Tuesday, October 31, 2023

Re: Wireguard Port Forwarding

On 31.10.23 16:07, Stuart Henderson wrote:
> On 2023-10-31, Benjamin Stürz <benni+openbsd@stuerz.xyz> wrote:
>> HOME /etc/pf.conf
>>> set skip on lo
>>>
>>> block return # block stateless traffic
>>> pass # establish keep-state
>>>
>>> # By default, do not permit remote connections to X11
>>> block return in on ! lo0 proto tcp to port 6000:6010
>>>
>>> # Port build user does not need network
>>> block return out log proto {tcp udp} user _pbuild
>>>
>>> pass out on egress inet from (wg0:network) nat-to (vio0:0)
>> VPS /etc/pf.conf
>>> set skip on lo
>>>
>>> block all
>>> pass out
>>>
>>> # Wireguard
>>> pass in on wg0
>>> pass in inet proto udp from any to any port 51820
>>> pass out on egress inet from (wg0:network) nat-to (vio0:0)
>>>
>>> pass in on egress proto tcp from any to any port ssh
>>> pass in on vio0 proto tcp from any to any port 80 rdr-to 192.168.64.2
>
> Currently packets sent to the home machine have the original source
> address on the internet, and you do nothing to ensure they're routed
> back via wg, so they'll be routed via your standard connection.
>
> You could try something like "pass in on wg0 proto tcp to port 80
> reply-to 192.168.64.1" on the home machine.
Thanks, that did it.
Such a simple thing, but I struggled for hours.

> If that doesn't help,
> watch tcpdump on the various interfaces and try to figure out what's
> happening.
>
> Alternatively you could set wg in a different rdomain "rdomain 2",
> add a default route via the VPS "route -T 2 add default 192.168.64.1"
> and set the daemons you want to run via tunnel to use the matching
> rtable, "somedaemon_rtable=2" in rc.conf.local.

Thanks,
Benjamin Stürz
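The two rulesets as they stand once the fix from the thread is applied, written out as an added example rather than the posters' own files; the home host's X11 and `_pbuild` rules are left out, and 192.168.64.1 (VPS) and 192.168.64.2 (home) are the tunnel addresses assumed from the thread.

```pf
# ---- VPS /etc/pf.conf ----
# Forwarding must be on (net.inet.ip.forwarding=1 in /etc/sysctl.conf)
# or the redirected packets are dropped instead of sent into the tunnel.
set skip on lo

block all
pass out

# WireGuard: the tunnel itself and its UDP listener
pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (vio0:0)

pass in on egress proto tcp from any to any port ssh

# Public port 80 is redirected to the home host's tunnel address.
# Only the destination is rewritten: the packet keeps the client's
# public source address, which is what makes the home host's reply
# take the wrong path unless it is told otherwise (see below).
pass in on vio0 proto tcp from any to any port 80 rdr-to 192.168.64.2

# ---- HOME /etc/pf.conf ----
set skip on lo

block return            # block stateless traffic
pass                    # establish keep-state

# The reply to a redirected connection is addressed to the client's
# public IP, so without this rule it follows the default route out of
# the normal uplink and never re-enters the tunnel. reply-to pins the
# state's return path to the VPS end of wg0. pf is last-match, so this
# rule has to come after the generic "pass" above to take effect.
pass in on wg0 proto tcp to port 80 reply-to 192.168.64.1
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading each file with `pfctl -f /etc/pf.conf`. On the home machine, `tcpdump -ni wg0 port 80` should then show both directions of a redirected connection, instead of only the inbound SYNs.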
