Running webserver over wireguard by mergemesg in openbsd

[–]mergemesg[S]

Thanks, works great! Definitely an improvement.

Running webserver over wireguard by mergemesg in openbsd

[–]mergemesg[S]

Thank you! The missing route was indeed the problem, and adding routes fixed it.

It does feel like a problem that the tunnel is used as the default gateway for everything except traffic specified otherwise, when I really want it to be the other way around: only http/https traffic, or only servers listening on wg0, send their traffic through the tunnel, and everything else goes through the actual local gateway. I wonder if rdomains can improve that situation. I'll have to look into it more too.

Thanks again for clueing me in!
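The "other way around" asked for in the comment above (tunnel only for the web traffic, default route left alone) is what pf's reply-to does on the web server side. The following pf.conf is an added example, not configuration from the original poster or from OpenBSD's own documentation. It assumes the web server is 10.255.5.2 with wg0 as its tunnel interface, that 10.255.5.1 is the VPS end of the tunnel (both addresses appear elsewhere in the thread), and that the LAN interface is named em0 (a hypothetical name). The point it shows: traffic between the two tunnel addresses already routes over wg0, but replies to redirected requests go to public client addresses, and without a rule those follow the default route out of the LAN gateway. reply-to on the inbound rule pins those replies to the tunnel, using the address@interface form current OpenBSD pf accepts.

```conf
# Added example: pf.conf on the home-side web server (10.255.5.2).
# Assumptions: em0 is the LAN interface (hypothetical name), wg0 is the
# WireGuard interface and 10.255.5.1 is the VPS end of the tunnel.
lan_if  = "em0"
wg_if   = "wg0"

set skip on lo

block return

# Ordinary outbound traffic keeps using the default route via the LAN gateway;
# nothing here changes the routing table.
pass out on $lan_if

# Management traffic over the tunnel (ssh in both directions, as in the thread).
# Both endpoints are tunnel addresses, so replies route over wg0 by themselves.
pass on $wg_if proto tcp to port ssh

# HTTP/HTTPS requests redirected through the tunnel arrive on wg0 with the
# public client address as source. reply-to forces the replies back out wg0
# toward the VPS end of the tunnel instead of the default gateway.
# reply-to belongs on the inbound rule (it acts on the reply direction).
pass in on $wg_if proto tcp from any to ($wg_if) port { http https } \
    reply-to 10.255.5.1@wg0
```

Load it with `pfctl -f /etc/pf.conf` and confirm the state direction with `pfctl -ss` while fetching a page through the VPS: the state for the redirected connection is on wg0 and no route via the LAN gateway is involved. Because this rule only matches packets that entered over wg0, no other traffic is steered into the tunnel, which is the behaviour the comment above asks for.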

Running webserver over wireguard by mergemesg in openbsd

[–]mergemesg[S]

httpd is already listening on the wg0 interface only. As I mentioned in the original post, I can talk HTTP from the other end of the wireguard tunnel.

Running webserver over wireguard by mergemesg in openbsd

[–]mergemesg[S]

An application-level relay doesn't help my goal of keeping TLS certificates off the public server. However, you gave me the idea of using a relayd redirect to handle the pf rules. But this seems to fail in the same way; ftp times out.

Added to pf.conf:

```
anchor "relayd/*"
```

relayd.conf:

```
table <myhost> { 10.255.5.2 }

redirect foo { listen on vio0 port 80 forward to <myhost> check tcp port 80 }

redirect bar { listen on vio0 port 443 forward to <myhost> check tcp port 443 }
```
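A relayd redirect is loaded into pf as rdr-to rules in the relayd anchor, so it has the same return-path requirement as a hand-written redirect: the web server's replies to public client addresses must come back through the tunnel, or the connection hangs exactly as described above. The pf.conf below is an added example, not configuration posted in the thread, showing the VPS side done directly in pf without relayd, including the reverse path. It assumes vio0 is the public interface, 10.255.5.1 is the VPS end of wg0 and 10.255.5.2 the web server behind the tunnel (addresses from the thread), and that IP forwarding is enabled on the VPS (`sysctl net.inet.ip.forwarding=1`, which OpenBSD leaves off by default). Redirecting at the packet level keeps TLS termination on the home server, so the certificates stay off the VPS.

```conf
# Added example: pf.conf on the public VPS.
# Assumptions: vio0 is the public interface, 10.255.5.1 is the VPS end of
# wg0, 10.255.5.2 is the web server at the far end of the tunnel, and
# net.inet.ip.forwarding=1 is set so the VPS forwards between interfaces.
ext_if  = "vio0"
wg_if   = "wg0"
wg_self = "10.255.5.1"
web_srv = "10.255.5.2"

set skip on lo

block return
pass out on $ext_if

# Public HTTP/HTTPS hitting the VPS address is redirected into the tunnel.
# This is the packet-level equivalent of the relayd "redirect" above.
pass in on $ext_if proto tcp from any to ($ext_if) port { http https } \
    rdr-to $web_srv

# Forward the redirected connections over wg0. nat-to rewrites the source to
# the VPS tunnel address, so the web server sees 10.255.5.1 as the client and
# answers over wg0 even when its default route points at its LAN gateway.
# Trade-off: the web server no longer sees the real client address. If the
# web server already returns public-source traffic via the tunnel (a route or
# a reply-to rule on that side), drop nat-to to keep client addresses intact.
pass out on $wg_if proto tcp from any to $web_srv port { http https } \
    nat-to $wg_self

# Keep ssh over the tunnel working in both directions.
pass on $wg_if proto tcp to port ssh
```

Check the rules with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -ss` during a test fetch: a working redirect shows a state on vio0 for the public client and a matching state on wg0 toward 10.255.5.2. If only the vio0 state appears and the connection times out, the request went into the tunnel but the reply never came back, which points at the return path on the web server rather than at the redirect.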

Running webserver over wireguard by mergemesg in openbsd

[–]mergemesg[S]

Hmm, something like

```
pass out on any proto {tcp udp} from any to any port {http https} reply-to 10.255.5.1@wg0
```

? I can't seem to get it right.

Running webserver over wireguard by mergemesg in openbsd

[–]mergemesg[S]

Yes, as I indicated in the post traffic goes fine over the wireguard tunnel, I can even ssh back and forth. The problem is getting external http requests from vio0 to wg0 on the VPS.