Wireguard: Difference between revisions

From Hurlster Wiki

Latest revision as of 19:14, 1 January 2023

Namespace VPN

Based upon https://hurlster.com/wiki/index.php/Namespace

  • init.d script

This init.d script creates a Linux network namespace (vpn) and builds a point-to-point veth link between the global namespace and the vpn namespace for monitoring/polling.
A specific process can then be started inside that namespace so that it is isolated there, with the WireGuard interface as its only default route, for security purposes.

  • /usr/local/sbin/netns
#!/bin/sh
NETNS_NAME="vpn"
DEV_NAME="wg2"
case "$1" in
        start)
                NETNS_FILE=/var/run/netns/$NETNS_NAME
                # Create a new network namespace.
                if [ ! -f "$NETNS_FILE" ]; then
                        ip netns add $NETNS_NAME
                fi
                # Bring up NETNS Loopback interface
                ip -n $NETNS_NAME link set dev lo up

                # Add MAIN virtual interface to talk to NETNS
                ip link add veth0 type veth peer name veth1

                # Add IP to veth0
                ip addr add 10.1.1.1/30 dev veth0

                sleep 1

                # Bring MAIN veth0 up
                ip link set veth0 up

                # Move veth1 in NETNS
                ip link set veth1 netns $NETNS_NAME

                sleep 1

                # Add IP to veth1 in NETNS
                ip -n $NETNS_NAME addr add 10.1.1.2/30 dev veth1

                # Bring veth1 up in NETNS
                ip -n $NETNS_NAME link set veth1 up
                sleep 1

                # Add NETNS route(s) back to MAIN
                ip -n $NETNS_NAME route add 192.168.0.0/24 via 10.1.1.1 dev veth1

                # Create a Wireguard network interface in the default namespace.
                ip link add $DEV_NAME type wireguard
                sleep 1
                # Move the Wireguard interface to the network namespace.
                ip link set $DEV_NAME netns $NETNS_NAME
                sleep 1

                # Load the Wireguard configuration. wg setconf accepts only the
                # wg(8) keys and rejects the wg-quick keys (Address, DNS, ...) as
                # "Line unrecognized", so strip them first; this script reads
                # Address and DNS itself further down.
                wg-quick strip $DEV_NAME | ip netns exec $NETNS_NAME wg setconf $DEV_NAME /dev/stdin

                # Bring up the Wireguard interface.
                ip -n $NETNS_NAME link set $DEV_NAME up
                echo "ip -n $NETNS_NAME link set $DEV_NAME up"
                sleep 1

                # Set the IP address of the Wireguard interface from the wireguard conf file
                ADDR=$(grep '^Address' /etc/wireguard/$DEV_NAME.conf | awk -F " = " '{print $2}')
                ip -n $NETNS_NAME addr add "$ADDR" dev $DEV_NAME
                echo "ip -n $NETNS_NAME addr add $ADDR dev $DEV_NAME"

                # Make the Wireguard interface the default route.
                ip -n $NETNS_NAME route add default dev $DEV_NAME

                # Set DNS servers: ip netns exec bind-mounts
                # /etc/netns/$NETNS_NAME/resolv.conf over /etc/resolv.conf
                # inside the namespace (assumes a single DNS entry in the conf)
                DNS=$(grep '^DNS' /etc/wireguard/$DEV_NAME.conf | awk -F " = " '{print $2}')
                mkdir -p /etc/netns/$NETNS_NAME
                echo "nameserver $DNS" > /etc/netns/$NETNS_NAME/resolv.conf

                # Restart DELUGED
                #service deluged restart
                ;;
        stop)
                # Down NETNS wireguard interface. The interface lives inside the
                # namespace, so look for it there; the global /proc/net/dev
                # never lists it.
                if ip -n $NETNS_NAME link show dev $DEV_NAME >/dev/null 2>&1; then
                        ip -n $NETNS_NAME link delete dev $DEV_NAME
                        echo "ip -n $NETNS_NAME link delete dev $DEV_NAME"
                fi
                # Down NETNS veth1 and delete
                #ip netns exec vpn ip link set veth1 down
                ip -n $NETNS_NAME link delete veth1
                echo "ip -n $NETNS_NAME link delete veth1"

                # Down MAIN veth0 and delete
                #ip link set veth0 down
                #ip link delete veth0

                # Delete NETNS vpn
                ip netns delete $NETNS_NAME
                echo "ip netns delete $NETNS_NAME"
                ;;
        *)
                echo "Usage: $0 {start|stop}"
                exit 1
                ;;
esac
exit 0
  • /etc/systemd/system/netns.service
[Unit]
Description=Namespace VPN Manager
# network-online.target is only reached if something pulls it in, so
# Wants= is needed in addition to After=
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/local/sbin/netns start
ExecStop=/usr/local/sbin/netns stop
# Time to wait before the stop job is forcefully killed.
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
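The script above pulls Address and DNS out of the conf with a bare grep, and wg setconf does not accept those wg-quick keys at all. As an added example (not the wiki's code), these POSIX sh helpers do the same two jobs more robustly: a section-aware key lookup that ignores comments, a resolv.conf writer that copes with several comma-separated DNS servers, and a filter that drops the same keys wg-quick strip does. The config values and the temp file path are constructed for the self-check.

```shell
#!/bin/sh
# Added example, not part of the wiki page: robust helpers for the two
# places where the netns script reads /etc/wireguard/$DEV_NAME.conf.
# Paths and values below are constructed for the self-check.

# Print the value of KEY ($2) from the [Interface] section of FILE ($1),
# skipping comment lines and surrounding whitespace (a bare `grep KEY`
# would also match commented-out or similarly named keys in any section).
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { sect = $0; gsub(/[[:space:]]/, "", sect) }
        sect == "[Interface]" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
                print; exit
            }
        }' "$1"
}

# Expand "DNS = 10.0.0.1, 10.0.0.2" into one nameserver line per server,
# which is what /etc/netns/<ns>/resolv.conf needs.
resolv_conf() {
    conf_value "$1" DNS | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d; s/^/nameserver /'
}

# Remove the wg-quick-only keys that `wg setconf` rejects as unrecognized
# (the keys wg-quick handles itself), so the output can be fed to setconf.
wg_strip() {
    awk '/^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)[[:space:]]*=/ { next } { print }' "$1"
}

# Constructed sample config for a quick self-check; prints its path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Interface]
# Address = 10.9.9.9/32   (commented out, must be ignored)
Address = 192.168.6.3/32
DNS = 192.168.6.1, 1.1.1.1
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NOT_A_REAL_KEY=
[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY_NOT_A_REAL_KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
EOF
    echo "$f"
}
```

In the netns script the same pipeline would be `wg_strip /etc/wireguard/$DEV_NAME.conf | ip netns exec $NETNS_NAME wg setconf $DEV_NAME /dev/stdin` and `resolv_conf ... > /etc/netns/$NETNS_NAME/resolv.conf`.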

pfSense WireGuard

  • Install WG package
  • Configure Tunnel interface
  • SSH to command line
  • Make directory for remote peer files and cd to it
  • Run:
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
cat privatekey
  • Add peer configuration in GUI using the publickey shown above
  • Back to CLI and create a client conf file
# Description: iPhoneW privatekey
[Interface]
Address = 192.168.100.3/32
DNS = 192.168.100.1
PrivateKey = privatekey-from-CLI

# GatewayServer
[Peer]
PublicKey = publickey-from-server
AllowedIPs = 192.168.100.3/32,0.0.0.0/0
Endpoint = serverip:port
  • Copy and paste the contents of the file to:
https://www.wireguardconfig.com/qrcode
  • Scan QR code with phone and connect!