From cf2f8a9c77adde891a85c6e4ab405ede95e6ec97 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Thu, 15 Jan 2026 19:31:19 +0200
Subject: Add IPv6 NAT and firewall rules to OpenBSD PF configuration

Enable IPv6 support for WireGuard mesh network on OpenBSD gateways:
- Added NAT66 rule using NPTv6 to translate ULA addresses to public IPv6
- Added IPv6 UDP pass rule for WireGuard port 56709
- Maintains existing IPv4 NAT and firewall rules

This allows roaming clients to route IPv6 traffic through the VPN gateways and access IPv6 internet resources using the gateway's public IPv6 address.

Co-Authored-By: Claude Sonnet 4.5
---
 frontends/etc/pf.conf.tpl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/frontends/etc/pf.conf.tpl b/frontends/etc/pf.conf.tpl
index 24c007e..5a33653 100644
--- a/frontends/etc/pf.conf.tpl
+++ b/frontends/etc/pf.conf.tpl
@@ -2,11 +2,16 @@
 #
 # See pf.conf(5) and /etc/examples/pf.conf
 
-# NAT for WireGuard clients to access internet
+# NAT for WireGuard clients to access internet (IPv4)
 # This allows roaming clients (earth, pixel7pro) to route all traffic
 # through the VPN and access the internet via the gateway's public IP
 match out on vio0 from 192.168.2.0/24 to any nat-to (vio0)
 
+# NAT66 for WireGuard clients to access internet (IPv6)
+# This allows roaming clients to route IPv6 traffic through the VPN
+# Uses NPTv6 (Network Prefix Translation) to translate ULA to public IPv6
+match out on vio0 inet6 from fd42:beef:cafe:2::/64 to any nat-to (vio0)
+
 set skip on lo
 
 block return # block stateless traffic
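Review bot: The comment above the new `match out on vio0 inet6 from fd42:beef:cafe:2::/64 to any nat-to (vio0)` rule describes it as NPTv6, but `nat-to (vio0)` rewrites every ULA source to the interface's own address, which is a many-to-one NAT66 rather than the stateless 1:1 prefix translation that NPTv6 denotes; the commit message's "using the gateway's public IPv6 address" matches the rule, not the comment. Suggest replacing the NPTv6 line with `# NAT66: rewrite ULA sources to the gateway's public IPv6 address on vio0` so the next maintainer does not expect address-preserving translation or per-client reachability from the outside. If vio0 carries more than one global IPv6 address (temporary or alias addresses), `(vio0)` expands to all of them and the translation would be spread across that pool; `nat-to (vio0:0)` pins it to the primary address, which is worth confirming against the deployed hosts.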
@@ -22,6 +27,7 @@ block return out log proto {tcp udp} user _pbuild
 # This permits traffic from VPN clients to access services on this host
 pass in on wg0
 
-# Allow all UDP traffic on WireGuard port
+# Allow all UDP traffic on WireGuard port (IPv4 and IPv6)
 # This is required for WireGuard's encrypted tunnel communication
 pass in inet proto udp from any to any port 56709
+pass in inet6 proto udp from any to any port 56709
-- 
cgit v1.2.3
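Review bot: The new `pass in inet6 proto udp from any to any port 56709` is bound to neither an interface nor this host's own addresses, so on a forwarding gateway it also admits IPv6 UDP transiting toward port 56709 on any host behind it, not only the local WireGuard listener; it copies the scope of the IPv4 rule directly above it, so the same observation applies there. A tighter form is `pass in inet6 proto udp from any to self port 56709` (or `to (vio0) port 56709` if the tunnel endpoint is only ever reached on vio0), which keeps the tunnel working while closing the forwarded path. Since the updated comment already says "(IPv4 and IPv6)", a single address-family-neutral rule `pass in proto udp from any to self port 56709` would cover both families without the duplicated line.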