Jail as a Wireguard Gateway for local network

[notanumba]

Hi,

i am trying to setup a VPN gateway for my local LAN. I don`t want to connect from WAN to my network, i want to use the VPN-Tunnel in the Jail as gateway for my local devices, that don`t have a VPN option. The used Jail release version is 13.1-RELEASE-p5, VNET, BPF, allow_tun are enabled.

So for my understanding i need to setup a working WG tunnel in my Jail (already done!) and have to route the traffic through my jail`s IP from local network nat-ed to the WG IP. And for the routing i have use ipfw rules. A "kill-switch" if no VPN tunnel is active should be configured, too.

I tried several days now and i am stuck.

So i setup a jail similar to https://cdn.truenas.com/community/resources/how-to-setup-a-wireguard-vpn-server-in-a-jail.147/.

• WG in the jail works so far:
  
• In the jail I can ping the 10.5.0.2 internal WG interface an the 10.5.0.1 of the WG VPN provider server
• A traceroute in the jail shows me, that the jail uses the wg tunnel.
• I can ping the jail from my local network 192.168.8.48.

My Jail`s /etc/sysctl.conf:

# $FreeBSD$
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

My Jail`s rc.conf:

cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"
ifconfig_epair0b="SYNCDHCP"
wireguard_interfaces="wg0"
wireguard_enable="YES"

gateway_enable="YES"
ipv6_gateway_enable="YES"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
firewall_enable="YES"
firewall_type="/usr/local/etc/ipf.rules"

My /usr/local/etc/ipf.rules (afaik they get never applied):

ipfw -q add 02000 allow IP from 192.168.8.0/24 to 10.5.0.0/32 keep-state
ipfw -q add 04000 allow IP from 127.0.0.1 to any keep-state
ipfw -q add 05000 allow IP from 10.5.0.0/32 to any keep-state
ipfw -q add 05002 allow IP from any to 10.5.0.0/8 keep-state

Jail`s "ipfw show" gives:

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 1 56 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any icmp6types 1
01000 0 0 allow ipv6-icmp from any to any icmp6types 2,135,136
65535 1773 477241 allow ip from any to any

Any help is appreciated, thank you!

 

[notanumba]

In jail: sysctl net.inet.ip.forwarding gives:

net.inet.ip.forwarding: 1

My corrected /usr/local/etc/ipf.rules (now they get applied):

-f flush
add 00001 allow all from any to any via lo0
add 00010 allow all from any to any via wg0
add 00101 allow all from 192.168.8.0/24 to 10.5.0.2/32 keep-state
add 00102 allow all from 10.5.0.2/32 to 192.168.8.0/24 keep-state
add 00105 allow all from 10.5.0.2/32 to 185.219.140.15 keep-state
add 00110 deny all from any to any

 

[notanumba]

ok, i guess my rules file ist now ok, but what am i missing ? How do i route all IP traffic through wg0 ? Any ideas ?

root@cryptgate:~ # ipfw list
00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00101 allow ip from 192.168.8.48 to 192.168.8.0/24 keep-state :default
00101 allow ip from 192.168.8.0/24 to 192.168.8.48 keep-state :default
00101 allow ip from 192.168.8.0 to 10.5.0.2 keep-state :default
00101 allow ip from 10.5.0.2 to 192.168.8.0 keep-state :default
65535 allow ip from any to any

/usr/local/etc/ipf.rules:

-f flush

add 00001 allow all from any to any via lo0
add 00010 allow all from any to any via wg0


#allow traffix through jail`s external if
add 00101 allow all from 192.168.8.48/32 to 192.168.8.0/24 keep-state
add 00101 allow all from 192.168.8.0/24 to 192.168.8.48/32 keep-state

#allow traffic to the wg if(s), local and extern
add 00101 allow all from 192.168.8.0/32 to 10.5.0.2 keep-state
add 00101 allow all from 10.5.0.2 to 192.168.8.0/32 keep-state

allow traffic to VPN server
add 00105 allow all from 10.5.0.2/32 to 185.219.140.15 keep-state

#add 00110 deny all from any to any

 

[notanumba]

Noone running a gateway in a jail and has a running config for me?

 

[trish]

I have a gateway in a jail for the rest of my network. I have just set it up. You need to add the nat rules to your ipfw. I think you need

ipfw -q -f flush
ipfw -q nat 1 config if wg0
ipfw -q add nat 1 all from 192.168.8.0/24 to any via wg0
ipfw -q add nat 1 all from any to any in via wg0

All the other things seem to be correct on your system.

I found help here: https://forums.freebsd.org/threads/jail-as-a-gateway-for-external-devices.58038/