On 2022-08-08, Rachel Roch <[email protected]> wrote:
> TL;DR I've got wg(4) working great on the router itself (i.e. VPN up, all
> localhost traffic routes across VPN). But I can't get it working with
> external clients (i.e. devices that use the router as their default gateway).
>
> ip.forwarding is on:
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1
>
> I've tried various combinations of pf rules, e.g.:
> pass out inet from 10.0.0.0/8 to !<router_interfaces> nat-to (wg0)
>
> My hostname.wg0 looks like this:
> inet 172.16.111.25 255.255.255.255
> wgkey <REDACTED>
> wgpeer <REDACTED> wgendpoint <REDACTED> <REDACTED> wgaip 0.0.0.0/0 wgaip ::/0
> wgpka 20
> up
>
> The only reference I've found to this issue is a brief thread on Reddit which
> suggests maybe there are some shortcomings in the wg(4) implementation
> (https://www.reddit.com/r/openbsd/comments/hy8lv0/routing_vmm4_guest_traffic_via_a_wg4_tunnel/?utm_source=share&utm_medium=web2x&context=3)
>
> Personally I think it's more likely I've missed something simple in my config,
> but I don't know what or where.
Check that the packets from "external clients" are actually hitting your pf
nat-to rule.

You can check the state table (pfctl -ss -v) - if packets are hitting the
nat-to rule you will see the natted address - if not then check the rule
number from the state output and look it up with "pfctl -sr -R $rule_number -v"
to see which rule they really are hitting.

Or you can use "log" in pf.conf, maybe with "match log(matches)", and check
"tcpdump -netti pflog0".

I like using "match ... nat-to" rather than putting nat-to on a "pass" rule.
I find it's easier to deal with.

-- 
Please keep replies on the mailing list.
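Putting the reply's advice together as one pf.conf fragment (an added example, not either poster's configuration): 10.0.0.0/8, wg0 and the 172.16.111.25 tunnel address come from the thread; the LAN interface name em1 is an assumption.

```pf
# /etc/pf.conf fragment (added example). Interface names are assumptions:
# em1 = LAN side the clients use as default gateway, wg0 = the wg(4) tunnel.
lan_if  = "em1"
lan_net = "10.0.0.0/8"

set skip on lo

# Translate forwarded client traffic as it leaves through wg0. "match" keeps
# the NAT decision separate from pass/block; "log (matches)" also logs every
# later rule the same packet matches, so "tcpdump -netti pflog0" shows which
# rule finally passed or blocked it.
match out log (matches) on wg0 inet from $lan_net nat-to (wg0)

# Forwarded traffic: in from the LAN, out through the tunnel.
pass in  on $lan_if inet from $lan_net
pass out on wg0 inet

# Check after "pfctl -f /etc/pf.conf": a client's state in "pfctl -ss -v"
# should carry the translated address 172.16.111.25 on wg0. If it shows the
# raw 10.x client address instead, the packet did not reach the match rule;
# "pfctl -sr -R <rule number from the state> -v" names the rule it did hit.
```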

