OpenBSD’s security-first ethos and minimalist base system—augmented by its pledge/unveil sandboxing, pf(4) firewall, and LibreSSL—make it a unique playground for VPN enthusiasts. The default package manager (pkg_add) and the presence of trustworthy ports mean you’ll often use OpenBSD for both servers and desktops, typically running lighter window managers like cwm, fvwm, or even Xfce and KDE if you prefer more bells and whistles. Given its emphasis on auditability, any VPN solution must integrate cleanly with pf, respect resource constraints, and play nicely with OpenBSD’s rc(8) startup scripts.
When selecting a VPN for OpenBSD, look for:
- Native protocol support: WireGuard or OpenVPN, available in the ports tree or as packages.
- Minimal external dependencies: Avoid clients that bundle heavy GUI toolkits.
- Strong auditing and open-source credentials: Matches OpenBSD’s philosophy.
- pf integration: Ability to easily add tunnel endpoints to pf tables.
Based on these criteria, the top candidates are:
- Mullvad – Excellent WireGuard support, audit-friendly, simple configs.
- ProtonVPN – Solid OpenVPN profiles, strong privacy pedigree.
- IVPN – Provides both WireGuard and OpenVPN configs, transparent privacy policy.
- NordVPN – Comprehensive guide for OpenVPN on OpenBSD, though no native WireGuard client.
| VPN Provider | Protocol(s) | OpenBSD Package | Client Type | Official Site |
|---|---|---|---|---|
| Mullvad | WireGuard, OpenVPN | wireguard-tools, openvpn | CLI (wg-quick style) | Mullvad |
| ProtonVPN | OpenVPN | openvpn | CLI | ProtonVPN |
| IVPN | WireGuard, OpenVPN | wireguard-tools, openvpn | CLI | IVPN |
| NordVPN | OpenVPN | openvpn | CLI | NordVPN |
1. Mullvad on OpenBSD (WireGuard)
Mullvad’s WireGuard configuration is a breeze on OpenBSD. The following steps assume you’ve already created an account and downloaded your WireGuard keypair from the Mullvad website.
- Install the required packages:

  ```
  # pkg_add wireguard-tools
  ```

- Create /etc/wg0.conf with your Mullvad details:

  ```
  [Interface]
  Address = 10.66.66.2/32
  PrivateKey = YOUR_PRIVATE_KEY

  [Peer]
  PublicKey = MULLVAD_SERVER_PUBLIC_KEY
  AllowedIPs = 0.0.0.0/0
  Endpoint = wireguard.mullvad.net:51820
  PersistentKeepalive = 25
  ```

- Enable at boot (add to /etc/rc.conf.local):

  ```
  wireguard=YES
  ```

- Bring up the interface:

  ```
  # rcctl start wireguard
  ```

- Optionally integrate with pf (TABLE_NAME is a placeholder for a table name of your choice):

  ```
  # echo 'table <TABLE_NAME> persist file "/etc/wg_mullvad_endpoints"' >> /etc/pf.conf
  # echo wireguard.mullvad.net > /etc/wg_mullvad_endpoints
  # pfctl -f /etc/pf.conf
  ```
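The pf step above only loads the endpoint into a table. As an added example that is not part of the original article, this script reads the Endpoint from a config like /etc/wg0.conf and prints pf rules that block outbound traffic on the physical interface except the tunnel's own UDP flow. The function names, the table name `<wg_endpoints>` and the interface `em0` are assumptions.

```sh
#!/bin/sh
# Added example: build a fail-closed pf fragment from a wg-quick style config.
# Assumed names (not from the article): wg_endpoint, wg_pf_rules, <wg_endpoints>.

# Print "host port" taken from the first Endpoint line of the config in $1.
wg_endpoint() {
    awk -F'=' '
        /^[ \t]*Endpoint[ \t]*=/ {
            seen = 1
            gsub(/[ \t\r]/, "", $2)
            n = split($2, a, ":")      # host:port only; [v6]:port is rejected
            # The host is copied into a ruleset, so restrict its characters.
            if (n == 2 && a[1] ~ /^[A-Za-z0-9.-]+$/ && a[2] ~ /^[0-9]+$/) {
                print a[1], a[2]
            } else {
                rc = 2
            }
            exit
        }
        END { exit (seen ? rc + 0 : 1) }
    ' "$1"
}

# $1 = WireGuard config, $2 = physical interface, $3 = tunnel interface.
# Only the tunnel's own UDP flow may leave $2; all else must use the tunnel.
wg_pf_rules() {
    conf=$1 ext_if=$2 wg_if=${3:-wg0}
    ep=$(wg_endpoint "$conf") || {
        echo "no usable Endpoint in $conf" >&2
        return 1
    }
    host=${ep% *} port=${ep#* }
    cat <<EOF
table <wg_endpoints> persist { $host }
block drop out on $ext_if
pass out on $ext_if proto udp from any to <wg_endpoints> port $port
pass on $wg_if
EOF
}

# Stand-alone use: sh wg-pf.sh /etc/wg0.conf em0   (em0 is an assumed name)
if [ "$#" -ge 2 ]; then
    wg_pf_rules "$@"
fi
```

Check the output with `pfctl -nf` before merging it into /etc/pf.conf. pf resolves the hostname in the table only when the ruleset is loaded, so an endpoint that later changes address needs a reload.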
2. ProtonVPN on OpenBSD (OpenVPN)
ProtonVPN uses standard OpenVPN profiles, which you can fetch from their dashboard. Here’s how to set it up:
- Install OpenVPN:

  ```
  # pkg_add openvpn
  ```

- Copy your .ovpn profile to /etc/openvpn/client:

  ```
  # mkdir -p /etc/openvpn/client
  # cp ~/Downloads/ProtonVPN-.ovpn /etc/openvpn/client/proton.conf
  ```

- Edit /etc/rc.conf.local:

  ```
  openvpn_clients=proton
  ```

- Start the service:

  ```
  # rcctl start openvpn
  ```

- Verify connectivity:

  ```
  # ifconfig tun0
  # ping -c 3 10.0.0.1    # ProtonVPN internal gateway, for example
  ```
3. IVPN on OpenBSD
IVPN offers both protocols. For WireGuard follow the Mullvad steps above, substituting your IVPN keypair and endpoint. For OpenVPN, repeat the ProtonVPN procedure using the IVPN profile.
By choosing one of the above services, you harness OpenBSD’s reliability and security to the fullest—whether it’s a headless server in a data centre or a polished Xfce desktop in your London flat.