@cmabastar
Created July 22, 2020 08:08
Wireguard on FreeBSD with pf
# Client wg0.conf (wg-quick format). AllowedIPs 0.0.0.0/0, ::/0 sends all
# client traffic, DNS included, through the tunnel.
[Interface]
PrivateKey = ***********************
# Note: fc::/64 is 00fc::/64, which is not a ULA prefix (ULA is fc00::/7,
# e.g. fd00::/64). Kept as written; use an fd00::/8 prefix for a proper ULA.
Address = 192.168.10.2/32, fc::2/128
DNS = 1.1.1.1, 2606:4700:4700::1111
[Peer]
PublicKey = ***********************
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = endpoint.domain.tld:51820
# /etc/pf.conf
# Interfaces
# FreeBSD names NICs by driver (em0, igb0, vtnet0, ...); "eth0" is a Linux name, substitute yours.
ext_if = "eth0"
wireguard_if = "wg0"
# Wireguard Settings
wireguard_net_v4 = "192.168.10.0/24"
wireguard_net_v6 = "fc::0/64"
# Rules must be in order: options, normalization, queueing, translation, filtering
# Options
set skip on lo
# Translation
# NAT all traffic leaving the Wireguard network via the external interface.
# "to !$net" is used rather than "{ any, !$net }": a list expands to one rule per
# element, and the "any" element on its own already matches every destination.
# ($ext_if) in parentheses follows the interface address if it changes.
nat on $ext_if inet from $wireguard_net_v4 to !$wireguard_net_v4 -> ($ext_if)
nat on $ext_if inet6 from $wireguard_net_v6 to !$wireguard_net_v6 -> ($ext_if)
# Filtering
# These two rules pass everything, in both directions, on every interface: the
# ruleset only does NAT and is not a firewall. See pf.conf(5) for stateful default-deny.
pass inet all
pass inet6 all
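A default-deny variant of the ruleset above, added here as an example and not part of the gist. It keeps the gist's macro names and addresses, and assumes one extra macro, admin_net (203.0.113.0/24 is a documentation range standing in for wherever you administer the gateway from), and that the WireGuard listener is on UDP 51820 as in the server config. Tunnel clients get the uplink and nothing else: not each other, and not the gateway's own services except the one rule shown for SSH on the tunnel address.

```pf
# /etc/pf.conf, default-deny variant (example, not the gist's ruleset)
ext_if = "eth0"                  # substitute the real FreeBSD interface name (vtnet0, igb0, ...)
wireguard_if = "wg0"
wireguard_port = "51820"
wireguard_net_v4 = "192.168.10.0/24"
wireguard_net_v6 = "fc::0/64"    # kept as in the gist; fd00::/64 would be a proper ULA
admin_net = "203.0.113.0/24"     # assumption: source network allowed to SSH to the gateway

# Options
set skip on lo
set block-policy drop

# Normalization
scrub in all fragment reassemble

# Translation: masquerade tunnel clients leaving via the uplink.
# "to !$net" rather than "{ any, !$net }": a list expands into one rule per
# element, and the "any" element would match everything on its own.
nat on $ext_if inet  from $wireguard_net_v4 to !$wireguard_net_v4 -> ($ext_if)
nat on $ext_if inet6 from $wireguard_net_v6 to !$wireguard_net_v6 -> ($ext_if)

# Filtering: default deny, last matching rule wins unless "quick"
block log all

# Drop packets claiming a tunnel source address that did not arrive on wg0
antispoof log quick for $wireguard_if

# The gateway itself (and forwarded traffic) may leave on any interface.
# Forwarded flows get one state on wg0 in and a second, NATed one on $ext_if out.
pass out quick keep state

# What the uplink accepts: the WireGuard listener, a little ICMP, SSH from the admin net
pass in on $ext_if inet  proto udp from any to ($ext_if) port $wireguard_port keep state
pass in on $ext_if inet6 proto udp from any to ($ext_if) port $wireguard_port keep state
pass in on $ext_if inet  proto icmp icmp-type { echoreq, unreach } keep state
pass in on $ext_if inet6 proto icmp6 keep state   # ND and MLD need this; tighten by icmp6-type if desired
pass in on $ext_if inet  proto tcp from $admin_net to ($ext_if) port 22 flags S/SA keep state

# Tunnel clients may reach anything outside the tunnel range. Destinations inside
# it (other clients, the gateway's wg0 address) fall through to "block log all".
pass in on $wireguard_if inet  from $wireguard_net_v4 to !$wireguard_net_v4 keep state
pass in on $wireguard_if inet6 from $wireguard_net_v6 to !$wireguard_net_v6 keep state

# One gateway service re-added for tunnel clients: SSH on the tunnel address
pass in on $wireguard_if inet proto tcp from $wireguard_net_v4 to ($wireguard_if) port 22 flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sn` and `pfctl -sr` to see the expanded rules (this is also where the expansion of a `{ any, !$net }` list becomes visible), and `pfctl -s state` while a client is connected to confirm the pair of states per forwarded flow. Blocked packets are logged on pflog0 (`tcpdump -n -e -ttt -i pflog0`), which is the quickest way to find a service the default deny is now hiding from the clients.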
# Wireguard
# /etc/rc.conf
# Wireguard: rc script from the WireGuard port; brings up each listed interface from its wg0.conf
wireguard_enable="YES"
wireguard_interfaces="wg0"
# Networking
pf_enable="YES"
pflog_enable="YES"
# gateway_enable and ipv6_gateway_enable set net.inet.ip.forwarding and
# net.inet6.ip6.forwarding at boot; without them the gateway forwards nothing.
gateway_enable="YES"
ipv6_gateway_enable="YES"
# Server wg0.conf on the FreeBSD gateway. The /24 and /64 on Address give wg0
# the whole tunnel range; each peer's AllowedIPs pins the source addresses it may use.
[Interface]
PrivateKey = ***********************
Address = 192.168.10.1/24, fc::1/64
ListenPort = 51820
[Peer]
# Name = Client
PublicKey = ***********************
AllowedIPs = 192.168.10.2/32, fc::2/128
cmabastar commented Jul 22, 2020

Had a similar setup, but I needed the VPN client to access the other network via SSH or other machines in the network.

To do this, add in sysctl:

net.inet.ip.redirect=0
