I've been trying to use WireGuard on my host machine (14.2-RELEASE) to route all VM traffic through WireGuard, but I can't get it to work.
When running tcpdump I see no traffic on the wg0 interface but I see traffic on bridge2. My machine has the external interface igb0.
10.10.10.0/24 is the VM subnet.
I also run a dhcpd server on the VM subnet to dynamically allocate IPs with this config
Code:
subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.2 10.10.10.254;
    option subnet-mask 255.255.255.0;
    option routers 10.10.10.1;
}
I created a simple wg0.conf file with the following
Code:
[Interface]
PrivateKey = (hidden)
[Peer]
PublicKey = (hidden)
AllowedIPs = 10.10.10.0/24
Endpoint = (wg-server-ip):51820
Then I create a bridge for the VM's TAP interfaces to attach to; the bridge is created like this
Code:
gateway_enable="YES"
cloned_interfaces="bridge2"
ifconfig_bridge2="inet 10.10.10.1/24 up"
And to enable NAT I do the following in pf.conf
Code:
# pfctl requires sections in order (options, translation, filtering),
# so the "set" lines must come before "nat" and the pass/block rules
set skip on bridge2
set skip on wg0
nat on wg0 from 10.10.10.0/24 to any -> (wg0)
block in
pass out
pass in on igb0 proto udp from any to igb0 port { 51820 } keep state
pass in quick from 10.10.10.0/24 to any
Is this due to WireGuard being layer 3, and is there some alternative method I can use to get a configuration like this working? Running WireGuard in the VM itself works just fine when using NAT on my external interface.
I also get a conflict with WireGuard attempting to edit the route table for 10.10.10.0/24, as bridge2 is trying to route the same IPs. I'm really confused as to how to get this working.
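The three interactions this kind of setup must get right (what AllowedIPs puts into the routing table, `set skip` switching pf off on the NAT interface, and pf.conf section order) can be checked mechanically. The script below is an added example, not code from the post or from the WireGuard or FreeBSD projects; the sample configs are constructed to mirror the post, the tunnel address 10.200.0.2/32 and the file paths are assumptions.

```sh
#!/bin/sh
# Added sanity check for a WireGuard-as-VM-gateway setup on FreeBSD.
# Sample configs below are constructed; paths and tunnel address are assumptions.
set -u

# Prints one line per finding for $1 = wg conf, $2 = pf.conf, $3 = VM subnet.
check_wg_gateway() {
    wg_conf=$1; pf_conf=$2; vm_net=$3
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$wg_conf")
    # 1. AllowedIPs equal to the bridge subnet makes wg-quick install the route
    #    bridge2 already owns, and only that subnet is ever sent into the tunnel.
    case "$allowed" in
        *"$vm_net"*) echo "AllowedIPs covers the local VM subnet $vm_net (route clash with the bridge)" ;;
    esac
    case "$allowed" in
        *0.0.0.0/0*) ;;
        *) echo "AllowedIPs lacks 0.0.0.0/0: VM traffic for the Internet is never routed into wg0" ;;
    esac
    # 2. 'set skip on wg0' switches pf off on wg0, so 'nat on wg0' can never match.
    if grep -q '^ *set skip on wg0' "$pf_conf" && grep -q '^ *nat on wg0' "$pf_conf"; then
        echo "pf: 'set skip on wg0' disables the 'nat on wg0' rule"
    fi
    # 3. pfctl requires sections in order: options (set), translation (nat), filtering.
    order=$(awk '/^ *set /{print 0} /^ *(nat|rdr|binat) /{print 1} /^ *(pass|block) /{print 2}' "$pf_conf" | tr -d '\n')
    [ "$order" = "$(printf %s "$order" | fold -w 1 | sort | tr -d '\n')" ] ||
        echo "pf: rules out of section order; pfctl will reject the file"
    return 0
}
# Number of findings; 0 means all three checks pass.
finding_count() { check_wg_gateway "$@" | wc -l | tr -d ' '; }

# Constructed samples: the configs as posted, then a corrected pair.
DIR=$(mktemp -d)
printf '%s\n' '[Interface]' 'PrivateKey = (hidden)' '[Peer]' 'PublicKey = (hidden)' \
    'AllowedIPs = 10.10.10.0/24' 'Endpoint = (wg-server-ip):51820' > "$DIR/wg0.posted.conf"
printf '%s\n' 'nat on wg0 from 10.10.10.0/24 to any -> (wg0)' 'block in' 'pass out' \
    'set skip on bridge2' 'set skip on wg0' 'pass in quick from 10.10.10.0/24 to any' > "$DIR/pf.posted.conf"
# Corrected: route everything into the tunnel, leave pf active on wg0, keep section order.
printf '%s\n' '[Interface]' 'PrivateKey = (hidden)' 'Address = 10.200.0.2/32' '[Peer]' \
    'PublicKey = (hidden)' 'AllowedIPs = 0.0.0.0/0' 'Endpoint = (wg-server-ip):51820' > "$DIR/wg0.fixed.conf"
printf '%s\n' 'set skip on bridge2' 'nat on wg0 from 10.10.10.0/24 to any -> (wg0)' 'block in' \
    'pass out' 'pass in quick on bridge2 from 10.10.10.0/24 to any' > "$DIR/pf.fixed.conf"

check_wg_gateway "$DIR/wg0.posted.conf" "$DIR/pf.posted.conf" 10.10.10.0/24   # four findings
check_wg_gateway "$DIR/wg0.fixed.conf" "$DIR/pf.fixed.conf" 10.10.10.0/24     # prints nothing
```

Note that AllowedIPs = 0.0.0.0/0 also routes the host's own traffic into the tunnel unless the host is policy-routed separately; the check only covers the three points above.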