Wireguard Pre and Post Routing for OpenBSD


Wireguard Pre and Post Routing for OpenBSD

Larry Gadallah
Hi all:

Does anyone know how to accomplish the equivalent of the Linux:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

in the OpenBSD pf dialect? Does this trick even work for the
user-space Wireguard implementation?

Thank you,
--
Larry Gadallah, lgadallah AT gmail DOT com
PGP Sig: AE93 1785 6874 7111 48AD  63A6 2136 3651 981C F87B


Re: Wireguard Pre and Post Routing for OpenBSD

Claudio Jeker
On Mon, Feb 04, 2019 at 10:58:31PM -0800, Larry Gadallah wrote:

> Hi all:
>
> Does anyone know how to accomplish the equivalent of the Linux:
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> in the OpenBSD pf dialect? Does this trick even work for the
> user-space Wireguard implementation?
>

Not really knowing iptables I would think you want something like:

pass in on wg0
pass out on eth0 received-on wg0 nat-to (eth0)

Guess wg0 would be more like tun0 and eth0 could be egress so

pass in on tun0
pass out on egress received-on tun0 nat-to (egress)

--
:wq Claudio


Re: Wireguard Pre and Post Routing for OpenBSD

Tom Smyth
In reply to this post by Larry Gadallah
Hi Larry

From looking at your config it looks like when the WireGuard interface
comes up you want to allow forwarded traffic, and you want to masquerade
traffic leaving on eth0.

1) You don't really need to add and remove those rules as the WireGuard
tunnel comes up; I'd suggest just adding the firewall rules statically.

2) The firewall implementation in OpenBSD is pf (packet filter); the pf
config file is /etc/pf.conf.

3) To check pf.conf syntax after editing pf.conf, run the command
pfctl -nvvf /etc/pf.conf

4) To commit the pf configuration, drop the n from the command above, e.g.
pfctl -vvf /etc/pf.conf

5) To learn more about pf config, check out Peter Hansteen's pf tutorial and
his Book of PF, and man pf.conf for more details.

All the best

On Tue 5 Feb 2019, 07:04 Larry Gadallah <[hidden email] wrote:

> Hi all:
>
> Does anyone know how to accomplish the equivalent of the Linux:
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> in the OpenBSD pf dialect? Does this trick even work for the
> user-space Wireguard implementation?
>
> Thank you,
> --
> Larry Gadallah, lgadallah AT gmail DOT com
> PGP Sig: AE93 1785 6874 7111 48AD  63A6 2136 3651 981C F87B
>
>

Re: Wireguard Pre and Post Routing for OpenBSD

Peter Nicolai Mathias Hansteen
In reply to this post by Claudio Jeker
On Tue, Feb 05, 2019 at 08:20:20AM +0100, Claudio Jeker wrote:
> Not really knowing iptables I would think you want somthing like:
>
> pass in on wg0
> pass out on eth0 received-on wg0 nat-to (eth0)
>
> Guess wg0 would be more like tun0 and eth0 could be egress so
>
> pass in on tun0
> pass out on egress received-on tun0 nat-to (egress)

I was going to write much what Claudio said here but also (after looking
it up in  the iptables man page on a nearby system) it looks like your
application needs to insert and delete rules in a running rule set,
so you might consider inserting somewhere in the basic setup for your
application that you set up an anchor in the system's pf.conf where
it can do just that.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
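Putting Claudio's two rules and Peter's anchor suggestion together, here is an added example (not code from any of the posters) of how the iptables PostUp/PostDown pair maps onto OpenBSD. It assumes the tunnel shows up as tun0 (Claudio's guess for a userspace implementation), that the default route lives on the egress interface group, and an anchor named "wireguard"; the script's function names and its up/down/check/rules sub-commands are my own. One caveat the iptables rules hide: FORWARD only matters once IP forwarding is enabled, and OpenBSD ships with net.inet.ip.forwarding=0, so the hook turns it on.

```sh
#!/bin/sh
# Added example (not from the thread): pf equivalent of the Linux
# FORWARD/MASQUERADE rules, usable either as a static pf.conf fragment or
# as an anchor that a PostUp/PostDown hook loads and flushes at runtime.
# Interface names and the anchor name are assumptions.

WG_IF="${WG_IF:-tun0}"      # assumed: the tunnel device (wg0 on Linux)
OUT_IF="${OUT_IF:-egress}"  # assumed: interface group holding the default route
ANCHOR="wireguard"          # assumed anchor name

# The two rules Claudio suggested. "pass in on tun0" replaces the FORWARD
# accepts; "nat-to (egress)" is MASQUERADE with whatever address egress has.
static_rules() {
    cat <<EOF
pass in on $WG_IF
pass out on $OUT_IF received-on $WG_IF nat-to ($OUT_IF)
EOF
}

# For the dynamic variant, pf.conf needs exactly one line that tells pf
# where the runtime-loaded rules are evaluated.
anchor_decl() {
    printf 'anchor "%s"\n' "$ANCHOR"
}

# PostUp: enable forwarding (off by default on OpenBSD) and load the rules
# into the anchor without touching the main rule set.
post_up() {
    sysctl net.inet.ip.forwarding=1
    static_rules | pfctl -a "$ANCHOR" -f -
}

# PostDown: flush only the anchor, leaving /etc/pf.conf rules untouched.
post_down() {
    pfctl -a "$ANCHOR" -F rules
}

# Tom's syntax check: -n parses /etc/pf.conf without loading it.
check() {
    pfctl -nvvf /etc/pf.conf
}

case "${1:-}" in
    up)    post_up ;;
    down)  post_down ;;
    check) check ;;
    rules) static_rules ;;
    "")    ;;
    *)     echo "usage: $0 up|down|check|rules" >&2; exit 2 ;;
esac
```

For the static approach Tom recommends, paste the output of `rules` into /etc/pf.conf and run `check` before committing with `pfctl -f /etc/pf.conf`. For the dynamic approach, put the single `anchor "wireguard"` line in /etc/pf.conf once and call `up` and `down` from whatever brings the tunnel up and down; the main rule set is never reloaded.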


Re: Wireguard Pre and Post Routing for OpenBSD

Peter Nicolai Mathias Hansteen
In reply to this post by Tom Smyth
On Tue, Feb 05, 2019 at 07:40:30AM +0000, Tom Smyth wrote:
 
> From looking at your config it looks like when the WireGuard interface
> comes up you want to allow forwarded traffic, and you want to masquerade
> traffic leaving on eth0.
>
> 1) You don't really need to add and remove those rules as the WireGuard
> tunnel comes up; I'd suggest just adding the firewall rules statically.

I'm sort of clueless about the application, but I agree that it may not
be worth the bother to insert and remove rules dynamically in most cases.
If you really need to do that dance, ftp-proxy (shudder) is a prime example
of one that does.

> 5) to learn more about pf config check out Peter Hansteen's pf tutorial and
> his book of pf  and  man pf.conf for more details

Thanks for the recommendations :)

Direct links at the end

All the best,
Peter

PS: -

> > in the OpenBSD pf dialect?

I was going to ignore that but really: OpenBSD is the upstream for everyone
else for PF and lots of other stuff (see eg[1]), so if there are such things
as "dialect"s in play, they come from somewhere else.

[1] https://home.nuug.no/~peter/openbsd_and_you (My "OpenBSD and you"
    propaganda-ish presentation)

[2] https://home.nuug.no/~peter/pftutorial/ (The most recent version of the PF
    tutorial, slides refresh after each new session)

[3] https://nostarch.com/pf3 (The Book of PF, 3rd ed by yours truly)

[4] https://man.openbsd.org/pf.conf (The pf.conf(5) man page)

[5] https://man.openbsd.org/ftp-proxy (the ftp-proxy(8) man page, if you really
    need to)

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.