> > add 'wgrtable 0' to hostname.wg1, and search for wgrtable in `man
> > ifconfig'. it sets which rdomain the actual wireguard packets transit.
> > the wireguard network and interface will be isolated to rdomain 1 while
> > the wireguard packets will traverse through rdomain 0.
> >
> > this is also how you achieve a default route over wireguard in openbsd.
>
> exactly; depending on the use-case you can either put the wg interface
> itself in the default rdomain and a physical uplink interface in a
> non-default (using wgrtable <rdomain of uplink>), or vice-versa (using
> wgrtable 0).
Thank you both. This did the trick. I read the man pages and also plenty of
other online resources, but I missed this detail.

> > as a side note, your pf.conf could still use some work; one would
> > traditionally start with 'block all' as pf uses the last matching rule
> > (except for match statements). the `quick' modifier causes pf to
> > immediately match on that rule and ignore anything further.
>
> I like that approach too. There's an implicit default rule equivalent to
> "pass flags any no state" - you don't want anything to match this in
> normal use as a stateful firewall - so a simple "block all" or "block log
> all" at the top of the ruleset makes that clear.

I agree. This was my first pf firewall attempt. I will keep on studying and
experimenting to improve my knowledge.

My reasoning was the following: I am aware that many examples start with a
`block all` rule; however, I don't always want to wait for all rules to be
evaluated before taking most decisions, therefore I try to "push up" as many
quick rules as possible, to speed things up.

Anyway, there is just a single thing in your rules that does not fit my case:

> # make sure you can ssh in
> pass in on any proto tcp from any to self port 22

This, unless I am missing something again, allows ssh access also from within
the wireguard network, which is why I was interested in moving them to an
isolated rdomain in the first place. Wireguard networks should not have any
access to SSH, etc.
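Putting the thread's advice together, as an added example that is not from any of the posters: a hostname.wg1 that keeps the tunnel in rdomain 1 while its encrypted UDP packets transit rdomain 0 (wgrtable 0), next to a pf.conf that opens with block all and admits ssh only on the physical uplink, so hosts inside the wireguard network cannot reach port 22. The uplink name em0, the 10.9.0.0/24 tunnel network, the peer endpoint and the keys are placeholders, not values from the thread.

```conf
# /etc/hostname.wg1 -- added example; keys, endpoint and addresses are placeholders
rdomain 1                          # tunnel interface and its routes live in rdomain 1
wgkey <BASE64_PRIVATE_KEY>         # placeholder, generate with: openssl rand -base64 32
wgport 51820
wgpeer <BASE64_PEER_PUBLIC_KEY> wgendpoint 203.0.113.10 51820 wgaip 10.9.0.0/24
wgrtable 0                         # encrypted packets are sent and received via rdomain 0
inet 10.9.0.1/24
up

# /etc/pf.conf -- added example
uplink = "em0"                     # assumed name of the physical uplink (rdomain 0)
wg_net = "10.9.0.0/24"             # assumed tunnel network (rdomain 1)
set skip on lo

# last matching rule wins, so start by denying everything and logging it
block log all

# wireguard transport: UDP 51820 on the uplink only
pass in  quick on $uplink inet proto udp to   ($uplink) port 51820
pass out quick on $uplink inet proto udp from ($uplink) port 51820

# ssh is reachable from the uplink side only; the tunnel never gets to port 22
block in quick on wg1 proto tcp to self port 22
pass  in quick on $uplink inet proto tcp to ($uplink) port 22

# outbound traffic from this host over the uplink, stateful
pass out quick on $uplink

# traffic arriving over the tunnel stays in rdomain 1; permit only what you need
pass in quick on wg1 inet from $wg_net to 10.9.0.1
```

The explicit block on wg1 is redundant with `block log all` but documents the intent, and `pfctl -nf /etc/pf.conf` checks the syntax before loading.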