Memo: VPN with WireGuard (nftables)
Example nftables rules
table inet filter {
    set tcp_accepted {
        type inet_service
        flags interval
        elements = { 53, 80, 443, 22 }
    }
    set udp_accepted {
        type inet_service
        flags interval
        elements = { 53, 51820, 60000-60100 }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iifname "lo" accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        iifname "ens3" tcp dport @tcp_accepted ct state new accept
        iifname "ens3" udp dport @udp_accepted ct state new accept
        iifname "wg0" tcp dport @tcp_accepted ct state new accept
        iifname "wg0" udp dport @udp_accepted ct state new accept
        meta pkttype host limit rate 5/second counter packets 9350 bytes 511030 reject with icmpx admin-prohibited
        counter packets 126637 bytes 13036675
    }
}
Example WireGuard config files
wg0.conf
[Interface]
Address = 10.0.0.1/32
Address = fd86:ea04:1119::1/64
Table = auto
SaveConfig = true
PostUp = nft add table inet filter
PostUp = nft add table ip nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule ip nat %i-postrouting oifname ens3 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain ip nat %i-postrouting
PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule ip6 nat %i-postrouting oifname ens3 masquerade
PostDown = nft delete chain ip6 nat %i-postrouting
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
ListenPort =
PrivateKey =
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.0.2/32, fd86:ea04:1119::/64
Endpoint =
To delete only the wg0-related rules in PostDown, it seems you have to look up their rule handles with nft -a and use those. Noting it here for reference:
nft -a list chain inet filter forward | grep "wg0" | sed 's/.*handle \(.*\)/\1/' | xargs -I{} nft 'delete rule inet filter forward handle {}'; nft 'flush chain inet nat postrouting'
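Two things in the PostUp/PostDown lines above are worth checking before copying them. `nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"` declares no policy, so that chain defaults to accept and its two accept rules restrict nothing (the `policy drop` in the excerpt further down belongs to a differently built chain). And `nft add rule` appends: every `wg-quick up` that was not preceded by a clean `down` stacks another copy of each rule, which is exactly why the handle lookup above becomes necessary. The script below is an added example, not code from the memo or from easy-wg-quick. It keeps all WireGuard rules in a dedicated table that PostUp replaces atomically and PostDown deletes with one command, and it makes the `nft -a` handle parsing skip the table/chain header lines, which also carry handles but of the wrong object kind. Assumed names: WAN interface ens3, tunnel wg0 and the prefixes 10.0.0.0/24 and fd86:ea04:1119::/64 from the memo's configs; the table name wg0 and the path /etc/wireguard/wg0.nft are this example's own choices, and the `nft -a` output embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original memo or from easy-wg-quick).
# Assumptions: WAN interface ens3, tunnel wg0, tunnel prefixes 10.0.0.0/24 and
# fd86:ea04:1119::/64 (taken from the memo); the table name is this example's.
WAN=${WAN:-ens3}
WG=${WG:-wg0}
V4NET=${V4NET:-10.0.0.0/24}
V6NET=${V6NET:-fd86:ea04:1119::/64}

# Print a complete ruleset for one dedicated table. Feeding it to `nft -f -`
# replaces the table atomically: the bare "table" line creates it if missing,
# "delete table" removes the old contents, and the block recreates it, so a
# repeated PostUp never stacks duplicate rules. PostDown is just
# `nft delete table inet wg0`. Do NOT use `flush ruleset` here: that would
# wipe the host's own inet filter table.
wg_ruleset() {
    cat <<EOF
table inet ${WG}
delete table inet ${WG}
table inet ${WG} {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # clamp MSS on every SYN crossing the box so the tunnel MTU does not
        # cause PMTU black holes (filter hook, so both directions are covered)
        tcp flags syn tcp option maxseg size set rt mtu
        # tunnel -> WAN, only from the tunnel's own prefixes
        iifname "${WG}" oifname "${WAN}" ip saddr ${V4NET} accept
        iifname "${WG}" oifname "${WAN}" ip6 saddr ${V6NET} accept
        # WAN -> tunnel only for replies to flows the tunnel started
        iifname "${WAN}" oifname "${WG}" ct state established,related accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "${WAN}" ip saddr ${V4NET} masquerade
        oifname "${WAN}" ip6 saddr ${V6NET} masquerade
    }
}
EOF
}

# Legacy cleanup for rulesets that still use shared chains: extract the rule
# handles that mention an interface from `nft -a list chain FAMILY TABLE CHAIN`
# output, skipping table/chain/type header lines (the table and chain headers
# carry handles too, but those are not rule handles and `delete rule` on them
# fails). $1 = interface name; stdin = nft -a output; one handle per line.
wg_rule_handles() {
    awk -v ifc="\"$1\"" '
        /^[ \t]*(table|chain|type) / { next }
        index($0, ifc) > 0 && /# handle [0-9]+/ { sub(/.*# handle /, ""); print $1 }
    '
}

# Turn those handles into nft commands; pipe the result into `nft -f -` so all
# deletions happen in one transaction (handles stay valid because nothing is
# deleted in between). $1 = "FAMILY TABLE CHAIN", $2 = interface name.
wg_delete_cmds() {
    wg_rule_handles "$2" | while read -r h; do
        printf 'delete rule %s handle %s\n' "$1" "$h"
    done
}

# Constructed sample of `nft -a list chain inet filter forward` output, shaped
# like the memo's excerpt; used by the stand-alone run below.
SAMPLE_NFT_A='table inet filter { # handle 1
    chain forward { # handle 3
        type filter hook forward priority filter; policy drop;
        iifname "wg0" counter packets 0 bytes 0 accept # handle 7
        oifname "wg0" ct state related,established counter packets 0 bytes 0 accept # handle 8
        iifname "eth1" oifname "ens3" accept # handle 9
    }
}'

case "${1:-}" in
    show)    wg_ruleset ;;
    apply)   wg_ruleset | nft -f - ;;
    cleanup) nft -a list chain inet filter forward | wg_delete_cmds "inet filter forward" "$WG" | nft -f - ;;
    *)       printf '%s\n' "$SAMPLE_NFT_A" | wg_delete_cmds "inet filter forward" wg0 ;;
esac
```

Save the output of `show` as /etc/wireguard/wg0.nft (assumed path), check it with `nft -c -f /etc/wireguard/wg0.nft`, and replace the per-rule add/delete lines with `PostUp = nft -f /etc/wireguard/wg0.nft` and `PostDown = nft delete table inet wg0`; the sysctl lines stay as they are. The `cleanup` mode reproduces the memo's handle-based deletion for the shared-chain layout but applies every deletion in a single nft transaction. Separately, note that the peer's `AllowedIPs = fd86:ea04:1119::/64` in wg0.conf lets that one peer emit packets from any address in the /64, including the hub's own ::1; the per-peer /128 in the easy-wg-quick config further down is the tighter form.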
wg1.conf
[Interface]
PrivateKey =
Address = 10.0.0.2/32
DNS =
[Peer]
PublicKey =
PresharedKey =
Endpoint =
AllowedIPs = 0.0.0.0/0, ::/0
The nft commands in PostUp add rules like the following (excerpt of nft list ruleset). Note that this excerpt uses shared chains named forward and postrouting with ip/ip6 saddr matches, which is not what the PostUp lines above produce (they create per-interface chains such as wg0-forward in inet filter and wg0-postrouting in ip nat / ip6 nat, without saddr matches); it comes from a different variant of the commands, and the handle-cleanup command above refers to these shared chain names.
Excerpt
table inet filter {
    # (sets and input chain omitted)
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "wg0" counter packets 0 bytes 0 accept
        oifname "wg0" counter packets 0 bytes 0 accept
    }
}
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ens3" ip saddr 10.0.0.0/24 counter packets 0 bytes 0 masquerade
        oifname "ens3" ip6 saddr fd86:ea04:1119::/64 counter packets 0 bytes 0 masquerade
    }
}
Other
- easy-wg-quick: https://github.com/burghardt/easy-wg-quick (GitHub - burghardt/easy-wg-quick: Creates Wireguard configuration for hub and peers with ease)
Example config generated with easy-wg-quick
[Interface]
Address = 10.166.195.1/24, fd43:7093:7940:7575::1/64
ListenPort =
PrivateKey =
SaveConfig = false
MTU = 1280
PostUp = nft add table inet filter
PostUp = nft add table ip nat
PostUp = nft add chain inet filter %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add chain ip nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule inet filter %i-postrouting ip protocol tcp tcp flags "&(syn|rst)" == syn oifname ens3 tcp option maxseg size set rt mtu
PostUp = nft add rule ip nat %i-postrouting oifname ens3 masquerade
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept
PostDown = nft delete chain inet filter %i-postrouting
PostDown = nft delete chain inet filter %i-forward
PostDown = nft delete chain ip nat %i-postrouting
PostUp = nft add table ip6 nat
PostUp = nft add chain ip6 nat %i-postrouting "{ type nat hook postrouting priority 100 ; }"
PostUp = nft add rule ip6 nat %i-postrouting oifname ens3 masquerade
PostDown = nft delete chain ip6 nat %i-postrouting
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
# 12: 12 > wgclient_12.conf
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.166.195.12/32, fd43:7093:7940:7575::12/128
# 13: 13 > wgclient_13.conf
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.166.195.13/32, fd43:7093:7940:7575::13/128