Hello, I have a single-homed VM and I'm trying to isolate a WireGuard interface inside a dedicated rdomain. All my peers except this host are behind NAT, and this VM has a static IP. I would like to use it to connect the several LANs behind the peers. I don't necessarily trust all the peers, thus I would like to isolate the VPN inside an rdomain (say 1). The egress, however, should stay on a different rdomain (say 0), where other services are running.
From what I understand, pf can connect the different rdomains, and the way I find more intuitive is to declare my wg1 in rdomain 1, but I suppose this entails also that the wgport will listen in the same rdomain. Therefore, I am trying to redirect the traffic destined to my wgport from rdomain 0 to the loopback interface in rdomain 1, hoping this will be handled correctly by the kernel and my traffic would show up on wg1. Unfortunately, this is not the case: I don't see any traffic on lo1 when I ping my wg IP address (192.0.0.1) from my remote peer, and I don't understand why. Any help is appreciated. Thanks in advance, and please bear with me because I am new to OpenBSD.

/etc/hostname.lo1
> rdomain 1
> inet 127.1.0.1 255.0.0.0

/etc/hostname.wg1
> rdomain 1
> inet 192.0.0.1 255.255.255.0
> wgport 1025
> wgkey <redacted>
> wgpeer <redacted> \
> wgaip 192.0.0.2/32 \
> wgpsk <redacted> \
> up

/etc/pf.conf
> WAN = "vio0"
> set skip on lo
> match in all scrub (random-id)
> block in quick from urpf-failed to any
> block in quick from no-route to any
> pass in quick on $WAN proto tcp to ($WAN) port 22
> pass in quick on $WAN proto udp to ($WAN) port 1025 rdr-to (lo1)
> block in quick proto tcp from any to self port 22
> block in quick proto udp from any to self port 1025
> block all
> block out on $WAN from ! ($WAN) to any
> pass in on wg1 from wg1:network
> pass out on wg1 to wg1:network
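A way to keep the tunnel confined to its own rdomain without redirecting the listening port, as an added example that is not part of the original post: wg(4) interfaces on OpenBSD accept a wgrtable keyword that selects the routing table for the outer UDP socket independently of the interface's rdomain, so the port can be served from rdomain 0 while wg1, its addresses and its peers stay in rdomain 1. Interface names, addresses and the port are taken from the post above; the pf fragment is an assumption and only shows the rules this change affects.

```conf
# /etc/hostname.wg1 (added example): interface and peers in rdomain 1,
# outer UDP socket bound in rtable 0 so the egress rdomain serves the port.
# rdomain must come first: changing it later resets the interface addresses.
rdomain 1
wgrtable 0
inet 192.0.0.1 255.255.255.0
wgport 1025
wgkey <redacted>
wgpeer <redacted> \
    wgaip 192.0.0.2/32 \
    wgpsk <redacted>
up

# /etc/pf.conf fragment (assumed): no rdr-to is needed for the WireGuard port,
# and untrusted peers are kept to wg1's own network inside rdomain 1.
WAN = "vio0"
pass in quick on $WAN proto udp to ($WAN) port 1025
pass in on wg1 from wg1:network to wg1:network
pass out on wg1 to wg1:network
```

After `sh /etc/netstart wg1` and `pfctl -f /etc/pf.conf`, `netstat -an -T 0 -p udp` should show the 1025 listener in rtable 0 while `ifconfig wg1` reports rdomain 1.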