On 2023-08-14, SOUBHEEK NATH <soubheekn...@gmail.com> wrote:
> 2. Please have a look at the configuration I have implemented.
>
>      pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
>      block in on wg0 proto tcp from any to any port {22 80}
>      block in quick on bwfm0 proto tcp from any to any port {22 80}
>
>    This configuration is functioning well and your suggestions have
>    greatly assisted me in achieving it.
>
>    I would like to discuss my insights on this configuration and would
>    appreciate your feedback on it.
>
>    I. I use the word "quick" in the first line to prevent the "block"
>    rules in the second line from taking precedence over it.

That's one way to do it. Personally I don't like writing "quick" on all
these lines so I normally order them for "last match wins" rather than
"first match wins". This is mostly down to personal preference.

>    II. The second line effectively prevents any devices in the wireguard
>    network from accessing ports 22 and 80. However, because the 'quick'
>    command is used in the first line, the rule in the first line takes
>    precedence and allows access to ports 22 and 80 for the machine with
>    IP address 10.0.8.3.

This also blocks forwarded traffic from machines on wg0 (other than
10.0.8.3) to port 22/80 on the internet, not just to the machine running
PF. If this is what you want, that's ok, if not then you may want "self"
instead of "any".

> On Mon, Aug 14, 2023 at 7:35 AM lain. <l...@fair.moe> wrote:
>>
>> On 2023-08-13 12:17, Stuart Henderson wrote:
>> > >    
>> > > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
>> >
>> > what a mess of things from the base OS and unneeded third-party tools.
>> >
>> List of tools:
>> wireguard-tools (required), nano (vim would have been enough), and the
>> rest is everything OpenBSD ships with.

wireguard-tools is not required, everything you need for wg(4) is in
the base OS.

>> Oh the horror, that's far too much, the sky is falling!

After some OS upgrades, some packages (especially those interfacing
with the kernel for things like networking) will be broken until
packages are updated.
This is a problem if you rely on wg(4) to access the machine.

I suggest replacing use of wireguard-tools with the native configuration 
direct in hostname.wg0, see the wg(4) and ifconfig(8) manuals.

>> > > On Sun, Aug 13, 2023 at 7:04 AM lain. <l...@fair.moe> wrote:
>> > >>
>> > >> I failed to come up with reasons for using a preshared key, so I've let
>> > >> ChatGPT generate reasons for me:
>> >
>> > oh $deity please do not.
>> >
>> What matters is not who or what answered, what matters is the answer,
>> and the answer it provided is good, but I guess autists gonna autist.

chatgpt often makes the answer sound good but the answer is not
necessarily reliable, so still needs vetting by someone who understands
the area. better leave it to someone who understands in the first place.

if you want to quote something, there's a perfectly good explanation
in the wg(4) manual.

-- 
Please keep replies on the mailing list.
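For readers following the pf part of the thread, here is an added example (not a ruleset posted by anyone in this thread) of the same policy written the way the reply above suggests: ordered for "last match wins" with no "quick", and using "self" so that only traffic addressed to the PF host itself is filtered, while traffic forwarded from wg0 peers out to the internet is left to whatever other rules apply. The interface names (wg0, bwfm0) and the peer address 10.0.8.3 are taken from the thread; the ordering and comments are mine. Check it with `pfctl -nf /etc/pf.conf` before loading.

```conf
# pf.conf fragment, added example: last-match-wins ordering, no "quick".
# "self" = all addresses on this host; "any" would also match packets being
# forwarded through the host from wg0 peers to the internet.

# Default deny for ssh/http reaching this host from the wifi side.
block in on bwfm0 proto tcp from any to self port { 22 80 }

# Default deny for ssh/http reaching this host from any WireGuard peer.
block in on wg0 proto tcp from any to self port { 22 80 }

# Listed after the block rule: without "quick", the last matching rule wins,
# so this pass overrides the block above for the one permitted peer only.
pass in on wg0 proto tcp from 10.0.8.3 to self port { 22 80 }
```

With "quick" removed, rule position is what decides the outcome, so keep the pass rule for 10.0.8.3 below the wg0 block rule; swapping them silently re-blocks the peer.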
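For the suggestion to drop wireguard-tools in favour of the base-OS configuration, here is an added example of a /etc/hostname.wg0 written for the wg(4) and ifconfig(8) options; it is not a file from this thread or from any of its participants. The 10.0.8.0/24 tunnel network and the peer 10.0.8.3 follow the thread; the key strings, port and endpoint are placeholders to be replaced with your own values.

```conf
# /etc/hostname.wg0, added example. Lines are passed to ifconfig(8) by
# netstart(8). The file holds the private key, so keep it mode 0640 root:wheel.

# This host's private key (base64 from "openssl rand -base64 32"); placeholder.
wgkey PLACEHOLDER_PRIVATE_KEY_BASE64
# UDP port this host listens on; placeholder.
wgport 51820

# One peer per wgpeer line: the peer's public key, an optional preshared key
# (wgpsk, the extra symmetric secret discussed earlier in the thread),
# optional endpoint, and the addresses the peer may use inside the tunnel.
wgpeer PLACEHOLDER_PEER_PUBLIC_KEY_BASE64 \
    wgpsk PLACEHOLDER_PRESHARED_KEY_BASE64 \
    wgendpoint 192.0.2.10 51820 \
    wgaip 10.0.8.3/32

# Tunnel address of this host and bring the interface up.
inet 10.0.8.1 255.255.255.0
up
```

Apply with `sh /etc/netstart wg0` and confirm with `ifconfig wg0`, which lists the peers, their allowed IPs and the last handshake time. Because everything here lives in the base system, the tunnel comes back after an OS upgrade without waiting for packages to be rebuilt, which is the point made above.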