
Memo: VPN with WireGuard (nftables)

Published 2023/01/16

Memo

Example nftables rules

table inet filter {
  set tcp_accepted {
    type inet_service
    flags interval
    elements = { 53, 80, 443, 22 }
  }

  set udp_accepted {
    type inet_service
    flags interval
    # 51820 is only the WireGuard default; the wghub.conf below listens on 37371,
    # so the real ListenPort must be in this set or handshakes on ens3 are dropped
    elements = { 53, 51820, 60000-60100 }
  }

  chain input {
    # one base-chain declaration per chain; policy drop makes the accept rules the whitelist
    type filter hook input priority filter; policy drop;
    ct state invalid drop comment "early drop of invalid connections"
    ct state { established, related } accept comment "allow tracked connections"
    iifname "lo" accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    # new connections: same service sets on the public NIC and on the tunnel
    iifname "ens3" tcp dport @tcp_accepted ct state new accept
    iifname "ens3" udp dport @udp_accepted ct state new accept
    iifname "wghub" tcp dport @tcp_accepted ct state new accept
    iifname "wghub" udp dport @udp_accepted ct state new accept
    # rate-limited reject for anything else addressed to this host, then count what policy drop eats
    meta pkttype host limit rate 5/second counter reject with icmpx admin-prohibited
    counter
  }
}
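The udp_accepted set above carries the WireGuard default 51820 while the wghub.conf further down listens on 37371; if the ListenPort is missing from the set, the input chain's policy drop silently eats every handshake arriving on ens3. The POSIX sh script below is an added check and not code from the memo: it reads the text output of nft list set (assuming nft prints the elements on a single line) and the ListenPort line of a wg-quick config, and reports whether the port is covered, ranges included. The nft output and the config fragment are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Added example: verify that the WireGuard ListenPort is covered by the nftables
# udp_accepted set. Sample data below is constructed, not captured from a real hub.

# Constructed sample of `nft list set inet filter udp_accepted` output.
SAMPLE_SET_OUTPUT='table inet filter {
	set udp_accepted {
		type inet_service
		flags interval
		elements = { 53, 51820, 60000-60100 }
	}
}'

# Constructed fragment of a wg-quick hub config (keys left blank, as in the memo).
SAMPLE_WGHUB_CONF='[Interface]
Address = 10.125.239.1/24, fd25:2406:4086:8834::1/64
ListenPort = 37371
PrivateKey =
MTU = 1280'

# Print the set elements one per line (assumes nft printed them on one line).
set_elements() {
  sed -n 's/.*elements = { *\(.*\) *}.*/\1/p' | tr ',' '\n' | tr -d ' \t'
}

# Return 0 if port $1 is covered by an element read from stdin ("53" or "60000-60100").
port_in_elements() {
  port=$1
  while read -r el; do
    [ -z "$el" ] && continue
    case $el in
      *-*) lo=${el%-*}; hi=${el#*-} ;;
      *)   lo=$el; hi=$el ;;
    esac
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# Print the ListenPort value from a wg-quick config read on stdin.
listen_port() {
  sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 0 if the ListenPort in config text $1 is allowed by the set output $2,
# 1 if it is not, 2 if the config has no ListenPort (wg then picks a random port).
check_listen_port() {
  lp=$(printf '%s\n' "$1" | listen_port)
  if [ -z "$lp" ]; then
    return 2
  fi
  printf '%s\n' "$2" | set_elements | port_in_elements "$lp"
}

# On a real hub (as root):
#   check_listen_port "$(cat /etc/wireguard/wghub.conf)" \
#                     "$(nft list set inet filter udp_accepted)" \
#     || echo "ListenPort is not in udp_accepted"
```

With the memo's values the check fails, because 37371 is neither listed nor inside 60000-60100; adding the port to the set (or changing ListenPort to 51820) makes it pass.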

Example WireGuard configuration files
wghub.conf

[Interface]
Address = 10.125.239.1/24, fd25:2406:4086:8834::1/64
ListenPort = 37371
PrivateKey = 
SaveConfig = false
MTU = 1280
# wg-quick expands %i to the interface name, so on this hub the chains are
# wghub-postrouting and wghub-forward; "nft add table" is a no-op if the table already exists
PostUp = nft add table inet filter
PostUp = nft add table inet nat
# MSS clamping gets its own nat-type chain: a nat chain evaluates only the first
# packet of a connection, which is exactly the SYN the clamp applies to
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority srcnat ; }"
# policy drop on the forward chain: with policy accept the host would forward between
# all of its interfaces as soon as ip_forward is on, and the ct state rule below would never matter
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority filter; policy drop ; }"
PostUp = nft add chain inet nat %i-postrouting "{ type nat hook postrouting priority srcnat ; }"
PostUp = nft add rule inet filter %i-postrouting meta nfproto ipv4 tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule inet filter %i-postrouting meta nfproto ipv6 tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
# optional: redirect DNS to a resolver on the hub itself (no iifname, so it would apply to every interface)
#PostUp = nft add chain inet filter %i-prerouting "{ type nat hook prerouting priority dstnat ; }"
#PostUp = nft add chain inet nat %i-prerouting "{ type nat hook prerouting priority dstnat ; }"
#PostUp = nft add rule inet nat %i-prerouting udp dport 53 redirect to 53
#PostUp = nft add rule inet nat %i-prerouting tcp dport 53 redirect to 53
PostUp = nft add rule inet nat %i-postrouting oifname ens3 meta nfproto ipv4 masquerade
PostUp = nft add rule inet nat %i-postrouting oifname ens3 meta nfproto ipv6 masquerade
# clients may initiate anything; traffic back into the tunnel only for tracked connections
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
# tear down only what PostUp created; table inet filter stays because the main ruleset lives in it
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain inet nat %i-postrouting
#PostDown = nft delete chain inet filter %i-prerouting
#PostDown = nft delete chain inet nat %i-prerouting
PostDown = nft delete table inet nat
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0

# 11: 11 > wgclient_11.conf
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.125.239.11/32, fd25:2406:4086:8834::11/128

To delete only the wghub-related rules in PostDown, it seems you look up each rule's handle with nft -a and delete by handle. Noting it here for reference. Handles are assigned when the ruleset is loaded and change on every reload, so they have to be looked up at PostDown time rather than hard-coded.

# list only the input chain, so the wghub-forward / wghub-postrouting chain lines in the same table are not picked up
nft -a list chain inet filter input | grep 'iifname "wghub"' | sed 's/.*handle \(.*\)/\1/' | xargs -I{} nft 'delete rule inet filter input handle {}'
# then clear the nat tables (ip nat / ip6 nat as created by the easy-wg-quick config further below;
# the wghub.conf above uses a single inet nat table and already deletes it in PostDown)
nft 'flush table ip nat'; nft 'flush table ip6 nat'
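As an added example of this handle-based cleanup (not part of the memo): the functions below read nft -a list chain output, pick out the rules that name the WireGuard interface exactly (so wghub does not also match a wghub2), and build one nft delete rule command per handle. The sample chain output and its handle numbers are constructed, and the function names are my own; on a real hub the output of nft -a list chain inet filter input is piped in instead.

```sh
#!/bin/sh
# Added example: derive `nft delete rule ... handle N` commands for the rules that
# reference a WireGuard interface. The sample below is constructed; handle numbers
# on a real host come from the running ruleset and change on every reload.

SAMPLE_CHAIN_OUTPUT='table inet filter {
	chain input { # handle 1
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections" # handle 4
		iifname "ens3" tcp dport @tcp_accepted ct state new accept # handle 9
		iifname "wghub" tcp dport @tcp_accepted ct state new accept # handle 10
		iifname "wghub" udp dport @udp_accepted ct state new accept # handle 11
		iifname "wghub2" udp dport 53 accept # handle 12
	}
}'

# Print the handle of every rule (read on stdin) whose iifname/oifname is exactly "$1".
# Matching the quoted name keeps "wghub" from selecting "wghub2", and only lines that
# end in "# handle N" are returned, so the chain header line is never picked up.
wg_rule_handles() {
  ifname=$1
  grep -E "(iifname|oifname) \"$ifname\"" \
    | sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# Emit one `nft delete rule` per handle for family/table $1, chain $2, interface $3.
# Handles are stable identifiers inside a loaded ruleset, so deletion order does not matter.
wg_delete_commands() {
  family_table=$1; chain=$2; ifname=$3
  wg_rule_handles "$ifname" | while read -r h; do
    printf 'nft delete rule %s %s handle %s\n' "$family_table" "$chain" "$h"
  done
}

# On a real hub (as root, e.g. from a PostDown script):
#   nft -a list chain inet filter input | wg_delete_commands "inet filter" input wghub | sh
```

Piping the generated commands into sh only after inspecting them is the safe order; printing them first is what makes the script testable without nft installed.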

wgclient_11.conf

[Interface]
PrivateKey = 
Address = 10.125.239.11/24, fd25:2406:4086:8834::11/64
DNS = 

[Peer]
PublicKey = 
PresharedKey = 
Endpoint = 
AllowedIPs = 0.0.0.0/0,::/0

PostUp runs the nft commands above, which add rules like the following (excerpt of the relevant chains from the running ruleset):

table inet filter {
	# ... (rest of the table omitted)
	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname "wghub" counter packets 0 bytes 0 accept
		oifname "wghub" counter packets 0 bytes 0 accept
	}
}
table inet nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "ens3" ip counter packets 0 bytes 0 masquerade
		oifname "ens3" ip6 counter packets 0 bytes 0 masquerade
	}
}

Other

Configuration example using easy-wg-quick
The firewall is nftables.
No DNS is specified.

git clone https://github.com/burghardt/easy-wg-quick.git
cd easy-wg-quick
./easy-wg-quick
echo "nft" > fwtype.txt      # firewall type: nftables
echo > intnetdns.txt         # no internal IPv4 DNS for clients
echo > intnet6dns.txt        # no internal IPv6 DNS for clients
./easy-wg-quick
sudo cp wghub.conf /etc/wireguard

The generated wghub.conf (easy-wg-quick creates separate ip nat and ip6 nat tables here; the version above was changed to a single inet nat table with meta nfproto):

[Interface]
Address = 10.125.239.1/24, fd25:2406:4086:8834::1/64
ListenPort = 37371
PrivateKey = 
SaveConfig = false
MTU = 1280
PostUp = nft add table inet filter
PostUp = nft add table ip nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule ip nat %i-postrouting oifname ens3 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain ip nat %i-postrouting
PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule ip6 nat %i-postrouting oifname ens3 masquerade
PostDown = nft delete chain ip6 nat %i-postrouting
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0

# 11: 11 > wgclient_11.conf
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.125.239.11/32, fd25:2406:4086:8834::11/128

If the client runs GNOME, choose import from file in the VPN settings and load wgclient_11.conf to add the VPN.
