How to choose, use and configure a VPN in OpenBSD (Tutorial)

OpenBSD’s security-first ethos and minimalist base system—augmented by its pledge/unveil sandboxing, pf(4) firewall, and LibreSSL—make it a unique playground for VPN enthusiasts. The default package manager (pkg_add) and the presence of trustworthy ports mean you’ll often use OpenBSD for both servers and desktops, typically running lighter window managers like cwm, fvwm, or even Xfce and KDE if you prefer more bells and whistles. Given its emphasis on auditability, any VPN solution must integrate cleanly with pf, respect resource constraints, and play nicely with OpenBSD’s rc(8) startup scripts.

When selecting a VPN for OpenBSD, look for:

  • Native protocol support: WireGuard or OpenVPN, available in the ports tree or as packages.
  • Minimal external dependencies: Avoid clients that bundle heavy GUI toolkits.
  • Strong auditing and open-source credentials: Matches OpenBSD’s philosophy.
  • pf integration: Ability to easily add tunnel endpoints to pf tables.

Based on these criteria, the top candidates are:

  • Mullvad – Excellent WireGuard support, audit-friendly, simple configs.
  • ProtonVPN – Solid OpenVPN profiles, strong privacy pedigree.
  • IVPN – Provides both WireGuard and OpenVPN configs, transparent privacy policy.
  • NordVPN – Comprehensive guide for OpenVPN on OpenBSD, though no native WireGuard client.

VPN Provider  Protocol(s)         OpenBSD Package           Client Type           Official Site
Mullvad       WireGuard, OpenVPN  wireguard-tools, openvpn  CLI (wg-quick style)  Mullvad
ProtonVPN     OpenVPN             openvpn                   CLI                   ProtonVPN
IVPN          WireGuard, OpenVPN  wireguard-tools, openvpn  CLI                   IVPN
NordVPN       OpenVPN             openvpn                   CLI                   NordVPN

1. Mullvad on OpenBSD (WireGuard)

Mullvad’s WireGuard configuration is a breeze on OpenBSD. The following steps assume you’ve already created an account and downloaded your WireGuard keypair from the Mullvad website.

  1. Install the required packages:
# pkg_add wireguard-tools
  2. Create /etc/wg0.conf with your Mullvad details:
[Interface]
Address = 10.66.66.2/32
PrivateKey = YOUR_PRIVATE_KEY

[Peer]
PublicKey = MULLVAD_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = wireguard.mullvad.net:51820
PersistentKeepalive = 25
  3. Enable at boot (add to /etc/rc.conf.local):
wireguard=YES
  4. Bring up the interface:
# rcctl start wireguard
  5. Optionally integrate with pf:
# echo 'table <TABLE_NAME> persist file "/etc/wg_mullvad_endpoints"' >> /etc/pf.conf   # TABLE_NAME is a placeholder: the table name is missing from this page
# echo wireguard.mullvad.net > /etc/wg_mullvad_endpoints
# pfctl -f /etc/pf.conf
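
As an added example (not part of the original tutorial or of any provider's tooling), the sh script below reads a config in the /etc/wg0.conf layout shown above, flags a file that group/other can access or a full-tunnel AllowedIPs that omits ::/0, and prints the peer endpoint hosts in the one-per-line form a pf table file expects. The function names, the sample config and its second peer are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original tutorial. sample_conf is constructed data.
wg_endpoints() {   # unique [Peer] Endpoint hosts, port stripped, one per line
    awk -F= '
        /^[ \t]*\[/ { in_peer = (tolower($0) ~ /\[peer\]/) }
        in_peer && tolower($1) ~ /^[ \t]*endpoint[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v)
            if (v ~ /^\[/) { sub(/^\[/, "", v); sub(/\]:[0-9]+$/, "", v) }  # [v6]:port
            else sub(/:[0-9]+$/, "", v)                                     # host:port
            if (v != "" && !seen[v]++) print v
        }' "$1"
}

wg_conf_check() {  # prints findings; returns 1 if any
    rc=0
    # The file holds PrivateKey: group/other must have no permission bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "WARN: $1 is accessible to group/other; chmod 600 it"; rc=1
    fi
    # AllowedIPs = 0.0.0.0/0 on its own routes only IPv4 into the tunnel.
    if grep -Eiq '^[[:space:]]*AllowedIPs[[:space:]]*=.*0\.0\.0\.0/0' "$1" &&
       ! grep -Eiq '^[[:space:]]*AllowedIPs[[:space:]]*=.*::/0' "$1"; then
        echo "WARN: AllowedIPs lacks ::/0; IPv6 is not routed into the tunnel"; rc=1
    fi
    return $rc
}

sample_conf() {    # constructed sample in the tutorial's wg0.conf layout
    cat <<'EOF'
[Interface]
Address = 10.66.66.2/32
PrivateKey = YOUR_PRIVATE_KEY

[Peer]
PublicKey = MULLVAD_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = wireguard.mullvad.net:51820

[Peer]
PublicKey = SECOND_PEER_PUBLIC_KEY
Endpoint = [2001:db8::1]:51820
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
wg_conf_check "$conf" || echo "resolve the warnings before relying on the tunnel"
wg_endpoints "$conf"   # on a real host: > /etc/wg_mullvad_endpoints, then pfctl -f /etc/pf.conf
rm -f "$conf"
```

pf resolves hostnames in a table file when the ruleset is loaded, so reload the ruleset after the provider changes an endpoint's address.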

2. ProtonVPN on OpenBSD (OpenVPN)

ProtonVPN uses standard OpenVPN profiles, which you can fetch from their dashboard. Here’s how to set it up:

  1. Install OpenVPN:
# pkg_add openvpn
  2. Copy your .ovpn profile to /etc/openvpn/client:
# mkdir -p /etc/openvpn/client
# cp ~/Downloads/ProtonVPN-.ovpn /etc/openvpn/client/proton.conf
  3. Edit /etc/rc.conf.local:
openvpn_clients=proton
  4. Start the service:
# rcctl start openvpn
  5. Verify connectivity:
# ifconfig tun0
# ping -c 3 10.0.0.1   # ProtonVPN internal gateway, for example

3. IVPN on OpenBSD

IVPN offers both protocols. For WireGuard follow the Mullvad steps above, substituting your IVPN keypair and endpoint. For OpenVPN, repeat the ProtonVPN procedure using the IVPN profile.

By choosing one of the above services, you harness OpenBSD’s reliability and security to the fullest—whether it’s a headless server in a data centre or a polished Xfce desktop in your London flat.
