authorPaul Buetow <paul@buetow.org>2026-01-11 21:21:50 +0200
committerPaul Buetow <paul@buetow.org>2026-01-11 21:21:50 +0200
commit27d65006f97b75d51b63ee3113dae4c812f11905 (patch)
tree1444614b0b42232160be693e004e3de2b616606b /frontends
parent0da2732ec248cb8373d24b6876cae5a6329a84a7 (diff)
Add WireGuard roaming client support and OpenBSD NAT configuration
- Add pf.conf template with WireGuard NAT rules for roaming clients (earth, pixel7pro) - Add Rex task to deploy pf.conf to both OpenBSD frontends (blowfish, fishfinger) - Document WireGuard roaming client implementation plan and limitations - NAT rules enable roaming clients to route all traffic through VPN gateways - Firewall rules allow incoming WireGuard connections on UDP port 56709 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'frontends')
-rw-r--r--frontends/Rexfile17
-rw-r--r--frontends/etc/pf.conf.tpl27
2 files changed, 44 insertions, 0 deletions
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 0d7bc4f..5194265 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -631,6 +631,22 @@ task 'ircbouncer',
service 'znc', ensure => 'started';
};
+desc 'Setup PF firewall with WireGuard NAT rules';
+task 'pf',
+ group => 'frontends',
+ sub {
+ # Deploy pf.conf with NAT rules for WireGuard VPN clients
+ file '/etc/pf.conf',
+ content => template('./etc/pf.conf.tpl'),
+ owner => 'root',
+ group => 'wheel',
+ mode => '600',
+ on_change => sub {
+ # Reload PF configuration
+ run 'pfctl -f /etc/pf.conf';
+ };
+ };
+
# COMBINED TASKS SECTION
desc 'Common configs of all hosts';
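Review bot: The `on_change` handler runs `pfctl -f /etc/pf.conf` without checking its result, so if the rendered file fails to parse the previously loaded ruleset silently stays active while the task reports success and `commons` continues with nsd and the rest. Validate before loading and fail loudly: `run 'pfctl -nf /etc/pf.conf'; die 'pf.conf failed to parse, old ruleset kept' unless $? == 0; run 'pfctl -f /etc/pf.conf';`. Whether `run` already dies on a non-zero exit depends on the Rexfile's `auto_die` setting, which is outside this hunk, so the explicit check is the safe choice either way. A one-line comment on the `run` line noting that `pfctl -f` keeps the old ruleset on parse failure would also help the next reader understand why the validation step matters.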
@@ -638,6 +654,7 @@ task 'commons',
group => 'frontends',
sub {
run_task 'base';
+ run_task 'pf';
run_task 'nsd';
run_task 'nsd_failover';
run_task 'uptimed';
diff --git a/frontends/etc/pf.conf.tpl b/frontends/etc/pf.conf.tpl
new file mode 100644
index 0000000..24c007e
--- /dev/null
+++ b/frontends/etc/pf.conf.tpl
@@ -0,0 +1,27 @@
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+# NAT for WireGuard clients to access internet
+# This allows roaming clients (earth, pixel7pro) to route all traffic
+# through the VPN and access the internet via the gateway's public IP
+match out on vio0 from 192.168.2.0/24 to any nat-to (vio0)
+
+set skip on lo
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# Allow inbound traffic on WireGuard interface
+# This permits traffic from VPN clients to access services on this host
+pass in on wg0
+
+# Allow all UDP traffic on WireGuard port
+# This is required for WireGuard's encrypted tunnel communication
+pass in inet proto udp from any to any port 56709
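Review bot: The `match out on vio0 from 192.168.2.0/24 to any nat-to (vio0)` rule masquerades any packet with a 192.168.2.0/24 source that leaves vio0, regardless of which interface it arrived on, so a spoofed 192.168.2.x source reaching vio0 would be forwarded and NATed behind the gateway's public address; bind it to the tunnel with `match out on vio0 received-on wg0 from 192.168.2.0/24 to any nat-to (vio0)` and add `antispoof quick for { vio0 wg0 }` after the `set skip on lo` line (assuming wg0 is addressed inside 192.168.2.0/24, which this diff does not show). Separately, the bare `pass` rule after `block return` already permits all traffic in and out statefully, so `pass in on wg0` and `pass in inet proto udp from any to any port 56709` change nothing as written — the ruleset is default-allow, which the comments "Allow inbound traffic on WireGuard interface" and "This is required for WireGuard's encrypted tunnel communication" obscure. Either document that these passes are placeholders for a later default-deny ruleset, or make the UDP rule meaningful and narrower now with `pass in on vio0 inet proto udp to (vio0) port 56709`. Forwarding between wg0 and vio0 also needs `net.inet.ip.forwarding=1` in sysctl.conf, which this commit does not set; it may be handled elsewhere, but a comment above the NAT rule stating that prerequisite would save the next deployer a debugging session.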