Dear OpenBSD Mailing List Community, I hope this email finds you well. I am writing to seek your expertise and guidance regarding a Wireguard VPN configuration and pf rules on my OpenBSD 7.3 system. I have successfully set up a Wireguard VPN using the provided interface configuration, and the VPN is operational as intended. However, I have encountered a challenge while attempting to implement pf rules to restrict access to SSH login and port number 80 based on specific IP addresses.
Below are the pf rule settings I have applied:

    set skip on lo
    block return # block stateless traffic
    pass # establish keep-state
    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010
    # Port build user does not need network
    block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port ssh
    block return in quick on wg0 proto udp from ! 10.0.8.2 to wg0 port 80
    block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port 80
    block return out log proto {tcp udp} user _pbuild
    pass in on egress proto tcp from any to any port 22
    pass out on egress inet from (wg0:network) nat-to (bwfm0:0)

The objective of these rules is to restrict SSH login and access to port 80 exclusively for the machine with the IP address 192.168.0.229 when the OpenBSD system is connected to the bwfm0 network interface. While the rule for SSH login and IP address 192.168.0.229 is functioning as expected, I have encountered an issue with the rule pertaining to port 80 and IP address 10.0.8.2, which is allocated by Wireguard (wg0) during active Wireguard connections.

The problem arises when attempting to enforce the restriction on port 80 with IP address 10.0.8.2. Despite the pf rule in place, it seems that Wireguard is overriding the restriction. For instance, devices with assigned IP addresses such as 10.0.8.3 or 10.0.8.4, which are within the Wireguard network, can access both SSH login and port 80, contrary to the intended restriction.

I am providing the Wireguard configuration below for your reference:

    [Interface]
    ListenPort = 51820
    PrivateKey = oPernzzF+Kl499z2TMU6wDdrDpnDN6/e630Q=

    [Peer]
    PublicKey = yyhY5Blx+PxCHu/wK7QgrXHQ34RmTi//zynVA=
    AllowedIPs = 10.0.8.2/32
    PersistentKeepalive = 25

    [Peer]
    PublicKey = dQO6ACctkgepDtWxGrHuGFdvaO9qfrL4mmjA=
    AllowedIPs = 10.0.8.3/32
    PersistentKeepalive = 25

I would greatly appreciate your insights, suggestions, and expertise in resolving this issue.
Your assistance will be invaluable in helping me achieve the desired access restrictions while maintaining the functionality of the Wireguard VPN. Thank you for your time and consideration.

--
Soubheek Nath
Fifth Estate
Kolkata, India
soubheekn...@gmail.com
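The ruleset in the post can be checked against its stated intent without touching a live firewall. The script below is an added example, not part of the post and not an OpenBSD tool: it is a hypothetical checker that parses the three source-restricting `block ... quick` rules from the post, compares them with the intended policy (one allowed source host per interface for TCP 22 and TCP 80; the wg0 SSH entry is an assumption drawn from the complaint that 10.0.8.3 can still log in), and reports each service that the rules fail to restrict. A hardened variant of the rules, constructed here rather than taken from the post, is included to show a ruleset that passes the same check. The checker recognises only the rule shape used in the post and does not model pf's full evaluation order.

```python
import re

# The three source-restricting rules copied from the ruleset in the post
# (other lines omitted because they carry no per-source restriction).
POSTED_RULES = [
    "block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port ssh",
    "block return in quick on wg0 proto udp from ! 10.0.8.2 to wg0 port 80",
    "block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port 80",
]

# Intended policy as the post describes it: one allowed source per interface
# for TCP 22 and TCP 80. The wg0 SSH entry is an assumption (see lead-in).
POLICY = [
    ("bwfm0", "tcp", 22, "192.168.0.229"),
    ("bwfm0", "tcp", 80, "192.168.0.229"),
    ("wg0", "tcp", 80, "10.0.8.2"),
    ("wg0", "tcp", 22, "10.0.8.2"),
]

# Minimal service-name table; pf itself resolves names through /etc/services.
SERVICE_PORTS = {"ssh": 22, "http": 80, "www": 80}

# Only the narrow rule shape used in the post is recognised; this is a
# hypothetical checker, not a reimplementation of pf's matching logic.
RULE_RE = re.compile(
    r"^block\s+return\s+in\s+quick\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+!\s*(?P<src>\S+)\s+to\s+\S+\s+port\s+(?P<port>\S+)$"
)


def parse_rule(rule):
    """Return interface, protocol, allowed source and numeric port of a
    'block ... quick' rule, or None if the line is not of that shape."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return None
    port = m.group("port")
    port = SERVICE_PORTS.get(port, port)
    return {
        "iface": m.group("iface"),
        "proto": m.group("proto"),
        "allowed_src": m.group("src"),
        "port": int(port),
    }


def find_gaps(rules, policy):
    """For every (iface, proto, port, allowed_src) in policy, report why the
    ruleset fails to restrict that service to allowed_src. An empty list
    means each policy entry is backed by a matching quick block rule."""
    parsed = [p for p in (parse_rule(r) for r in rules) if p is not None]
    gaps = []
    for iface, proto, port, allowed in policy:
        on_port = [p for p in parsed if p["iface"] == iface and p["port"] == port]
        if not on_port:
            gaps.append((iface, proto, port, "no source-restricting rule on this interface/port"))
            continue
        same_proto = [p for p in on_port if p["proto"] == proto]
        if not same_proto:
            seen = ", ".join(sorted({p["proto"] for p in on_port}))
            gaps.append((iface, proto, port, f"rule only covers proto {seen}, not {proto}"))
            continue
        wrong_src = [p for p in same_proto if p["allowed_src"] != allowed]
        if wrong_src:
            gaps.append((iface, proto, port,
                         f"rule allows {wrong_src[0]['allowed_src']}, expected {allowed}"))
    return gaps


# Hardened variant (constructed here, not from the post): the wg0 port-80
# rule matches TCP, and wg0 gets its own source-restricted SSH rule.
HARDENED_RULES = [
    "block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port ssh",
    "block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port 80",
    "block return in quick on wg0 proto tcp from ! 10.0.8.2 to wg0 port ssh",
    "block return in quick on wg0 proto tcp from ! 10.0.8.2 to wg0 port 80",
]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("hardened", HARDENED_RULES)):
        gaps = find_gaps(rules, POLICY)
        print(f"{label}: {len(gaps)} gap(s)")
        for iface, proto, port, why in gaps:
            print(f"  {iface} {proto}/{port}: {why}")
```

Run against the posted rules the checker reports two gaps: the wg0 port-80 rule is written with `proto udp`, so it never matches a TCP connection to port 80, and no rule on wg0 restricts port 22 at all, which is consistent with the behaviour described in the post. `pfctl -nf /etc/pf.conf` on the OpenBSD host validates syntax but not intent, so a check of this kind is a useful complement before loading a ruleset.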