Hi,
I am not sure where my issue is...
As I understand it, WireGuard is strictly UDP.
I am working on a road warrior setup, where one end of the tunnel is my
OpenBSD server with a static public IP address and the other end will be
Windows 7/10 laptops with random public IP addresses.
My hostname.wg0:
wgkey <OpenBSD_private_key>
wgport 53
# no wgendpoint: the laptop's address is learned from its first authenticated packet
wgpeer <Windows10_public_key> wgpka 25 wgaip 192.168.126.2/32
inet 192.168.126.1/24
up
I haven't put "wgendpoint" in the OpenBSD config file as I don't know
what the remote IP address is. I assumed that "the local interface"
would update after receiving a correctly authenticated packet from my
Windows 10 laptop... but perhaps that is the issue?
from ifconfig(8) (https://man.openbsd.org/ifconfig#wgendpoint):
wgendpoint ip port
Set the IP address and port to send the encapsulated packets to. If the
peer changes address, the local interface will update the address after
receiving a correctly authenticated packet. The IP address can be either
IPv4 or IPv6, and the port is a regular 16-bit UDP port.
In my Windows WireGuard client:
[Interface]
PrivateKey = <Windows10_private_key>
Address = 192.168.126.2/24

[Peer]
PublicKey = <OpenBSD_public_key>
# 0.0.0.0/1 only covers 0.0.0.0-127.255.255.255, so the server's tunnel
# address 192.168.126.1 would never be routed into the tunnel; 0.0.0.0/0
# sends everything (or list 192.168.126.0/24 explicitly).
AllowedIPs = 0.0.0.0/0
Endpoint = <OpenBSD Server Public IP>:53
Since I don't want to filter any of the WireGuard traffic, at the top of
the pf.conf, I have:
set skip on wg0
Then I am allowing incoming traffic to port 53.
# WireGuard running on the DNS port (domain = 53)
pass in on egress inet proto udp from any to (egress) port { domain }
When I initiate a connection from my road warrior setup (Windows 7,
WireGuard client which has the IP / Port configured of my OpenBSD
server), it is just continually retrying.
2020-12-28 12:22:54.401: [TUN] [OpenBSD] peer(IQsw…D4W8) - Handshake did not complete after 5 seconds, retrying (try 2)
On my OpenBSD box, I can tcpdump -i em0 (egress, public IP address) and
see the packets getting to the OpenBSD box from the Windows laptop.
However, when I do a tcpdump -i wg0, there is no traffic at all.
Unbound is configured to only listen on the loopback interface, so that
shouldn't be interfering...
(/var/unbound/etc/unbound.conf)
server:
	interface: 127.0.0.1
	interface: ::1
Hum... now that I am thinking about it...how does it all work?
1. A packet leaves wg0 interface with 192.168.126.1 ip address
2. The packet is routed to the default gateway (egress)
3. The packet hits the Internet and is dropped as a non-routable IP
address
or...
Does the packet get routed out my external interface, whereby the NAT
rule would apply?
# applies to wg0 traffic too, since 192.168.126.0/24 is not egress:network (needs net.inet.ip.forwarding=1)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
I'm just a little bit lost on how to configure pf for this all.
Thanks,
Steve W.
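The capture step in the post (packets visible on em0, nothing on wg0) can be checked more precisely than by eye. The following is an added example, not code from the post or from OpenBSD's wg(4): it classifies the UDP payloads that tcpdump shows on the public interface by WireGuard message type, tells handshake traffic apart from real DNS queries that share port 53, reports whether the server ever answered with a handshake response, and checks which destinations a client's AllowedIPs list actually routes through the tunnel. The sample capture is constructed. Note that handshake messages never appear on wg0 in any case; that interface only carries the decrypted inner packets once a session exists, so an empty `tcpdump -i wg0` during a failing handshake is expected and the encrypted UDP on em0 is what to inspect.

```python
"""Classify WireGuard UDP payloads seen on the public interface.

Added diagnostic example, not code from the original post or from
OpenBSD's wg(4). Message types and sizes follow the WireGuard protocol:
type 1 handshake initiation (148 bytes), type 2 handshake response
(92 bytes), type 3 cookie reply (64 bytes), type 4 transport data
(16-byte header + 16-byte-padded ciphertext + 16-byte tag, so >= 32 bytes
and a multiple of 16). Byte 0 is the type, bytes 1-3 are reserved zeros.
"""
import ipaddress

MSG_TYPES = {1: "handshake-initiation", 2: "handshake-response",
             3: "cookie-reply", 4: "transport-data"}
FIXED_LEN = {1: 148, 2: 92, 3: 64}


def wg_message_kind(payload: bytes) -> str:
    """Name the WireGuard message in a UDP payload, or 'not-wireguard'."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"
    mtype = payload[0]
    if mtype not in MSG_TYPES:
        return "not-wireguard"
    if mtype in FIXED_LEN and len(payload) != FIXED_LEN[mtype]:
        return "not-wireguard"
    if mtype == 4 and (len(payload) < 32 or len(payload) % 16):
        return "not-wireguard"
    return MSG_TYPES[mtype]


def assess_handshake(capture):
    """capture: list of (direction, payload); direction is 'in' for
    laptop -> server or 'out' for server -> laptop, as tcpdump on em0
    would show them. Returns a one-line diagnosis."""
    kinds = {(d, wg_message_kind(p)) for d, p in capture}
    if ("in", "handshake-initiation") not in kinds:
        return "no handshake initiation reached the public interface"
    if ("out", "handshake-response") not in kinds:
        return ("initiations arrive but the server never answers: "
                "check that pf passes UDP to wgport and that the peer's "
                "public key matches")
    return "handshake answered; inner packets should now appear on wg0"


def routed_through_tunnel(dst: str, allowed_ips) -> bool:
    """True if the client's AllowedIPs list covers dst (WireGuard routes
    a destination into the tunnel only when some AllowedIPs entry matches)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in allowed_ips)


def make_packet(mtype: int, length: int) -> bytes:
    """Constructed sample: valid header, zero-filled body (not a real
    handshake; only the framing matters here)."""
    return bytes([mtype, 0, 0, 0]) + b"\x00" * (length - 4)


# Constructed capture mimicking the post: the laptop retries initiations,
# a real DNS query also hits port 53, and the server never replies.
SAMPLE_CAPTURE = [
    ("in", make_packet(1, 148)),
    ("in", make_packet(1, 148)),
    ("in", b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
           b"\x07openbsd\x03org\x00\x00\x01\x00\x01"),
]

if __name__ == "__main__":
    for direction, payload in SAMPLE_CAPTURE:
        print(direction, len(payload), wg_message_kind(payload))
    print(assess_handshake(SAMPLE_CAPTURE))
    # AllowedIPs = 0.0.0.0/1 as in the posted client config
    for dst in ("192.168.126.1", "8.8.8.8", "130.0.0.1"):
        print(dst, routed_through_tunnel(dst, ["0.0.0.0/1"]))
```

To use it on a real capture, run `tcpdump -n -i em0 -x udp port 53` on the server, paste each UDP payload as bytes with its direction, and hand the list to `assess_handshake`. Initiations without a matching response mean the server is discarding them before any key exchange happens, which is exactly the situation in which wg0 stays silent.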