wireguard remote access VPN using FreeBSD

I’m not one for following Linux kernel news, but recently I saw a press release about WireGuard being included in the 5.6 kernel. If something network-related merits inclusion in the kernel, it is worth a look. There are plenty of site-to-site configuration examples for Linux, so this post covers creating a remote access VPN setup using FreeBSD 12.1.

# pkg search wireguard
wireguard-1.0.20200319_2       Fast, modern and secure VPN Tunnel
# sudo pkg install wireguard-1.0.20200319_2

The first step is to create the key pair that identifies this endpoint to its peers and from which the per-session encryption keys are derived. The private key must never leave the server.

# cd /usr/local/etc/wireguard
# wg genkey | tee privatekey | wg pubkey > publickey
# chmod 600 privatekey

Now create a config file. (Note that you have to paste the contents of the private and public key files into it, as WireGuard currently does not support referencing keys by file path. Since the file then contains the private key, keep it readable by root only, as done for privatekey above.)

# /usr/local/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.199.254/24
PrivateKey = <server_private_key>
ListenPort = 51845

[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 192.168.199.2/32

As we want the FreeBSD server to route and forward our VPN clients' packets, we need to enable two features: packet forwarding and NAT. Packet forwarding is enabled by modifying /etc/rc.conf:

# sysrc gateway_enable="YES"

To perform NAT we need to configure a firewall, and doing so gives us the opportunity to harden the server in the process. For the purpose of this post we want to:

  • permit all outbound traffic from our server
  • NAT traffic sourced from the wireguard subnet
  • permit inbound SSH
  • permit connections to our wireguard listening port.

FreeBSD offers two firewall options; for the purpose of this post I have opted to use pf.

# sysrc pf_enable="YES"
# sysrc pflog_enable="YES"
# sysrc pf_rules="/etc/pf.conf"

Our ruleset (/etc/pf.conf):

wireguard_clients="192.168.199.0/24"
wanint="em0"
wg_ports="{51845}"

set skip on lo0

nat on $wanint inet from $wireguard_clients to any -> $wanint

pass in on $wanint proto udp from any to $wanint port $wg_ports
pass in on $wanint proto tcp from any to $wanint port 22 keep state

pass out quick
pass in on wg0 from any to any

# service pf start
# service pflog start
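As an added check (example code written for this post's reader, not part of the original post or of WireGuard or pf), the script below parses a wg0.conf in the format shown above together with the macro definitions from the pf ruleset, and flags the mistakes that most often leave a remote-access tunnel broken or over-permissive: placeholder keys left in the config, a ListenPort that the wg_ports macro does not open, a NAT source range that does not cover the tunnel subnet, and peer AllowedIPs entries that are wider than one host, fall outside the subnet, or overlap another peer. The macro names and the sample file contents are taken from this post; the all-zero EXAMPLE_KEY is a constructed value used only to exercise the key-format check.

```python
import base64
import ipaddress
import re

# Constructed copies of the two files from the post; the keys are the post's placeholders.
SERVER_CONF = """\
[Interface]
Address = 192.168.199.254/24
PrivateKey = <server_private_key>
ListenPort = 51845

[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 192.168.199.2/32
"""

PF_MACROS = """\
wireguard_clients="192.168.199.0/24"
wanint="em0"
wg_ports="{51845}"
"""

# A syntactically valid but meaningless all-zero key, constructed only to exercise the checks.
EXAMPLE_KEY = base64.b64encode(bytes(32)).decode()


def parse_wg_conf(text):
    """Parse the INI-like wg0.conf into an [Interface] dict and a list of [Peer] dicts."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = iface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            # split on the first '=' only: base64 keys may end with '=' padding
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return iface, peers


def is_wg_key(value):
    """A WireGuard key is 32 bytes of Curve25519 material, base64-encoded to 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def parse_pf_macros(text):
    """Collect name="value" macro definitions from a pf.conf."""
    return dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))


def audit_configs(server_conf, pf_conf):
    """Cross-check wg0.conf against the pf macros; return a list of findings (empty means consistent)."""
    iface, peers = parse_wg_conf(server_conf)
    macros = parse_pf_macros(pf_conf)
    findings = []

    if not is_wg_key(iface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key (placeholder still present?)")

    port = int(iface.get("ListenPort", 0))
    allowed_ports = {int(p) for p in re.findall(r"\d+", macros.get("wg_ports", ""))}
    if port not in allowed_ports:
        findings.append(f"pf: wg_ports {sorted(allowed_ports)} does not include ListenPort {port}")

    subnet = ipaddress.ip_interface(iface["Address"]).network
    nat_src = macros.get("wireguard_clients")
    if nat_src is None or not subnet.subnet_of(ipaddress.ip_network(nat_src)):
        findings.append(f"pf: wireguard_clients {nat_src} does not cover the tunnel subnet {subnet}")

    seen = []  # (peer index, network) pairs already assigned, for overlap detection
    for idx, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {idx}: PublicKey is not a 32-byte base64 key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip())
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"Peer {idx}: AllowedIPs {net} is wider than a single host")
            if not net.subnet_of(subnet):
                findings.append(f"Peer {idx}: AllowedIPs {net} lies outside {subnet}")
            for other_idx, other in seen:
                if net.overlaps(other):
                    findings.append(f"Peer {idx}: AllowedIPs {net} overlaps peer {other_idx} ({other})")
            seen.append((idx, net))
    return findings


if __name__ == "__main__":
    for finding in audit_configs(SERVER_CONF, PF_MACROS) or ["configs are consistent"]:
        print(finding)
```

Run against the files exactly as printed in this post, the only findings are the two placeholder keys; once real keys are pasted in, the script is silent. The per-host AllowedIPs check is deliberate for a remote-access server: on the server side AllowedIPs is the route and source filter for that peer, so a wide entry would let one client claim traffic for the whole subnet.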
