🦔

メモ: WireguardでのVPN(nftables)

2023/01/16に公開

memo

VPN

nftables

WireGuard

idea

メモ

nftablesのルール例

table inet filter {
	set tcp_accepted {
		type inet_service
		flags interval
		elements = { 53, 80, 443, 22 }
	}

	set udp_accepted {
		type inet_service
		flags interval
		elements = { 53, 51820,  60000-60100 }
	}

	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iifname "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		iifname "ens3" tcp dport @tcp_accepted ct state new accept
		iifname "ens3" udp dport @udp_accepted ct state new accept
		iifname "wg0" tcp dport @tcp_accepted ct state new accept
		iifname "wg0" udp dport @udp_accepted ct state new accept
		meta pkttype host limit rate 5/second counter packets 9350 bytes 511030 reject with icmpx admin-prohibited
		counter packets 126637 bytes 13036675
	}
}

wireguardの設定ファイル例
wg0.conf

[Interface]
Address = 10.0.0.1/32
Address = fd86:ea04:1119::1/64
Table = auto
SaveConfig = true
PostUp = nft add table inet filter
PostUp = nft add table ip nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule ip nat %i-postrouting oifname ens3 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain ip nat %i-postrouting
PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule ip6 nat %i-postrouting oifname ens3 masquerade
PostDown = nft delete chain ip6 nat %i-postrouting
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
ListenPort = 
PrivateKey = 

[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.0.0.2/32, fd86:ea04:1119::/64
Endpoint =

PostDownでwg0関連のみルールを削除するためには、nft -aコマンドでhandleを確認して、それを用いるみたい。一応メモ。

nft -a list chain inet filter forward|grep "wg0"|sed 's/.*handle \(.*\)/\1/'|xargs -I{} nft 'delete rule inet filter forward handle {}';nft 'flush chain inet nat postrouting'

wg1.conf

[Interface]
Privatekey = 
Address = 10.0.0.2/32
DNS = 

[Peer]
Publickey = 
PresharedKey = 
EndPoint = 
AllowedIPs = 0.0.0.0/0,::/0

PostUpでnftコマンドにより、以下のようなルールが追加されます。
一部抜粋

	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname "wg0" counter packets 0 bytes 0 accept
		oifname "wg0" counter packets 0 bytes 0 accept
	}
}
table inet nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "ens3" ip saddr 10.0.0.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens3" ip6 saddr fd86:ea04:1119::/64 counter packets 0 bytes 0 masquerade
	}
}

その他

easy-wg-quick
GitHub - burghardt/easy-wg-quick: Creates Wireguard configuration for hub and peers with ease

easy-wg-quickを用いた設定例

[Interface]
Address = 10.166.195.1/24, fd43:7093:7940:7575::1/64
ListenPort = 
PrivateKey = 
SaveConfig = false
MTU = 1280
PostUp = nft add table inet filter
PostUp = nft add table ip nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule ip nat %i-postrouting oifname ens3 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain ip nat %i-postrouting
PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule ip6 nat %i-postrouting oifname ens3 masquerade
PostDown = nft delete chain ip6 nat %i-postrouting
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0

# 12: 12 > wgclient_12.conf
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.166.195.12/32, fd43:7093:7940:7575::12/128

# 13: 13 > wgclient_13.conf
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.166.195.13/32, fd43:7093:7940:7575::13/128

その他

Discussion