From: The Doctor
To: Christopher Waldbach
Cc: FreeBSD Questions
Date: Wed, 6 Mar 2024 15:16:35 -0700
Subject: Re: Setting up a Wireguard router (with FreeBSD)
In-Reply-To: <00f7b360407633f787f061b4d15740b9@airmail.cc>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Wed, Mar 06, 2024 at 08:50:35PM +0000, Christopher Waldbach wrote:
> Good evening, guys and gals!
>
> I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a
> VPN-gateway with Wireguard. Since I got fibre channel for my internet
> connection, I gained bandwidth but lost the public IPv4 address. So I can
> access my computer again from the net (and maybe run a service or two), I
> went to one of the 2?????? VPN providers and got a plan there - one that
> includes port-forwarding. :-)
>
> I put FreeBSD on a smallish (128GB) SSD and it boots without a problem. I am
> running FreeBSD 14.
>
> My problem probably isn't wireguard, but the routing concept of FreeBSD,
> which I do not seem to understand completely. Once I added
>
> gateway_enable="YES"
>
> to the rc.conf, the Pi passed on packets that came in from other computers
> on the same subnet to the internet. Meaning: If I set the Pi as the default
> route for another computer, said computer still has full access to the
> internet, mtr just shows an additional hop.
>
> When I fire up the wg0 interface, everything seems fine at first. The Pi
> still has access to the web and mtr confirms that indeed the VPN-connection
> is being used (the hops are completely different). The routes seem to be set
> correctly. However, the computer that uses the Pi as its default route is
> now without access to the net. mtr on that machine shows exactly one hop: the
> Pi.
>
> I would have expected that this should work like this - even without me
> using one of the firewalls of FreeBSD. I get that I will _have_ to use pf or
> something else once I want the port(s) to be forwarded and maybe this isn't
> very secure, but I was taking this step by step - checking if the routing
> works unfiltered and then I wanted to add the filters.
>
> Am I making a mistake in my reasoning? I know that what I want to do
> requires NAT, but does NAT require a firewall?
>
> Do you have suggestions as to which firewall I should use?
>
> Thanks for reading!
>
> Best regards,
> Chris
>

Are you using Berkeley Packet Filtering?

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country! Never Satan President Republic! Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
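As an added illustration, not taken from either message in the thread, the rc.conf and pf.conf pairing below is the shape of answer to the question above: with forwarding alone, the LAN host's private source address is left on packets that go out over wg0, so the provider's side has no route back to it, and on FreeBSD the NAT that rewrites that source to the tunnel address is done by a packet filter such as pf. The interface name genet0, the LAN subnet, the service host and the forwarded port are assumed placeholders, and wg0 is assumed to be brought up by the rc script from net/wireguard-tools.

```conf
# /etc/rc.conf additions (assumed: genet0 is the Pi 4 wired NIC with a static
# LAN address; wg0 is managed by the rc script from net/wireguard-tools)
gateway_enable="YES"
wireguard_enable="YES"
wireguard_interfaces="wg0"
pf_enable="YES"
pflog_enable="YES"

# /etc/pf.conf (assumed LAN 192.168.1.0/24; service host and port are placeholders)
lan_if   = "genet0"
vpn_if   = "wg0"
lan_net  = "192.168.1.0/24"
svc_host = "192.168.1.10"
svc_port = "8080"

set skip on lo0
scrub in all

# NAT: rewrite LAN source addresses to whatever address wg0 currently holds,
# so replies from the VPN side come back through the tunnel and are
# un-translated here from the state table.
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)

# Port forward from the tunnel-side address to the LAN service; this only
# carries traffic if the provider forwards the same port to the tunnel address.
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port $svc_port -> $svc_host

# Default deny inbound and log it; the gateway itself may talk out (the
# WireGuard handshake it initiates creates the state for the replies);
# the LAN may use the gateway.
block in log all
pass out quick keep state
pass in on $lan_if inet from $lan_net to any keep state

# Admit only the forwarded service from the tunnel side. Filtering sees the
# post-rdr destination, so the rule names the LAN host, not the tunnel address.
pass in on $vpn_if inet proto tcp from any to $svc_host port $svc_port flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before `service pf start`, and confirm `sysctl net.inet.ip.forwarding` reports 1; once a LAN host sends traffic, `pfctl -s state` lists each session with the translated tunnel-side address next to the private one.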