Diffstat (limited to 'content/posts/openbsd-wireguard-vpn-gateway')
-rw-r--r--content/posts/openbsd-wireguard-vpn-gateway/index.org33
1 files changed, 21 insertions, 12 deletions
diff --git a/content/posts/openbsd-wireguard-vpn-gateway/index.org b/content/posts/openbsd-wireguard-vpn-gateway/index.org
index db478f5..fe8f614 100644
--- a/content/posts/openbsd-wireguard-vpn-gateway/index.org
+++ b/content/posts/openbsd-wireguard-vpn-gateway/index.org
@@ -7,36 +7,42 @@
#+SLUG:
#+SUMMARY:
-A couple of years ago I published a (link) blog post about creating an
+A couple of years ago I published a [[{{<ref "/posts/openbsd-vpn-gateway" >}}][blog post]] about creating an
OpenBSD VPN gateway using OpenVPN.
I've recently switched from an OpenVPN-based VPN provider to one that
uses Wireguard. As a result I've had to redo my VPN gateway.
-One advantage this iteration has over my previous setup is that it no
+I'll only be highlighting the things I've changed since the last setup
+in this post, so please refer to the previous post for more details.
+
+One advantage this iteration has over the previous one is that it no
longer requires third party software to be installed on the OpenBSD
-router. Everything required comes as part of the base install.
+router. Everything required comes as part of the base system. We will
+also be taking advantage of routing tables to restrict what we send
+through the VPN.
The purpose of the VPN gateway is to allow any device on the network
to send its traffic through a VPN without installing anything. Instead
of installing one profile per device, the client just sets the VPN
Gateway as its default route.
+Here's a diagram of what we're building.
+
+[[file:diagram.png]]
+
Unlike the previous setup, in this version we're going to create a
-separate routing table for the VPN. This lets us set the VPN as the
-default route for the traffic we want to go through, while leaving the
-rest of the system unaffected. It also lets us selectively send
-traffic from the router through the VPN using the =route(8)= command.
+separate routing table for the VPN. This affords us a lot of
+flexibility, as we can be very explicit how we route our traffic. In
+this setup, only packets coming in one interface with a source
+address on the local network will be sent through, as opposed to all
+traffic leaving the router. We can also selectively send traffic from
+the router through the VPN using the =route(8)= command.
#+begin_src
route -T <rtable> exec <program>
#+end_src
-Here's a diagram of what we're building.
-
-[[file:diagram.png]]
-(diagram of the network configuration)
-
The first step in the process is getting the VPN profile from the VPN
provider. It should look something like the following.
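Review bot: the new paragraph ending "only packets coming in one interface with a source address on the local network will be sent through, as opposed to all traffic leaving the router" should state the two consequences a reader will care about: traffic originating on the router itself (and anything arriving with a non-local source address) stays in the default routing table and leaves the WAN unencrypted, and what happens to the matched LAN packets while the Wireguard tunnel is down, i.e. whether they are dropped or fall back to the normal route. Since this post explicitly defers details to the previous article, one sentence on the intended failure behaviour here would stop readers from assuming the separate routing table is a kill switch on its own. Minor: the =#+begin_src= block holding =route -T <rtable> exec <program>= has no language tag; =#+begin_src sh= would get it rendered as shell.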
@@ -147,3 +153,6 @@ net.inet.ip.forwarding=1
#+end_src
We can change the variable without rebooting with the command =sysctl net.inet.ip.forwarding=1=
+
+Now all traffic coming from the network through this router should be
+NAT-ed and sent over the VPN.
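Review bot: the closing sentence "Now all traffic coming from the network through this router should be NAT-ed and sent over the VPN" contradicts the earlier hunk, which says only packets arriving on one interface with a local-network source address go through the tunnel rather than all traffic leaving the router; reword it to match that scope, e.g. "traffic arriving on the LAN interface from local addresses". Replacing "should be" with a short verification step, so the reader can confirm the tunnel is actually carrying the traffic before relying on it, would also make a better ending than a hedge.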