From: Christopher Waldbach
To: FreeBSD Questions
Date: Wed, 06 Mar 2024 20:50:35 +0000
Subject: Setting up a Wireguard router (with FreeBSD)
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Message-ID: <00f7b360407633f787f061b4d15740b9@airmail.cc>

Good evening, guys and gals!

I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a VPN-gateway with Wireguard. Since I got fibre channel for my internet connection, I gained bandwidth but lost the public IPv4 address. So I can access my computer again from the net (and maybe run a service or two), I went to one of the 2⁶⁴ VPN providers and got a plan there - one that includes port-forwarding. :-)

I put FreeBSD on a smallish (128GB) SSD and it boots without a problem. I am running FreeBSD 14.

My problem probably isn't wireguard, but the routing concept of FreeBSD, which I do not seem to understand completely. Once I added gateway_enable="YES" to the rc.conf, the Pi passed on packets that came in from other computers on the same subnet to the internet. Meaning: If I set the Pi as the default route for another computer, said computer still has full access to the internet, mtr just shows an additional hop.

When I fire up the wg0 interface, everything seems fine at first. The Pi still has access to the web and mtr confirms that indeed the VPN-connection is being used (the hops are completely different). The routes seem to be set correctly. However, the computer that uses the Pi as its default route is now without access to the net. mtr on that machine shows exactly one hop: the Pi.

I would have expected that this should work like this - even without me using one of the firewalls of FreeBSD. I get that I will _have_ to use pf or something else once I want the port(s) to be forwarded and maybe this isn't very secure, but I was taking this step by step - checking if the routing works unfiltered and then I wanted to add the filters.

Am I making a mistake in my reasoning? I know that what I want to do requires NAT, but does NAT require a firewall? Do you have suggestions as to which firewall I should use?

Thanks for reading!

Best regards,
Chris
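An added example, not part of the original message, of the NAT and port-forwarding step with pf: on FreeBSD, NAT is performed by one of the packet-filter frameworks (pf, ipfw or ipfilter), so one of them is needed even before any filtering policy, and without it the LAN clients' private source addresses leave wg0 untranslated. Assumed placeholder values: LAN interface genet0, LAN prefix 192.168.1.0/24, forwarded TCP port 8080 to host 192.168.1.10; the tunnel is wg0 as in the message.

```pf
# /etc/pf.conf on the Pi (added example; names and addresses are assumed placeholders).
# Pair with gateway_enable="YES", pf_enable="YES" and pf_rules="/etc/pf.conf" in rc.conf.
ext_if   = "wg0"
lan_if   = "genet0"            # assumed: Pi 4 onboard Ethernet under FreeBSD
lan_net  = "192.168.1.0/24"    # assumed LAN prefix
fwd_host = "192.168.1.10"      # assumed host that should receive the forwarded port
fwd_port = "8080"              # assumed port the VPN provider forwards to the tunnel

set skip on lo0

# Translation must come before filter rules in FreeBSD's pf.
# NAT: rewrite LAN source addresses to the tunnel's own address on the way out.
# The VPN side cannot route replies to 192.168.1.x, which matches the one-hop mtr.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Port forward: connections the provider delivers to the tunnel address on fwd_port
# are redirected to fwd_host before filtering sees them.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $fwd_port -> $fwd_host port $fwd_port

# Filtering: nothing unsolicited from the tunnel except the forwarded service;
# LAN clients may use the gateway; pass rules keep state, so replies match the state entry.
block in on $ext_if
pass in on $ext_if inet proto tcp to $fwd_host port $fwd_port
pass in on $lan_if inet from $lan_net
pass out
```

Syntax-check with `pfctl -nf /etc/pf.conf` before enabling pf, then start it and have a LAN client browse. `pfctl -s nat` shows the translation rules and `pfctl -s state` shows the LAN client's flows rewritten to the wg0 address, which is the check that the NAT step, rather than the routing, was what was missing.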