WireGuard has been officially included in OpenBSD as a native, in-kernel implementation since OpenBSD 6.8, released in October 2020.
It is quite simple to create a private WireGuard key using the “openssl” command. However, deriving the matching public key from a known private key isn’t as simple.
This is a simple little script that I wrote to solve the problem of generating a WireGuard keypair using only the tools from a base install without the need for any additional software:
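```sh
#!/bin/sh
# Must be run as root: creating a wg(4) interface requires it.

umask 077

### Generate Private Key Function ###
private_key_gen() {
	# 32 random bytes, base64-encoded
	/usr/bin/openssl rand -base64 32
}

### Derive Public Key Using OpenBSD Kernel Function ###
public_key_gen() {
	_privkey="$1"

	# Do not reuse (and then destroy) a wg99 that is already configured
	if /sbin/ifconfig wg99 >/dev/null 2>&1; then
		printf 'wg99 already exists\n' >&2
		return 1
	fi

	# Let the kernel load the key, read back the public key, then clean up
	if ! /sbin/ifconfig wg99 create wgkey "$_privkey" >/dev/null 2>&1; then
		/sbin/ifconfig wg99 destroy >/dev/null 2>&1
		return 1
	fi
	_pubkey=$(/sbin/ifconfig wg99 2>/dev/null | /usr/bin/awk '/wgpubkey/ { print $2 }')
	/sbin/ifconfig wg99 destroy >/dev/null 2>&1

	[ -n "$_pubkey" ] || return 1
	printf '%s\n' "$_pubkey"
}

### Main ###

### Generate Private Key ###
PRIVATE_KEY=$(private_key_gen)

### Derive Public Key Using OpenBSD Kernel ###
PUBLIC_KEY=$(public_key_gen "$PRIVATE_KEY") || {
	printf 'Could not derive the public key (run as root?)\n' >&2
	exit 1
}

printf 'Private Key:\n%s\n\n' "$PRIVATE_KEY"
printf 'Public Key:\n%s\n' "$PUBLIC_KEY"
```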