Wireguard examples

From wikinotes

endpoint using DHCP

FreeBSD in jail

See https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-jail/

TODO:

Unfinished. Merge this content with *FreeBSD jails: networking: vnet*, where the wg interface was successfully brought up.

I can confirm that vnet jails DO work, at least as far as setting up.

The jail.conf rules below may still be needed; do not delete them.


Create a bridge and one epair per jail

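# /etc/rc.conf

# bridge0 becomes the gateway for the vnet jails.
# Each jail receives one end of an epair interface with its own IP.
# The bridge and the epairs share one network (192.168.20.0/24) but have independent IPs.
# The jail itself can have any number of IP addresses, using bridge0 as its gateway.
#
# Orientation matches the settings below: the "b" end of each epair is added to
# bridge0 on the host, the "a" end is handed to the jail (vnet.interface in jail.conf).
#
#                               / epair0b -- epair0a(192.168.20.2) -> JAIL1(10.0.0.1, 192.168.1.200)
# bridge0(192.168.20.1/24) +----
#                               \ epair1b -- epair1a(192.168.20.3) -> JAIL2(10.0.0.2, 192.168.1.201)
#
# Only epair0 is created here; a second jail needs "epair1" in cloned_interfaces
# and "addm epair1b" in ifconfig_bridge0.
# NOTE: the jail-side address (192.168.20.2) is not assigned by these lines; it has to
# be configured inside the jail (e.g. ifconfig_epair0a in the jail's own rc.conf, or DHCP).
cloned_interfaces="bridge0 epair0"
ifconfig_bridge0="inet 192.168.20.1/24 addm epair0b up"
ifconfig_epair0b="up"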

devfs ruleset (in /etc/devfs.rules) to unhide the bpf devices

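# /etc/devfs.rules
#
# Rulesets written as [name=number] sections belong in /etc/devfs.rules, not in
# /etc/devfs.conf (which only knows link/own/perm actions). The number (5) is what
# devfs_ruleset in jail.conf refers to.
#
# The ruleset starts from the stock $devfsrules_jail ruleset and additionally
# exposes the bpf devices.
# Security note: unhiding bpf lets root inside the jail capture raw packets on the
# interfaces in its vnet. Apply this ruleset only to jails that need it
# (presumably for dhclient on the epair, given the "endpoint using DHCP" heading — confirm).

[devfsrules_bpfjail=5]
add include $devfsrules_jail
add path 'bpf*' unhide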

Configure the jail for vnet and the custom devfs ruleset

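# /etc/jail.conf

testjail {
    # Host-side variables: the epair end given to the jail, the jail's address on
    # the bridge network, and the VPN subnet that is routed into the jail.
    $vif = "epair0a";
    $epair_ip = "192.168.20.2";
    $vpn_net = "192.168.250.0/24";

    mount.devfs;
    # Ruleset 5 = stock jail ruleset plus unhidden bpf devices; it must be defined
    # in /etc/devfs.rules for the jail to see them.
    devfs_ruleset = "5";
    # Lets privileged users in the jail manipulate system file flags (still subject
    # to kern.securelevel). Remove unless something in the jail actually needs it.
    allow.chflags;

    host.hostname = "testjail";

    # Host route: traffic for the VPN subnet is sent to the jail's epair address.
    # NOTE: nothing here assigns $epair_ip to $vif inside the jail; the jail's own
    # rc.conf (or DHCP) must do that, otherwise this route points at nothing.
    $route = "$vpn_net $epair_ip";
    vnet;
    vnet.interface = $vif;
    exec.prestart += "route add $route";
    exec.poststop += "route delete $route";

    # Workaround: hand the epair back to the host before the jail is torn down.
    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238326
    exec.prestop  += "ifconfig $vif -vnet $name";
}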