authorPaul Buetow <paul@buetow.org>2026-01-11 21:21:50 +0200
committerPaul Buetow <paul@buetow.org>2026-01-11 21:21:50 +0200
commit27d65006f97b75d51b63ee3113dae4c812f11905 (patch)
tree1444614b0b42232160be693e004e3de2b616606b /frontends/Rexfile
parent0da2732ec248cb8373d24b6876cae5a6329a84a7 (diff)
Add WireGuard roaming client support and OpenBSD NAT configuration
- Add pf.conf template with WireGuard NAT rules for roaming clients (earth, pixel7pro) - Add Rex task to deploy pf.conf to both OpenBSD frontends (blowfish, fishfinger) - Document WireGuard roaming client implementation plan and limitations - NAT rules enable roaming clients to route all traffic through VPN gateways - Firewall rules allow incoming WireGuard connections on UDP port 56709 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'frontends/Rexfile')
-rw-r--r--frontends/Rexfile17
1 files changed, 17 insertions, 0 deletions
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 0d7bc4f..5194265 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -631,6 +631,22 @@ task 'ircbouncer',
service 'znc', ensure => 'started';
};
+desc 'Setup PF firewall with WireGuard NAT rules';
+task 'pf',
+ group => 'frontends',
+ sub {
+ # Deploy pf.conf with NAT rules for WireGuard VPN clients
+ file '/etc/pf.conf',
+ content => template('./etc/pf.conf.tpl'),
+ owner => 'root',
+ group => 'wheel',
+ mode => '600',
+ on_change => sub {
+ # Reload PF configuration
+ run 'pfctl -f /etc/pf.conf';
+ };
+ };
+
# COMBINED TASKS SECTION
desc 'Common configs of all hosts';
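Review bot: The new `pf` task overwrites `/etc/pf.conf` and reloads it without first parsing the rendered template, and the exit status of `run 'pfctl -f /etc/pf.conf'` in the `on_change` handler is not checked. If the template renders a ruleset that does not parse, the reload presumably fails while the broken file stays on disk for the next boot, and the task would still appear to succeed; because the second hunk adds `run_task 'pf'` to `commons`, that would reach both frontends in a single run. I would render to a staging path, validate it with `pfctl -n` (parse only, nothing is loaded) and abort before touching the live file, and also check `$?` after the reload. The staging file name in the sketch below is only a suggestion.

```perl
  sub {
    # Render to a staging path first so a broken template never replaces the live file
    file '/etc/pf.conf.new',
      content => template('./etc/pf.conf.tpl'),
      owner   => 'root',
      group   => 'wheel',
      mode    => '600';

    # pfctl -n parses the ruleset without loading it
    run 'pfctl -nf /etc/pf.conf.new';
    die 'rendered pf.conf failed validation, live ruleset left untouched' if $? != 0;

    # … unchanged: file '/etc/pf.conf' deployment with on_change reload …
```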
@@ -638,6 +654,7 @@ task 'commons',
group => 'frontends',
sub {
run_task 'base';
+ run_task 'pf';
run_task 'nsd';
run_task 'nsd_failover';
run_task 'uptimed';