--- title: Wireguard firewalling on FreeBSD description: How to configure pf for wireguard on FreeBSD date: 2023-03-15 tags: - pf - vpn - wireguard --- ## Introduction There are multiple firewall solutions available on FreeBSD, but I only ever used pf. If you are a ipfw or ipfilter user I am sorry but I trust you will know how to translate the firewalling rules. ## Template for this article ```cfg scrub in all table persist table const { self } table const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 } table const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 } ##### Basic rules ##### nat pass on egress from to -> (egress:0) rdr-anchor "rdr/*" set skip on lo block return log ##### This firewall ##### block drop in on egress pass inet proto icmp all icmp-type unreach code needfrag # MTU path discovery pass inet proto icmp all icmp-type { echoreq, unreach } # echo reply pass inet6 proto icmp6 all pass in on egress proto tcp from to port { ssh, http, https, smtp, smtps, submission } pass out from to any ``` A pre-requisite of this configuration is to have set an `egress` group for your egress interface(s) like so in your `/etc/rc.conf`: ```cfg ifconfig_vtnet0="DHCP group egress" ``` ## Client only With our template, you can already use your wireguard vpn as a client without any changes because of the `pass out from to any` rule. It cover all outgoing traffic for us: - egress udp to port 342 (the port we used as example in our previous articles) to establish the tunnel with our peers - egress from interface wg0 to send packets into the tunnel. - conveniently, it covers both ipv4 and ipv6 ## Reachable client To make your client reachable over wireguard, add the following: ``` pass in on wg0 from to ``` ## Server A server's configuration just need to accept wireguard connections in addition of the previous rule: ```cfg pass in on egress proto udp from to port 342 pass in on wg0 from to ``` ## Hub As seen in a previous routing article, a hub is a server that can route traffic to another one over wireguard: ```cfg pass in on egress proto udp from to port 342 pass in on wg0 from to ``` Note that you will need to have set `gateway_enable="YES"` in your `/etc/sysctl.conf` to route traffic.