Re: Setting up a Wireguard router (with FreeBSD)

From: The Doctor <doctor_at_doctor.nl2k.ab.ca>
Date: Wed, 06 Mar 2024 22:16:35 UTC

On Wed, Mar 06, 2024 at 08:50:35PM +0000, Christopher Waldbach wrote:
> Good evening, guys and gals!
> 
> I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a
> VPN-gateway with WireGuard. Since I got fibre channel for my internet
> connection, I gained bandwidth but lost the public IPv4 address. So I can
> access my computer again from the net (and maybe run a service or two), I
> went to one of the 2?????? VPN providers and got a plan there - one that
> includes port-forwarding. :-)
> 
> I put FreeBSD on a smallish (128GB) SSD and it boots without a problem. I am
> running FreeBSD 14.
> 
> My problem probably isn't WireGuard, but the routing concept of FreeBSD,
> which I do not seem to understand completely. Once I added
> 
> gateway_enable="YES"
> 
> to the rc.conf, the Pi passed on packets that came in from other computers
> on the same subnet to the internet. Meaning: If I set the Pi as the default
> route for another computer, said computer still has full access to the
> internet, mtr just shows an additional hop.
> 
> When I fire up the wg0 interface, everything seems fine at first. The Pi
> still has access to the web and mtr confirms that indeed the VPN-connection
> is being used (the hops are completely different). The routes seem to be set
> correctly. However, the computer that uses the Pi as its default route is
> now without access to the net. mtr on that machine shows exactly one hop: the
> Pi.
> 
> I would have expected that this should work like this - even without me
> using one of the firewalls of FreeBSD. I get that I will _have_ to use pf or
> something else once I want the port(s) to be forwarded and maybe this isn't
> very secure, but I was taking this step by step - checking if the routing
> works unfiltered and then I wanted to add the filters.
> 
> Am I making a mistake in my reasoning? I know that what I want to do
> requires NAT, but does NAT require a firewall?
> 
> Do you have suggestions as to which firewall I should use?
> 
> Thanks for reading!
> 
> Best regards,
> Chris
> 
> 

Are you using Berkeley Packet Filtering?

-- 
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness?  -unknown
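
An added configuration example, not part of either message above: on FreeBSD, NAT is performed by a packet filter (pf, ipfw or ipfilter), so the gateway described in the question needs one enabled before LAN clients can use the tunnel. A WireGuard peer accepts only packets whose inner source address is in the AllowedIPs it holds for the sender, so forwarded packets that still carry a LAN source address are dropped at the provider; the `nat` rule below rewrites them to wg0's own address. The interface name `genet0`, the LAN subnet `192.168.1.0/24` and the provider allowing only the tunnel address are assumptions made for this sketch.

```conf
# --- /etc/rc.conf (additions) ---
# gateway_enable is already set in the question; pf is what adds NAT.
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# --- /etc/pf.conf ---
# Assumed names: adjust to the actual LAN interface and subnet.
lan_if  = "genet0"             # Ethernet port of the Pi (assumption)
vpn_if  = "wg0"                # WireGuard interface from the question
lan_net = "192.168.1.0/24"     # constructed example subnet

set skip on lo0

# Translation: anything from the LAN leaving through the tunnel gets
# wg0's current address as its source. The parentheses make pf follow
# the interface address if it changes.
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)

# Filtering: nothing unsolicited comes in from the tunnel; replies to
# outbound connections are matched by the state created on the way out.
block in on $vpn_if all
pass out on $vpn_if all keep state

# LAN side is left unfiltered here (pf passes by default).
pass on $lan_if all
```

The ruleset can be syntax-checked with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -s nat` and `pfctl -s state` show whether LAN traffic is actually being translated.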