The "Address" line shows the private network IP for the connection.
wgpeer (PublicKey of the vpn server) depends on the country/server, just like the Endpoint IP.
wgaip (AllowedIPs) 0.0.0.0/0 shows that this config accepts any IP. The default (listening) port setting is 51280 but it could be also something else like 51234.
Setting up the connection (here ipv4) has basically two parts. 1. Configure interface, 2. change routing table:
doas ifconfig wg0 create wgkey supprscreetprriiivvaatteekeeeeyyyyyyyyyyy= wgpeer ThxxiisxsiissthhxeseerVeRPubliickeeybbccyy= wgendpoint 18.104.22.168 51280 wgaip 0.0.0.0/0
doas ifconfig wg0 10.68.166.222/32
The second IP is the default gateway (you can check it with 'route show'):
doas route add 22.214.171.124 192.168.0.1
doas route change default 10.67.185.229
Verify that the VPN is up:
Or use mullvad's api:
This site also checks DNS leaks.
For turning the VPN off change back the default gateway:
doas route change default 192.168.0.1
Those /etc/wireguard/*.conf files scream for a nice, simple ksh script. :)