blob: 5a33653941041f5c01344080a9000f4192f65086 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
# NAT for WireGuard clients to access internet (IPv4)
# This allows roaming clients (earth, pixel7pro) to route all traffic
# through the VPN and access the internet via the gateway's public IP
match out on vio0 from 192.168.2.0/24 to any nat-to (vio0)
# NAT66 for WireGuard clients to access internet (IPv6)
# This allows roaming clients to route IPv6 traffic through the VPN
# Uses NPTv6 (Network Prefix Translation) to translate ULA to public IPv6
match out on vio0 inet6 from fd42:beef:cafe:2::/64 to any nat-to (vio0)
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# Allow inbound traffic on WireGuard interface
# This permits traffic from VPN clients to access services on this host
pass in on wg0
# Allow all UDP traffic on WireGuard port (IPv4 and IPv6)
# This is required for WireGuard's encrypted tunnel communication
pass in inet proto udp from any to any port 56709
pass in inet6 proto udp from any to any port 56709
|
