diff options
Diffstat (limited to 'content/posts/openbsd-wireguard-vpn-gateway/index.org')
| -rw-r--r-- | content/posts/openbsd-wireguard-vpn-gateway/index.org | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/content/posts/openbsd-wireguard-vpn-gateway/index.org b/content/posts/openbsd-wireguard-vpn-gateway/index.org new file mode 100644 index 0000000..3e064fb --- /dev/null +++ b/content/posts/openbsd-wireguard-vpn-gateway/index.org @@ -0,0 +1,86 @@ +#+TITLE: OpenBSD Wireguard VPN Gateway +#+DATE: 2023-12-29T16:35:36-05:00 +#+DRAFT: true +#+DESCRIPTION: +#+TAGS[]: openbsd wireguard vpn +#+KEYWORDS[]: openbsd wireguard vpn +#+SLUG: +#+SUMMARY: + +A couple of years ago I published a (link) blog post about creating an +OpenBSD VPN gateway using OpenVPN. + +I've recently switched from an OpenVPN-based VPN provider to one that +uses Wireguard. As a result I've had to redo my VPN gateway. + +One advantage this iteration has over my previous setup is that it no +longer requires third party software to be installed on the OpenBSD +router. Everything required comes as part of the base install. + +The purpose of the VPN gateway is to allow any device on the network +to send its traffic through a VPN without installing anything. Instead +of installing one profile per device, the client just sets the VPN +Gateway as its default route. + +Unlike the previous setup, in this version we're going to create a +separate routing table for the VPN. This lets us set the VPN as the +default route for the traffic we want to go through, while leaving the +rest of the system unaffected. It also lets us selectively send +traffic from the router through the VPN using the =route= command. + +#+begin_src +route -T <rtable> exec <program> +#+end_src + +Here's a diagram of what we're building. + +The first step in the process is getting the VPN profile from the VPN +provider. It should look something like the following. + +#+CAPTION: wireguard.conf +#+begin_src conf +[Interface] +PrivateKey = PRIVATEKEY +Address = XX.XX.XX.XX/32,YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY/128 +DNS = ZZ.ZZ.ZZ.ZZ + +[Peer] +PublicKey = PUBLICKEY +AllowedIPs = 0.0.0.0/0,::0/0 +Endpoint = ENDPOINT:51820 +#+end_src + +We then have to rewrite it into OpenBSD's =hostname.if(5)= format. + +#+begin_src conf +inet XX.XX.XX.XX/32 +inet6 YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY/128 +wgkey PRIVATEKEY +wgpeer PUBLICKEY wgaip 0.0.0.0/0 wgaip ::0/0 wgendpoint ENDPOINT 51820 +#+end_src + + + +#+begin_src conf +inet XX.XX.XX.XX/32 +inet6 YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY/128 +wgkey PRIVATEKEY +wgpeer PUBLICKEY wgaip 0.0.0.0/0 wgaip ::0/0 wgendpoint ENDPOINT 51820 + +!route -T 1 add -inet default XX.XX.XX.XX +!route -T 1 add -inet6 default YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY +#+end_src + +#+begin_src conf +ext_if = "vio0" +vpn_if = "wg0" + +pass in on $ext_if +pass in on $ext_if from $ext_if:network rtable 1 +pass out on $ext_if from self # ($ext_if) + +match out on $vpn_if from $ext_if:network to any nat-to $vpn_if +pass out on $vpn_if +#+end_src + +sysctl thing |