Wireguard on FreeBSD - a few questions

Kyle Evans kevans at freebsd.org
Wed Nov 3 16:39:19 UTC 2021


On Wed, Nov 3, 2021 at 5:55 AM Frank Volf <frank at deze.org> wrote:
>
>
> Hi,
>
> This weekend I installed Wireguard on FreeBSD 13.0 and until now
> everything seems to work fine (I use the kernel module).
> Installation and configuration were easy and connecting with the Android
> app works great as well.
>

Excellent, that's good to hear! :-)

> I do have a few questions.
>
> 1) Is it possible on FreeBSD to enable some kind of logging? I did make
> a small configuration error with my first client and it was hard to find
> the error, because there does not seem to be any logging at all.  Some
> logging information would be appreciated and probably would have pointed
> me faster to the fact that I needed to switch two keys in my config.
>

If you set 'debug' on the interface (`ifconfig wg0 debug`) then it'll
write some useful bits to syslog for your perusal.

> 2) I noticed that Wireguard uses a wildcard to listen to all IP
> addresses on my multi-homed machine on its dedicated UDP port. I would
> prefer if Wireguard would only bind to the specific IP address on the
> outside interface that is designated for that use. Is this possible?
>
> 3) Final question: is it possible on the server side to restrict the
> destinations that clients can connect to? I know that I can set the
> AllowedIPs on the client side to restrict that, but that setting can be
> changed at the client side. It would be nice if I could restrict
> destinations at the server side (so client X can only connect to an IP
> address of an internal server that it needs access to but nothing else).
> I can probably use a stateful packet filtering firewall for this, but
> would it be possible to configure this on the Wireguard server side
> as well?
>

For these last two, I'll defer to somebody else -- I'm not aware of
any such functionality on other platforms, but wireguard-freebsd will
follow suit if this is or will become an accepted concept elsewhere.

> That said, I'm pleased with the first test results of Wireguard on
> FreeBSD and hopefully it keeps on running fine. Great product!
>

Great, thanks for testing! =)

Kyle Evans
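
The packet-filter approach raised in question 3, extended to also cover question 2, as an added example that is not part of the original message or of wireguard-freebsd: a pf.conf fragment that accepts WireGuard UDP only on one external address and lets one client reach one internal host. It assumes pf is the firewall in use; the interface names, addresses and port are constructed placeholders.

```pf
# Added example; every value below is a constructed placeholder.
ext_if   = "em0"          # outside interface (assumed name)
wg_if    = "wg0"          # WireGuard interface
wg_addr  = "192.0.2.10"   # the one external address meant for WireGuard
wg_port  = "51820"        # ListenPort of the tunnel (assumed)
client_x = "10.8.0.2"     # tunnel address listed in client X's AllowedIPs
                          # in the *server's* peer entry
srv_int  = "10.10.0.5"    # the only internal host client X needs

# Question 2: the socket still listens on the wildcard address, but
# handshakes and data are only accepted on the designated address.
# pf evaluates all rules and the last match wins, so the pass rule
# overrides the block for that single address.
block in log on $ext_if inet proto udp from any to any port $wg_port
pass  in     on $ext_if inet proto udp from any to $wg_addr port $wg_port

# Question 3: default-deny for everything leaving the tunnel, then one
# stateful exception per client. Filtering on the inner source address
# is sound because WireGuard discards decrypted packets whose source is
# not in that peer's server-side AllowedIPs, so the client cannot change
# what this rule sees by editing its own configuration.
block in log on $wg_if all
pass  in     on $wg_if inet from $client_x to $srv_int
```

The ruleset can be syntax-checked without loading it using `pfctl -nf` on the file; blocked packets logged by the `log` keyword appear on the `pflog0` interface.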

