On Thu Feb 27, 2025 at 4:35 PM CST, alpha beta wrote:
> Hello, I have a single homed VM and I'm trying to isolate a wireguard
> interface inside a dedicated rdomain. All my peers except this host
> are behind NAT, and this VM has a static IP. I would like to use it
> to connect the several LANs behind the peers. I don't necessarily
> trust all the peers, thus I would like to isolate the VPN inside an
> rdomain (say 1). The egress however, should stay on a different
> rdomain (say 0), where other services are running.
>
> From what I understand, pf can connect the different rdomains, and
> the way I find more intuitive is to declare my wg1 in rdomain 1, but
> I suppose this entails also the wgport will listen in the same rdomain.
> Therefore, I am trying to redirect the traffic destined to my wgport
> from rdomain 0 to the loopback interface in rdomain 1, hoping this will
> be handled correctly by the kernel, and my traffic would show up on
> wg1.
>
> Unfortunately, this is not the case, I don't see any traffic on lo1,
> when I ping my wg ip address (192.0.0.1) from my remote peer,
> and I don't understand why. Any help is appreciated. Thanks in advance
> and please bear with me because I am new to openbsd.
>
> /etc/hostname.lo1
>> rdomain 1
>> inet 127.1.0.1 255.0.0.0
>
> /etc/hostname.wg1
>> rdomain 1
>> inet 192.0.0.1 255.255.255.0
>> wgport 1025
>> wgkey <redacted>
>> wgpeer <redacted> \
>> wgaip 192.0.0.2/32 \
>> wgpsk <redacted> \
>> up
>
> /etc/pf.conf
>> WAN = "vio0"
>> set skip on lo
>> match in all scrub (random-id)
>> block in quick from urpf-failed to any
>> block in quick from no-route to any
>> pass in quick on $WAN proto tcp to ($WAN) port 22
>> pass in quick on $WAN proto udp to ($WAN) port 1025 rdr-to (lo1)
>> block in quick proto tcp from any to self port 22
>> block in quick proto udp from any to self port 1025
>> block all
>> block out on $WAN from ! ($WAN) to any
>> pass in on wg1 from wg1:network
>> pass out on wg1 to wg1:network
Remove the rdr-to portion of the rule in pf.conf; it won't be needed (and
won't work anyway). Add 'wgrtable 0' to hostname.wg1, and search for
wgrtable in `man ifconfig'. It sets which rdomain the actual wireguard
packets transit. The wireguard network and interface will be isolated to
rdomain 1 while the wireguard packets will traverse through rdomain 0.
This is also how you achieve a default route over wireguard in OpenBSD.

As a side note, your pf.conf could still use some work; one would
traditionally start with 'block all' as pf uses the last matching rule
(except for match statements). The `quick' modifier causes pf to
immediately match on that rule and ignore anything further. A (very
trimmed) example based on my local pf.conf:

#### begin pf.conf ####
set reassemble yes no-df
set skip on lo

WAN="vio0"

antispoof quick for $WAN
antispoof quick for wg1

# since we're dropping all packets by default, we don't need to explicitly worry
# about non-routable packets.
block drop all

match in all scrub (no-df random-id reassemble tcp)

# people like blocking ICMP, but it breaks parts of IPv4, and really breaks IPv6
# if you must, you can block echo-request and echo-reply, but it really doesn't
# gain you anything except making it harder to troubleshoot things.
pass in on any inet proto icmp from any to any
pass in on any inet6 proto icmp6 from any to any

# make sure you can ssh in
pass in on any proto tcp from any to self port 22

# your almost identical rule will work, but using parentheses will allow pf to
# gracefully handle interface address changes. even if you don't think it'll
# happen, i like having this. we don't need an explicit pass out for wg1, since
# that is handled below.
pass in on wg1 from (wg1:network)

# i've had issues with tcp mss detection on wireguard interfaces in the past, so
# i generally clamp the mss. ymmv; if you have issues with ssh over the
# wireguard tunnel, try this. if you don't, you can leave it out.
match out on wg1 from any to any scrub (max-mss 1380 random-id)

pass out modulate state
#### end pf.conf #####

I really recommend reading most of the ifconfig man page and the _entire_
pf.conf man page. I've been using pf for years, and still make silly
mistakes, and there are no guarantees there aren't silly mistakes in the
example I've put in here.
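Putting the two pieces of advice above together, here is what the poster's hostname.wg1 and the one affected pf.conf rule look like once wgrtable is set and rdr-to is dropped. This is an added illustration assembled from the values in the original post (rdomain 1, port 1025, 192.0.0.1/24, peer 192.0.0.2/32); it is not a file from either participant, and the keys stay redacted as in the post.

```conf
# /etc/hostname.wg1  (illustrative, built from the values in the original post)
#
# rdomain 1 puts wg1, its inet address and everything that is routed
# through the tunnel into routing domain 1.
rdomain 1
# wgrtable 0 makes the encrypted UDP transport (wgport 1025) send and
# receive in routing domain 0, where vio0 and the default route live.
# Without it the UDP socket would sit in rdomain 1 with no path to the
# Internet, which is why the rdr-to to lo1 was never going to help.
wgrtable 0
inet 192.0.0.1 255.255.255.0
wgport 1025
wgkey <redacted>
wgpeer <redacted> \
	wgaip 192.0.0.2/32 \
	wgpsk <redacted>
up

# /etc/pf.conf  (only the rule that changes; the rest is as discussed above)
#
# The WireGuard UDP packets now arrive on vio0 in rdomain 0 and are
# consumed by the wg1 socket there, so a plain pass is all that is needed.
WAN="vio0"
pass in quick on $WAN proto udp to ($WAN) port 1025
```

After `sh /etc/netstart wg1`, `ifconfig wg1` should show the interface bound to rdomain 1 with wgrtable 0, and `route -T 1 exec ping 192.0.0.2` exercises the tunnel from inside rdomain 1 while `tcpdump -ni vio0 udp port 1025` on the rdomain 0 side shows the encrypted transport, which is the split the original post was after.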