🦔
メモ: WireguardでのVPN(nftables)
メモ
nftablesのルール例
table inet filter {
set tcp_accepted {
type inet_service
flags interval
elements = { 53, 80, 443, 22 }
}
set udp_accepted {
type inet_service
flags interval
elements = { 53, 51820, 60000-60100 }
}
chain input {
type filter hook input priority 0;
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iifname "lo" accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
type filter hook input priority filter; policy drop;
iifname "ens3" tcp dport @tcp_accepted ct state new accept
iifname "ens3" udp dport @udp_accepted ct state new accept
iifname "wghub" tcp dport @tcp_accepted ct state new accept
iifname "wghub" udp dport @udp_accepted ct state new accept
meta pkttype host limit rate 5/second counter packets 9350 bytes 511030 reject with icmpx admin-prohibited
counter packets 126637 bytes 13036675
}
}
wireguardの設定ファイル例
wghub.conf
[Interface]
Address = 10.125.239.1/24, fd25:2406:4086:8834::1/64
ListenPort = 37371
PrivateKey =
SaveConfig = false
MTU = 1280
PostUp = nft add table inet filter
PostUp = nft add table inet nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority srcnat ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority filter; policy accept ; }"
PostUp = nft add chain inet nat %i-postrouting "{ type nat hook postrouting priority srcnat ; }"
PostUp = nft add rule inet filter %i-postrouting meta nfproto ipv4 tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule inet filter %i-postrouting meta nfproto ipv6 tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
#PostUp = nft add chain inet filter %i-prerouting "{ type nat hook prerouting priority dstnat ; }"
#PostUp = nft add chain inet nat %i-prerouting "{ type nat hook prerouting priority dstnat ; }"
#PostUp = nft add rule inet nat %i-prerouting udp dport 53 redirect to 53
#PostUp = nft add rule inet nat %i-prerouting tcp dport 53 redirect to 53
PostUp = nft add rule inet nat %i-postrouting oifname ens3 meta nfproto ipv4 masquerade
PostUp = nft add rule inet nat %i-postrouting oifname ens3 meta nfproto ipv6 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain inet nat %i-postrouting
#PostDown = nft delete chain inet filter %i-prerouting
#PostDown = nft delete chain inet nat %i-prerouting
PostDown = nft delete table inet nat
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
# 11: 11 > wgclient_11.conf
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.125.239.11/32, fd25:2406:4086:8834::11/128
PostDownでwghub関連のみルールを削除するためには、nft -aコマンドでhandleを確認して、それを用いるみたい。一応メモ。
nft -a list table inet filter | grep "wghub" | sed 's/.*handle \(.*\)/\1/'|xargs -I{} nft 'delete rule inet filter input handle {}'; nft 'flush table ip nat'; nft 'flush table ip6 nat'
wgclient_11.conf
[Interface]
Privatekey =
Address = 10.125.239.11/24, fd25:2406:4086:8834::11/64
DNS =
[Peer]
Publickey =
PresharedKey =
EndPoint =
AllowedIPs = 0.0.0.0/0,::/0
PostUpでnftコマンドにより、以下のようなルールが追加されます。
一部抜粋
chain forward {
type filter hook forward priority filter; policy drop;
iifname "wghub" counter packets 0 bytes 0 accept
oifname "wghub" counter packets 0 bytes 0 accept
}
}
table inet nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname "ens3" ip counter packets 0 bytes 0 masquerade
oifname "ens3" ip6 counter packets 0 bytes 0 masquerade
}
}
その他
- easy-wg-quick
GitHub - burghardt/easy-wg-quick: Creates Wireguard configuration for hub and peers with ease
easy-wg-quickを用いた設定例
firewallはnftablesを用いる。
DNSは指定しない。
git clone https://github.com/burghardt/easy-wg-quick.git
./easy-wg-quick
echo "nft" > fwtype.txt
echo > intnetdns.txt
echo > intnet6dns.txt
./easy-wg-quick
sudo cp wghub.conf /etc/wireguard
[Interface]
Address = 10.125.239.1/24, fd25:2406:4086:8834::1/64
ListenPort = 37371
PrivateKey =
SaveConfig = false
MTU = 1280
PostUp = nft add table inet filter
PostUp = nft add table ip nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule ip nat %i-postrouting oifname ens3 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain ip nat %i-postrouting
PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule ip6 nat %i-postrouting oifname ens3 masquerade
PostDown = nft delete chain ip6 nat %i-postrouting
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
# 11: 11 > wgclient_11.conf
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.125.239.11/32, fd25:2406:4086:8834::11/128
クライアント側がGNOMEならVPNの設定でファイルからのインポートを選び、wgclient_11.confを読み込ませれば、VPNの追加ができます。
Discussion