On 2023-05-04, Odd Martin Baanrud <mar...@lb7ye.net> wrote:
> Hello,
>
> Ok, now I finally got it running.
> I decided to bring up the wg interface using hostname.wg0, and start
> WireGuard from /etc/rc.local.

You don't need anything from rc.local, or the wireguard-tools package;
the whole thing can be done using tools built into the OS. And that is
what you want, because after updating the OS you might have problems
running old packages until they're updated too.

> This machine also acts as the router for my lan/wlan, so I already have a
> “match out” rule to enable NAT for those interfaces in pf.
> Will this rule also do NAT from the wg if?
> The rule is:
> “match out on egress inet from !egress nat-to (egress)”

The "egress" interface group is an automatic group to which interfaces
are added when a default route points via them.

Firstly, the "on egress" will be expanded by pfctl when loading the
ruleset, so that route would need to exist at the right time.

Secondly, the "nat-to (egress)" will dynamically look up members of the
egress group when a packet is tested against the ruleset, and if more
than one interface is in "egress" it will round-robin between them, which
is not what you want.

Say you have the main internet connection on ixl0 and wireguard on wg0
and want to NAT packets on both. In that case you could use

    match out on em0 inet from !egress nat-to (em0)
    match out on wg0 inet from !egress nat-to (wg0)

Or, as the wg interface is probably not going to change address
unexpectedly, you can cut out the repeated runtime address lookup by
omitting the brackets:

    match out on em0 inet from !egress nat-to (em0)
    match out on wg0 inet from !egress nat-to wg0

(similarly, if em0 has a fixed address, not dhcp, you can skip the runtime
lookup there too).

But you don't _have_ to NAT packets going over wg; that depends on what
you want to do with it and how you configure it.

> I have also added a pass in rule for external connections.
> “pass in quick inet proto udp to $wg_port”

wg packets can flow in either direction and there might sometimes be a
delay between packets (say if there are network problems) long enough
for the firewall state entry to time out. So you might like to remove
the "in".

> I have a default block policy, so I guess I’ll need to open for traffic in
> both directions on the wg interface?

Yes.

> I have a server running behind the router.
> Will I be able to access it from the VPN with this setup, or do I need to
> implement rules for that purpose?

You'll need firewall rules that permit the traffic to the server (wg
doesn't bypass the firewall). You'll also need to decide whether you want
to use nat/rdr rules using a single router address over the wg tunnel, or
whether you want to carry a range of addresses and access the server
using its own address.
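The advice in the reply above, collected into one pf.conf fragment as an added example (not from the thread or either poster): the per-interface NAT rules beside the weak "(egress)" one, the wg transport rule without "in", and the tunnel opened in both directions for the "carry a range of addresses" option. Interface names, addresses, the tunnel prefix and the listen port are assumptions.

```pf
# Added example; interface names, addresses and port are assumed values.
ext_if  = "em0"           # internet-facing interface (assumed)
lan_if  = "em1"           # LAN interface (assumed)
wg_if   = "wg0"
wg_net  = "10.9.0.0/24"   # tunnel address range (assumed)
srv     = "192.168.1.10"  # server behind the router (assumed)
wg_port = "51820"         # WireGuard listen port (assumed)

# Weak: "(egress)" is looked up at runtime and round-robins across every
# member of the egress group when more than one interface has a default
# route.
# match out on egress inet from !egress nat-to (egress)

# Corrected: one explicit rule per interface. Brackets keep the runtime
# address lookup only where the address can change (dhcp on $ext_if);
# wg0 has a fixed address, so its lookup happens once at load time.
match out on $ext_if inet from !egress nat-to ($ext_if)
match out on $wg_if  inet from !egress nat-to $wg_if

block all

# Tunnel transport: no "in", so a state can be created from whichever
# side sends first after a long gap between packets.
pass quick inet proto udp from any to any port $wg_port
pass quick inet proto udp from any port $wg_port to any

# Default block policy, so the tunnel interface is opened in both
# directions explicitly.
pass on $wg_if inet from $wg_net to any
pass on $wg_if inet from any to $wg_net

# LAN, and the server reached by its own LAN address from the tunnel
# ("carry a range of addresses"); wg does not bypass the firewall, so the
# hop from the tunnel to the server needs its own pass rule.
pass on $lan_if
pass out on $lan_if inet from $wg_net to $srv
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; the peer side must route the LAN prefix into the tunnel (AllowedIPs) for the server to be reachable by its own address.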