On 2020-12-29, Thomas Bohl <openbsd-misc-518...@aloof.de> wrote:
> Hi,
>
>> wgport 53
>> Unbound is configured to only listen on the loopback interface, so that
>> shouldn't be interfering...
>
> But it does
> https://www.mail-archive.com/misc@openbsd.org/msg175837.html
>
Right. You'll also find that some networks redirect all UDP port 53
traffic to some specific nameserver (they are wrong to do so, but that
doesn't stop them) so 53 often won't work as well as some other ports.

On 2020-12-28, Steve Williams <st...@williamsitconsulting.com> wrote:
> My hostname.wg0:
>
> wgkey <OpenBSD_private_key>
> wgport 53
> wgpeer <Windows10_public_key> wgpka 25 wgaip 192.168.126.2/32
> inet 192.168.126.1/24
> up
>
> I haven't put "wgendpoint" in the OpenBSD config file as I don't know
> what the remote IP address is. I assumed that "the local interface"
> would update after receiving a correctly authenticated packet from my
> Windows 10 laptop...

That is correct.

> In my Windows WireGuard client:
>
> [Interface]
> PrivateKey = <Windows10_private_key>
> Address = 192.168.126.2/24
>
> [Peer]
> PublicKey = <OpenBSD_public_key>
> AllowedIPs = 0.0.0.0/1
> Endpoint = <OpenBSD Server Public IP>:53

AllowedIPs is wrong. You have configured wg(4) to use IPs in
192.168.126.0/24 which is not covered by 0.0.0.0/1:

$ ipcalc 0.0.0.1/1
address   : 0.0.0.1
netmask   : 128.0.0.0 (0x80000000)
network   : 0.0.0.0          /1
broadcast : 127.255.255.255
host min  : 0.0.0.1
host max  : 127.255.255.254
hosts/net : 2147483646

> Since I don't want to filter any of the Wireguard traffic, at the top of
> the pf.conf, I have:
> set skip on wg0

You might not want to _filter_ it, but for some configurations you may
find it necessary to set max-mss in pf.conf and you can't do that if
it's skipped either. This won't stop it connecting but experience has
shown it's easy to forget about "set skip" if you try to add PF rules
later.
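The AllowedIPs mismatch above is easy to check mechanically before a tunnel is brought up. The following is an added example, not code from the thread or from WireGuard; it uses only Python's standard ipaddress module and takes a peer's AllowedIPs list plus the tunnel subnet, returning whatever part of the subnet no prefix covers (the 192.168.126.0/24 and 0.0.0.0/1 values are the ones quoted in the mail, the rest are constructed).

```python
import ipaddress
from typing import Iterable, List

def uncovered(allowed_ips: Iterable[str], network: str) -> List[str]:
    """Return the parts of `network` that no AllowedIPs prefix covers.

    WireGuard only sends to, and accepts from, a peer for addresses that
    fall inside that peer's AllowedIPs, so the tunnel's own subnet must be
    covered or packets to the far end are silently dropped.
    """
    target = ipaddress.ip_network(network, strict=False)
    remaining = [target]
    for prefix in allowed_ips:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != target.version:
            continue                      # v4 prefixes cannot cover v6 and vice versa
        nxt = []
        for r in remaining:
            if r.subnet_of(net):
                continue                  # fully covered: drop this piece
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # carve out the covered part
            else:
                nxt.append(r)             # disjoint: still uncovered
        remaining = nxt
    return [str(r) for r in ipaddress.collapse_addresses(remaining)]

def covers(allowed_ips: Iterable[str], network: str) -> bool:
    """True when every address in `network` is inside some AllowedIPs prefix."""
    return not uncovered(allowed_ips, network)

if __name__ == "__main__":
    tunnel = "192.168.126.0/24"          # inet 192.168.126.1/24 on wg0
    # The client config from the mail: 0.0.0.0/1 stops at 127.255.255.255.
    print("0.0.0.0/1 only     ->", uncovered(["0.0.0.0/1"], tunnel))
    # Constructed fix: both halves of the v4 space (equivalent to 0.0.0.0/0).
    print("0/1 + 128/1        ->", uncovered(["0.0.0.0/1", "128.0.0.0/1"], tunnel))
    # Server side: wgaip 192.168.126.2/32 covers just the laptop's address.
    print("server wgaip /32   ->", uncovered(["192.168.126.2/32"], "192.168.126.2/32"))
```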