On 2021-01-05, Peter Fraser <[email protected]> wrote:
> I did get it to work, but it took a lot of tries caused by my confusion.
> I hope this message speeds up others who try to configure wireguard.
> I was trying to connect a Windows 10 computer to an OpenBSD computer.
> The problem was the OpenBSD computer was a 20 minute drive away,
> and I didn't want to lock myself and others out if I made a mistake.
> Which I did once and had to make the drive.
>
> 1) ifconfig wg0 debug           is not useful
> 2) ifconfig wg0 -debug          is not documented; admittedly it is easy
> to guess its existence, but the other - options are documented

It is documented, though only in ifconfig(8) not wg(4). It might be
worth adding this to wg(4) and saying where the debug messages will
appear.

> 3) The IP address given to wg0 on the server has to be available to the outside
> world to allow establishing connections.
>     This can be done by giving it an external IP address or using a rdr-to in
> PF.
> 4) The IP address of the client interface is what will appear as the source
> address of the client, independent of whatever NATing goes on.

Can you expand on this - appear where as the source address?
Are you skipping PF processing (which includes NAT) somewhere, e.g. "set skip on
wg"?

> 5) You can't use the same wgpeer for multiple clients; each one has to be
> unique.
> 6) The wgpeer and wgaip have to be set together; you cannot set them separately.

The WIREGUARD section in ifconfig(8) is really required reading when
configuring wg(4). I think this covers both of these cases; it has:

   wgpeer publickey
           Select the peer to perform the subsequent operations on.  This
           creates a peer with the associated 32-byte, base64-encoded publickey
           if it does not yet exist.  This option can be specified multiple
           times in a single command.
...
   The following options configure peers for the interface.  Each interface can
   have multiple peers.  In order to add a peer, a wgpeer option must be
   specified, followed by its configuration options.
...
   wgaip allowed-ip/prefix
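As an added example that is not part of this thread, the POSIX sh helper below turns a "publickey allowed-ip [allowed-ip ...]" list into the wgpeer/wgaip lines for /etc/hostname.wg0 and rejects the two mistakes points 5 and 6 describe (a repeated wgpeer key, or a wgpeer with no wgaip). The helper and the keys in it are made up for illustration; it is not an OpenBSD tool.

```shell
#!/bin/sh
# Hypothetical helper (not part of OpenBSD): generate wg(4) peer lines for
# /etc/hostname.wg0 while enforcing the constraints discussed in the thread.

# Returns 0 if $1 looks like a 32-byte, base64-encoded WireGuard key:
# 44 characters, only base64 characters, ending in a single '='.
wg_key_ok() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in *=) ;; *) return 1 ;; esac
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9+/=')" ]
}

# Reads "pubkey aip [aip ...]" lines on stdin and writes one
# "wgpeer KEY wgaip AIP [wgaip AIP ...]" line per peer on stdout.
# Fails (exit 1, message on stderr) on a malformed key, a key listed
# for more than one peer, or a peer without any allowed-ip.
wg_peer_lines() {
    seen=""
    while read -r key aips; do
        [ -z "$key" ] && continue
        wg_key_ok "$key" || { echo "malformed key: $key" >&2; return 1; }
        case " $seen " in
            *" $key "*) echo "duplicate wgpeer: $key" >&2; return 1 ;;
        esac
        seen="$seen $key"
        [ -n "$aips" ] || { echo "wgpeer $key has no wgaip" >&2; return 1; }
        line="wgpeer $key"
        for aip in $aips; do
            line="$line wgaip $aip"
        done
        printf '%s\n' "$line"
    done
}

# Constructed demo input with a made-up key; real keys come from each peer.
demo_key='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
printf '%s 10.0.0.2/32\n' "$demo_key" | wg_peer_lines
```

The generated lines go after the wgkey/wgport line and before the inet line in hostname.wg0; when debugging on the remote box, remember that ifconfig wg0 debug is turned off again with ifconfig wg0 -debug.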