I have three machines, Gateway, A, and B. My goal is to have Gateway as a Wireguard server, and A and B as Wireguard clients; and have all three be able to connect to each other via ssh.
The current situation is that A and B will just time out trying to connect to any of the others, and Gateway trying to connect to either results in an immediate "no route to host" error.
Configurations:
Gateway:
/etc/wireguard/wg0.conf:
INI:
[Interface]
Address = 10.0.0.1/8, fd00::1/8
DNS = 1.0.0.1, 2606:4700:4700::1001
ListenPort = 51820
PrivateKey = REDACTED
# Main Server
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.2.0.0/8, fd00::2:0:0/8
# Storage Server
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.1.0.0/8, fd00::1:0:0/8
/etc/pf.conf:
Code:
ext_if="vtnet0"
wg_if="wg0"
set skip on lo0
set block-policy return
scrub in on $ext_if all fragment reassemble
nat on $ext_if from $wg_if:network to any -> ($ext_if)
rdr from any to $wg_if:network -> $wg_if
block in all
pass out all
antispoof for $ext_if
pass in proto tcp from any to any port ssh flags S/SA modulate state
pass in proto udp from any to any port 51820
pass in on $wg_if from any to any
pass quick on $wg_if
/etc/rc.conf:
sh:
cloudinit_enable="YES"
clear_tmp_enable="YES"
sshd_enable="YES"
sendmail_enable="NONE"
qemu_guest_agent_enable="YES"
qemu_guest_agent_flags="-d -v -l /var/log/qemu-ga.log"
hostname=gateway.dc3-a.pub1.infomaniak.cloud
ifconfig_vtnet0="inet REDACTED netmask 0xffffff00 broadcast REDACTED"
ifconfig_vtnet0_ipv6="inet6 REDACTED prefixlen 64 alias"
ipv6_defaultrouter="REDACTED"
defaultrouter="REDACTED"
wireguard_enable="YES"
wireguard_interfaces="wg0"
gateway_enable="YES"
pf_enable="YES"
static_routes="wgnet0"
route_wgnet0="-net 10.0.0.0/8 10.0.0.1"
A:
/etc/wireguard/wg0.conf:
INI:
[Interface]
Address = 10.2.0.0/8, fd00::2:0:0/8
DNS = 1.0.0.1, 2606:4700:4700::1001
PrivateKey = REDACTED
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.0/8, fd00::/8
Endpoint = REDACTED:51820
/etc/pf.conf:
Code:
ext_if="vtnet0"
wg_if="wg0"
set skip on lo0
set skip on bastille0
set block-policy return
scrub in on $ext_if all fragment reassemble
scrub in on $wg_if all fragment reassemble
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
rdr from any to $wg_if:network -> $wg_if
block in all
pass out all
# pass out keep state
antispoof for $ext_if
pass in proto tcp from any to any port ssh flags S/SA modulate state
pass in proto tcp from any to any port 443 flags S/SA modulate state
pass proto ipv6-icmp from any to any
pass in on $wg_if from any to any
pass quick on $wg_if
/etc/rc.conf:
sh:
clear_tmp_enable="YES"
sshd_enable="YES"
sendmail_enable="NONE"
qemu_guest_agent_enable="YES"
qemu_guest_agent_flags="-d -v -l /var/log/qemu-ga.log"
zfs_enable="YES"
hostname=REDACTED
ifconfig_vtnet0="inet REDACTED netmask 0xffffff00 broadcast REDACTED"
ntpd_enable="YES"
ipv6_activate_all_interfaces="YES"
ifconfig_vtnet0_ipv6="inet6 REDACTED prefixlen 64 alias"
blacklistd_enable="NO"
pf_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"
ifconfig_bastille0="inet 10.2.0.1 netmask 255.0.0.0"
bastille_enable="NO"
nginx_enable="NO"
haproxy_enable="YES"
wireguard_enable="NO"
wireguard_interfaces="wg0"
gateway_enable="YES"
nfs_client_enable="YES"
nfsuserd_enable="YES"
nfs_client_flags="-n 4"
nfsuserd_flags="-domain REDACTED"
nfscbd_enable="YES"
nfs_access_cache="86400"
defaultrouter="REDACTED"
ipv6_defaultrouter="REDACTED"
static_routes="wgnet0"
route_wgnet0="-net 10.0.0.0/8 10.0.0.1"
B:
/etc/wireguard/wg0.conf:
INI:
[Interface]
Address = 10.1.0.0/8, fd00::1:0:0/8
DNS = 1.0.0.1, 2606:4700:4700::1001
PrivateKey = REDACTED
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.0/8, fd00::/8
Endpoint = REDACTED:51820
/etc/pf.conf:
Code:
ext_if="dwc0"
wg_if="wg0"
set skip on lo0
set block-policy return
scrub in on $ext_if all fragment reassemble
scrub in on $wg_if all fragment reassemble
nat on $ext_if from $wg_if:network to any -> ($ext_if)
rdr from any to $wg_if:network -> $wg_if
block in all
pass out all
antispoof for $ext_if
pass in proto tcp from any to any port ssh flags S/SA modulate state
pass proto ipv6-icmp from any to any
pass in on $wg_if from any to any
pass quick on $wg_if
/etc/rc.conf:
sh:
hostname="generic"
ifconfig_dwc0="DHCP inet6 accept_rtadv"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ntpd_enable="YES"
zfs_enable="YES"
nfs_server_enable="YES"
nfsv4_server_enable="YES"
wireguard_enable=YES
wireguard_interfaces="wg0"
nfsuserd_enable="YES"
nfsuserd_flags="-domain REDACTED -manage-gids"
nfs_server_flags="-t --minthreads 5 --maxthreads 5"
ntpdate_enable="YES"
pf_enable="YES"
static_routes="wgnet0"
route_wgnet0="-net 10.0.0.0/8 10.0.0.1"
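A small lint for the Gateway's wg0.conf as posted above (added example, not part of the original post or of any WireGuard tooling). It emulates WireGuard's cryptokey routing rule that each prefix belongs to exactly one peer, so it shows that 10.2.0.0/8 and 10.1.0.0/8 both collapse to 10.0.0.0/8 and the second peer silently takes the prefix from the first; the conf text is a constructed copy with keys, DNS and port omitted.

```python
import ipaddress

# Constructed copy of the Gateway's wg0.conf from the post (keys, DNS and port omitted).
GATEWAY_CONF = """\
[Interface]
Address = 10.0.0.1/8, fd00::1/8
# Main Server
[Peer]
AllowedIPs = 10.2.0.0/8, fd00::2:0:0/8
[Peer]
AllowedIPs = 10.1.0.0/8, fd00::1:0:0/8
"""

def parse_wg_conf(text):
    """Minimal wg-quick parser: returns (interface dict, [peer dicts]), values as lists."""
    iface, peers, cur = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):                      # new section
            cur = {} if line.lower() == "[peer]" else iface
            if cur is not iface:
                peers.append(cur)
            continue
        key, _, val = line.partition("=")
        cur[key.strip().lower()] = [v.strip() for v in val.split(",")]
    return iface, peers

def host_bits_set(peers):
    """AllowedIPs entries with bits outside the prefix, e.g. 10.2.0.0/8 (masked to 10.0.0.0/8)."""
    bad = []
    for p in peers:
        for a in p.get("allowedips", []):
            try:
                ipaddress.ip_network(a)               # strict mode raises on host bits
            except ValueError:
                bad.append(a)
    return bad

def cryptokey_table(peers):
    """Emulate cryptokey routing: one owner per prefix; a later peer takes it from an earlier one."""
    table, stolen = {}, []
    for idx, p in enumerate(peers):
        for a in p.get("allowedips", []):
            net = ipaddress.ip_network(a, strict=False)
            if net in table:                          # same prefix already owned
                stolen.append((str(net), table[net], idx))
            table[net] = idx
    return table, stolen
```

After the lint, every prefix in the table is owned by the second peer only, which matches the server being able to reach at most one client over wg0.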