In addition to WireGuard, also enable the FreeBSD packet filter pf using rc.conf tunables (pf_enable="YES", plus pf_rules to point it at the rules file, as described below):
![Final set of Tunables](../../images/3838643382.webp)
iXsystems recommends that wg0.conf live in /root, with a Post Init Script that copies it to a system location and then starts WireGuard:

```sh
mkdir -p /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start
```
By default pf reads its rules from /etc/pf.conf, but we follow the same pattern: copy /root/pf.conf to /usr/local/etc/pf.conf on startup and point pf at that copy with the pf_rules tunable (pf_rules="/usr/local/etc/pf.conf"). Note that pf is enabled at boot before the Post Init Script runs, so the copied rules have to be loaded with pfctl -f after the copy rather than relying on the boot-time start.
![Final scripts](../../images/3760196602.webp)
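The two Post Init one-liners above do no checking at all. The script below is an added example, not iXsystems' or the original post's script, that does the same copy-and-start with the checks a careful operator would want first: wg0.conf holds the server's private key, so it must not be readable by group or other; the pf ruleset is syntax-checked with `pfctl -n` before it is loaded; and IP forwarding is turned on, because pf only rewrites addresses and the kernel must actually forward between wg0 and igb0. It assumes the paths used on this page and that the rc.conf tunables pf_enable, pf_rules and wireguard_enable are already set.

```shell
#!/bin/sh
# Post Init script for FreeNAS/TrueNAS: copy wg0.conf and pf.conf out of /root,
# refuse to proceed if they look wrong, then load pf and start WireGuard.
# Added example, not iXsystems' or the original post's script. Assumes the
# paths used on this page and that the rc.conf tunables pf_enable, pf_rules
# and wireguard_enable are already set.
set -eu

WG_SRC=/root/wg0.conf
PF_SRC=/root/pf.conf
WG_DST=/usr/local/etc/wireguard/wg0.conf
PF_DST=/usr/local/etc/pf.conf

# True if no group/other permission bit is set. wg0.conf carries the server's
# private key; anyone who can read it can impersonate the server to every peer.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the server-side config has the four things it cannot work without.
wg_conf_complete() {
    grep -q '^PrivateKey *= *[^ ]' "$1" &&
    grep -q '^ListenPort *= *[0-9]' "$1" &&
    grep -q '^Address *= *[^ ]' "$1" &&
    grep -q '^\[Peer\]' "$1"
}

# True if pfctl accepts the ruleset; -n parses without loading it.
pf_rules_ok() {
    pfctl -nf "$1" >/dev/null 2>&1
}

install_and_start() {
    owner_only "$WG_SRC" || { echo "$WG_SRC is readable by group/other; chmod 600 it first" >&2; return 1; }
    wg_conf_complete "$WG_SRC" || { echo "$WG_SRC lacks PrivateKey, ListenPort, Address or a [Peer]" >&2; return 1; }
    pf_rules_ok "$PF_SRC" || { echo "$PF_SRC fails pfctl -n; fix it before loading" >&2; return 1; }

    install -d -m 700 "$(dirname "$WG_DST")"
    install -m 600 "$WG_SRC" "$WG_DST"
    install -m 644 "$PF_SRC" "$PF_DST"

    # pf only rewrites addresses; the kernel must also forward between wg0 and igb0.
    sysctl net.inet.ip.forwarding=1
    sysctl net.inet6.ip6.forwarding=1

    # pf_enable already ran at boot, before the copied file existed, so reload the
    # rules into the running pf and make sure it is enabled rather than restarting.
    pfctl -f "$PF_DST"
    pfctl -s info | grep -q '^Status: Enabled' || pfctl -e

    /usr/local/etc/rc.d/wireguard start
}

# Only act when explicitly asked, so the check functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    install_and_start
fi
```

Save it as, for example, /root/wg-postinit.sh, make it executable, and set the Post Init Script command to `/root/wg-postinit.sh run`. Because the checks return non-zero before anything is copied, a bad wg0.conf or pf.conf leaves the previous working copies in place.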
My pf.conf follows. The WireGuard IP addresses are arbitrary, on an arbitrary subnet; the one constraint is that the subnet must not overlap the LAN behind igb0 or the network a client connects from, because pf routes and NATs from this subnet to the rest of the network. I don't know of a way to do this without these arbitrary, but static, IP addresses. pf itself only translates addresses: the kernel must also be allowed to forward packets between wg0 and igb0 (gateway_enable="YES" in rc.conf, or sysctl net.inet.ip.forwarding=1, and ipv6_gateway_enable="YES" if you use the IPv6 NAT rule).
```
# Interfaces
ext_if = "igb0"
wireguard_if = "wg0"

# WireGuard settings. The tunnel prefixes are arbitrary but must not overlap
# the LAN behind $ext_if or any network a client will connect from.
# fc::/64 is not inside the ULA range fc00::/7; it works for a private tunnel,
# but a locally generated fd00::/8 prefix is the conventional choice.
wireguard_net_v4 = "192.168.222.0/24"
wireguard_net_v6 = "fc::/64"

# Rules must be in order: options, normalization, queueing, translation, filtering

# Options
set skip on lo

# Translation
# NAT WireGuard traffic that leaves via $ext_if to the address currently on
# $ext_if. Peer-to-peer traffic stays inside the tunnel and never exits $ext_if,
# so the explicit exclusion only documents the intent. ($ext_if) with parentheses
# means "the interface's current address", which is what a DHCP-assigned NAS needs.
nat on $ext_if inet from $wireguard_net_v4 to !$wireguard_net_v4 -> ($ext_if)
#nat on $ext_if inet6 from $wireguard_net_v6 to !$wireguard_net_v6 -> ($ext_if)

# Filtering
# These two rules pass everything; with no block rules pf is acting purely as a
# NAT here, not as a firewall.
pass inet all
pass inet6 all
```
(Uncomment the IPv6 NAT rule once IPv6 works end to end on igb0. The client config below routes ::/0 into the tunnel, so without it client IPv6 packets reach the server untranslated and never get a reply.)
My FreeNAS server's wg0.conf:

```ini
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
ListenPort = 51820
# Host 1 on both tunnel prefixes; /64 so the whole fc:: prefix routes via wg0
Address = 192.168.222.1/32, fc::1/64

[Peer]
# The laptop. AllowedIPs is both the only source address pair this key may use
# and the only destination set routed to it.
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 192.168.222.2/32, fc::2/128
```
Laptop client configuration:

```ini
[Interface]
PrivateKey = CLIENT1_PRIVATE_KEY
# Must be exactly what the server lists in AllowedIPs for this key. The IPv6
# address is needed too, or the ::/0 route below has no usable source address.
Address = 192.168.222.2/32, fc::2/128
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
# Full tunnel: all IPv4 and IPv6 traffic goes through the NAS
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = dynamicdns.example.com:51820
PersistentKeepalive = 25
```
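The server and client configs above have to agree on one thing that is easy to get wrong by hand: the client's Address must be exactly the /32 and /128 the server lists in AllowedIPs for that key, and every peer needs its own host number. The script below is an added example, not from the original post, that provisions one more road-warrior peer under this page's addressing scheme (192.168.222.0/24 and fc::/64, peer N gets host N on both): it finds the lowest free host number in the existing wg0.conf, appends the [Peer] stanza, pushes it to the live interface with `wg set` so existing peers are not disturbed, and writes the matching full-tunnel client config. It assumes wg(8) is installed for key generation.

```shell
#!/bin/sh
# Provision one more road-warrior peer: pick the next free host number, append a
# [Peer] stanza to the server's wg0.conf, push it to the live interface, and
# write the matching full-tunnel client config.
# Added example, not from the original post. Assumes the addressing scheme used
# on this page (192.168.222.0/24 and fc::/64, peer N gets host N on both) and
# that wg(8) is installed.
set -eu

V4_PREFIX=192.168.222
V6_PREFIX=fc::

# Print the lowest unused host number from 2 up, reading every AllowedIPs line.
# Host 1 is the server. Prints nothing if the /24 is full.
next_host() {
    awk -v pfx="$V4_PREFIX." '
        /^AllowedIPs/ {
            n = split($0, f, /[ ,=]+/)
            for (i = 2; i <= n; i++)
                if (index(f[i], pfx) == 1) {
                    h = substr(f[i], length(pfx) + 1)
                    sub(/\/.*/, "", h)
                    used[h + 0] = 1
                }
        }
        END { for (h = 2; h < 255; h++) if (!(h in used)) { print h; exit } }
    ' "$1"
}

# Server-side stanza: this key may only send from, and is only routed, these two addresses.
server_peer_stanza() { # name pubkey host
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s.%s/32, %s%s/128\n' \
        "$1" "$2" "$V4_PREFIX" "$3" "$V6_PREFIX" "$3"
}

# Full-tunnel client config. Address must be exactly what the server lists in
# AllowedIPs for this key; packets from any other source are dropped on arrival.
client_conf() { # privkey host server_pubkey endpoint
    printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/32, %s%s/128\nDNS = 1.1.1.1\n\n' \
        "$1" "$V4_PREFIX" "$2" "$V6_PREFIX" "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = %s\nPersistentKeepalive = 25\n' \
        "$3" "$4"
}

add_peer() { # name server_conf endpoint
    host=$(next_host "$2")
    [ -n "$host" ] || { echo "no free host in $V4_PREFIX.0/24" >&2; return 1; }
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(sed -n 's/^PrivateKey *= *//p' "$2" | wg pubkey)

    server_peer_stanza "$1" "$pub" "$host" >> "$2"
    # Apply to the running interface without bouncing the tunnel for existing peers.
    wg set wg0 peer "$pub" allowed-ips "$V4_PREFIX.$host/32,$V6_PREFIX$host/128"

    umask 077   # the client file holds a private key
    client_conf "$priv" "$host" "$server_pub" "$3" > "$1.conf"
    echo "wrote $1.conf as host $host"
}

# Usage: add-peer.sh <name> /root/wg0.conf dynamicdns.example.com:51820
if [ $# -eq 3 ]; then
    add_peer "$@"
fi
```

Run it against /root/wg0.conf, since under the Post Init pattern above that is the copy that survives a reboot; the `wg set` line updates the interface that is already up, and the next boot picks the new peer up from the copied file. The generated client file is written with mode 600 and should be moved to the client over an authenticated channel, then deleted from the NAS.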
Thanks to https://gist.github.com/apearson/168b244b4735cceff9809ef3d07f4df5 for a nearly working config!
See also pf docs and this.