VPN
omfreebdy supports two VPN options: WireGuard (built into the FreeBSD kernel) and Tailscale (mesh VPN with zero-config networking). The vpn-setup helper handles installation and management for both.
vpn-setup
`vpn-setup` is the unified entry point for VPN management. Run it with no arguments to see status of all configured VPNs.
```sh
# Show WireGuard + Tailscale status
vpn-setup status
```
Tailscale
Tailscale builds a mesh VPN on top of WireGuard. Every device on your Tailscale network gets a stable IP, and connections are peer-to-peer when possible. No port forwarding or config files required.
Install and connect
```sh
# Install via vpn-setup
vpn-setup tailscale install

# Or manually:
pkg install tailscale
sysrc tailscaled_enable=YES
service tailscaled start
```
After install, authenticate with your Tailscale account:
```sh
# Opens a browser link for authentication
vpn-setup tailscale up

# Or directly:
tailscale up
```
`tailscale up` prints a URL. Open it in a browser to authorize the device on your Tailscale network.
Status and management
```sh
# Show connected peers
tailscale status

# Disconnect (keeps daemon running)
vpn-setup tailscale down

# Reconnect
vpn-setup tailscale up
```
What vpn-setup tailscale install does
- Installs the `tailscale` package via `pkg`
- Enables `tailscaled` at boot via `sysrc`
- Starts the `tailscaled` service
WireGuard
WireGuard runs as a kernel module (`if_wg`) on FreeBSD. It is fast, minimal, and uses short static config files.
Install
```sh
# Install via vpn-setup
vpn-setup wireguard install

# Or manually:
pkg install wireguard-tools wireguard-kmod
kldload if_wg
sysrc kld_list+=" if_wg"
```
Configure
WireGuard configs live in `/usr/local/etc/wireguard/`. Copy your config file (from your VPN provider, self-hosted server, or `wg genkey` setup) into place:
```sh
sudo cp your-config.conf /usr/local/etc/wireguard/wg0.conf
```
A minimal `wg0.conf` looks like:
```ini
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
```
Connect and disconnect
```sh
# Bring up the tunnel
vpn-setup wireguard up wg0

# Tear down the tunnel
vpn-setup wireguard down wg0

# Check tunnel status
vpn-setup wireguard status
```
`wg0` is the default interface name. If your config file is named differently (e.g., `office.conf`), pass that name instead: `vpn-setup wireguard up office`.
Troubleshooting
Tailscale daemon not running
```sh
service tailscaled status
# If stopped:
service tailscaled start
```
WireGuard kernel module not loaded
```sh
kldstat | grep if_wg
# If missing:
sudo kldload if_wg
```
Ensure `kld_list` in `/etc/rc.conf` includes `if_wg` so it loads at boot.
No connectivity after WireGuard up
Check that your config has the correct Endpoint, keys, and AllowedIPs. Verify with sudo wg show wg0.
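The config check described above can be scripted. The following is an added example, not part of omfreebdy or `vpn-setup`: the function names `conf_get` and `wg_conf_lint` are hypothetical, and it assumes a single-`[Peer]` config like the minimal `wg0.conf` shown earlier. Beyond the page's checklist it also flags a config file readable by group or other (the file holds the private key) and an `AllowedIPs` that covers all IPv4 but no IPv6.

```sh
#!/bin/sh
# Added example (not part of omfreebdy): static checks for a single-peer
# wg-quick style config. Prints one line per finding; returns 1 if any
# WARN/ERROR was raised, 0 otherwise.

# Print the value of the first "Key = value" line for key $1 in file $2.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

wg_conf_lint() {
    conf=$1 rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    # The file holds the interface private key: no group/other access.
    if [ "$(ls -ldL "$conf" | cut -c5-10)" != "------" ]; then
        echo "WARN: $conf is accessible to group/other; chmod 600 it"; rc=1
    fi

    # Every key used by the minimal config must be present and non-empty.
    for key in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        [ -n "$(conf_get "$key" "$conf")" ] ||
            { echo "ERROR: $key is missing or empty"; rc=1; }
    done

    # Template placeholders such as <your-private-key> left in place.
    for key in PrivateKey PublicKey; do
        case $(conf_get "$key" "$conf") in
            '<'*) echo "ERROR: $key still holds a placeholder"; rc=1 ;;
        esac
    done

    # Endpoint must carry a port (host:port).
    ep=$(conf_get Endpoint "$conf")
    case $ep in
        ''|*:[0-9]*) ;;
        *) echo "ERROR: Endpoint '$ep' has no port"; rc=1 ;;
    esac

    # 0.0.0.0/0 covers IPv4 only; without ::/0, IPv6 is not tunneled.
    case $(conf_get AllowedIPs "$conf") in
        *::/0*) ;;
        *0.0.0.0/0*) echo "NOTE: AllowedIPs routes all IPv4 but not IPv6" ;;
    esac
    return $rc
}

# Usage: sh wg-lint.sh /usr/local/etc/wireguard/wg0.conf
if [ "$#" -gt 0 ]; then wg_conf_lint "$1"; fi
```

The script reads the file only; it does not replace `sudo wg show wg0`, which reports the live handshake and transfer counters.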
Tailscale can’t reach peers
Run tailscale ping <peer-ip> to diagnose. If using a firewall, ensure UDP port 41641 is open for direct connections. Tailscale falls back to relay (DERP) servers if direct connections fail, so connectivity should still work — just slower.