The basic question is per the subject line; I'm filling in the details here.
I have WireGuard working, with each peer having IPv4 and IPv6 addresses,
and all of them are able to ping each other and also reach the WAN through
the central peer.
The central peer is a Vultr VPS and has an IPv6 /64 prefix.
What I want to do:
- give each peer their own global IPv6 /128 address
- use case:
anyone on those peers can host their own simple services,
e.g. Nextcloud, Syncthing, rubywarden, etc.
So currently my solution is to do a binat to each WireGuard peer
by using pf binat-to.
Given that one of the best uses of IPv6 is to remove NAT, I'd like to
know how to do this without using binat-to.
I'm attaching my pf and WireGuard configuration files:
/etc/pf.conf -
##########
open_tcp="{ 80, 443 }"
flood_tcp="{ 6942, 42069 }" # 6942 is the ssh port
open_udp="{ 161 }" # 161 is the wireguard listen port
# stop bruteforce attackers that try to hug of death
table <bruteforce> persist
table <pfbadhost> persist file "/etc/pf-badhost.txt"
# options for pf performance
set loginterface egress
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on {lo, wg0}
block in quick on egress from <bruteforce>
block out quick on egress from <bruteforce>
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>
block drop
pass in on wg0
pass proto icmp
pass proto icmp6
pass in on egress proto tcp from any to any port $flood_tcp \
flags S/SA keep state \
(max-src-conn-rate 1/3, \
overload <bruteforce> flush global)
pass in on egress proto tcp from any to any port $open_tcp
pass in on egress proto udp from any to any port $open_udp
pass out
pass out on egress inet from wg0:network to any nat-to vio0
# nat to wireguard peers
anchor "wireguard/nat"
load anchor "wireguard" from "/etc/pf.conf.anchor.wireguard"
pf.conf.anchor.wireguard -
##########
anchor "nat" {
pass on egress inet6 from fc00::6942:1 to any binat-to 2001:19f0:5:5cd5::1
pass on egress inet6 from fc00::6942:2 to any binat-to 2001:19f0:5:5cd5::2
}
/etc/hostname.wg0 -
##########
inet alias 10.7.0.17 255.255.255.0 10.7.0.255
inet6 alias fc00::6942:17 112
# hub address on the tunnel, taken from the same /64 that vio0 already holds
inet6 alias 2001:19f0:5:5cd5::4269 64
mtu 1420
up
!route -n add -inet6 fc00::6942:1/128 -iface fc00::6942:17
!route -n add -inet6 fc00::6942:2/128 -iface fc00::6942:17
/etc/hostname.vio0 -
##########
dhcp
inet6 autoconf -autoconfprivacy -soii
inet6 alias 2001:19f0:5:5cd5::17 64
inet6 alias 2001:19f0:5:5cd5::1 64
inet6 alias 2001:19f0:5:5cd5::2 64
/etc/wireguard/bsdac-wg-central.conf (central peer file) -
##########
[Interface]
PrivateKey = <hidden>
# Address is a wg-quick key and is rejected by wg setconf; the addresses come from hostname.wg0
#Address = 10.7.0.17/24,fc00::6942:17/112
ListenPort = 161
[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIPs = 10.7.0.1/32,fc00::6942:1/128
[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIPs = 10.7.0.2/32,fc00::6942:2/128
/etc/wireguard/bsdac-wg-peer.conf -
##########
[Interface]
PrivateKey = <hidden>
Address = 10.7.0.1/32,fc00::6942:1/128
ListenPort = 161
[Peer]
# WireGuard server public key
PublicKey = <hidden>
PresharedKey = <hidden>
Endpoint = <hidden>
AllowedIPs = 10.7.0.0/24,fc00::6942:0/112
PersistentKeepalive = 25
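One layout that drops binat-to entirely, written here as an added example and not taken from the post above: hand each peer its /128 straight out of the Vultr /64, route those /128s to wg0, switch on IPv6 forwarding, and let vio0 answer neighbor solicitations for the peer addresses with NDP proxy entries. The proxy step is needed because the aliases on vio0 in the posted config show the /64 is delivered on-link rather than routed to the VPS, so the upstream gateway has to be told that the peer addresses sit behind the VPS's MAC. Addresses and interface names are the ones from the post; the `ndp -s ... proxy` form and the `$if` expansion in hostname.if are assumptions to verify on your release, for instance with `tcpdump -ni vio0 icmp6` to confirm the VPS answers solicitations for ::1 and ::2 before relying on it.

```conf
# --- /etc/sysctl.conf ---
# The hub forwards between vio0 and wg0 instead of translating.
net.inet6.ip6.forwarding=1

# --- /etc/hostname.vio0 ---
# Only the hub's own global address lives here; the per-peer aliases are gone,
# otherwise the kernel treats the peer addresses as local and never forwards.
dhcp
inet6 autoconf -autoconfprivacy -soii
inet6 alias 2001:19f0:5:5cd5::17 64
# Proxy NDP: answer solicitations for each peer address with vio0's own MAC
# so the (on-link, not routed) /64 gateway sends that traffic to the VPS.
!ndp -s 2001:19f0:5:5cd5::1 $(ifconfig $if | awk '/lladdr/ {print $2}') proxy
!ndp -s 2001:19f0:5:5cd5::2 $(ifconfig $if | awk '/lladdr/ {print $2}') proxy

# --- /etc/hostname.wg0 ---
inet 10.7.0.17 255.255.255.0 10.7.0.255
# Hub tunnel address as a /128 so wg0 does not claim a second /64 route.
inet6 2001:19f0:5:5cd5::4269 128
mtu 1420
up
# Host routes to each peer over the tunnel (wg setconf adds no routes); these
# /128s are more specific than the connected /64 on vio0, so they win.
!route -n add -inet6 2001:19f0:5:5cd5::1/128 -iface 2001:19f0:5:5cd5::4269
!route -n add -inet6 2001:19f0:5:5cd5::2/128 -iface 2001:19f0:5:5cd5::4269

# --- /etc/pf.conf (replaces the "wireguard/nat" anchor and its binat rules) ---
wg_peers6="{ 2001:19f0:5:5cd5::1, 2001:19f0:5:5cd5::2 }"
# Forwarded traffic: only the published ports reach a peer from outside,
# and anything a peer originates may leave. icmp6 is already passed above,
# which the neighbor discovery for the proxied addresses depends on.
pass in on egress inet6 proto tcp to $wg_peers6 port $open_tcp
pass out on egress inet6 from $wg_peers6 to any

# --- central peer config, one [Peer] per client (loaded with wg setconf) ---
[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIPs = 10.7.0.1/32, 2001:19f0:5:5cd5::1/128

# --- client peer config ---
[Interface]
PrivateKey = <hidden>
Address = 10.7.0.1/32, 2001:19f0:5:5cd5::1/128
[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
Endpoint = <hidden>
# ::/0 so replies to Internet clients go back through the tunnel; the client
# needs a matching default IPv6 route over its wg interface (wg-quick adds it).
AllowedIPs = 10.7.0.0/24, ::/0
PersistentKeepalive = 25
```

The test that matters is end to end: from outside, `ping6 2001:19f0:5:5cd5::1` should produce a neighbor solicitation on vio0 that the VPS answers, then an echo request leaving on wg0, and `pfctl -ss` on the hub should show a forwarded state rather than a binat one.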