On 2025-02-28, B. Atticus Grobe <grobe...@gmail.com> wrote:
> On Thu Feb 27, 2025 at 4:35 PM CST, alpha beta wrote:
>
> add 'wgrtable 0' to hostname.wg1, and search for wgrtable in `man ifconfig'. it
> sets which rdomain the actual wireguard packets transit. the wireguard
> network and interface will be isolated to rdomain 1 while the wireguard packets
> will traverse through rdomain 0.
>
> this is also how you achieve a default route over wireguard in openbsd.
exactly; depending on the use-case you can either put the wg interface itself
in the default rdomain and a physical uplink interface in a non-default (using
wgrtable <rdomain of uplink>), or vice-versa (using wgrtable 0).

> as a side note, your pf.conf could still use some work; one would traditionally
> start with 'block all' as pf uses the last matching rule (except for match
> statements). the `quick' modifier causes pf to immediately match on that rule
> and ignore anything further.

I like that approach too. There's an implicit default rule equivalent to "pass
flags any no state" - you don't want anything to match this in normal use as a
stateful firewall - so a simple "block all" or "block log all" at the top of the
ruleset makes that clear.

> # i've had issues with tcp mss detection on wireguard interfaces in the past, so
> # i generally clamp the mss. ymmv; if you have issues with ssh over the
> # wireguard tunnel, try this. if you don't, you can leave it out.
> match out on wg1 from any to any scrub (max-mss 1380 random-id)

should be ok for packets to/from the machine with the wg interface, but
definitely a concern if you are forwarding to another machine.

> pass out modulate state

modulate state is mainly useful if you are protecting machines with a truly
awful TCP stack.

-- 
Please keep replies on the mailing list.
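The layout discussed in this thread (wg1 isolated in rdomain 1, its encrypted UDP transport sent through rdomain 0 via wgrtable 0, a default route over the tunnel for rdomain 1, and a pf ruleset that starts from block log all) as one constructed example, not config from anyone in the thread. The keys, the peer endpoint 203.0.113.10 and the 10.0.0.0/24 tunnel addresses are placeholder assumptions; only rdomain 1's default route goes over the tunnel here, rdomain 0 keeps the uplink's.

```conf
# /etc/hostname.wg1  (constructed example; keys and addresses are placeholders)
rdomain 1
wgkey <BASE64_PRIVATE_KEY>
wgport 51820
wgpeer <BASE64_PEER_PUBKEY> wgendpoint 203.0.113.10 51820 wgaip 0.0.0.0/0
# encrypted wireguard packets leave via the routing table of the uplink (rdomain 0)
wgrtable 0
inet 10.0.0.2 255.255.255.0
# default route for rdomain 1 over the tunnel; peer's tunnel address assumed 10.0.0.1
!route -T 1 add -inet default 10.0.0.1
up

# /etc/pf.conf  (constructed example)
set skip on lo
# explicit default so no packet ever reaches pf's implicit "pass flags any no state"
block log all
# clamp MSS on the tunnel; matters most when forwarding for other machines
match out on wg1 scrub (max-mss 1380 random-id)
# the wireguard transport itself: UDP to the peer via the rdomain 0 uplink
pass out quick on egress inet proto udp to 203.0.113.10 port 51820
# traffic inside the tunnel (rdomain 1): plain stateful rules, no modulate state
pass out quick on wg1
pass in quick on wg1 inet proto tcp to port ssh
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `sh /etc/netstart wg1` and `pfctl -f /etc/pf.conf`; `route -T 1 exec ping 10.0.0.1` confirms rdomain 1 reaches the peer through the tunnel.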