Wireguard

Hey! I configured the VPN. IP 10.0.1.1 pings, but sites on the Internet do not ping. Please tell me where to look for the error?

wg0.conf
Code:
[Interface]
Address = 10.0.1.1/24
PrivateKey=Removed by mod=
ListenPort = 51820
[Peer]
PublicKey = Removed by mod=
AllowedIPs = 10.0.1.2/32
Endpoint = 13.48.228.147:51820
 
Did you enable routing in rc.conf with gateway_enable="YES"?
 
Yes
Code:
root@freebsd:/ # cat /etc/rc.conf
hostname="freebsd"
ec2_configinit_enable=YES
ec2_fetchkey_enable=YES
ec2_loghostkey_enable=YES
firstboot_freebsd_update_enable=YES
firstboot_pkgs_enable=YES
ntpd_enable=YES
dev_aws_disk_enable=YES
growfs_enable="YES"
ifconfig_DEFAULT="SYNCDHCP accept_rtadv"
sshd_enable="YES"
firstboot_pkgs_list="awscli"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-M /usr/local/libexec/rtsold-M -a"
gateway_enable="YES"
wireguard_enable="YES"
wireguard_interfaces="wg0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
 
So, then the next question becomes, how is the FreeBSD host connected to the internet? Does it have a direct connection? Or does it go through an external router? Also keep in mind that while it might send out the packets to the internet, if you're not using NAT anywhere the return traffic to 10.0.1.2 will never, ever arrive back.
 
This is a VPS. NAT settings:
Code:
root@freebsd:/ # cat /etc/sysctl.conf
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
 
You're going to need to configure NAT to translate that 10.0.1.2 source address to your external internet IP address. Or else you will never get a response back. Have a look in the handbook, there are different firewalls you can use for that purpose.

Chapter 31. Firewalls

Judging by your rc.conf I see you already enabled PF. That's good, use that to do the NAT.

Something like this should do the trick:
Code:
nat on $ext_if from 10.0.1.0/24 to any -> ($ext_if)
 
I configured the PF as follows:
Code:
root@freebsd:/ # cat /etc/pf.conf
ext_if="ena0"
int_if="wg0"
set skip on lo0
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass all

But it doesn't work for me
 
The standard tool to diagnose this is tcpdump(1). Look on your ena0 interface and see if there's actually some traffic going out. Double-check that the traffic is correctly being translated (you should not see the 10.0.1.2 source address in your outgoing packets).

And what exactly do you mean by "does not ping sites on the Internet"? Can you ping IP addresses, like 8.8.8.8? Or do you have DNS name resolution issues? (ping 8.8.8.8 works, but ping www.google.com isn't able to find www.google.com.)
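The tcpdump check above can be scripted so the result is unambiguous. The following is an added helper, not code from the thread or from FreeBSD: it takes rc.conf text and tcpdump text on stdin and reports whether routing is on and whether any packet on the external interface still carries an untranslated tunnel source. The interface name ena0, the 10.0.1.0/24 prefix and the sample capture lines are assumptions constructed for this example; a `live` argument runs the same checks against the real rc.conf and a short tcpdump capture on the VPS.

```shell
#!/bin/sh
# Added diagnostic helper for the tcpdump advice above; not part of the thread.
# Assumptions (constructed for this example): external interface ena0, WireGuard
# subnet 10.0.1.0/24, and sample lines shaped like `tcpdump -n -i ena0` output.

# Constructed rc.conf fragment with routing enabled.
SAMPLE_RC_CONF='hostname="freebsd"
gateway_enable="YES"
pf_enable="YES"'

# Constructed capture: lines 1-2 are a correctly translated echo request/reply,
# line 3 is an untranslated echo request (pf nat did not apply), line 4 is
# untranslated TCP from the same peer, line 5 is tunnel-internal traffic that
# must be ignored (it never belongs on ena0 anyway).
SAMPLE_TCPDUMP='12:00:01.000001 IP 13.48.228.147 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.020001 IP 8.8.8.8 > 13.48.228.147: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 10.0.1.2 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
12:00:03.000001 IP 10.0.1.2.51000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
12:00:04.000001 IP 10.0.1.2 > 10.0.1.1: ICMP echo request, id 2, seq 1, length 64'

# Succeeds when the rc.conf text on stdin turns on IPv4 forwarding
# (gateway_enable="YES", case-insensitive, quotes optional).
forwarding_enabled() {
    grep -qiE '^[[:space:]]*gateway_enable="?YES"?'
}

# Prints, one per line, every source address that (a) sits inside the tunnel
# prefix given as $1 (e.g. 10.0.1.) and (b) is talking to a host outside it.
# Input is tcpdump text on stdin. Seen on ena0, any output means NAT is not
# being applied to that source.
leaked_sources() {
    awk -v p="$1" '
        $2 == "IP" {
            # tcpdump prints host.port for TCP/UDP and bare host for ICMP;
            # keep only the first four dotted components in both cases.
            n = split($3, s, ".")
            src = (n >= 5) ? s[1] "." s[2] "." s[3] "." s[4] : $3
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, d, ".")
            dst = (n >= 5) ? d[1] "." d[2] "." d[3] "." d[4] : dst
            if (index(src, p) == 1 && index(dst, p) != 1) seen[src] = 1
        }
        END { for (a in seen) print a }' | sort
}

if [ "$1" = "live" ]; then
    # On the VPS itself, as root, while the peer pings 8.8.8.8:
    #   sh wg-nat-check.sh live
    if forwarding_enabled < /etc/rc.conf; then
        echo "gateway_enable: ok"
    else
        echo "gateway_enable: missing"
    fi
    echo "untranslated tunnel sources seen on ena0 (empty is good):"
    tcpdump -n -i ena0 -c 20 icmp 2>/dev/null | leaked_sources 10.0.1.
else
    printf 'sample rc.conf forwarding enabled: '
    if printf '%s\n' "$SAMPLE_RC_CONF" | forwarding_enabled; then echo yes; else echo no; fi
    echo "untranslated tunnel sources in sample capture:"
    printf '%s\n' "$SAMPLE_TCPDUMP" | leaked_sources 10.0.1.
fi
```

Run without arguments it only exercises the constructed samples and reports 10.0.1.2 as an untranslated source; run with `live` on the VPS it reads the real rc.conf and captures 20 ICMP packets on ena0, so ping 8.8.8.8 from the peer while it runs. If the live run prints nothing but the peer still gets no replies, the outgoing side is fine and the problem is elsewhere (the return path, DNS, or the peer's own AllowedIPs).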
 