Re: Setting up a Wireguard router (with FreeBSD)

From: Kurt Hackenberg <kh_at_panix.com>
Date: Thu, 07 Mar 2024 21:53:57 UTC

On Thu, Mar 07, 2024 at 05:36:28PM +0000, Christopher Waldbach wrote:

>This practice is so common in Germany and in other European countries, 
>that I assumed my (rather brief) reference would be enough to let 
>people know what I was going on about. I thought it was well known.
>
>In Germany just about all ISPs use this method - some better than 
>others. The only ISP who still gives out public IPv4 addresses (that I 
>know of) to consumers is Deutsche Telekom...

I see.  It's news to me.  I'm in the US, where home connections still 
get a single public IPv4 address (assigned through DHCP, so it could change).

>You are making it sound much more complicated than it is. :-)
>
>The CGN and everything my ISP does is completely transparent to me. It 
>works fine.

Good, but that doesn't mean it's not complicated, or that it works when 
you add more complication.  Also, I seem to remember that carrier-grade 
NAT sometimes includes more than one level of NAT.

I don't have any new ideas about the problem.  Debug, I guess, grind it 
out -- details of NATs and tunnels, and look around in the Pi, routing 
table and such.  Maybe compare its routing table with and without the 
VPN.  Look for log messages, do experiments.

A bug in FreeBSD's routing is not my first suspect.  Maybe something in 
Wireguard specifically...it's relatively new, and Lexi told us about 
that panic on arm64 under load...I guess you could try some other VPN code...