caute, nedari sa mi rozchodit WG pod debian 10 na RPI3 (cisty debian, nie raspbian), tipujem to na problem vo firewalle - bud v mikrotiku alebo v NFTables.
Na mikrotiku mam dve vlany - sukromnu a pre hosti. Na MT v ip addresses som pod sukromnu vlanu pridal dalsiu siet pre vpn peerov a pre wg0 (RPI3) pricom eth0 na RPI3 ma ip od povodnej sukromnej siete
Na MT som NATol WG port na ip eth0 v RPI a povolil som maskaradu pre vpn siet.
ip firewall filter vyzera takto:
0 chain=input action=accept connection-state=established,related
1 chain=input action=accept in-interface=fix_vlan log=no log-prefix=""
2 chain=input action=drop connection-state=invalid
3 chain=input action=jump jump-target=WAN>INPUT in-interface-list=WAN log=no log-prefix=""
4 chain=input action=drop log=yes
5 chain=forward action=accept connection-state=established,related
6 chain=forward action=accept in-interface=fix_vlan out-interface-list=WAN log=no log-prefix=""
7 chain=forward action=accept in-interface=host_vlan out-interface-list=WAN log=no log-prefix=""
8 ;;; DSTNAT
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""
9 chain=forward action=accept src-address-list=host_ip dst-address-list=tlac in-interface=host_vlan log=no log-prefix=""
10 chain=forward action=accept src-address-list=vpn_ip in-interface=fix_vlan log=no log-prefix=""
11 chain=forward action=drop connection-state=invalid
12 chain=forward action=drop src-address-list=!fix_ip in-interface=fix_vlan log=no log-prefix=""
13 chain=forward action=drop src-address-list=!host_ip in-interface=host_vlan log=no log-prefix=""
14 chain=forward action=drop dst-address-list=bogon log=yes log-prefix="bogon"
15 chain=forward action=drop in-interface=host_vlan out-interface=fix_vlan log=no log-prefix=""
16 chain=forward action=drop log=yes log-prefix=""
17 chain=WAN>INPUT action=drop log=no log-prefix=""
nftables.conf na debiane (RPI) vyzera takto:
define WAN_IFC = eth0
define VPN_IFC = wg0
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets.
ct state established,related accept;
# Drop invalid packets.
ct state invalid drop;
# Allow loopback traffic.
iifname lo accept;
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 4/second accept;
ip protocol igmp limit rate 4/second accept;
# Allow SSH specific IPs
tcp dport 22 ip saddr $SAFE_IPS accept;
# Allow WG
udp dport WG port accept;
# Deny WG
udp dport WG port ip saddr $HOST_NET drop;
# Allow DNS
udp dport 53 accept;
# Allow WWW specific IPs
tcp dport { http, https } ip saddr $SAFE_IPS accept;
udp dport { http, https } ip saddr $SAFE_IPS accept;
}
chain forward {
type filter hook forward priority 0; policy drop;
# forward WireGuard traffic, allowing it to access internet via WAN
iifname $VPN_IFC oifname $WAN_IFC ct state new accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table ip router {
# both prerouting and postrouting must be specified
chain prerouting {
type nat hook prerouting priority 0;
}
chain postrouting {
type nat hook postrouting priority 100;
# masquerade wireguard traffic
# make wireguard traffic look like it comes from the server itself
oifname $WAN_IFC ip saddr $VPN_NET masquerade
}
}
wg0.conf na servery (RPI) vyzera takto:
[Interface]
Address = lan.ip.adresa.servera z rozsahu vpn_net vytvorenej v MT/24
ListenPort = WG port
PrivateKey = ...
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
client vyzera takto:
[Interface]
PrivateKey = ...
Address = lan.ip.adresa.clienta z rozsahu vpn_net vytvorenej v MT/32
DNS = lan.ip.adresa.mt (je na nom povoleny DNS)
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = verejna.ip.adr.esa:WG port
PersistentKeepalive = 25
Stav je taky ze pripojenie sice funguje (tunel je aktivny) ale vzdialeny client nema pristup na internet ani k zariadeniam v lan sieti.
Ciel: chcem aby mal vzdialeny client pristup k lan zariadeniam a pristup na internet tak aby traffic "pochadzal z miesta vpn
PS: Dufam ze som to napisal zrozumitelne, v pripade potreby nieco upresnim.
Diky za rady