Difference between revisions of "Wireguard"
From Steak Wiki
Jump to navigationJump to search (→owrt) |
|||
| Line 48: | Line 48: | ||
===windows to windows=== | ===windows to windows=== | ||
===owrt to debian=== | ===owrt to debian=== | ||
| + | <pre> | ||
| + | CLIENT: openwrt | ||
| + | config interface 'vpn' | ||
| + | option proto 'wireguard' | ||
| + | option private_key ' | ||
| + | list addresses 'youraddress' | ||
| + | |||
| + | config wireguard_vpn | ||
| + | option description 'name' | ||
| + | option endpoint_host 'ipaddress' | ||
| + | option endpoint_port 'port' | ||
| + | list allowed_ips 'debiansubnetsyouwanttoaccess/24' | ||
| + | list allowed_ips 'debianvpnaddress/32' | ||
| + | option public_key ' | ||
| + | option preshared_key ' | ||
| + | option route_allowed_ips '1' | ||
| + | |||
| + | the allowed ips and route allowed ips are important here. if this was a fullon vpn, the allowed ips would be 0.0.0.0/0 | ||
| + | |||
| + | SERVER: debian 10 | ||
| + | ==================== | ||
| + | (etc network interfaces) | ||
| + | (note: see debian wiki for an alternative configuration) | ||
| + | auto wg-p2p | ||
| + | iface wg-p2p inet static | ||
| + | address anyip | ||
| + | netmask 255.255.255.0 | ||
| + | pre-up wg-quick up $IFACE | ||
| + | post-down wg-quick down $IFACE | ||
| + | |||
| + | (/etc/wireguard/wg-p2p.conf) | ||
| + | |||
| + | [Interface] | ||
| + | PrivateKey = | ||
| + | ListenPort = portnumber | ||
| + | |||
| + | [Peer] | ||
| + | PublicKey = | ||
| + | PreSharedKey = | ||
| + | AllowedIPs = owrtvpn/32 | ||
| + | |||
| + | with these two settings, the iface will be visible on the specified udp port | ||
| + | |||
| + | and ping between will work. this is p2p. | ||
| + | if ping doesnt work, make sure there are routes between each box on the vpn interface | ||
| + | |||
| + | next | ||
| + | |||
| + | DEBIAN requires firewall rules | ||
| + | AND | ||
| + | ipv4 forwarding enabled. | ||
| + | |||
| + | its NOT masquerade | ||
| + | it's this: | ||
| + | iptables-legacy -t nat -A POSTROUTING -s vpnsubnet/24 -o vpsoutputiface -j SNAT --to-source vpswanip | ||
| + | the outputiface is eth0 or eth1 | ||
| + | convert to nft with iptables-translate if necessary | ||
| + | |||
| + | in my VPS, ipv4 forwarding was not enabled by default. TRAP. | ||
| + | so do that right too. | ||
| + | |||
| + | vpns will bite you here: | ||
| + | |||
| + | firewall rules must change traffic from vpn to appear like its coming from vps. yes, even wireguard (sometimes... depends what distro you use) | ||
| + | forwarding must be enabled (depends upon distro again, but don't forget this) | ||
| + | wireguard: routes must be properly setup | ||
| + | wireguard: ping to start interface conversation from client. when in doubt use tcpdump. | ||
| + | |||
| + | |||
| + | firewall on client owrt: must add vpn to WAN (not lan zone) to minimize setup (i.e. so you don't make its own interface) | ||
| + | once you do this last step, clients will be able to connect in the client pool. not just the owrt router. | ||
| + | |||
| + | Troubleshooting: | ||
| + | make sure docker isn't causing trouble. if you install docker, it disables the | ||
| + | default forwarding policy of accept. (makes it reject). | ||
| + | </pre> | ||
Revision as of 11:29, 28 July 2023
wireguard has a few setup scenarios. each are unique.
windows client to owrt split tunnel
windows
this setup assumes you are using it as a traditional vpn to access resources. not to hide your ip address / internet traffic.
download, run installer, add empty tunnel
[Interface] PrivateKey = (it should auto populate this for you)(public key is above in text field) Address = (the ip you want on the vpn net/32 for one ip) [Peer] PublicKey = (find it on server) AllowedIPs = (what you want to be able to connect to on vpn lan)(usually its the vpn router's ip, and then the lan range behind the router) Endpoint = (ipaddress:port)
Optional: If you have a windows server w/dns (i.e. domain) don't use the vpn router but the windows server as the DNS. However, you may want to also add some other dns (level 4 / google) as backups. e.g.
[Interface] PrivateKey = Address = DNS = (windows server and the subnet should be on allowed ips, if it isn't already), 4.2.2.2, 8.8.8.8
troubleshoot that with nslookup. You might think you can avoid this and hardcode the dns in window's /etc/hosts but that won't properly resolve the domain controller. and everytime you access a domain share you have to enter a password. bad idea.
owrt
config interface 'vpn'
option proto 'wireguard'
option private_key
option listen_port someport
list addresses ipofvpnhost
config wireguard_vpn 'anyname'
list allowed_ips 'onlyoneip/32'
option public_key
option route_allowed_ips '1'
only tricky thing here is you need route_allowed_ips so the client knows to look for it's specified allowedips on the vpn iface the good news about this setup, is that owrt handles some of the routing / forwarding on its side. so you don't have to worry about a source nat command. you do have the follow the owrt install docs for wg though.
todo
alpine to owrt
debian to owrt
windows to windows
owrt to debian
CLIENT: openwrt
config interface 'vpn'
option proto 'wireguard'
option private_key '
list addresses 'youraddress'
config wireguard_vpn
option description 'name'
option endpoint_host 'ipaddress'
option endpoint_port 'port'
list allowed_ips 'debiansubnetsyouwanttoaccess/24'
list allowed_ips 'debianvpnaddress/32'
option public_key '
option preshared_key '
option route_allowed_ips '1'
the allowed ips and route allowed ips are important here. if this was a fullon vpn, the allowed ips would be 0.0.0.0/0
SERVER: debian 10
====================
(etc network interfaces)
(note: see debian wiki for an alternative configuration)
auto wg-p2p
iface wg-p2p inet static
address anyip
netmask 255.255.255.0
pre-up wg-quick up $IFACE
post-down wg-quick down $IFACE
(/etc/wireguard/wg-p2p.conf)
[Interface]
PrivateKey =
ListenPort = portnumber
[Peer]
PublicKey =
PreSharedKey =
AllowedIPs = owrtvpn/32
with these two settings, the iface will be visible on the specified udp port
and ping between will work. this is p2p.
if ping doesnt work, make sure there are routes between each box on the vpn interface
next
DEBIAN requires firewall rules
AND
ipv4 forwarding enabled.
its NOT masquerade
it's this:
iptables-legacy -t nat -A POSTROUTING -s vpnsubnet/24 -o vpsoutputiface -j SNAT --to-source vpswanip
the outputiface is eth0 or eth1
convert to nft with iptables-translate if necessary
in my VPS, ipv4 forwarding was not enabled by default. TRAP.
so do that right too.
vpns will bite you here:
firewall rules must change traffic from vpn to appear like its coming from vps. yes, even wireguard (sometimes... depends what distro you use)
forwarding must be enabled (depends upon distro again, but don't forget this)
wireguard: routes must be properly setup
wireguard: ping to start interface conversation from client. when in doubt use tcpdump.
firewall on client owrt: must add vpn to WAN (not lan zone) to minimize setup (i.e. so you don't make its own interface)
once you do this last step, clients will be able to connect in the client pool. not just the owrt router.
Troubleshooting:
make sure docker isn't causing trouble. if you install docker, it disables the
default forwarding policy of accept. (makes it reject).
