Route selected IP traffic across wg(4) tunnel

Mon, 06 Mar 2023 16:56:36 -0800 

Good afternoon,
Wondering if anyone has a "best practice" for pealing IP traffic off (in this case an AppleTV) and routing all the traffic across a Wireguard tunnel. I've looked at the pf(4) routing option **route-to** and tried setting this up to the best of my knowledge (I seem to be missing something). I have a working Wireguard tunnel up between my local OpenBSD 7.2 firewall and an OpenBSD 7.2 VPS server. I can confirm the connectivity by pining from the two local prefixes (the WG /30 prefix and my home prefix — 172.16.1.0/24), so I know the tunnel is healthy and working as expected. 


When I setup the **route-to** pf rule, I occasionally see (tcpdump) 
traffic hit the wg0 interface from 172.16.1.73 on the local firewall, 
but the traffic stops here and I dont see anything on the wg0 interface 
on the VPS server. It's like the traffic gets dropped (MTU issue?). I 
also feel like I should be seeing more IP traffic than I am. For the 
destination address in the route-to rule I've used the far side tunnel 
IP (172.31.255.254). From my understanding this is the right way to do 
it?


I appreciate any sight or advice you may have on this matter.

Cheers,
-Chris

## Local firewall

/etc/hostname.aggr0
-------------------
```
trunkport em0
trunkport em1
up
```

/etc/hostname.em0
-----------------
```
up
```

/etc/hostname.em1
-----------------
```
up
```

/etc/hostname.vlan99
--------------------
```
#! sleep 60
parent aggr0
vnetid 99
descr "Home Network"
inet 172.16.1.1/24
inet6 autoconf
```

/etc/hostname.vlan999
---------------------
```
#! sleep 30
parent aggr0
vnetid 999
descr "ISP"
inet autoconf
inet6 autoconf
```

/etc/hostname.wg0
-------------------
```
descr "WireGuard tunnel"
inet 172.31.255.253/30
wgkey <private_key>
wgport 51821

wgpeer <peer_public_key> wgendpoint <peer_endpoint_ip> 51821 wgaip 
172.31.255.254/32 wgaip 10.0.0.0/24

```

/etc/pf.conf
------------
```
### Macros

home_if = "vlan99"
#int_bridge = "em1"
guest_if = "vlan100"
kids_if = "vlan105"
#work_if = "vlan1000"
integration_if = "vlan2000"
tailscale = "tun0"
wg_seate1 = "wg0"
ifgrp_gre = "{ gre0, gre1, gre2, gre3 }"

appletv_livingroom = "172.16.1.73"

tcp_services = "{ ssh, auth }"
icmp_types = "echoreq"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, \
  routeradv, routersol, neighbradv, neighbrsol }"

### Tables

table <action_netgrp_admin> { 10.10.77.0/24, 10.10.70.32/27 }
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \

  172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16   
\
  198.18.0.0/15 198.51.100.0/24 203.0.113.0/24                         
\
  ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 2001:2::/48 
\

  2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

### Options

set block-policy drop
set loginterface egress
#set state-defaults pflow
set skip on lo0

### Queues


#queue outq on em0 flows 1024 bandwidth 300M max 300M qlimit 1024 
default

#queue inq on em1 flows 1024 bandwidth 300M max 300M qlimit 1024 default

### Match Rules

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

### Filter Rules

## Protect against spoofing ##
antispoof quick for { egress $home_if $guest_if $kids_if }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

block all
pass out quick inet
pass out quick inet6
pass out log (all) quick on enc0 keep state (if-bound)

##  Pass traffic for bridge members except home_if (vether0)  ##
#pass quick on $int_bridge

## Pass traffic on internal integration network between firewall and SRX
pass quick on $integration_if

##  Pass IPSec traffic on egress interface  ##
pass in on egress proto esp from any to (egress)

pass in on egress proto udp from any to (egress) \
  port {isakmp, ipsec-nat-t}

pass in on enc0 proto ipencap from any to (egress) \
  keep state (if-bound)

pass in log on enc0 from 10.255.255.1/32 to 10.255.255.10/32 \
  keep state (if-bound)
pass in log on enc0 from 10.199.0.4/32 to 10.199.0.7/32 \
  keep state (if-bound)
pass in log on enc0 from 10.255.0.2/32 to 10.255.0.1/32 \
  keep state (if-bound)
pass in log on enc0 from 10.198.0.2/32 to 10.198.0.1/32 \
  keep state (if-bound)

## Pass Wireguard traffic ##
pass in on $wg_seate1 from $wg_seate1:network

pass in log on $ifgrp_gre inet proto ospf
pass in log on $ifgrp_gre inet proto { tcp, udp } from any \
  to 10.1.1.1 port domain
pass in log on $ifgrp_gre inet proto udp from any \
  to 10.1.1.0/24 port tftp
pass in log (all) on $ifgrp_gre from <action_netgrp_admin> to any

pass in on $tailscale from 100.64.0.0/10

pass in log on $home_if inet from $home_if:network
pass in log on $kids_if inet from $kids_if:network
pass in log on $guest_if inet from $guest_if:network
pass in log on $home_if inet6
pass in on $home_if inet proto tcp from $home_if:network port ssh

#pass in log on $home_if inet proto udp from any to 172.16.1.0/24 port 
tftp

pass on $home_if from any to { 224.0.0.2, 239.0.0.0/8 }

pass in on egress inet proto tcp from any to (egress) \
  port $tcp_services
pass in on egress inet proto icmp all icmp-type echoreq
pass in log on egress inet6 proto icmp6 all icmp6-type $icmp6_types

#pass in log on egress inet6 proto udp from fe80::/10 port dhcpv6-server 
\

#  to fe80::/10 port dhcpv6-client no state

pass in quick log on egress proto udp from fe80::/10 port dhcpv6-server 
\

  to fe80::/10 port dhcpv6-client
pass in quick on egress proto udp to port { 51821 }


pass in log on $home_if from $appletv_livingroom to !($home_if:network) 
route-to 172.31.255.254


#anchor tunnelr
```

## Remote VPS firewall

/etc/hostname.vio0
-------------------
```
inet autoconf
```

/etc/hostname.wg0
-------------------
```
descr "WireGuard tunnel to Home"
inet 172.31.255.254/30
wgkey <private_key>
wgport 51821
wgpeer <peer_public_key> wgaip 172.31.255.253/32 wgaip 172.16.1.0/24
!route add -net 172.16.1.0/24 172.31.255.254
```

/etc/pf.conf
------------
```
wg_home = "wg0"
net_home = "172.16.1.0/24"

icmp_types = "echoreq"
tcp_services = "{ auth }"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \

  172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16   
\
  198.18.0.0/15 198.51.100.0/24 203.0.113.0/24                         
\
  ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 2001:2::/48 
\

  2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }
table <admin> { 172.16.1.0/24 }

set block-policy drop
set loginterface egress
set skip on lo

match in all scrub (no-df random-id max-mss 1440)

match out on egress inet from (wg_home:network) to !(wg_home:network) 
nat-to (egress:0) \

  scrub (max-mss 1380)
match out on egress inet from $net_home to any nat-to (egress:0) \
  scrub (max-mss 1380)

antispoof quick for { egress $internal }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
#pass in on $internal inet from <admin> to any
pass in on $wg_home from $wg_home:network
pass in on $wg_home from 172.16.1.0/24 to any
pass in inet proto icmp all icmp-type $icmp_types
pass in quick on egress proto udp to port { 51821 }
pass in on egress inet proto tcp from any to (egress) \
  port $tcp_services
pass in on egress inet proto tcp from any to (egress) port 55555
```






















					Reply via email to