OpenBSD now includes an in-kernel WireGuard implementation wg(4).
Well, the WireGuard VPN protocol has been available on OpenBSD as a port for a while; Puffy has actually had user-land support for WireGuard using WireGuard-go, an implementation in Go, and later as the wiresep port in C, -both using tun devices-, which incurs a slight penalty for crossing the kernel/userspace border for each packet, much like OpenVPN and others.
Since OpenBSD version 6.8, WireGuard being in-kernel, comes installed by default, brings an implementation way much faster. It also means we can skip using extra software and use base-only utilities for a very simple, easy configuration.
So, obviously for this write-up we’ll need -at least- version 6.8 of OpenBSD installed. And after OpenBSD 6.8 installation is done, using the newly released in-kernel wg(4) driver with only base utilities, we’ll implement a very secure, fast and stable VPN server for any OpenBSD/MacOS/Linux/Windows clients.
Our VPN server will be OpenBSD, and as for the client, I’ll go with Windows 10 Enterprise LTSC 2019 (Long Term Servicing Channel) in this write-up of mine. What is a Windows 10 LTSC?