| field | value | date |
|---|---|---|
| author | Paul Buetow <paul@buetow.org> | 2026-01-15 19:31:19 +0200 |
| committer | Paul Buetow <paul@buetow.org> | 2026-01-15 19:31:52 +0200 |
| commit | cf2f8a9c77adde891a85c6e4ab405ede95e6ec97 | |
| tree | a4f7cbaafb78bae21a847da2033c4a8aa24b33d6 | |
| parent | 5ad9f8a94e3ec7da9f88d98fc9b63fe6cf1116f8 | |
Add IPv6 NAT and firewall rules to OpenBSD PF configuration

Enable IPv6 support for WireGuard mesh network on OpenBSD gateways:

- Added NAT66 rule using NPTv6 to translate ULA addresses to public IPv6
- Added IPv6 UDP pass rule for WireGuard port 56709
- Maintains existing IPv4 NAT and firewall rules

This allows roaming clients to route IPv6 traffic through the VPN gateways
and access IPv6 internet resources using the gateway's public IPv6 address.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | frontends/etc/pf.conf.tpl | 10 |

1 files changed, 8 insertions, 2 deletions
diff --git a/frontends/etc/pf.conf.tpl b/frontends/etc/pf.conf.tpl index 24c007e..5a33653 100644 --- a/frontends/etc/pf.conf.tpl +++ b/frontends/etc/pf.conf.tpl @@ -2,11 +2,16 @@ # # See pf.conf(5) and /etc/examples/pf.conf -# NAT for WireGuard clients to access internet +# NAT for WireGuard clients to access internet (IPv4) # This allows roaming clients (earth, pixel7pro) to route all traffic # through the VPN and access the internet via the gateway's public IP match out on vio0 from 192.168.2.0/24 to any nat-to (vio0) +# NAT66 for WireGuard clients to access internet (IPv6) +# This allows roaming clients to route IPv6 traffic through the VPN +# Uses NPTv6 (Network Prefix Translation) to translate ULA to public IPv6 +match out on vio0 inet6 from fd42:beef:cafe:2::/64 to any nat-to (vio0) + set skip on lo block return # block stateless traffic @@ -22,6 +27,7 @@ block return out log proto {tcp udp} user _pbuild # This permits traffic from VPN clients to access services on this host pass in on wg0 -# Allow all UDP traffic on WireGuard port +# Allow all UDP traffic on WireGuard port (IPv4 and IPv6) # This is required for WireGuard's encrypted tunnel communication pass in inet proto udp from any to any port 56709 +pass in inet6 proto udp from any to any port 56709 |
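Review bot: the comment added in the first hunk says the rule uses NPTv6 (prefix translation), but `match out on vio0 inet6 from fd42:beef:cafe:2::/64 to any nat-to (vio0)` is plain NAT66 to the interface address: every client's source address is rewritten to vio0's own address, the same many-to-one translation the IPv4 `nat-to (vio0)` rule above it performs, not a stateless 1:1 prefix mapping. Either reword the comment to say NAT66 to the gateway address, or, if prefix translation is really the intent, make the `nat-to` target an explicit public /64 with PF's `bitmask` pool option so the client's host bits are preserved. It is also worth confirming on the gateway that `(vio0)` expands to the global IPv6 address rather than the link-local one; `(vio0:0)` or the explicit public address removes that ambiguity.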
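Review bot: style point on the second hunk: a PF rule with no address-family keyword matches both IPv4 and IPv6, so the existing `pass in inet proto udp from any to any port 56709` and the new `pass in inet6 proto udp from any to any port 56709` could collapse into one `pass in proto udp from any to any port 56709`, leaving a single rule to keep in sync with the "(IPv4 and IPv6)" comment. Separately, neither rule names an interface, so UDP 56709 is accepted on every interface, not just vio0; the IPv4 rule already behaves this way, so if handshakes should only be accepted on the public interface, add `on vio0` to both rules.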
