Wireguard: Difference between revisions
Latest revision as of 19:14, 1 January 2023
Namespace VPN
Based upon https://hurlster.com/wiki/index.php/Namespace
- init.d script
This init.d script creates a Linux network namespace (vpn) and builds a point-to-point veth link between the global namespace and the vpn namespace for monitoring/polling.
The script can then be used to start a specific process isolated inside that namespace for security purposes.
- /usr/local/sbin/netns
#!/bin/sh
NETNS_NAME="vpn"
DEV_NAME="wg2"
case "$1" in
start)
    NETNS_FILE=/var/run/netns/$NETNS_NAME
    # Create a new network namespace.
    if [ ! -f "$NETNS_FILE" ]; then
        ip netns add $NETNS_NAME
    fi
    # Bring up NETNS Loopback interface
    ip -n $NETNS_NAME link set dev lo up
    # Add MAIN virtual interface to talk to NETNS
    ip link add veth0 type veth peer name veth1
    # Add IP to veth0
    ip addr add 10.1.1.1/30 dev veth0
    sleep 1
    # Bring MAIN veth0 up
    ip link set veth0 up
    # Move veth1 in NETNS
    ip link set veth1 netns $NETNS_NAME
    sleep 1
    # Add IP to veth1 in NETNS
    ip -n $NETNS_NAME addr add 10.1.1.2/30 dev veth1
    # Bring veth1 up in NETNS
    ip -n $NETNS_NAME link set veth1 up
    sleep 1
    # Add NETNS route(s) back to MAIN
    ip -n $NETNS_NAME route add 192.168.0.0/24 via 10.1.1.1 dev veth1
    # Create a Wireguard network interface in the default namespace.
    ip link add $DEV_NAME type wireguard
    sleep 1
    # Move the Wireguard interface to the network namespace.
    ip link set $DEV_NAME netns $NETNS_NAME
    sleep 1
    # Load the Wireguard configuration. wg setconf only accepts the wg(8)
    # keys; the Address and DNS lines read below are wg-quick extensions and
    # would make setconf fail, so strip them first with wg-quick(8).
    wg-quick strip $DEV_NAME | ip netns exec $NETNS_NAME wg setconf $DEV_NAME /dev/stdin
    # Bring up the Wireguard interface.
    ip -n $NETNS_NAME link set $DEV_NAME up
    echo "ip -n $NETNS_NAME link set $DEV_NAME up"
    sleep 1
    # Set the IP address of the Wireguard interface from the wireguard config file
    ADDR=`grep Address /etc/wireguard/$DEV_NAME.conf | awk -F " = " '{print $2}'`
    #ip netns exec vpn $NETNS_NAME addr add 192.168.6.3/32 dev $DEV_NAME
    ip -n $NETNS_NAME addr add "$ADDR" dev $DEV_NAME
    echo "ip -n $NETNS_NAME addr add $ADDR dev $DEV_NAME"
    # Make the Wireguard interface the default route.
    ip -n $NETNS_NAME route add default dev $DEV_NAME
    # Set DNS servers (processes run with `ip netns exec vpn` see this resolv.conf)
    DNS=`grep DNS /etc/wireguard/$DEV_NAME.conf | awk -F " = " '{print $2}'`
    mkdir -p /etc/netns/vpn
    echo "nameserver $DNS" > /etc/netns/vpn/resolv.conf
    # Restart DELUGED
    #service deluged restart
    ;;
stop)
    # Down NETNS wireguard interface. The interface lives inside the
    # namespace, so look for it there rather than in the main namespace's
    # /proc/net/dev, where it is no longer listed.
    if ip -n $NETNS_NAME link show dev $DEV_NAME >/dev/null 2>&1; then
        ip -n $NETNS_NAME link delete dev $DEV_NAME
        echo "ip -n $NETNS_NAME link delete dev $DEV_NAME"
    fi
    # Down NETNS veth1 and delete (veth0 in MAIN disappears with its peer)
    #ip netns exec vpn ip link set veth1 down
    ip -n $NETNS_NAME link delete veth1
    echo "ip -n $NETNS_NAME link delete veth1"
    # Down MAIN veth0 and delete
    #ip link set veth0 down
    #ip link delete veth0
    # Delete NETNS vpn
    ip netns delete $NETNS_NAME
    echo "ip netns delete $NETNS_NAME"
    ;;
*)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
exit 0
- /etc/systemd/system/netns.service
[Unit]
Description=Namespace VPN Manager
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/local/sbin/netns start
ExecStop=/usr/local/sbin/netns stop
# Time to wait before forcefully stopped.
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
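The namespace is only an isolation boundary if the process inside it cannot reach the network except through the tunnel. The wrapper below is an added example, not part of the wiki's netns script: it starts a program inside the vpn namespace only after checking that the namespace's sole default route is the WireGuard interface, and refuses to start it otherwise. The NETNS_NAME and DEV_NAME values follow the wiki script; the wrapper name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the wiki's netns script: a fail-closed wrapper
# that starts a program inside the "vpn" namespace only after checking that
# the namespace's default route really is the WireGuard interface. The
# variable names follow the wiki script; the wrapper itself is hypothetical.
NETNS_NAME="${NETNS_NAME:-vpn}"
DEV_NAME="${DEV_NAME:-wg2}"

# route_is_tunnel DEV: reads `ip route show default` output on stdin and
# succeeds only if at least one default route exists and every one of them
# uses DEV. A default route via anything else (e.g. veth1 back to the main
# namespace) would let the isolated process reach the network untunnelled.
route_is_tunnel() {
    found=0
    while read -r line; do
        case "$line" in
            default*) ;;
            *) continue ;;              # only default routes matter here
        esac
        case " $line " in
            *" dev $1 "*) found=1 ;;
            *) return 1 ;;              # default route through another device
        esac
    done
    [ "$found" -eq 1 ]
}

# vpn_exec CMD [ARGS...]: run CMD inside the namespace, or refuse to start it
# when the namespace is missing or its default route is not the tunnel.
vpn_exec() {
    if ! ip netns list | grep -qw "$NETNS_NAME"; then
        echo "namespace $NETNS_NAME does not exist; not starting $1" >&2
        return 2
    fi
    if ! ip -n "$NETNS_NAME" route show default | route_is_tunnel "$DEV_NAME"; then
        echo "default route in $NETNS_NAME is not via $DEV_NAME; not starting $1" >&2
        return 3
    fi
    exec ip netns exec "$NETNS_NAME" "$@"
}

# Example use (needs root): vpn-exec deluged -d
if [ "$#" -gt 0 ]; then
    vpn_exec "$@"
fi
```

Pairing this with the netns script above means a failed `wg setconf` or a missing default route stops the daemon from starting at all, instead of letting it run with its traffic leaving through veth1.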
Pfsense Wireguard
- Install WG package
- Configure Tunnel interface
- SSH to command line
- Make directory for remote peer files and cd to it
- Run:
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
cat privatekey
- Add peer configuration in GUI using the publickey shown above
- Back to CLI and create a client conf file
# Description: iPhoneW privatekey
[Interface]
Address = 192.168.100.3/32
DNS = 192.168.100.1
PrivateKey = privatekey-from-CLI

# GatewayServer
[Peer]
PublicKey = publickey-from-server
AllowedIPs = 192.168.100.3/32,0.0.0.0/0
Endpoint = serverip:port
- Copy and paste the contents of the file to:
https://www.wireguardconfig.com/qrcode
- Scan QR code with phone and connect!
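The same client config can be built and turned into a QR code on the firewall itself, which keeps the private key out of a third-party web page. This is an added example, not from the wiki: it generates the key pair as in the steps above, writes the peer .conf, and renders it with qrencode (pkg install qrencode on pfSense/FreeBSD). The address, DNS and serverip:port values are the wiki's placeholders; the file name server.publickey, holding the tunnel's public key copied from the GUI, is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki: build the peer .conf from freshly generated
# keys and render the QR code locally with qrencode (pkg install qrencode on
# pfSense/FreeBSD), so the private key never leaves the firewall. The address,
# DNS and "serverip:port" values are the wiki's placeholders; the file name
# server.publickey (the tunnel's public key, copied from the GUI) is assumed.

# key_looks_valid KEY: a WireGuard key is 32 bytes, i.e. exactly 44 base64
# characters ending in "=". Catches an empty or truncated key file before a
# broken config gets onto the phone.
key_looks_valid() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
        *=) return 0 ;;
        *) return 1 ;;
    esac
}

# make_client_conf NAME ADDRESS DNS PRIVKEY SERVER_PUBKEY ENDPOINT
# AllowedIPs = 0.0.0.0/0 sends all of the phone's traffic through the tunnel,
# as in the wiki's iPhone example.
make_client_conf() {
    cat <<EOF
# Description: $1
[Interface]
Address = $2
DNS = $3
PrivateKey = $4

# GatewayServer
[Peer]
PublicKey = $5
AllowedIPs = 0.0.0.0/0
Endpoint = $6
EOF
}

# Only runs when given a peer name, e.g.: sh mkpeer.sh iPhoneW
if [ "$#" -ge 1 ]; then
    umask 077                                    # key and conf files: owner-only
    wg genkey | tee "$1.privatekey" | wg pubkey > "$1.publickey"
    priv=$(cat "$1.privatekey")
    key_looks_valid "$priv" || { echo "bad private key in $1.privatekey" >&2; exit 1; }
    make_client_conf "$1" 192.168.100.3/32 192.168.100.1 "$priv" \
        "$(cat server.publickey)" serverip:port > "$1.conf"
    echo "Public key to paste into the pfSense peer entry: $(cat "$1.publickey")"
    qrencode -t ansiutf8 < "$1.conf"             # scan this from the phone
fi
```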