Wireguard woes

[beaker%sdf.org@localhost (beaker)]

I would like to try to setup a NetBSD 11 laptop for use with the
ProtonVPN Wireguard service and I'm wondering if that is currently
possible with the current state of NetBSD's Wireguard using
wgconfig(8) ?

For manual Wireguard Proton VPN setup one typically makes some
selections in their web interface then downloads a config file [1].
I've done this and tried to follow the examples in the wg(4) manpage
based on said config file contents (see below).  So far, the best
I can achieve is a momentary handshake and only if I add an IPv6
address to --allowed-ips argument string for wgconf(8).


What has been done:
1) added "if_wg" to /etc/modules.conf to load at startup

2) made a setup script using proton.conf[1] as guide:

    #! /bin/sh -e
    # wg_create
    #
    if ( 2>1 ifconfig wg0 >/dev/null )
    then
        echo 'wireguard interface already configured.'
    else
        echo 'setting up wireguard interface..'
        sleep 1
        sudo ifconfig wg0 create
        sudo ifconfig wg0 inet 10.2.0.2/32
        # /etc/wg/wg0 contains just the Proton PrivateKey
        sudo wgconfig wg0 set private-key /etc/wg/wg0
        sudo wgconfig wg0 add peer Proton '<Proton PublicKey>' \
          --allowed-ips=0.0.0.0/0,::/0 --endpoint=<Proton Endpoint:Port>
        sudo ifconfig wg0 up
    fi

 ---
After running wg_create and pinging some random address I can see that
there was at least a momentary handshake made:

    $ ifconfig wg0
    wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
            status: active
            inet6 fe80::725a:b6ff:fe65:5d38%wg0/64 flags 0 scopeid 0x4
            inet 10.2.0.2/32 flags 0

    $ wgconfig wg0
    interface: wg0
            private-key: (hidden)
            listen-port: (none)
            peer: Proton
                    public-key: ***************************************
                    endpoint: 212.***.**.***:5****
                    preshared-key: (hidden)
                    allowed-ips: 0.0.0.0/0
                    latest-handshake: Sat Sep 27 01:15:43 2025

However an IPv4 ping fails:
    $ ping -n 10.2.0.2
    PING 10.2.0.2 (10.2.0.2): 56 data bytes

    ----10.2.0.2 PING Statistics----
    15 packets transmitted, 0 packets received, 100.0% packet loss

I can also see that a route gateway has been created:

    $ route -n show |head
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use    Mtu Interface
    default            192.168.1.1        UG          -        -      -  urtwn0
    10.2.0.2           wg0                UHl         -        -      -  wg0
    10.2.0.2/32        10.2.0.2           U           -        -      -  wg0
    127/8              127.0.0.1          UGRS        -        -  33624  lo0
    127.0.0.1          lo0                UHl         -        -  33624  lo0
    192.168.1/24       link#2             UC          -        -      -  urtwn0


My understanding is that changing the default route shouldn't be needed with
wireguard and doing so via 'sudo route -f add default 10.2.0.2' consistently
hangs the system..

Am I missing something or is this sort of use just not achievable at this time?

BTW, I tried installing the wireguard-tools package but this package
really doesn't seem to be for NetBSD at all.

-B

--
refs:
[1] # proton.conf
    [Interface]
    # Key for wg-proton
    # Bouncing = 1
    # NetShield = 1
    # Moderate NAT = off
    # VPN Accelerator = on
    PrivateKey = *******************************************
    Address = 10.2.0.2/32
    DNS = 10.2.0.1

    [Peer]
    # US-ST#42
    PublicKey = ********************************************
    AllowedIPs = 0.0.0.0/0
    Endpoint = 212.***.**.***:5****