Solved Wireguard setup (with PF problems)


Deleted member 59529

Hi there,

I'm sort of a new user with FreeBSD, so please excuse me if you see some glaring error in my thinking/configs (I'm a Linux admin so there are differences I'm counting on). :)

So here is my problem - I would like to set up Wireguard on FreeBSD 12, which is mostly done, I think; the last part is the relevant firewall adjustment, which I can't seem to tackle. Here is what I have:

- the gateway is enabled in rc.conf (gateway_enable="YES")
- Wireguard installed and set up, it is listening, its 'wg0' interface is online
- when the interface comes up, the routing table gets populated with that
- an otherwise fully functioning PF ruleset
- the traffic does not seem to reach wg0 - I even monitored it with tcpdump and nothing, no traffic whatsoever
- the designated WG port is open, I checked it from outside, no problem on that side
- as a bonus, I set up the service on Linux, and in a few minutes I had it up and running (I know how to adjust the firewall there :)) - this is only so I could see that it could be done and I was not doomed to complete and utter failure :)

What I can't seem to solve is to "pass" certain traffic, namely on a specific port (WG's), to wg0 (WG's interface). I have only one interface otherwise, this is a VPS, so my ext_if is vtnet0. I have two interface macros defined in pf, ext_if (vtnet0) and vpn_if (wg0). I've tried many combinations, rdr, nat, simple pass rules, but up until this point none of them seemed to do the trick; I'm stuck. I feel like I'm missing some fundamental part of pf that would help me solve this problem, as I tried to set up OpenVPN before and got stuck at the same point.

Could anyone please help me out with this? It's a pet project of mine so nothing critical but it does irk me a bit that I just can't figure this out. :)

Deleted member 59529

The problem is solved by now (my initial nat rule needed to be appended and an additional pass out rule was missing, but that's all), so the topic can even be closed now by an admin.

Hi ibenny

I'm at the same point you were. Wireguard is up and running but traffic is not passing through the interface. Would you mind posting your PF nat rules? TIA
My simple /etc/pf.conf

# macro definitions assumed from the thread's setup (the original post used $ext_if and $int_if without defining them; pfctl rejects undefined macros)
ext_if = "vtnet0"
int_if = "wg0"
set skip on lo0
scrub in all
# NAT tunnel clients behind the external interface's (dynamic) address
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass all
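For readers who, like the second poster, want to see the rules the original poster describes as the fix (a nat rule plus the missing "pass out"), here is an added example ruleset that is not from the thread. It assumes the interface names vtnet0 and wg0 given above, a default-deny ruleset (where the "pass out" matters; with "pass all" as in the post above it does not), and WireGuard's default listen port 51820, which the thread never states and which you should replace with your own.

```pf
# Added example (not from the thread): minimal WireGuard gateway ruleset
# for a single-NIC VPS, tunnel on wg0.
# Assumptions: interface names from the thread; wg_port is WireGuard's
# default 51820, not a value taken from the thread.
ext_if  = "vtnet0"
vpn_if  = "wg0"
wg_port = "51820"

set skip on lo0
scrub in all

# Translation happens before filtering: masquerade tunnel clients behind
# the VPS's public address. The parentheses make pf re-read the address
# if it changes, so a DHCP/VPS readdress does not leave a stale rule.
nat on $ext_if from $vpn_if:network to any -> ($ext_if)

# Default deny; everything below is an explicit exception.
block log all

# The encrypted handshake/data is UDP to the listener on the external
# interface. This rule alone is what makes packets show up on wg0.
pass in quick on $ext_if proto udp to ($ext_if) port $wg_port

# Decrypted packets from peers arrive on wg0 and are forwarded from there.
pass in quick on $vpn_if from $vpn_if:network

# The "pass out" the thread mentions: with "block all", forwarded and NATed
# packets leaving vtnet0 (and the host's own outbound traffic) are dropped
# without it. State is kept by default, so replies come back through.
pass out quick on $ext_if
pass out quick on $vpn_if
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. If traffic still does not appear on wg0, watch the external side with `tcpdump -ni vtnet0 udp port 51820` to confirm the handshake is arriving, and `pfctl -ss` to confirm a UDP state was created; `block log all` plus `tcpdump -ni pflog0` shows exactly which rule is dropping a packet. Forwarding between the interfaces still needs gateway_enable="YES" in rc.conf, as in the first post.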