I am trying to get WireGuard up and running to replace stunnel. I'm hoping to modernize my VPN and make it easier to set up across devices.
That said, I have my setup working on my Linux machines, but am hitting a snag somewhere with PF. This is what I have:
1. /usr/local/etc/wireguard/wg0.conf, server and client(s) with public keys added
2. pf/nat-anchor/wireguard
Code:
# ./nat-anchor/00.nat
# Note: "nat on wg0" only translates packets that leave the box via wg0 (i.e. back
# into the tunnel). Packets from these clients that leave via wan are never
# matched by any of these rules.
nat on wg0 inet from 10.230.0.201/32 to any -> (wan) round-robin
nat on wg0 inet from 10.230.0.202/32 to any -> (wan) round-robin
nat on wg0 inet from 10.230.0.203/32 to any -> (wan) round-robin
nat on wg0 inet from 10.230.0.204/32 to any -> (wan) round-robin
nat on wg0 inet from 10.230.0.205/32 to any -> (wan) round-robin
3. pf/anchor/external/vpn.conf
Code:
VPN_PORT=51820
# WireGuard handshake/transport from allowed public addresses
pass in quick on wan proto udp from <vpn_client> to port $VPN_PORT
pass out quick on wan proto udp from port $VPN_PORT to <vpn_client>
# Everything arriving on or leaving through the tunnel interface
pass in quick on wg0 from any to any
pass out quick on wg0 from any to any
# Note: an interface name used as an address ("from wg0" / "to wg0") expands to
# that interface's own address(es), not to the tunnel subnet (that would be
# "wg0:network"). These four rules therefore only match packets sourced from or
# sent to the server's own wg0 address, not forwarded client traffic.
pass in quick on wan from wg0
pass out quick on wan to wg0
pass in quick on wired from wg0
pass out quick on wired to wg0
In order to limit traffic in, I have a table vpn_client which contains the public IP addresses of the clients that wish to connect. I have an app which publishes the client's IP address, then my server will add that IP upon receipt of the message.
As far as I understand, rules in PF are processed in this order: NAT/RDR, anchors, then the remaining rules (which in my case means dropping all unmatched traffic).
I have a bunch of pflog interfaces which I use to determine where it is getting snagged, but as far as I can tell, it is getting to the firewall just fine. Additionally, I can ping the IP address of the client.
When I run tcpdump on wg0, I DO see traffic now.
I'm not sure what else to check for here, but I would think tcpdump should be telling me where to look.
EDIT:
I updated my configuration. I am now seeing traffic on wg0, but it isn't getting out. I would expect that with the pass in quick on wan from wg0, it should get out.
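Added example (not part of the post above and not the poster's configuration): a small sh script that generates a pf anchor for forwarding WireGuard peer traffic, loads it, admits a client address into the table the way the poster's app does, and prints the checks that show where a packet stops. Two pf facts drive the layout. First, NAT rules are evaluated on the interface a packet leaves through, so a client packet bound for the Internet has to be translated by a "nat on wan" rule, not "nat on wg0". Second, pf translates before it filters and treats a bare interface name in address position as that interface's own addresses, so a "pass out on wan from wg0" style rule never sees forwarded client packets; tagging the packet on the inbound interface and matching "tagged" on the outbound one avoids both traps. Assumed, because the post does not state them: the tunnel subnet is 10.230.0.0/24 (the post shows 10.230.0.201 through .205), the anchor is named "wireguard" and is referenced from the main pf.conf with both "nat-anchor" and "anchor", net.inet.ip.forwarding=1 is set, and the script runs as root. The interface names wan, wired and wg0 and the UDP port 51820 come from the post.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Builds a pf anchor that
# forwards WireGuard peer traffic out of wan and into the LAN, loads it, and runs
# the checks used to see where packets stop.
# Assumed (not stated in the post): tunnel subnet 10.230.0.0/24, anchor name
# "wireguard", root privileges, and net.inet.ip.forwarding=1.
WG_IF="wg0"
WAN_IF="wan"
LAN_IF="wired"
WG_NET="10.230.0.0/24"
VPN_PORT=51820
ANCHOR="wireguard"

# NAT has to hang off the interface the packet LEAVES on. "nat on wg0 -> (wan)"
# only rewrites packets heading back into the tunnel, so Internet-bound packets
# from peers would reach wan still carrying a 10.230.0.x source.
wg_nat_rules() {
    printf 'nat on %s inet from %s to any -> (%s)\n' "$WAN_IF" "$WG_NET" "$WAN_IF"
}

# Filter rules. Two pf details matter here:
#  - an interface name used as an address ("from wg0") means that interface's
#    own address(es); the tunnel subnet is "wg0:network" or an explicit prefix;
#  - pf translates before it filters, so a "pass out on wan" rule sees the wan
#    address as source, never 10.230.0.x. Tagging on the way in and matching
#    "tagged" on the way out sidesteps both problems.
wg_filter_rules() {
    cat <<EOF
table <vpn_client> persist
pass in quick on $WAN_IF proto udp from <vpn_client> to ($WAN_IF) port $VPN_PORT
pass in quick on $WG_IF inet from $WG_NET tag VPN_FWD
pass out quick on $WAN_IF tagged VPN_FWD
pass out quick on $LAN_IF tagged VPN_FWD
pass in quick on $LAN_IF inet to $WG_NET tag VPN_FWD
pass out quick on $WG_IF tagged VPN_FWD
EOF
}

# Load both rule sets into the anchor. The main pf.conf must reference it with
# both 'nat-anchor "wireguard"' and 'anchor "wireguard"'.
wg_load() {
    { wg_nat_rules; wg_filter_rules; } | pfctl -a "$ANCHOR" -f -
}

# What the poster's app does on the server side: admit one peer's public IP.
wg_allow_client() {
    pfctl -a "$ANCHOR" -t vpn_client -T add "$1"
}

# Where is it getting snagged? Rule counters show which rule matched, the state
# table shows whether a NAT state on wan exists for the peer's tunnel address,
# and pflog0 shows every blocked packet together with the rule that blocked it.
wg_debug() {
    peer="$1"
    pfctl -a "$ANCHOR" -sn
    pfctl -a "$ANCHOR" -vsr
    pfctl -ss | grep "$peer"
    tcpdump -n -e -ttt -i pflog0 host "$peer"
}

case "${1:-show}" in
    load)  wg_load ;;
    allow) wg_allow_client "$2" ;;
    debug) wg_debug "$2" ;;
    *)     wg_nat_rules; wg_filter_rules ;;
esac
```

Usage (script name and addresses are made up for the example): "sh wg-anchor.sh" prints the generated rules for review with "pfctl -nf -", "sh wg-anchor.sh load" installs them, "sh wg-anchor.sh allow 203.0.113.7" admits a client's public address, and "sh wg-anchor.sh debug 10.230.0.201" takes the peer's tunnel address and shows the rule counters, the states for that peer and the pflog drops. If the counters on the "tagged VPN_FWD" rules stay at zero while tcpdump on wg0 shows the packets, forwarding is the first thing to check.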