From 2b0ec1316497896c408701ea301309b6db7a5d94 Mon Sep 17 00:00:00 2001
From: RealStickman
Date: Fri, 20 May 2022 21:17:33 +0200
Subject: [PATCH] (Grav GitSync) Automatic Commit from RealStickman
---
 pages/02.linux/13.wireguard/default.en.md | 136 ++++++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 pages/02.linux/13.wireguard/default.en.md
diff --git a/pages/02.linux/13.wireguard/default.en.md b/pages/02.linux/13.wireguard/default.en.md
new file mode 100644
index 0000000..b5a699b
--- /dev/null
+++ b/pages/02.linux/13.wireguard/default.en.md
@@ -0,0 +1,136 @@
+---
+title: Wireguard
+---
+
+## Installation
+`# pacman -S wireguard-tools`
+*Enable backports for buster and older*
+`# apt install wireguard`
+
+## Configuration
+This command creates a private key and also a matching public key
+`$ wg genkey | tee (name).key | wg pubkey > (name).pub`
+
+The network we will be using for wireguard will be 172.16.1.0/24
+
+To activate a wireguard tunnel on boot use the following command
+`# systemctl enable --now wg-quick@wg0.service`
+
+### VPN "Server" configuration
+*Illustration only, don't share your private keys*
+Private key: `oFlgQ3uq4tjgRILDV3Lbqdx0mVZv2VCWWRkhJA3gcX4=`
+Public key: `/0LMRaQCx1oMIh+eU/v4T3YQ8gAb/Qf7ulYl0zzFAkQ=`
+
+This server needs to have a public IP.
+All traffic between the different nodes will be routed through here.
+
+Kernel forwarding has to be enabled
+SystemD only loads settings specified in the `/etc/sysctl.d/` directory
+`# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/80-forwarding.conf`
+`# sysctl -p /etc/sysctl.d/80-forwarding.conf`
+
+Note how the first peer has two allowed IPs.
+`/etc/wireguard/wg0.conf`
+```
+[Interface]
+Address = 172.16.1.10/24
+ListenPort = 51900
+PrivateKey = oFlgQ3uq4tjgRILDV3Lbqdx0mVZv2VCWWRkhJA3gcX4=
+MTU = 1420
+PostUp = /etc/wireguard/wg0-postup.sh
+PostDown = /etc/wireguard/wg0-postdown.sh
+
+[Peer]
+PublicKey = r+TAbAN1hGh4MaIk/J5I5L3ZSAn+kCo1MJJq5YxHrl0=
+AllowedIPs = 172.16.1.100/32, 172.16.1.69/32
+
+[Peer]
+PublicKey = RYXavpsPkJ8jwiBI39kz1csqgMDtVK14Lo2u8pDL0UY=
+AllowedIPs = 172.16.1.101/32
+
+[Peer]
+PublicKey = 0jDtfR5GlZAHWtwxVEpukjneVj/Ace40VVdHh/eZnwU=
+AllowedIPs = 172.16.1.200/32
+```
+
+`/etc/wireguard/wg0-postup.sh`
+```
+WIREGUARD_INTERFACE=wg0
+WIREGUARD_LAN=172.16.1.0/24
+MASQUERADE_INTERFACE=ens33
+
+iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Add a WIREGUARD_wg0 chain to the FORWARD chain
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+iptables -N $CHAIN_NAME
+iptables -A FORWARD -j $CHAIN_NAME
+
+# Accept related or established traffic
+iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept traffic from (source) to (destination)
+#iptables -A $CHAIN_NAME -s 172.16.1.100 -i $WIREGUARD_INTERFACE -d 172.16.1.10 -j ACCEPT
+#iptables -A $CHAIN_NAME -s 172.16.1.101 -i $WIREGUARD_INTERFACE -d 172.16.1.10 -j ACCEPT
+#iptables -A $CHAIN_NAME -s 172.16.1.200 -i $WIREGUARD_INTERFACE -d 172.16.1.10 -j ACCEPT
+#iptables -A $CHAIN_NAME -s 172.16.1.200 -i $WIREGUARD_INTERFACE -d 172.16.1.100 -j ACCEPT
+
+# Accept all traffic on the wireguard network
+iptables -A $CHAIN_NAME -s 172.16.1.0/24 -i $WIREGUARD_INTERFACE -j ACCEPT
+
+# Drop everything else coming through the Wireguard interface
+iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
+
+# Return to FORWARD chain
+iptables -A $CHAIN_NAME -j RETURN
+```
+
+`/etc/wireguard/wg0-postdown.sh`
+```
+WIREGUARD_INTERFACE=wg0
+WIREGUARD_LAN=172.16.1.0/24
+MASQUERADE_INTERFACE=ens33
+
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+
+iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s 172.16.1.0/24
+
+# Remove and delete the WIREGUARD_wg0 chain
+iptables -D FORWARD -j $CHAIN_NAME
+iptables -F $CHAIN_NAME
+iptables -X $CHAIN_NAME
+```
+
+### VPN "Client" configuration
+*Illustration only, don't share your private keys*
+Private key: `kAgCeU6l+RWlFxfpnGj19tzEDyYz3I4HuqHkaUmHX1Q=`
+Public key: `r+TAbAN1hGh4MaIk/J5I5L3ZSAn+kCo1MJJq5YxHrl0=`
+
+Here we have two different interfaces configured under the same wireguard config
+`/etc/wireguard/wg0.conf`
+```
+[Interface]
+Address = 172.16.1.100/24
+ListenPort = 51900
+PrivateKey = kAgCeU6l+RWlFxfpnGj19tzEDyYz3I4HuqHkaUmHX1Q=
+MTU = 1420
+
+[Interface]
+Address = 172.16.1.69/24
+ListenPort = 51900
+PrivateKey = kAgCeU6l+RWlFxfpnGj19tzEDyYz3I4HuqHkaUmHX1Q=
+MTU = 1420
+
+[Peer]
+PublicKey = /0LMRaQCx1oMIh+eU/v4T3YQ8gAb/Qf7ulYl0zzFAkQ=
+AllowedIPs = 172.16.1.0/24
+Endpoint = 10.80.4.124:51900 #IPv4
+#Endpoint = 864f:909a:4779::b:5e1b:51900 #IPv6
+PersistentKeepalive = 5
+```
+
+## Iptables no local access ssh user
+> [Block outgoing network access for single user](https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html)
+> [Restrict internet access for user](https://unix.stackexchange.com/questions/21650/how-to-restrict-internet-access-for-a-particular-user-on-the-lan-using-iptables)
+{.is-info}
+