Re: WireGuard, Windows mobile laptop and pf.conf?

2020-12-29 Thread Stuart Henderson
On 2020-12-29, Thomas Bohl  wrote:
> Hi,
>
>>     wgport 53
>> Unbound is configured to only listen on the loopback interface, so that 
>> shouldn't be interfering...
>
> But it does
> https://www.mail-archive.com/misc@openbsd.org/msg175837.html
>
>

Right.

You'll also find that some networks redirect all UDP port 53 traffic to
some specific nameserver (they are wrong to do so, but that doesn't stop
them) so 53 often won't work as well as some other ports.


On 2020-12-28, Steve Williams  wrote:
> My hostname.wg0:
>
> wgkey 
> wgport 53
> wgpeer  wgpka 25 wgaip 192.168.126.2/32
> inet 192.168.126.1/24
> up
>
> I haven't put "wgendpoint" in the OpenBSD config file as I don't know 
> what the remote IP address is.  I assumed that "the local interface" 
> would update after receiving a correctly authenticated packet from my 
> Windows 10 laptop...

That is correct.

> In my Windows WireGuard client:
>
> [Interface]
> PrivateKey = 
> Address = 192.168.126.2/24
>
> [Peer]
> PublicKey = 
> AllowedIPs = 0.0.0.0/1
> Endpoint = :53

AllowedIPs is wrong. You have configured wg(4) to use IPs in 192.168.126.0/24
which is not covered by 0.0.0.0/1:

$ ipcalc 0.0.0.1/1
address   : 0.0.0.1 
netmask   : 128.0.0.0   (0x8000)
network   : 0.0.0.0 /1
broadcast : 127.255.255.255 
host min  : 0.0.0.1 
host max  : 127.255.255.254 
hosts/net : 2147483646

> Since I don't want to filter any of the Wireguard traffic, at the top of 
> the pf.conf, I have:
> set skip on wg0

You might not want to _filter_ it, but for some configurations you may
find it necessary to set max-mss in pf.conf and you can't do that if it's
skipped either. This won't stop it connecting but experience has shown
it's easy to forget about "set skip" if you try to add PF rules later.
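As an added illustration of the AllowedIPs point above (this is example code, not from the thread), the script below checks that each side's tunnel address is covered by the other side's cryptokey routing table and shows what 0.0.0.0/1 leaves outside the tunnel; the SERVER and CLIENT dicts are constructed from the two configs quoted in the thread, with keys and the endpoint left out.

```python
import ipaddress
# Constructed from the two configs quoted in this thread; keys/endpoint omitted.
SERVER = {  # OpenBSD hostname.wg0
    "address": "192.168.126.1/24",        # inet 192.168.126.1/24
    "allowed_ips": ["192.168.126.2/32"],  # wgaip 192.168.126.2/32
}
CLIENT = {  # Windows WireGuard client
    "address": "192.168.126.2/24",        # Address = 192.168.126.2/24
    "allowed_ips": ["0.0.0.0/1"],         # AllowedIPs = 0.0.0.0/1
}

def covered(addr, allowed):
    """True if the host part of addr lies inside any prefix in allowed.
    AllowedIPs (wgaip on OpenBSD) is WireGuard's cryptokey routing table:
    it selects the peer for outbound packets and drops inbound packets
    whose source is outside it, so the peer's tunnel address must be in it."""
    ip = ipaddress.ip_interface(addr).ip
    return any(ip in ipaddress.ip_network(p, strict=False) for p in allowed)

def check_pair(server, client):
    """Return a list of problems; an empty list means both directions route."""
    problems = []
    if not covered(client["address"], server["allowed_ips"]):
        problems.append("server wgaip does not cover client " + client["address"])
    if not covered(server["address"], client["allowed_ips"]):
        problems.append("client AllowedIPs does not cover server " + server["address"])
    return problems

def uncovered_ipv4(allowed):
    """IPv4 prefixes that a set of AllowedIPs leaves outside the tunnel."""
    rest = [ipaddress.ip_network("0.0.0.0/0")]
    for p in allowed:
        net = ipaddress.ip_network(p, strict=False)
        if net.version != 4:
            continue
        nxt = []
        for r in rest:
            if net.subnet_of(r):          # carve the prefix out of r
                nxt.extend(r.address_exclude(net))
            elif not r.subnet_of(net):    # disjoint: r stays uncovered
                nxt.append(r)
        rest = nxt
    return [str(n) for n in ipaddress.collapse_addresses(rest)]

if __name__ == "__main__":
    for problem in check_pair(SERVER, CLIENT):
        print("problem:", problem)
    print("outside 0.0.0.0/1:", uncovered_ipv4(CLIENT["allowed_ips"]))
    print("outside full tunnel:", uncovered_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
```

With the thread's configs it reports that the client's AllowedIPs does not cover 192.168.126.1, while 0.0.0.0/0 or the pair 0.0.0.0/1 plus 128.0.0.0/1 (or simply 192.168.126.0/24 for a split tunnel) does.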




[OT] Re: WireGuard, Windows mobile laptop and pf.conf?

2020-12-29 Thread Marcus MERIGHI
Hello!

hamdi201...@gmail.com (Andreas X), 2020.12.29 (Tue) 13:53 (CET):
> > I happened to come across this blog today that may help
> > you clarify some of your questions:
> >
> > https://ozgur.kazancci.com/secure-fast-vpn-server-wireguard-setup-on-openbsd-and-configure-windows-10-clients-to-connect-through-it/
> >
> > I hope it helps. I am planning to set up one myself in the near future.
> > Please keep us posted how yours turns out.
> >
> > Hakan Duran
>
> Hi Hakan, thank you for this!
> It works nicely, and has helped me a lot!

I recently got it to work, too, after some fiddling, with this client:

https://download.wireguard.com/windows-client/wireguard-installer.exe

But... this requires admin rights under Windows. Not for the
installation, which would be natural, but for connecting, too.

There's talk about workarounds:

https://www.reddit.com/r/WireGuard/comments/frizel/solution_managing_wireguard_on_windows_as_a/

Which are... ugly?

So, my question is: do you have a non-admin way to connect or are you
just taking the risk?

Sorry for the non-OpenBSD talk here, we should take this elsewhere;
better reply privately, thanks!

Marcus



Re: WireGuard, Windows mobile laptop and pf.conf?

2020-12-29 Thread Andreas X
> I happened to come across this blog today that may help
> you clarify some of your questions:
>
> https://ozgur.kazancci.com/secure-fast-vpn-server-wireguard-setup-on-openbsd-and-configure-windows-10-clients-to-connect-through-it/
>
> I hope it helps. I am planning to set up one myself in the near future.
> Please keep us posted how yours turns out.
>
> Hakan Duran

Hi Hakan, thank you for this!
It works nicely, and has helped me a lot!


Re: WireGuard, Windows mobile laptop and pf.conf?

2020-12-28 Thread Thomas Bohl

Hi,

>     wgport 53
> Unbound is configured to only listen on the loopback interface, so that
> shouldn't be interfering...

But it does
https://www.mail-archive.com/misc@openbsd.org/msg175837.html



Re: WireGuard, Windows mobile laptop and pf.conf?

2020-12-28 Thread Hakan E. Duran
Hi Steve,

On 20/12/28 04:14PM, Steve Williams wrote:
> ...
>
> I am not sure where my issue is...

I am going to cut to the chase here since I am no wireguard or OpenBSD
expert; however, I happened to come across this blog today that may help
you clarify some of your questions:

https://ozgur.kazancci.com/secure-fast-vpn-server-wireguard-setup-on-openbsd-and-configure-windows-10-clients-to-connect-through-it/

I hope it helps. I am planning to set up one myself in the near future.
Please keep us posted how yours turns out.

Hakan Duran



WireGuard, Windows mobile laptop and pf.conf?

2020-12-28 Thread Steve Williams

Hi,

I am not sure where my issue is...

As I understand, WireGuard is strictly UDP.

I am working on a road warrior setup, where one end of the tunnel is my 
OpenBSD server with a static public IP address and the other end will be 
Windows 7/10 laptops with random public IP addresses.


My hostname.wg0:

   wgkey 
   wgport 53
   wgpeer  wgpka 25 wgaip 192.168.126.2/32
   inet 192.168.126.1/24
   up

I haven't put "wgendpoint" in the OpenBSD config file as I don't know 
what the remote IP address is.  I assumed that "the local interface" 
would update after receiving a correctly authenticated packet from my 
Windows 10 laptop...but perhaps the issue?


from ifconfig(8):

   wgendpoint ip port
       Set the IP address and port to send the encapsulated packets to. If the
       peer changes address, the local interface will update the address after
       receiving a correctly authenticated packet. The IP address can be either
       IPv4 or IPv6, and the port is a regular 16-bit UDP port.



In my Windows WireGuard client:

   [Interface]
   PrivateKey = 
   Address = 192.168.126.2/24

   [Peer]
   PublicKey = 
   AllowedIPs = 0.0.0.0/1
   Endpoint = :53



Since I don't want to filter any of the Wireguard traffic, at the top of 
the pf.conf, I have:

set skip on wg0

Then I am allowing incoming traffic to port 53.
# Wireguard running on DNS port
pass in on egress inet proto udp from any to (egress) port { domain }


When I initiate a connection from my road warrior setup (Windows 7, 
WireGuard client which has the IP / Port configured of my OpenBSD 
server), it is just continually retrying.
2020-12-28 12:22:54.401: [TUN] [OpenBSD] peer(IQsw…D4W8) - Handshake did 
not complete after 5 seconds, retrying (try 2)


On my OpenBSD box, I can tcpdump -i em0 (egress, public IP address) and 
see the packets getting to the OpenBSD box from the Windows laptop...


However, when I do a tcpdump -i wg0, there is no traffic at all.

Unbound is configured to only listen on the loopback interface, so that 
shouldn't be interfering...


(/var/unbound/etc/unbound.conf)
server:
    interface: 127.0.0.1
    interface: ::1


Hum... now that I am thinking about it...how does it all work?

   1.  A packet leaves wg0 interface with 192.168.126.1 ip address
   2.  The packet is routed to the default gateway (egress)
   3.  The packet hits the Internet and is dropped as a non-routable IP
   address

or...
Does the packet get routed out my external interface, whereby the NAT 
rule would apply?

match out on egress inet from !(egress:network) to any nat-to (egress:0)

I'm just a little bit lost on how to configure pf for this all.

Thanks,
Steve W.