# Wireguard



## Roman Voronov (Nov 17, 2021)

Hey! Configured VPN. IP 10.0.1.1 pings, but does not ping sites on the Internet. Please tell me where to look for the error?

wg0.conf

```
[Interface]
Address = 10.0.1.1/24
PrivateKey=Removed by mod=
ListenPort = 51820
[Peer]
PublicKey = Removed by mod=
AllowedIPs = 10.0.1.2/32
Endpoint = 13.48.228.147:51820
```


----------



## SirDice (Nov 17, 2021)

Did you enable routing in rc.conf with `gateway_enable="YES"`?


----------



## Roman Voronov (Nov 17, 2021)

Yes

```
root@freebsd:/ # cat /etc/rc.conf
hostname="freebsd"
ec2_configinit_enable=YES
ec2_fetchkey_enable=YES
ec2_loghostkey_enable=YES
firstboot_freebsd_update_enable=YES
firstboot_pkgs_enable=YES
ntpd_enable=YES
dev_aws_disk_enable=YES
growfs_enable="YES"
ifconfig_DEFAULT="SYNCDHCP accept_rtadv"
sshd_enable="YES"
firstboot_pkgs_list="awscli"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-M /usr/local/libexec/rtsold-M -a"
gateway_enable="YES"
wireguard_enable="YES"
wireguard_interfaces="wg0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
```


----------



## SirDice (Nov 17, 2021)

So, then the next question becomes, how is the FreeBSD host connected to the internet? Does it have a direct connection? Or does it go through an external router? Also keep in mind that while it might _send_ out the packets to the internet, if you're not using NAT anywhere the return traffic to 10.0.1.2 will never, ever arrive back.


----------



## Roman Voronov (Nov 17, 2021)

This is a VPS. NAT settings:

```
root@freebsd:/ # cat /etc/sysctl.conf
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
```


----------



## SirDice (Nov 17, 2021)

Roman Voronov said:

> NAT settings


Those settings have nothing to do with NAT. That `net.inet.ip.forwarding` sysctl is the same one that's set with `gateway_enable="YES"`. This enables routing between interfaces.


----------



## Roman Voronov (Nov 17, 2021)

Please tell me what I need to do?


----------



## SirDice (Nov 17, 2021)

You're going to need to configure NAT to translate that 10.0.1.2 source address to your external internet IP address. Or else you will never get a response back. Have a look in the handbook, there are different firewalls you can use for that purpose.

Chapter 31. Firewalls

Judging by your rc.conf I see you already enabled PF. That's good, use that to do the NAT.

Something like this should do the trick:

```
nat on $ext_if from 10.0.1.0/24 to any -> ($ext_if)
```


----------



## Roman Voronov (Nov 17, 2021)

I configured the PF as follows:

```
root@freebsd:/ # cat /etc/pf.conf
ext_if="ena0"
int_if="wg0"
set skip on lo0
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass all
```

But it doesn't work for me.


----------



## SirDice (Nov 17, 2021)

Standard tool to diagnose this is tcpdump(1). Look on your ena0 interface and see if there's actually some traffic going out. Double check if that traffic is correctly being translated (you should not see the 10.0.1.2 source address in your _outgoing_ packets).

And what exactly do you mean by "does not ping sites on the Internet"? Can you ping IP addresses, like 8.8.8.8? Or do you have DNS name resolving issues? (`ping 8.8.8.8` works but `ping www.google.com` isn't able to find www.google.com)
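An added example (not from the thread) of applying that tcpdump check offline: the capture lines below are constructed stand-ins for `tcpdump -ni ena0` output, 198.51.100.10 is a placeholder for the VPS's external address, and the function flags any packet that left the external interface still carrying a 10.0.1.0/24 source, which is exactly the untranslated traffic you should not see once the `nat on $ext_if` rule matches.

```python
import ipaddress
import re

# Constructed tcpdump-style lines standing in for `tcpdump -ni ena0` output.
# 198.51.100.10 is a placeholder for the VPS's external address, not a real host.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 10.0.1.2 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
12:00:01.000200 IP 10.0.1.2.41234 > 1.1.1.1.53: 1234+ A? www.google.com. (32)
12:00:02.000000 IP 198.51.100.10 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64
12:00:02.000100 IP 8.8.8.8 > 198.51.100.10: ICMP echo reply, id 7, seq 2, length 64
12:00:03.000000 IP 198.51.100.10.51820 > 203.0.113.5.51820: UDP, length 148
"""

# tcpdump prints "IP src[.port] > dst[.port]:" for IPv4; the optional fifth
# dotted component is the port, which is split off from the address here.
_PKT = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > (\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)


def parse_ipv4_flows(capture):
    """Yield (src, dst) address pairs from tcpdump text lines."""
    for line in capture.splitlines():
        m = _PKT.search(line)
        if m:
            yield m.group(1), m.group(2)


def find_untranslated(capture, wg_net="10.0.1.0/24"):
    """Return (src, dst) pairs that left with a WireGuard-subnet source.

    On the external interface every packet coming out of the tunnel should
    already carry the external address; a 10.0.1.x source here means the
    nat rule did not match and the reply will never find its way back.
    """
    net = ipaddress.ip_network(wg_net)
    leaks = []
    for src, dst in parse_ipv4_flows(capture):
        if ipaddress.ip_address(src) in net:
            leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    for src, dst in find_untranslated(SAMPLE_CAPTURE):
        print(f"untranslated: {src} -> {dst}")
```

Feed it real output with `tcpdump -ni ena0 -l | python3 check.py` style piping once you adapt the `__main__` block to read stdin; an empty result means the translation is working.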


----------



## Roman Voronov (Nov 17, 2021)

It works! Thank you very much for your help! I will study PF!


----------

