I have a FreeNAS 11.3 system and followed iXsystems' instructions on setting up WireGuard. With a simple wg0.conf I'm now able to connect successfully. I'd like to be able to use this setup as a proper VPN, meaning that I can use the tunnel to browse the local network as well as the internet.
On Linux the solution is to use iptables to set up a NAT:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
What is the FreeNAS/FreeBSD equivalent?
Best Answer
In addition to WireGuard, also enable the FreeBSD packet filter pf using rc.conf tunables:
wireguard_enable="YES"
wireguard_interfaces="wg0"
pf_enable="YES"
pf_rules="/usr/local/etc/pf.conf"
pflog_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
iXsystems recommends wg0.conf to live in /root and a Post Init Script to copy it to a system location then start WireGuard:
By default pf is configured via /etc/pf.conf, but we need to follow the above pattern and copy /root/pf.conf to /usr/local/etc/pf.conf on startup and have pf use that. Add another Post Init Script to feed pf our configuration:
My pf.conf follows. WireGuard IP addresses are arbitrary on an arbitrary subnet. pf will route and NAT from this subnet to the rest of the network. I don't know of a way to do this without these arbitrary, but static, IP addresses. (Uncomment the ipv6 NAT if your ipv6 works.)
My FreeNAS server's wg0.conf:
Laptop client configuration:
Thanks to https://gist.github.com/apearson/168b244b4735cceff9809ef3d07f4df5 for a nearly working config!
See also pf docs and this.
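As an added illustration (not the answerer's own pf.conf, which is not reproduced above), here is a pf.conf that does what the iptables FORWARD/MASQUERADE pair does on Linux: NAT traffic arriving from the WireGuard subnet out of the NAS's LAN interface and pass it statefully. The interface name igb0 and the 10.200.200.0/24 and fd00:200::/64 subnets are assumptions; substitute your NAS's uplink interface and the subnet you chose in wg0.conf.

```pf
# /usr/local/etc/pf.conf -- WireGuard NAT gateway for FreeNAS/FreeBSD
# Assumed values: igb0 is the NAS's LAN/uplink interface, wg0 is the
# WireGuard interface, and the subnets match the [Interface] Address
# in wg0.conf and the client's AllowedIPs.
ext_if  = "igb0"
wg_if   = "wg0"
wg_net  = "10.200.200.0/24"
wg_net6 = "fd00:200::/64"

# Never filter loopback.
set skip on lo0

# Equivalent of: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# ($ext_if) in parentheses tracks the interface's current address, so
# the rule survives a DHCP change without a reload.
nat on $ext_if inet from $wg_net to any -> ($ext_if)
# Uncomment when IPv6 works on your network (the answer's note above):
# nat on $ext_if inet6 from $wg_net6 to any -> ($ext_if)

# Equivalent of: iptables -A FORWARD -i wg0 -j ACCEPT
# Only packets from the WireGuard subnet are accepted on wg0, so a peer
# cannot spoof a source address outside the range you assigned it.
pass in on $wg_if inet from $wg_net to any keep state
# pass in on $wg_if inet6 from $wg_net6 to any keep state

# Let the NAT'd (now $ext_if-sourced) traffic leave toward LAN/internet.
pass out on $ext_if keep state
```

pf's default policy with no block rule is pass, so the NAS's existing services stay reachable; check the file with `pfctl -nf /usr/local/etc/pf.conf` before loading it, and remember that forwarding itself comes from gateway_enable="YES" in rc.conf, not from pf.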