From ffd59c77f763a2e26d8568c68df8a2878d682005 Mon Sep 17 00:00:00 2001 From: Dante Catalfamo Date: Sat, 30 Dec 2023 02:03:33 -0500 Subject: openbsd-wireguard-gateway: add references --- .../posts/openbsd-wireguard-vpn-gateway/index.org | 33 ++++++++++++++-------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/content/posts/openbsd-wireguard-vpn-gateway/index.org b/content/posts/openbsd-wireguard-vpn-gateway/index.org index db478f5..fe8f614 100644 --- a/content/posts/openbsd-wireguard-vpn-gateway/index.org +++ b/content/posts/openbsd-wireguard-vpn-gateway/index.org 
@@ -7,36 +7,42 @@ #+SLUG: #+SUMMARY: -A couple of years ago I published a (link) blog post about creating an +A couple of years ago I published a [[{{}}][blog post]] about creating an OpenBSD VPN gateway using OpenVPN. I've recently switched from an OpenVPN-based VPN provider to one that uses Wireguard. As a result I've had to redo my VPN gateway. -One advantage this iteration has over my previous setup is that it no +I'll only be highlighting the things I've changed since the last setup +in this post, so please refer to the previous post for more details. + +One advantage this iteration has over the previous one is that it no longer requires third party software to be installed on the OpenBSD -router. Everything required comes as part of the base install. +router. Everything required comes as part of the base system. We will +also be taking advantage of routing tables to restrict what we send +through the VPN. The purpose of the VPN gateway is to allow any device on the network to send its traffic through a VPN without installing anything. Instead of installing one profile per device, the client just sets the VPN Gateway as its default route. +Here's a diagram of what we're building. + +[[file:diagram.png]] + Unlike the previous setup, in this version we're going to create a -separate routing table for the VPN. This lets us set the VPN as the -default route for the traffic we want to go through, while leaving the -rest of the system unaffected. It also lets us selectively send -traffic from the router through the VPN using the =route(8)= command. +separate routing table for the VPN. This affords us a lot of +flexibility, as we can be very explicit how we route our traffic. In +this setup, only packets coming in one interface with a source +address on the local network will be sent through, as opposed to all +traffic leaving the router. We can also selectively send traffic from +the router through the VPN using the =route(8)= command. 
#+begin_src route -T exec #+end_src -Here's a diagram of what we're building. - -[[file:diagram.png]] -(diagram of the network configuration) - The first step in the process is getting the VPN profile from the VPN provider. It should look something like the following. @@ -147,3 +153,6 @@ net.inet.ip.forwarding=1 #+end_src We can change the variable without rebooting with the command =sysctl net.inet.ip.forwarding=1= + +Now all traffic coming from the network through this router should be +NAT-ed and sent over the VPN. -- cgit v1.2.3
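Review bot: In the first hunk the new link `[[{{}}][blog post]]` has an empty target: `{{}}` is a template placeholder, not a path or URL, so the "blog post" reference this commit is meant to add will render as a dead link (the old text at least said "(link)", which was visibly a TODO). Fill in the slug or URL of the previous OpenVPN gateway post before merging. Two smaller points in the same hunk: the `#+begin_src route -T exec #+end_src` block that follows the new paragraph is a bare template with no routing-table number and no command, so either give it a concrete form (`route -T <rtable> exec <command>`, e.g. `route -T 1 exec ping 10.0.0.1`) or drop the source block; and moving the diagram up removed its "(diagram of the network configuration)" caption, which is the only text a reader without the image gets, so consider keeping a caption on the relocated `[[file:diagram.png]]`.

Review bot: In the second hunk the added closing line "Now all traffic coming from the network through this router should be NAT-ed and sent over the VPN" is broader than what the first hunk promises: that paragraph says only packets arriving on one interface with a source address on the local network are sent through the VPN, "as opposed to all traffic leaving the router". Reword the summary to match, e.g. "Now traffic arriving on the LAN interface from local addresses should be NAT-ed and sent over the VPN", so a reader does not expect the router's own traffic to go through the tunnel as well. Also, the context line `=sysctl net.inet.ip.forwarding=1=` nests an `=` inside org verbatim markup, which can terminate the verbatim span early; wrapping it as `~sysctl net.inet.ip.forwarding=1~` or moving it into a source block avoids that.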