Root.cz Forum
Main topics => Networks => Topic started by: googler2 06. 08. 2021, 09:22:01
-
Hi, I can't get WG working under Debian 10 on an RPi3 (plain Debian, not Raspbian); I suspect a firewall problem, either on the MikroTik or in nftables.
On the MikroTik I have two VLANs, a private one and a guest one. On the MT, in IP addresses, I added another network under the private VLAN for the VPN peers and for wg0 (RPI3), while eth0 on the RPI3 has an IP from the original private network.
On the MT I NATed the WG port to the eth0 IP of the RPI and enabled masquerade for the VPN network.
ip firewall filter looks like this:
0 chain=input action=accept connection-state=established,related
1 chain=input action=accept in-interface=fix_vlan log=no log-prefix=""
2 chain=input action=drop connection-state=invalid
3 chain=input action=jump jump-target=WAN>INPUT in-interface-list=WAN log=no log-prefix=""
4 chain=input action=drop log=yes
5 chain=forward action=accept connection-state=established,related
6 chain=forward action=accept in-interface=fix_vlan out-interface-list=WAN log=no log-prefix=""
7 chain=forward action=accept in-interface=host_vlan out-interface-list=WAN log=no log-prefix=""
8 ;;; DSTNAT
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""
9 chain=forward action=accept src-address-list=host_ip dst-address-list=tlac in-interface=host_vlan log=no log-prefix=""
10 chain=forward action=accept src-address-list=vpn_ip in-interface=fix_vlan log=no log-prefix=""
11 chain=forward action=drop connection-state=invalid
12 chain=forward action=drop src-address-list=!fix_ip in-interface=fix_vlan log=no log-prefix=""
13 chain=forward action=drop src-address-list=!host_ip in-interface=host_vlan log=no log-prefix=""
14 chain=forward action=drop dst-address-list=bogon log=yes log-prefix="bogon"
15 chain=forward action=drop in-interface=host_vlan out-interface=fix_vlan log=no log-prefix=""
16 chain=forward action=drop log=yes log-prefix=""
17 chain=WAN>INPUT action=drop log=no log-prefix=""
nftables.conf on Debian (RPI) looks like this:
define WAN_IFC = eth0
define VPN_IFC = wg0
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow traffic from established and related packets.
        ct state established,related accept;
        # Drop invalid packets.
        ct state invalid drop;
        # Allow loopback traffic.
        iifname lo accept;
        # Allow all ICMP and IGMP traffic, but enforce a rate limit
        # to help prevent some types of flood attacks.
        ip protocol icmp limit rate 4/second accept;
        ip protocol igmp limit rate 4/second accept;
        # Allow SSH specific IPs
        tcp dport 22 ip saddr $SAFE_IPS accept;
        # Allow WG
        udp dport WG port accept;
        # Deny WG
        udp dport WG port ip saddr $HOST_NET drop;
        # Allow DNS
        udp dport 53 accept;
        # Allow WWW specific IPs
        tcp dport { http, https } ip saddr $SAFE_IPS accept;
        udp dport { http, https } ip saddr $SAFE_IPS accept;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # forward WireGuard traffic, allowing it to access internet via WAN
        iifname $VPN_IFC oifname $WAN_IFC ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip router {
    # both prerouting and postrouting must be specified
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerade wireguard traffic
        # make wireguard traffic look like it comes from the server itself
        oifname $WAN_IFC ip saddr $VPN_NET masquerade
    }
}
wg0.conf on the server (RPI) looks like this:
[Interface]
Address = lan.ip.adresa.servera z rozsahu vpn_net vytvorenej v MT/24
ListenPort = WG port
PrivateKey = ...
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
the client looks like this:
[Interface]
PrivateKey = ...
Address = lan.ip.adresa.clienta z rozsahu vpn_net vytvorenej v MT/32
DNS = lan.ip.adresa.mt (je na nom povoleny DNS)
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = verejna.ip.adr.esa:WG port
PersistentKeepalive = 25
The situation is that the connection does work (the tunnel is up), but the remote client has no access to the internet or to the devices on the LAN.
Goal: I want the remote client to have access to the LAN devices and to the internet, so that the traffic "originates from the VPN location".
PS: I hope I've written this clearly; I'll clarify anything if needed.
Thanks for any advice
-
https://www.abclinuxu.cz/poradna/linux/show/471603
-
I started that abclinuxu topic myself, but there's no solution in it yet either, so I don't know what you meant to hint at.
-
https://telekomunikace.cz/d/35603-domaci-wireguard-mikrotik-debian-nftables
-
I started that abclinuxu topic myself, but there's no solution in it yet either, so I don't know what you meant to hint at.
That's so that nobody has to work through your "wall of text" x times over.
-
Did you try the step-by-step guides?
https://jwcxz.com/notes/200702-simple-wireguard-vpn/
I use firewalld, so in my config I only have:
PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade
-
Yes I did; in fact the configuration in the first post was done according to the guide from your link.
I noticed a possibly "interesting" thing: when I connect to the server via the Windows WireGuard GUI client, it does connect and the tunnel is up, but the GUI shows some random listening port (a different one on every connection) and not the one I entered in the client's and server's configuration.
-
I noticed a possibly "interesting" thing: when I connect to the server via the Windows WireGuard GUI client, it does connect and the tunnel is up, but the GUI shows some random listening port (a different one on every connection) and not the one I entered in the client's and server's configuration.
That's standard behaviour.
Well, edit. I misread the config. If I set it on the Windows client, it stays the one in the config:
[Interface]
PrivateKey = privatekey
Address = 10.10.10.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = publikey
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.server.cz:51820
PersistentKeepalive = 25
-
So I'll try changing the port in the configs to the default and change it in the NAT on the MikroTik too; right now I have a "custom" one.
By the way, regarding the server config: do you also have the zero IP in AllowedIPs in the Peer section, or is the zero IP only entered in the client config?
Also, while searching for a solution I came across posts according to which the VPN often didn't work because no route had been set up on the MikroTik / router. I haven't dealt with a route either (maybe the mistake is there); how should I set it up? What value?
-
AllowedIPs = 0.0.0.0/0
is there so that the client routes all traffic through it: if we want all traffic to go through the VPN, we set AllowedIPs = 0.0.0.0/0, ::/0.
https://ondrej-sika.cz/blog/wireguard/
-
I'm ready for a wave of hate, but I only just found out that when wg0 was up on the server, the server (RPI) had no internet at all; I couldn't ping anything public, by IP or by domain name. When I brought wg0 down with
wg-quick down wg0
the output was this:
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] nft -f /dev/fd/63
and then the internet worked normally on the RPI; when I tried to bring wg0 up again with wg-quick up wg0
the output was this:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.40.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
and then the internet on the RPI stopped working again. After enabling WireGuard debugging with echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
the dmesg output
contains only this about wireguard:
[ 13.288343] wireguard: module verification failed: signature and/or required key missing - tainting kernel
[ 13.302966] wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
[ 13.311941] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
The solution was to replace these rules in nftables:
iifname $VPN_IFC oifname $WAN_IFC ct state new accept;
iifname $VPN_IFC oifname $WAN_IFC accept;
I replaced them with these two rules and the peer connection now works, including access to the network and routing of all traffic through the WireGuard VPN IP:
iifname $VPN_IFC accept;
oifname $VPN_IFC ct state established,related accept;
But I'd still like to know how I can restrict some peers so that they don't have access to all devices on the network, only to some of them?
Thanks for the reply.
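An added example (not from the thread and not the poster's final config) showing one way to answer the per-peer question above with nftables. It keeps the fix from the post: the original forward chain had policy drop and only accepted new flows from wg0 to eth0, so the replies coming back towards wg0 were dropped, and accepting established,related in the forward chain is what made the tunnel usable. On top of that it adds a concatenated set keyed on peer tunnel address and LAN destination, so a restricted peer can reach only the devices listed for it. The LAN range 192.168.10.0/24, the tunnel addresses in 10.0.40.0/24 (the tunnel net visible in the wg-quick output above) and the device addresses in the sets are assumed placeholders.

```nft
define WAN_IFC = eth0
define VPN_IFC = wg0
# Assumed placeholder, not from the thread: the private VLAN behind the MikroTik
define LAN_NET = 192.168.10.0/24

table inet filter {
    # restricted peer (its /32 tunnel address) . LAN device it may reach
    # one element per peer/device pair; peers not listed here get full access
    set peer_acl {
        type ipv4_addr . ipv4_addr
        elements = { 10.0.40.10 . 192.168.10.20,
                     10.0.40.10 . 192.168.10.21,
                     10.0.40.11 . 192.168.10.21 }
    }
    # tunnel addresses of every restricted peer (assumed values)
    set restricted_peers {
        type ipv4_addr
        elements = { 10.0.40.10, 10.0.40.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to flows already accepted, in both directions
        # (this is what the forward chain in the first post lacked)
        ct state established,related accept
        ct state invalid drop

        # restricted peers: only their listed devices, then drop everything else
        iifname $VPN_IFC ip saddr . ip daddr @peer_acl accept
        iifname $VPN_IFC ip saddr @restricted_peers drop

        # unrestricted peers: the whole LAN plus internet via WAN
        iifname $VPN_IFC ip daddr $LAN_NET accept
        iifname $VPN_IFC oifname $WAN_IFC accept
    }
}
```

This relies on WireGuard's cryptokey routing: the server only accepts a packet from a peer if its source address lies inside that peer's AllowedIPs, so with one /32 per peer in the server's [Peer] sections the tunnel source address identifies the peer and cannot be spoofed by another peer. Load it with nft -f after flushing the old chain (nft flush chain inet filter forward), then check the sets with nft list set inet filter peer_acl. If a restricted peer should also get internet, add iifname $VPN_IFC ip saddr @restricted_peers oifname $WAN_IFC accept before the drop rule.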