Privilege separated implementation of WireGuard

Latest release

wiresep-0.11.3.tar.gz (April 26, 2020)
sha256 - changes - license ISC

Now that a kernel version is integrated into OpenBSD and will probably ship with OpenBSD 6.8, this project is in maintenance mode and will only receive fixes for critical bugs.



$ doas pkg_add wiresep

Generate a new private key for the tun0 interface.

$ doas wiresep-keygen tun0

Then create a configuration and store it in /etc/wiresep/wiresep.conf. A simple example looks like the following:

# This is an example of a server listening on the public ip port
# 1022. It uses the tun0 device with the internal ip addresses 2001:db8::7
# and and allows communication with the peer Jane and Joe. Jane is
# allowed to use any source ip, while Joe may only use 2001:db8::4 or
# as the source ip of his packets. The private key for the tun0
# interface can be generated with `wiresep-keygen tun0`.

interface tun0 {
    ifaddr 2001:db8::7/126

    peer jane {
        pubkey BhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips *
    }

    peer joe {
        pubkey AhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips 2001:db8::4
    }
}

See wiresep.conf(5) for a complete description of the configuration file.
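
The source-address restriction described in the example's comment can be checked before the daemon is started. The following is an added Python example, not part of WireSep: it reads the allowedips lines of a configuration shaped like the one above, lists peers that may use any source address, and tests whether a given source address is acceptable for a peer. The parser and all function names are assumptions covering only the syntax visible on this page; wiresep.conf(5) describes the real grammar.

```python
import ipaddress

# Constructed sample mirroring the page's example, with every block closed.
SAMPLE = """
interface tun0 {
    ifaddr 2001:db8::7/126
    peer jane {
        pubkey BhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips *
    }
    peer joe {
        pubkey AhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips 2001:db8::4
    }
}
"""

def parse_allowedips(text):
    """Return {peer: [allowedips entries]}. Simplified reader written for this
    example (an assumption, not wiresep's parser); other keywords are skipped."""
    peers, cur = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(words) == 3 and words[0] == "peer" and words[2] == "{":
            cur = peers.setdefault(words[1], [])
        elif words == ["}"]:
            cur = None                          # a peer or interface block ends
        elif cur is not None and len(words) == 2 and words[0] == "allowedips":
            cur.append(words[1])
    return peers

def source_allowed(entries, src):
    """True if src may appear as the source address of the peer's packets."""
    addr = ipaddress.ip_address(src)
    for entry in entries:
        if entry == "*":                        # wildcard: any source address
            return True
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def unrestricted_peers(peers):
    """Peers whose packets are not limited to specific source addresses."""
    return sorted(name for name, entries in peers.items() if "*" in entries)

if __name__ == "__main__":
    peers = parse_allowedips(SAMPLE)
    print("unrestricted:", unrestricted_peers(peers))
```
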

Once everything is set, run wiresep(8):

$ doas wiresep


Refer to the manuals for documentation and a configuration example.

The design documents can be found in the doc directory.

Code and repository

Browse the release archive, browse the source code online or clone the repository:

$ git clone https://netsend.nl/wiresep.git

Known issues


You can send a message to tim at this domain. When sending in patches I prefer the format created by git-format-patch(1).