<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p><span>Hi everyone,</span></p>
<div> </div>
<div>I've set up a Wireguard server on a Mac Mini and can remotely connect with no problems. However, all attempts to access anything else on my server's LAN while connected have been unsuccessful.</div>
<div> </div>
<div>Most guides and documentation I've found to get this routing working are <a href="https://www.stavros.io/posts/how-to-configure-wireguard/" target="_blank" rel="noreferrer">written with the assumption Linux's `iptables` are available</a>, but on macOS the only available option appears to be `pf`. My attempts thus far to get those `iptables` rules ported correctly to `pf` have failed.</div>
<div> </div>
<div>Have any of you gotten LAN access working correctly on macOS with `pf`? If so, I'd greatly appreciate your guidance!</div>
<div> </div>
<div>-----</div>
<div> </div>
<div>My server config</div>
<div> </div>
<div>```</div>
<div>
<div>[Interface]</div>
<div>Address = 10.0.0.3</div>
<div>PrivateKey = ${SERVER_PRIVATE_KEY}</div>
<div>ListenPort = 51820</div>
<div> </div>
<div>[Peer]</div>
<div>PublicKey = ${CLIENT_PUBLIC_KEY}</div>
<div>AllowedIPs = 10.0.0.200/32</div>
</div>
<div>```</div>
<div> </div>
<div>-----</div>
<div> </div>
<div>My peer config</div>
<div> </div>
<div>```</div>
<div>[Interface]</div>
<div>
<div>Address = 10.0.0.200</div>
<div>PrivateKey = ${CLIENT_PRIVATE_KEY}</div>
<div>ListenPort = 51820</div>
<div> </div>
<div>[Peer]</div>
<div>PublicKey = ${SERVER_PUBLIC_KEY}</div>
<div>Endpoint = ${SERVER_PUBLIC_IP}:51820</div>
<div>AllowedIPs = 0.0.0.0/0, ::/0</div>
<div>PersistentKeepalive = 25</div>
</div>
<div>```</div>
<div> </div>
<div>-----</div>
<div> </div>
<div>The script to load my `pf` rules (run before starting Wireguard on the server), using this article as a guide: <a href="https://blog.netnerds.net/2016/11/share-vpn-with-os-x-sierra-internet-sharing/" target="_blank" rel="noreferrer">https://blog.netnerds.net/2016/11/share-vpn-with-os-x-sierra-internet-sharing/</a></div>
<div> </div>
<div>```</div>
<div>sysctl -w net.inet.ip.forwarding=1<br /><br /># Disable pfctl<br />pfctl -d<br />sleep 1<br /><br /># Flushe all pfctl rules<br />pfctl -F all<br />sleep 1<br /><br /># Starts pfctl and loads the rules from the nat-rules file<br />pfctl -f /private/etc/nat-rules -e</div>
<div>```</div>
<div> </div>
<div>-----</div>
<div> </div>
<div>The rules themselves, saved at `/private/etc/nat-rules`.</div>
<div>I've confirmed that `en0` is my server's ethernet interface, and `utun1` is the interface WireGuard uses (printed on WireGuard startup)</div>
<div> </div>
<div>```</div>
<div>nat on en0 from 10.0.0.0/24 to any -> (en0)<br />nat on utun1 from 10.0.0.0/24 to any -> (utun1)</div>
<div>``` </div>
<div> </div>
<div>Cheers,</div>
<div> </div>
<div>—Marc</div>
<div> </div>
<div>(Apologies for the duplicate message, I didn't receive any reject/accept response, and the confirmation string for canceling the message expired. Giving this another try...)</div>
<div> </div>
</body></html>