Tuesday, October 31, 2023

Re: Wireguard Port Forwarding

On 2023-10-31, Benjamin Stürz <benni+openbsd@stuerz.xyz> wrote:
> HOME /etc/pf.conf
>> set skip on lo
>>
>> block return # block stateless traffic
>> pass # establish keep-state
>>
>> # By default, do not permit remote connections to X11
>> block return in on ! lo0 proto tcp to port 6000:6010
>>
>> # Port build user does not need network
>> block return out log proto {tcp udp} user _pbuild
>>
>> pass out on egress inet from (wg0:network) nat-to (vio0:0)
> VPS /etc/pf.conf
>> set skip on lo
>>
>> block all
>> pass out
>>
>> # Wireguard
>> pass in on wg0
>> pass in inet proto udp from any to any port 51820
>> pass out on egress inet from (wg0:network) nat-to (vio0:0)
>>
>> pass in on egress proto tcp from any to any port ssh
>> pass in on vio0 proto tcp from any to any port 80 rdr-to 192.168.64.2

Currently packets sent to the home machine have the original source
address on the internet, and you do nothing to ensure they're routed
back via wg, so they'll be routed via your standard connection.

You could try something like "pass in on wg0 proto tcp to port 80
reply-to 192.168.64.1" on the home machine. If that doesn't help,
watch tcpdump on the various interfaces and try to figure out what's
happening.

Alternatively you could set wg in a different rdomain "rdomain 2",
add a default route via the VPS "route -T 2 add default 192.168.64.1"
and set the daemons you want to run via tunnel to use the matching
rtable, "somedaemon_rtable=2" in rc.conf.local.
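
To make the two suggestions above concrete, here is an added example (not part of the thread and not the poster's real configuration) showing what each fix looks like on the home machine. It assumes the addresses from the quoted rules (VPS 192.168.64.1 and home 192.168.64.2 inside the tunnel, interface wg0, forwarded service httpd on port 80); the rdomain/rtable number 2 and the reply-to address are taken from the reply, and the keys, endpoint and port in hostname.wg0 are placeholders. Only the tunnel-related rules are shown.

```conf
# Added example for the two fixes sketched above.  Illustrative files, not the
# poster's actual configuration.  Assumed from the quoted rules: the VPS is
# 192.168.64.1 and the home machine 192.168.64.2 inside the tunnel, the tunnel
# interface is wg0, and the forwarded service is httpd on port 80.

# ===== Fix 1: reply-to on the HOME machine (/etc/pf.conf) =====
set skip on lo

block return            # block stateless traffic
pass                    # establish keep-state

# Connections redirected by the VPS arrive on wg0 carrying the client's real
# internet source address.  Left alone, the reply follows the default route
# out the ISP link with source 192.168.64.2 and never reaches the client.
# reply-to stores the VPS's tunnel address in the state, so every reply for
# the connection is handed back to wg0 towards 192.168.64.1 instead.
pass in on wg0 proto tcp to port 80 reply-to 192.168.64.1

# ===== Fix 2: tunnel in its own rdomain (HOME machine) =====
# /etc/hostname.wg0 (placeholders in angle brackets)
rdomain 2                               # tunnel addresses and routes live in rtable 2
wgkey <home-private-key>
wgrtable 0                              # outer UDP to the VPS still uses rtable 0 (the ISP link)
# wgaip must cover the client addresses the VPS forwards, not only 192.168.64.1,
# or WireGuard drops the forwarded packets before pf ever sees them.
wgpeer <vps-public-key> wgendpoint <vps-public-ip> 51820 wgaip 0.0.0.0/0
inet 192.168.64.2 255.255.255.0
!route -T 2 add default 192.168.64.1    # rtable 2's default route points back through the tunnel

# /etc/rc.conf.local: run the forwarded daemon in rtable 2 so its replies
# use the route above (httpd.conf must then "listen on 192.168.64.2 port 80")
httpd_flags=""
httpd_rtable=2
```

To check either fix the way the reply suggests: on the home machine, "tcpdump -ni wg0 tcp port 80" should show the client's SYN arriving and the SYN/ACK leaving on the same interface; if the SYN/ACK shows up in "tcpdump -ni <egress interface> tcp port 80" instead, replies are still taking the ISP route. "pfctl -ss | grep ':80'" shows whether a state was created for the connection, and for Fix 2 "route -T 2 -n show" confirms the default route in rtable 2.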
