I beat my head against the wall on OpenBSD wg clients. I gave up and
switched to using wireguard-tools and prefer it. It uses the standard
wgX.conf and I find it easier to turn on/off since I don't want it
always on. You could also run it (I think the binary command is
wg-quick) and test that it works and then try to match the output to
hostname.wgX.
On 8/8/22 05:12, Rachel Roch wrote:
TL;DR I've got wg(4) working great on the router itself (i.e. VPN up, all
localhost traffic routes across VPN). But I can't get it working with external
clients (i.e. devices that use the router as their default gateway).
ip.forwarding is on:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
I've tried various combinations of pf rules, e.g.:
pass out inet from 10.0.0.0/8 to !<router_interfaces> nat-to (wg0)
My hostname.wg0 looks like this:
inet 172.16.111.25 255.255.255.255
wgkey <REDACTED>
wgpeer <REDACTED> wgendpoint <REDACTED> <REDACTED> wgaip 0.0.0.0/0 wgaip ::/0
wgpka 20
up
The only reference I've found to this issue is a brief thread on Reddit which suggests
maybe there are some shortcomings in the wg(4) implementation
(https://www.reddit.com/r/openbsd/comments/hy8lv0/routing_vmm4_guest_traffic_via_a_wg4_tunnel/?utm_source=share&utm_medium=web2x&context=3)
Personally I think it's more likely I've missed something simple in my config,
but I don't know what or where.
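The reply above suggests bringing the tunnel up with wireguard-tools first and then matching its wgX.conf to hostname.wgX. The script below is an added example, not code from either poster, that does that translation mechanically with POSIX sh and awk so the two files can be diffed line by line. It assumes only the common INI keys named in the comments, assumes ifconfig accepts the address/prefixlen form for inet6 lines, and the key strings in the constructed input are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: translate a wg-quick style
# wgX.conf into the hostname.wgX lines that wg(4)/ifconfig(8) expect, so the
# two configurations can be compared side by side.
# Assumptions: POSIX sh and awk; only the common INI keys are handled
# (PrivateKey, Address, ListenPort, PublicKey, PresharedKey, Endpoint,
# AllowedIPs, PersistentKeepalive); IPv6 addresses are emitted in
# address/prefixlen form, which is assumed to be accepted by ifconfig.
# Usage: wgconf_to_hostname /etc/wireguard/wg0.conf   (or feed it on stdin)

wgconf_to_hostname() {
    awk '
    # IPv4 prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
    function mask(p,    i, o, m) {
        p = p + 0; m = ""
        for (i = 0; i < 4; i++) {
            if (p >= 8 * (i + 1))  o = 255
            else if (p <= 8 * i)   o = 0
            else                   o = 256 - 2 ^ (8 - (p - 8 * i))
            m = m (i ? "." : "") o
        }
        return m
    }
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Emit one wgpeer line carrying all of its options, as hostname.if(5) wants
    function flush() {
        if (pub != "") print "wgpeer " pub psk ep aips pka
        pub = psk = ep = aips = pka = ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments and blank lines
    /^\[Interface\]/ { flush(); section = "iface"; next }
    /^\[Peer\]/      { flush(); section = "peer";  next }
    {
        n = index($0, "="); if (n == 0) next           # split on the FIRST "=",
        k = trim(substr($0, 1, n - 1))                 # base64 keys end in "="
        v = trim(substr($0, n + 1))
        if (section == "iface") {
            if (k == "PrivateKey")      print "wgkey " v
            else if (k == "ListenPort") print "wgport " v
            else if (k == "Address") {
                c = split(v, addrs, /,[ \t]*/)
                for (i = 1; i <= c; i++) {
                    split(addrs[i], ap, "/")
                    if (ap[1] ~ /:/) print "inet6 " addrs[i]
                    else print "inet " ap[1] " " mask(ap[2] == "" ? 32 : ap[2])
                }
            }
        } else if (section == "peer") {
            if (k == "PublicKey")                pub = v
            else if (k == "PresharedKey")        psk = " wgpsk " v
            else if (k == "PersistentKeepalive") pka = " wgpka " v
            else if (k == "AllowedIPs") {
                c = split(v, a, /,[ \t]*/)
                for (i = 1; i <= c; i++) aips = aips " wgaip " a[i]
            } else if (k == "Endpoint") {
                # host:port or [v6addr]:port; wgendpoint takes host and port apart
                if (v ~ /^\[/) {
                    b = index(v, "]")
                    host = substr(v, 2, b - 2); port = substr(v, b + 2)
                } else if (match(v, /:[0-9]+$/)) {
                    host = substr(v, 1, RSTART - 1); port = substr(v, RSTART + 1)
                } else { host = v; port = "" }
                ep = " wgendpoint " host " " port
            }
        }
    }
    END { flush(); print "up" }
    ' "$@"
}

# When run as a script with a file argument, print the converted config.
if [ "$#" -gt 0 ]; then wgconf_to_hostname "$@"; fi
```

Run the output past `ifconfig wg0` (or `sh /etc/netstart wg0`) on the router; the peer line it produces has the same shape as the one in the quoted hostname.wg0, so any difference in the diff is worth a look. Note that the tool only maps interface and peer settings; routing and pf NAT for clients behind the router still have to be set up separately.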