Implementing Routing Domains on an OpenBSD workstation for use with WireGuard By: Josh Grosse

I operate a small network with both local and remote systems that share a single bastion WireGuard gateway to the Internet. Some WireGuard client applications, such as WireGuard for Android, allow application-level granularity selection for routing traffic via the VPN or not. OpenBSD does not have a client application. It uses a kernel driver, which doesn't make routing decisions. Instead, routing is controlled by the kernel"s routing table or tables. When I first deployed WireGuard, I deployed a single routing table, and used routing priorities to route traffic via the VPN if happened to be active and operational, enabling the VPN or disabling it as needed. Eventually, I switch from a single routing table to two, using OpenBSD's routing domains facility. This transition afforded me the ability to cease using an all-or-nothing VPN with a single on / off control, and to have application level granularity. OpenBSD admins determine routing domain selection at process initiation via the route(8) exec feature. Josh has been an OpenBSD user for 20 years. He still enjoys the OS, and continues to maintain a handful of ports for the Project. He lives in Michigan with his daughter's two cats.