Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
Dear OpenBSD Mailing List Community,

I hope this email finds you well. I am writing to seek your expertise and guidance regarding a Wireguard VPN configuration and pf rules on my OpenBSD 7.3 system. I have successfully set up a Wireguard VPN using the provided interface configuration, and the VPN is operational as intended. However, I have encountered a challenge while attempting to implement pf rules to restrict access to SSH login and port number 80 based on specific IP addresses.

Below are the pf rule settings I have applied:

```
set skip on lo
block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port ssh
block return in quick on wg0 proto udp from ! 10.0.8.2 to wg0 port 80
block return in quick on bwfm0 proto tcp from ! 192.168.0.229 to bwfm0 port 80
block return out log proto {tcp udp} user _pbuild

pass in on egress proto tcp from any to any port 22

pass out on egress inet from (wg0:network) nat-to (bwfm0:0)
```

The objective of these rules is to restrict SSH login and access to port 80 exclusively for the machine with the IP address 192.168.0.229 when the OpenBSD system is connected to the bwfm0 network interface. While the rule for SSH login and IP address 192.168.0.229 is functioning as expected, I have encountered an issue with the rule pertaining to port 80 and IP address 10.0.8.2, which is allocated by Wireguard (wg0) during active Wireguard connections.

The problem arises when attempting to enforce the restriction on port 80 with IP address 10.0.8.2. Despite the pf rule in place, it seems that Wireguard is overriding the restriction. For instance, devices with assigned IP addresses such as 10.0.8.3 or 10.0.8.4, which are within the Wireguard network, can access both SSH login and port 80, contrary to the intended restriction.

I am providing the Wireguard configuration below for your reference:

```ini
[Interface]
ListenPort = 51820
PrivateKey = oPernzzF+Kl499z2TMU6wDdrDpnDN6/e630Q=

[Peer]
PublicKey = yyhY5Blx+PxCHu/wK7QgrXHQ34RmTi//zynVA=
AllowedIPs = 10.0.8.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = dQO6ACctkgepDtWxGrHuGFdvaO9qfrL4mmjA=
AllowedIPs = 10.0.8.3/32
PersistentKeepalive = 25
```

I would greatly appreciate your insights, suggestions, and expertise in resolving this issue. Your assistance will be invaluable in helping me achieve the desired access restrictions while maintaining the functionality of the Wireguard VPN.

Thank you for your time and consideration.

--
Soubheek Nath
Fifth Estate
Kolkata, India
soubheekn...@gmail.com
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
First off, unless you faked your private and public keys, please change them as soon as possible. You've just made yourself vulnerable to cyber attacks!

If I understand you correctly, you want to be able to SSH and HTTP only over WireGuard, right? In that case, on your WireGuard server:

```
# Block access to SSH and HTTP from everyone except for your WireGuard network
pass in quick on wg0 proto tcp from 10.0.8.0/24 to any port {22, 80}
block in quick on egress proto tcp from any to any port {22, 80}
```

From your specifications, it's not quite clear whether your network is accessible from the outside or not, whether you're using a dynamic IP or static IP, how your router is configured, and all else, because requirements change depending on these details.

If you're using a dynamic IP, and both your server and clients are within the same network, there's a good chance that this setup is unnecessary, given that using a WireGuard VPN makes sense if the server is remote and normally accessible from the outside, and you want to make it only accessible from the inside.

As for your WireGuard config, you might want to add the Address to your "[Interface]" block, like this for example:

```ini
Address = 10.0.8.1/24
```

Not necessarily required to get it working, but it would still add an extra layer of security if you generate a preshared key on each peer, then on both your server and peers:

```ini
[Peer]
...
PresharedKey = (output)
...
```

To generate the preshared key (only do this on your peers):

```bash
wg genpsk > preshared.key
```

On 2023-08-12 20:30, SOUBHEEK NATH wrote:
> Dear OpenBSD Mailing List Community,
>
> I hope this email finds you well. I am writing to seek your expertise
> and guidance regarding a Wireguard VPN configuration and pf rules on my
> OpenBSD 7.3 system. I have successfully set up a Wireguard VPN using
> the provided interface configuration, and the VPN is operational as
> intended.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
I failed to come up with reasons for using a preshared key, so I've let ChatGPT generate reasons for me:

Certainly! WireGuard's use of a preshared key (PSK) adds an additional layer of symmetric encryption to the standard asymmetric encryption. Here's a brief explanation of the advantage:

1. **Symmetric vs. Asymmetric Encryption**: WireGuard primarily uses asymmetric encryption, where each party has a pair of keys (public and private). Symmetric encryption, on the other hand, utilizes the same key for both encryption and decryption. By adding a PSK, WireGuard incorporates both types of encryption.

2. **Additional Security Layer**: The PSK is mixed into the encryption process along with the standard public and private keys. Even if an attacker could somehow compromise the asymmetric part (though practically very difficult), they would still need the PSK to decrypt the communication.

3. **Protection Against Quantum Attacks**: Though still theoretical at this point, quantum computers could eventually break the Diffie-Hellman key exchange used in many encryption protocols. By using a PSK, WireGuard adds protection against this potential future vulnerability.

4. **Simplicity**: WireGuard's design is intended to be simple and easy to implement. The use of a PSK aligns with this philosophy by providing a straightforward way to bolster security.

Here's an example of how you would generate and implement a preshared key in WireGuard:

Generate the PSK:

```bash
wg genpsk
```

You would then add the generated key to both the client and server configurations:

Server's `wg0.conf`:

```ini
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
PresharedKey = GENERATED_PRESHARED_KEY
AllowedIPs = CLIENT_IP/32
```

Client's `wg0.conf`:

```ini
[Peer]
PublicKey = SERVER_PUBLIC_KEY
PresharedKey = GENERATED_PRESHARED_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = SERVER_IP:PORT
```

In summary, adding a PSK provides an extra layer of security that complements the existing asymmetric encryption, protects against potential quantum attacks, and adheres to WireGuard's principles of simplicity and effectiveness.

On 2023-08-13 10:22, lain. wrote:
> First off, unless you faked your private and public keys, please change
> them as soon as possible.
> You've just made yourself vulnerable to cyber attacks!
>
> If I understand you correctly, you want to be able to SSH and HTTP only
> over WireGuard, right?
> In that case, on your WireGuard server:
>
> # Block access to SSH and HTTP from everyone except for your WireGuard network
> pass in quick on wg0 proto tcp from 10.0.8.0/24 to any port {22, 80}
> block in quick on egress proto tcp from any to any port {22, 80}
>
> From your specifications, it's not quite clear whether your network is
> accessible from the outside or not, whether you're using a dynamic IP or
> static IP, how your router is configured, and all else, because
> requirements change depending on these details.
> If you're using a dynamic IP, and both your server and clients are
> within the same network, there's a good chance that this setup is
> unnecessary, given that using a WireGuard VPN makes sense if the server
> is remote and normally accessible from the outside, and you want to make
> it only accessible from the inside.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
Hello Lain,

I appreciate your feedback and the time you took to provide it.

1. I set up OpenBSD 7.3 on a Raspberry Pi 4B with 4GB of RAM, which is running from a USB drive.
2. This is not a production environment; it is solely for educational purposes.
3. The router is currently using its default settings and three other devices are connected to it.
4. The wireless router is currently using its default settings to assign IP addresses to three other devices that are connected to it. You are correct: with this setup and pf rule, the wireguard VPN server is accessible from within the local area network. However, I believe that in the future, I can use the same setup and pf rule to remotely access the server's ports exclusively through the wireguard VPN from outside the network.
5. Your configuration is functioning correctly, allowing only devices within the wireguard network to access ports 22 and 80, while blocking access for others.
6. However, I cannot allow only one device with the IP address 10.0.8.4. All devices in the wireguard network are able to access ports 22 and 80. I have attempted to use the following pf rule:

```
set skip on lo
block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
pass in quick on wg0 proto tcp from 10.0.8.4 to any port {22, 80}
block in quick on egress proto tcp from any to any port {22, 80}
block return out log proto {tcp udp} user _pbuild

pass in on egress proto tcp from any to any port 22

pass out on egress inet from (wg0:network) nat-to (bwfm0:0)
```

   Based on my understanding of the OpenBSD PF-Packet filtering document (https://www.openbsd.org/faq/pf/filter.html), the intention of this pf rule is to allow only the IP address 10.0.8.4 to access ports 22 and 80. However, currently both machines with IP addresses 10.0.8.2 and 10.0.8.3 are able to access ports 22 and 80.
7. I have already falsified the private and public keys when submitting this question. I attempted to include 'Address = 10.0.8.1/32' in the wireguard [Interface] block earlier as you suggested, but encountered an error.

```
$ doas sh /etc/netstart wg0
Line unrecognized: `Address=10.0.8.1/24'
Configuration parsing error
```

   I've gone through this link while setting up wireguard: https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
   Despite its absence, wireguard is functioning properly.
8. I greatly appreciate your suggestion regarding the PreSharedKey in the wireguard configuration. It would be a valuable addition to my knowledge and will benefit me in the future.

Thanks again.

--
Soubheek Nath
Fifth Estate
Kolkata, India
soubheekn...@gmail.com

On Sun, Aug 13, 2023 at 7:04 AM lain. wrote:
>
> I failed to come up with reasons for using a preshared key, so I've let
> ChatGPT generate reasons for me:
>
> Certainly! WireGuard's use of a preshared key (PSK) adds an additional layer
> of symmetric encryption to the standard asymmetric encryption. Here's a brief
> explanation of the advantage:
>
> 1. **Symmetric vs. Asymmetric Encryption**: WireGuard primarily uses
> asymmetric encryption, where each party has a pair of keys (public and
> private). Symmetric encryption, on the other hand, utilizes the same key for
> both encryption and decryption. By adding a PSK, WireGuard incorporates both
> types of encryption.
>
> 2. **Additional Security Layer**: The PSK is mixed into the encryption
> process along with the standard public and private keys. Even if an attacker
> could somehow compromise the asymmetric part (though practically very
> difficult), they would still need the PSK to decrypt the communication.
>
> 3. **Protection Against Quantum Attacks**: Though still theoretical at this
> point, quantum computers could eventually break the Diffie-Hellman key
> exchange used in many encryption protocols.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
> Based on my understanding of the OpenBSD PF-Packet filtering document
> (https://www.openbsd.org/faq/pf/filter.html), the intention of this
> pf rule is to allow only the IP address 10.0.8.4 to access ports 22
> and 80. However, currently both machines with IP addresses 10.0.8.2
> and 10.0.8.3 are able to access ports 22 and 80.

Maybe try something like

```
set skip on lo
block log
match out on bwfm0 inet received-on wg0 nat-to (bwfm0)
pass out
pass in on wg0
block log in to (self)
pass proto tcp from 10.0.8.4 to port {22 80}
```

I recommend ignoring the pf faq and using https://man.openbsd.org/pf.conf instead.

> https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/

what a mess of things from the base OS and unneeded third-party tools.

> On Sun, Aug 13, 2023 at 7:04 AM lain. wrote:
>>
>> I failed to come up with reasons for using a preshared key, so I've let
>> ChatGPT generate reasons for me:

oh $deity please do not.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
6. In that case, simply change "10.0.8.0/24" to "10.0.8.4/32". For explanation's sake, ".0/24" means "everything connected to this network", whereas ".4/32" means "only this specific machine"; so do ".3/32", ".2/32", ".5/32", and so on.

7. If you've followed Vultr's post, you might consider changing the /etc/hostname.wg0 file to just this one-liner:

```
!/usr/local/bin/wg-quick up wg0
```

On 2023-08-13 16:57, SOUBHEEK NATH wrote:
> Hello Lain,
>
> I appreciate your feedback and the time you took to provide it.
>
> 1. I set up OpenBSD 7.3 on a Raspberry Pi 4B with 4GB of RAM, which is
>    running from a USB drive.
> 2. This is not a production environment, it is solely for educational
>    purposes.
> 3. The router is currently using its default settings and three other
>    devices are connected to it.
> 4. The wireless router is currently using its default settings to
>    assign IP addresses to three other devices that are connected to it.
>    You are correct, with this setup and pf rule, the wireguard VPN
>    server is accessible from within the local area network. However, I
>    believe that in the future, I can use the same setup and pf rule to
>    remotely access the server's ports exclusively through the wireguard
>    VPN from outside the network.
> 5. Your configuration is functioning correctly, allowing only devices
>    within the wireguard network to access ports 22 and 80, while
>    blocking access for others.
> 6. However, I cannot allow only one device with the IP address 10.0.8.4.
>    All devices in the wireguard network are able to access ports 22 and
>    80.
>    I have attempted to use the following pf rule:
>
>    set skip on lo
>
>    block return    # block stateless traffic
>    pass            # establish keep-state
>
>    # By default, do not permit remote connections to X11
>    block return in on !
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
On 2023-08-13 12:17, Stuart Henderson wrote:
> > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
>
> what a mess of things from the base OS and unneeded third-party tools.
>
List of tools:
wireguard-tools (required), nano (vim would have been enough), and the rest is everything OpenBSD ships with.
Oh the horror, that's far too much, the sky is falling!

> > On Sun, Aug 13, 2023 at 7:04 AM lain. wrote:
> >>
> >> I failed to come up with reasons for using a preshared key, so I've let
> >> ChatGPT generate reasons for me:
>
> oh $deity please do not.
>
What matters is not who or what answered, what matters is the answer, and the answer it provided is good, but I guess autists gonna autist.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
Hello,

The solution you both provided worked well.

1. I do not use nano! I use the vi editor for my tasks.
2. Please have a look at the configuration I have implemented.

```
pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
block in on wg0 proto tcp from any to any port {22 80}
block in quick on bwfm0 proto tcp from any to any port {22 80}
```

This configuration is functioning well and your suggestions have greatly assisted me in achieving it.

I would like to discuss my insights on this configuration and would appreciate your feedback on it.

I. I use the word "quick" in the first line to prevent the "block" rules in the second line from taking precedence over it.

II. The second line effectively prevents any devices in the wireguard network from accessing ports 22 and 80. However, because the 'quick' command is used in the first line, the rule in the first line takes precedence and allows access to ports 22 and 80 for the machine with IP address 10.0.8.3.

III. The third line is used to prevent any devices outside of the wireguard network from accessing ports 22 and 80.

I appreciate the time and effort you dedicated to this. Thank you so much.

--
Soubheek Nath
Fifth Estate
Kolkata, India
soubheekn...@gmail.com

On Mon, Aug 14, 2023 at 7:35 AM lain. wrote:
>
> On 2023-08-13 12:17, Stuart Henderson wrote:
> > > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
> >
> > what a mess of things from the base OS and unneeded third-party tools.
> >
> List of tools:
> wireguard-tools (required), nano (vim would have been enough), and the
> rest is everything OpenBSD ships with.
> Oh the horror, that's far too much, the sky is falling!
>
> > > On Sun, Aug 13, 2023 at 7:04 AM lain. wrote:
> > >>
> > >> I failed to come up with reasons for using a preshared key, so I've let
> > >> ChatGPT generate reasons for me:
> >
> > oh $deity please do not.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
On Mon, Aug 14, 2023 at 05:54:55PM +0530, SOUBHEEK NATH said:
> 2. Please have a look at the configuration I have implemented.
>
> pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> block in on wg0 proto tcp from any to any port {22 80}
> block in quick on bwfm0 proto tcp from any to any port {22 80}

[ snip ]

> I. I use the word "quick" in the first line to prevent the "block"
> rules in the second line from taking precedence over it.

In general I prefer in my pf ruleset to block first and then explicitly allow things through. I find this causes far fewer mistakes. The very first rule in my ruleset is:

``block log all label "Default block"''

I try to avoid ``quick'' rules unless there is a really good reason to use them. They can introduce some unintended side-effects if you aren't careful, and if you find yourself using many of them you probably should re-think your rules.

For example, directly after the default block I also block bogon IP addresses from my WAN interface, and I do it with quick so I don't accidentally unblock them later:

``block drop in quick log on egress inet from to any''

(I have a table populated with bogon addresses)

You may wish to review the PF handbook; the filter section seems a good place to start.
https://www.openbsd.org/faq/pf/filter.html

--
Please direct replies to the list.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
On 2023-08-14, SOUBHEEK NATH wrote:
> 2. Please have a look at the configuration I have implemented.
>
> pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> block in on wg0 proto tcp from any to any port {22 80}
> block in quick on bwfm0 proto tcp from any to any port {22 80}
>
> This configuration is functioning well and your suggestions have
> greatly assisted me in achieving it.
>
> I would like to discuss my insights on this configuration and would
> appreciate your feedback on it.
>
> I. I use the word "quick" in the first line to prevent the "block"
> rules in the second line from taking precedence over it.

That's one way to do it. Personally I don't like writing "quick" on all these lines so I normally order them for "last match wins" rather than "first match wins". This is mostly down to personal preference.

> II. The second line effectively prevents any devices in the wireguard
> network from accessing ports 22 and 80. However, because the 'quick'
> command is used in the first line, the rule in the first line takes
> precedence and allows access to ports 22 and 80 for the machine with
> IP address 10.0.8.3.

This also blocks forwarded traffic from machines on wg0 (other than 10.0.8.3) to port 22/80 on the internet, not just to the machine running PF. If this is what you want, that's ok; if not then you may want "self" instead of "any".

> On Mon, Aug 14, 2023 at 7:35 AM lain. wrote:
>>
>> On 2023-08-13 12:17, Stuart Henderson wrote:
>> > > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
>> >
>> > what a mess of things from the base OS and unneeded third-party tools.
>> >
>> List of tools:
>> wireguard-tools (required), nano (vim would have been enough), and the
>> rest is everything OpenBSD ships with.

wireguard-tools is not required, everything you need for wg(4) is in the base OS.

>> Oh the horror, that's far too much, the sky is falling!

After some OS upgrades, some packages (especially those interfacing with the kernel for things like networking) will be broken until packages are updated. This is a problem if you rely on wg(4) to access the machine.

I suggest replacing use of wireguard-tools with the native configuration direct in hostname.wg0, see the wg(4) and ifconfig(8) manuals.

>> > > On Sun, Aug 13, 2023 at 7:04 AM lain. wrote:
>> > >>
>> > >> I failed to come up with reasons for using a preshared key, so I've let
>> > >> ChatGPT generate reasons for me:
>> >
>> > oh $deity please do not.
>> >
>> What matters is not who or what answered, what matters is the answer,
>> and the answer it provided is good, but I guess autists gonna autist.

chatgpt often makes the answer sound good but the answer is not necessarily reliable, so still needs vetting by someone who understands the area. better leave it to someone who understands in the first place.

if you want to quote something, there's a perfectly good explanation in the wg(4) manual.

--
Please keep replies on the mailing list.
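The two orderings discussed in this thread, "first match wins via quick" and "last match wins", can be checked against the posted rulesets without an OpenBSD box. The following is an added toy evaluator (not pf itself, and not code from anyone in the thread): it models only the subset of pf.conf these rulesets use, assumes 192.168.0.10 and 10.0.8.1 as the OpenBSD box's own addresses, uses the constructed Internet host 203.0.113.10 for forwarded traffic, and takes the final ruleset to sit after the "block return" / "pass" base of the earlier one.

```python
"""Toy model of pf rule evaluation (an added illustration, not pf's own code).
pf walks the ruleset top to bottom and the LAST matching rule decides, unless
a matching rule carries 'quick', which ends the walk at once."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addresses of the OpenBSD box on bwfm0 and wg0 (pf's "self"), and a
# constructed Internet host (TEST-NET-3) for forwarded traffic.
SELF = {"192.168.0.10", "10.0.8.1"}
REMOTE_WEB = "203.0.113.10"

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str = None        # "in", "out" or None for both
    quick: bool = False
    iface: str = None            # interface name or None for any
    proto: str = None            # "tcp", "udp" or None for any
    src: str = "any"             # "any", CIDR, or "!CIDR"
    dst: str = "any"             # "any", "self", or CIDR
    ports: tuple = ()            # () means any destination port

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return addr in SELF
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("!"), strict=False)
    return (ip_address(addr) in net) != negate

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction in (None, p.direction)
            and r.iface in (None, p.iface)
            and r.proto in (None, p.proto)
            and addr_match(r.src, p.src)
            and addr_match(r.dst, p.dst)
            and (not r.ports or p.dport in r.ports))

def evaluate(rules, p: Packet) -> str:
    verdict = "pass"             # pf's default when nothing matches
    for r in rules:
        if matches(r, p):
            verdict = r.action
            if r.quick:
                break            # 'quick': this match is final
    return verdict               # otherwise the last match won

# The original post's port-80 rules after its 'block return' / 'pass' base.
# The wg0 rule names 'proto udp', so a TCP connection to port 80 never
# matches it and the catch-all 'pass' decides.
ORIGINAL = [
    Rule("block"), Rule("pass"),
    Rule("block", "in", True, "wg0", "udp", "!10.0.8.2", "self", (80,)),
    Rule("block", "in", True, "bwfm0", "tcp", "!192.168.0.229", "self", (80,)),
]
# The final ruleset from the thread: first match wins via 'quick'.
FINAL = [
    Rule("block"), Rule("pass"),
    Rule("pass", "in", True, "wg0", "tcp", "10.0.8.3/32", "any", (22, 80)),
    Rule("block", "in", False, "wg0", "tcp", "any", "any", (22, 80)),
    Rule("block", "in", True, "bwfm0", "tcp", "any", "any", (22, 80)),
]
# Stuart Henderson's suggestion: last match wins, no 'quick'. The
# 'match ... nat-to' line is not a filter decision and is left out.
SUGGESTED = [
    Rule("block"),
    Rule("pass", "out"),
    Rule("pass", "in", False, "wg0"),
    Rule("block", "in", False, None, None, "any", "self"),
    Rule("pass", None, False, None, "tcp", "10.0.8.4", "any", (22, 80)),
]

# Packets as pf sees them inbound on the receiving interface; forwarded
# traffic is only checked on its way in on wg0 here.
CASES = {
    "wg .3 -> ssh":  Packet("in", "wg0", "tcp", "10.0.8.3", "10.0.8.1", 22),
    "wg .4 -> ssh":  Packet("in", "wg0", "tcp", "10.0.8.4", "10.0.8.1", 22),
    "wg .3 -> http": Packet("in", "wg0", "tcp", "10.0.8.3", "10.0.8.1", 80),
    "lan .229 -> ssh": Packet("in", "bwfm0", "tcp", "192.168.0.229", "192.168.0.10", 22),
    "wg .2 -> internet http": Packet("in", "wg0", "tcp", "10.0.8.2", REMOTE_WEB, 80),
}

def verdicts(rules) -> dict:
    """Verdict of one ruleset for every scenario in CASES."""
    return {name: evaluate(rules, p) for name, p in CASES.items()}

if __name__ == "__main__":
    for n, r in (("original", ORIGINAL), ("final", FINAL), ("suggested", SUGGESTED)):
        print(n, verdicts(r))
```

The last scenario is the "self" versus "any" point: the final ruleset blocks a non-whitelisted peer's forwarded port-80 traffic, while the suggested one, which only blocks "to (self)", lets it through to be NATed.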
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
Hi,

I appreciate the valuable advice you provided about pf rules in OpenBSD. I am currently away on a trip, but once I return, I will thoroughly test those rules and provide you with feedback.

On Wed, Aug 16, 2023 at 3:50 PM Stuart Henderson wrote:
>
> On 2023-08-14, SOUBHEEK NATH wrote:
> > 2. Please have a look at the configuration I have implemented.
> >
> > pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> > block in on wg0 proto tcp from any to any port {22 80}
> > block in quick on bwfm0 proto tcp from any to any port {22 80}
> >
> > This configuration is functioning well and your suggestions have
> > greatly assisted me in achieving it.
> >
> > I would like to discuss my insights on this configuration and would
> > appreciate your feedback on it.
> >
> > I. I use the word "quick" in the first line to prevent the "block"
> > rules in the second line from taking precedence over it.
>
> That's one way to do it. Personally I don't like writing "quick" on all
> these lines so I normally order them for "last match wins" rather than
> "first match wins". This is mostly down to personal preference.
>
> > II. The second line effectively prevents any devices in the wireguard
> > network from accessing ports 22 and 80. However, because the 'quick'
> > command is used in the first line, the rule in the first line takes
> > precedence and allows access to ports 22 and 80 for the machine with
> > IP address 10.0.8.3.
>
> This also blocks forwarded traffic from machines on wg0 (other than
> 10.0.8.3) to port 22/80 on the internet, not just to the machine running
> PF. If this is what you want, that's ok, if not then you may want "self"
> instead of "any".
>
> > On Mon, Aug 14, 2023 at 7:35 AM lain. wrote:
> >>
> >> On 2023-08-13 12:17, Stuart Henderson wrote:
> >> > > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
> >> >
> >> > what a mess of things from the base OS and unneeded third-party tools.
Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3
(Sorry, I just realized I replied to just your email address, replying again to the mailing list this time.)

On 2023-08-16 10:05, Stuart Henderson wrote:
> wireguard-tools is not required, everything you need for wg(4) is in
> the base OS.

Oh, I didn't know that. In that case, valid point.

> After some OS upgrades, some packages (especially those interfacing
> with the kernel for things like networking) will be broken until
> packages are updated.
> This is a problem if you rely on wg(4) to access the machine.

Not sure how frequent this is, but this only happened for me once on a ThinkPad T43, and it was just a matter of running pkg_add -ui both before and after an OS upgrade.

> chatgpt often makes the answer sound good but the answer is not
> necessarily reliable, so still needs vetting by someone who understands
> the area. better leave it to someone who understands in the first place.

Yes, but in my case it was more about how to phrase it, not a matter of "what the fuck am I even talking about". I understood why, I just didn't know how to explain it in a way that sounds reasonable. I still stand by that the answer itself is more important than the person (or thing) answering. I would have expected the OpenBSD userbase to be much more merit-based rather than leftist-leaning as seen in most other BSDs and Linux distros nowadays.

--
lain.