WireGuard and NFS
Among the brilliant features of WireGuard is cryptokey routing: traffic is classified by peer public key, so packets can be filtered by interface, and each peer can be required to use a specific tunnel address (the wgaip / AllowedIPs bound to its key).
Bootstrapping
wg(8) from the wireguard-tools package is optional, but is helpful for generating a key pair:
PRIVATE_KEY=$(wg genkey)
PUBLIC_KEY=$(printf '%s' "$PRIVATE_KEY" | wg pubkey)
Alternatively, assign a private key to an interface with ifconfig(8), then look up the public key by listing the interface properties:
ifconfig wg0 create wgkey `openssl rand -base64 32`
ifconfig wg0 | awk '$1=="wgpubkey" { print $2 }'
OpenBSD
# /etc/hostname.wg0
wgport 7111 wgkey STATIC_PRIVATE_KEY
wgpeer ROAMING_PUBLIC_KEY wgaip 10.0.0.21/32 wgdescr t14-1260p
wgpeer ROAMING_PUBLIC_KEY wgaip 10.0.0.22/32 wgdescr nuc-1360p
inet 10.0.0.1/24
Each wgpeer line carries that peer's own public key, and its wgaip is the only tunnel source address the kernel will accept from it. The remote peer is similar:
# /etc/hostname.wg0
wgkey ROAMING_PRIVATE_KEY
wgpeer STATIC_PUBLIC_KEY wgendpoint 192.168.0.2 7111 wgaip 0.0.0.0/0
inet 10.0.0.21/24
FreeBSD
# /etc/rc.conf
network_interfaces="vtnet0 wg0"
ifconfig_wg0="inet 10.0.0.20/24"
# /etc/start_if.wg0
ifconfig wg0 create
wg syncconf wg0 /etc/wg0.conf
where wg0.conf is formatted as:
[Interface]
PrivateKey = ROAMING_PRIVATE_KEY
ListenPort = 7111
[Peer]
PublicKey = STATIC_PUBLIC_KEY
Endpoint = 192.168.2.2:7111
AllowedIPs = 10.0.0.0/24
Fedora
Create /etc/NetworkManager/system-connections/wg0.nmconnection:
[connection]
id=wg0
type=wireguard
interface-name=wg0
[wireguard]
listen-port=7111
private-key=ROAMING_PRIVATE_KEY
[wireguard-peer.STATIC_PUBLIC_KEY]
endpoint=192.168.2.2:7111
allowed-ips=10.0.0.0/24;
[ipv4]
address1=10.0.0.22/24
method=manual
The keyfile holds the private key, so it must be owned by root with mode 0600 or NetworkManager will refuse to load it. Then run nmcli connection reload followed by nmcli connection up wg0.
NFS
NFSv4 is a monstrosity to configure, mainly because it is built on Kerberos. Instead we can lock down NFSv3 using a basic access list in /etc/exports, since a source address arriving from WireGuard may be roaming (the peer can connect from any endpoint) and is still validated (cryptokey routing drops any decrypted packet whose tunnel source address is not in the sending peer's wgaip). The address-based export is only as strong as that binding, so make sure NFS is reachable over wg0 alone and not on the physical interfaces.
/var/www/htdocs -alldirs -ro -network=10.0.0.0 -mask=255.255.255.0
Now we can mount it from the client using:
mount -t nfs 10.0.0.1:/var/www/htdocs /mnt
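The reason the address-based exports list above is safe behind WireGuard is the cryptokey routing described at the top of the page. The following is an added simulation, not code from the page or from WireGuard itself: it models the hub's peer table (10.0.0.21/32 and 10.0.0.22/32 behind two constructed placeholder keys, a roaming client with 0.0.0.0/0), the longest-prefix lookup used for outbound packets, the inbound check that a peer's packets must carry one of its own allowed addresses, and the exports -network/-mask check layered on top. Key names and the packet fields are constructed for illustration.

```python
"""Simulation of WireGuard cryptokey routing plus an NFS exports ACL.

Added example for this page; the peer table mirrors the page's layout and the
public keys are constructed placeholders, not real WireGuard keys.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    pubkey: str            # placeholder string standing in for a base64 key
    allowed_ips: tuple     # the peer's wgaip / AllowedIPs prefixes


class CryptokeyRouter:
    """One WireGuard interface: a set of peers keyed by public key."""

    def __init__(self, peers):
        self.peers = list(peers)
        # Flatten to (network, peer) and sort longest prefix first so the
        # first match in a scan is the most specific one.
        self.table = sorted(
            ((ipaddress.ip_network(net), p) for p in self.peers for net in p.allowed_ips),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def peer_for_destination(self, dst):
        """Outbound: the packet is encrypted to the peer whose AllowedIPs
        contains dst with the longest prefix; None means it is dropped."""
        addr = ipaddress.ip_address(dst)
        for net, peer in self.table:
            if addr in net:
                return peer
        return None

    def accept_inbound(self, pubkey, src):
        """Inbound: after decryption proves which peer sent the packet, the
        inner source address must lie in that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        return any(peer.pubkey == pubkey and addr in net for net, peer in self.table)


def exports_allows(src, network="10.0.0.0", mask="255.255.255.0"):
    """The /etc/exports line: -network=10.0.0.0 -mask=255.255.255.0."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(f"{network}/{mask}")


def nfs_request_allowed(router, pubkey, src):
    """An NFS request over the tunnel passes both checks: the tunnel binds
    src to pubkey, then the exports ACL checks the subnet."""
    return router.accept_inbound(pubkey, src) and exports_allows(src)


# Hub (the NFS server) as configured in hostname.wg0: one /32 per peer.
HUB = CryptokeyRouter([
    Peer("T14_PUBKEY", ("10.0.0.21/32",)),   # constructed placeholder key
    Peer("NUC_PUBKEY", ("10.0.0.22/32",)),   # constructed placeholder key
])

# Roaming client: everything is routed to the hub (wgaip 0.0.0.0/0).
CLIENT = CryptokeyRouter([Peer("STATIC_PUBKEY", ("0.0.0.0/0",))])


if __name__ == "__main__":
    print("hub -> 10.0.0.21 goes to", HUB.peer_for_destination("10.0.0.21").pubkey)
    print("client -> 10.0.0.1 goes to", CLIENT.peer_for_destination("10.0.0.1").pubkey)
    print("T14 claiming 10.0.0.22 accepted:", HUB.accept_inbound("T14_PUBKEY", "10.0.0.22"))
    print("NFS from T14 as 10.0.0.21:", nfs_request_allowed(HUB, "T14_PUBKEY", "10.0.0.21"))
```

The important case is the one where a peer presents a tunnel source address that belongs to a different peer: the packet decrypts fine, but accept_inbound rejects it because the address is outside that key's prefix, which is what lets the exports line trust a plain network mask.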