> cd /

Make your server available through a VPN endpoint IP

Let's say your ISP don't provide static IP and you want to self host your website, emails and stuff at home. Or you can't setup a rDNS. Or your usual Internet access is down and you want to keep your server up using your smartphone connection sharing capabilities.

Or reasons...

One may setup a VPN tunnel between its home server and a remote endpoint. To reach the home server from the endpoint, we'll have to configure appropriate redirections.

What will be described below can work with IKEv2, OpenVPN, Wireguard... Actually, you just need a working tunnel.

Good news, default routes are unchanged, it is not a RoadWarrior setup -- unless you want to.

Even better, it is very easy to achieve with OpenBSD. 😊


VPN Tunnel summary

As example, we show a minimal wireguard configuration.

For more, see solene's amazing tutorial (⚠️ default routes are modified)

Endpoint setup

# cat /etc/sysctl.conf

# cat /etc/hostname.wg0
inet6 fd19:6f4d:bea8:f63a::1/64
wgkey [...] # run ''openssl rand -base64 32'' to get it
wgport 4545
wgpeer [...] \
        wgaip \
        wgaip fd19:6f4d:bea8:f63a::2/128

# cat /etc/pf.conf
# wireguard tunnel
pass in proto udp to port 4545
pass in on wg0
pass out

Server (client) setup

# cat /etc/pf.conf
pass in quick on wg0 from
pass out

# cat /etc/hostname.wg0
wgkey [...]
wgpeer [...] \
        wgendpoint 4545 \
        wgaip \
        wgaip ::0/0 \
wgpka 25
inet6 fd19:6f4d:bea8:f63a::2/64

Generate wgkey with ''openssl rand -base64 32''.

Get wg pubkey for wgpeer with ''ifconfig wg0''.

Redirect traffic from endpoint to server

Edit endpoint's ''/etc/pf.conf'' and add appropriate ''nat-to'' and ''rdr-to'' rules.

serv_int = ""
serv_ext = ""
int_if = "wg0"
ext_if = "vio0"


# allow ssh on altenate port
pass in quick on egress proto tcp from any to port 4242

# wireguard tunnel
pass in proto udp to port 4545
pass in on wg0

# vpn ext to int redirection
pass in on $ext_if proto tcp from any to $serv_ext rdr-to $serv_int

match out on $ext_if from $serv_int to any \
       nat-to $serv_ext static-port

# or
#  match on $ext_if from $serv_int to any binat-to $serv_ext

match out on $int_if from any to $serv_int \
        received-on $ext_if nat-to $int_if
pass out

As you can see, we first set macros.

Then, incoming ssh on an alternate port is ''quick''ly allowed. It is necessary since all traffic will be directed to your server, so you won't be able to remotely configure the endpoint. Make sure you edited ''/etc/ssh/sshd_config''.

As before, we let the wireguard tunnel in.

Then, two rules redirect traffic from the outside to your server, and back : ''rdr-to'' and ''nat-to''. It is equivalent to ''binat-to''. If you need to, you can add port range to the ''rdr-to'' rule.

Finally, we have to add a ''match'' rule since traffic is redirected between two different interfaces.

Reload pf and check it is working:

nc -zv 80
Connection to 80 port [tcp/www] succeeded!

Yay \o/

Comments ?

Say something to the mailing list (anonymous)

List howto