From 8887849da860f23a623861fcf63e875f1f07059c Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Wed, 15 Mar 2023 22:39:33 +0100 Subject: Added wireguard firewalling on FreeBSD blog article --- content/blog/freebsd/wireguard-firewall.md | 76 ++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 content/blog/freebsd/wireguard-firewall.md (limited to 'content/blog/freebsd') diff --git a/content/blog/freebsd/wireguard-firewall.md b/content/blog/freebsd/wireguard-firewall.md new file mode 100644 index 0000000..e05ba69 --- /dev/null +++ b/content/blog/freebsd/wireguard-firewall.md @@ -0,0 +1,76 @@ +--- +title: Wireguard firewalling on FreeBSD +description: How to configure pf for wireguard on FreeBSD +date: 2023-03-15 +tage: +- pf +- vpn +- wireguard +--- + +## Introduction + +There are multiple firewall solutions available on FreeBSD, but I only ever used pf. If you are a ipfw or ipfilter user I am sorry but I trust you will know how to translate the firewalling rules. + +## Template for this article + +```cfg +scrub in all + +table persist +table const { self } +table const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 } +table const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 } + +##### Basic rules ##### +nat pass on egress from to -> (egress:0) +rdr-anchor "rdr/*" +set skip on lo +block return log + +##### This firewall ##### +block drop in on egress +pass inet proto icmp all icmp-type unreach code needfrag # MTU path discovery +pass inet proto icmp all icmp-type { echoreq, unreach } # echo reply +pass inet6 proto icmp6 all + +pass in on egress proto tcp from to port { ssh, http, https, smtp, smtps, submission } +pass out from to any +``` + +A pre-requisite of this configuration is to have set an `egress` group for your egress interface(s) like so in your `/etc/rc.conf`: +```cfg +ifconfig_vtnet0="DHCP group egress" +``` + +## Client only + +With our template, you can already use your wireguard vpn as a client without any changes because of the `pass out from to any` rule. It cover all outgoing traffic for us: +- egress udp to port 342 (the port we used as example in our previous articles) to establish the tunnel with our peers +- egress from interface wg0 to send packets into the tunnel. +- conveniently, it covers both ipv4 and ipv6 + +## Reachable client + +To make your client reachable over wireguard, add the following: +``` +pass in on wg0 from to +``` + +## Server + +A server's configuration just need to accept wireguard connections in addition of the previous rule: +```cfg +pass in on egress proto udp from to port 342 +pass in on wg0 from to +``` + +## Hub + +As seen in a previous routing article, a hub is a server that can route traffic to another one over wireguard: +```cfg +pass in on egress proto udp from to port 342 +pass in on wg0 from to +``` + +Note that you will need to have set `gateway_enable="YES"` in your `/etc/sysctl.conf` to route traffic. \ No newline at end of file -- cgit v1.2.3