Wireguard
Based upon https://hurlster.com/wiki/index.php/Namespace
- init.d script
This init.d script creates a Linux network namespace (vpn) and builds a point-to-point veth link between the global namespace and the vpn namespace, so the host can still monitor and poll what runs inside it.
The WireGuard interface is moved into the namespace and made its only default route, so a process started inside the namespace is isolated: its traffic can leave only through the tunnel (plus the explicitly routed monitoring subnet).
- /usr/local/sbin/netns
#!/bin/sh
NETNS_NAME="vpn"
DEV_NAME="wg2"
WG_CONF="/etc/wireguard/$DEV_NAME.conf"

case "$1" in
start)
    NETNS_FILE="/var/run/netns/$NETNS_NAME"
    # Create a new network namespace unless it already exists.
    if [ ! -e "$NETNS_FILE" ]; then
        ip netns add "$NETNS_NAME"
    fi
    # Bring up the NETNS loopback interface
    ip -n "$NETNS_NAME" link set dev lo up
    # Add a veth pair: veth0 stays in MAIN, veth1 goes into NETNS
    ip link add veth0 type veth peer name veth1
    # Add IP to veth0
    ip addr add 10.1.1.1/30 dev veth0
    sleep 1
    # Bring MAIN veth0 up
    ip link set veth0 up
    # Move veth1 into NETNS
    ip link set veth1 netns "$NETNS_NAME"
    sleep 1
    # Add IP to veth1 in NETNS
    ip -n "$NETNS_NAME" addr add 10.1.1.2/30 dev veth1
    # Bring veth1 up in NETNS
    ip -n "$NETNS_NAME" link set veth1 up
    sleep 1
    # Add NETNS route(s) back to MAIN (monitoring/polling LAN only)
    ip -n "$NETNS_NAME" route add 192.168.0.0/24 via 10.1.1.1 dev veth1
    # Create the WireGuard interface in the default namespace ...
    ip link add "$DEV_NAME" type wireguard
    sleep 1
    # ... and move it into the network namespace. Its UDP socket stays in
    # MAIN, so the namespace reaches the outside only through the tunnel.
    ip link set "$DEV_NAME" netns "$NETNS_NAME"
    sleep 1
    # Load the WireGuard configuration. wg setconf rejects the wg-quick-only
    # keys (Address, DNS, MTU, ...), so strip them first; they are applied below.
    grep -vE '^(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)' "$WG_CONF" \
        | ip netns exec "$NETNS_NAME" wg setconf "$DEV_NAME" /dev/stdin
    # Bring up the WireGuard interface.
    ip -n "$NETNS_NAME" link set "$DEV_NAME" up
    echo "ip -n $NETNS_NAME link set $DEV_NAME up"
    sleep 1
    # Set the IP address(es) of the WireGuard interface from the WireGuard file
    # (Address may hold several comma-separated entries).
    ADDR=$(grep '^Address' "$WG_CONF" | awk -F ' *= *' '{print $2}' | tr ',' ' ')
    for a in $ADDR; do
        ip -n "$NETNS_NAME" addr add "$a" dev "$DEV_NAME"
        echo "ip -n $NETNS_NAME addr add $a dev $DEV_NAME"
    done
    # Make the WireGuard interface the default route.
    ip -n "$NETNS_NAME" route add default dev "$DEV_NAME"
    # Set DNS servers for processes started in NETNS (ip netns exec bind-mounts
    # /etc/netns/<name>/resolv.conf over /etc/resolv.conf).
    DNS=$(grep '^DNS' "$WG_CONF" | awk -F ' *= *' '{print $2}' | tr ',' ' ')
    mkdir -p "/etc/netns/$NETNS_NAME"
    : > "/etc/netns/$NETNS_NAME/resolv.conf"
    for d in $DNS; do
        echo "nameserver $d" >> "/etc/netns/$NETNS_NAME/resolv.conf"
    done
    # Restart DELUGED
    #service deluged restart
    ;;
stop)
    # Delete the NETNS WireGuard interface if it exists
    if ip -n "$NETNS_NAME" link show "$DEV_NAME" >/dev/null 2>&1; then
        ip -n "$NETNS_NAME" link delete dev "$DEV_NAME"
        echo "ip -n $NETNS_NAME link delete dev $DEV_NAME"
    fi
    # Delete veth1 in NETNS (its peer veth0 in MAIN disappears with it)
    ip -n "$NETNS_NAME" link delete veth1
    echo "ip -n $NETNS_NAME link delete veth1"
    # Delete NETNS
    ip netns delete "$NETNS_NAME"
    echo "ip netns delete $NETNS_NAME"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    ;;
esac
exit 0
- /etc/systemd/system/netns.service
[Unit]
Description=Namespace VPN Manager
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/local/sbin/netns start
ExecStop=/usr/local/sbin/netns stop
# Time to wait before forcefully stopped.
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
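A leak check for the namespace the script builds, added here as an example and not part of the original wiki page: it reads the namespace routing table and fails if anything other than the point-to-point subnet and the monitoring LAN can bypass the WireGuard device. The namespace, device and prefix names are assumed to match the script above.

```shell
#!/bin/sh
# Leak check for the "vpn" namespace built by the netns script above.
# Reads the namespace routing table (output of `ip -n vpn route`) from stdin
# and fails unless the only default route is the WireGuard device and the
# veth link carries nothing beyond the listed prefixes.
# Assumed names follow the wiki script: device wg2, peer veth1 (example code).

# Print the interface named after the "dev" keyword of one route line.
route_dev() {
    while [ $# -gt 1 ]; do
        [ "$1" = dev ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# check_ns_routes WGDEV VETHDEV "ALLOWED-PREFIX ..."  < route-table
check_ns_routes() {
    wgdev=$1 veth=$2 allowed=$3
    defaults=0 leaks=0
    while read -r dst rest; do
        [ -n "$dst" ] || continue
        dev=$(route_dev $rest) || dev=none   # word splitting intended
        if [ "$dst" = default ]; then
            defaults=$((defaults + 1))
            if [ "$dev" != "$wgdev" ]; then
                echo "LEAK: default route bypasses $wgdev: $dst $rest"
                leaks=$((leaks + 1))
            fi
        elif [ "$dev" = "$veth" ]; then
            case " $allowed " in
                *" $dst "*) ;;   # the p2p subnet and the monitoring LAN only
                *) echo "LEAK: $dst reachable via $veth"; leaks=$((leaks + 1)) ;;
            esac
        elif [ "$dev" != "$wgdev" ]; then
            echo "LEAK: $dst uses unexpected device '$dev'"
            leaks=$((leaks + 1))
        fi
    done
    if [ "$defaults" -ne 1 ]; then
        echo "expected exactly one default route, found $defaults"
        return 1
    fi
    [ "$leaks" -eq 0 ]
}

# Live use (needs root):
#   ip -n vpn route | check_ns_routes wg2 veth1 "10.1.1.0/30 192.168.0.0/24"
```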
pfSense WireGuard
- Install WG package
- Configure Tunnel interface
- SSH to command line
- Make directory for remote peer files and cd to it
- Run:
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
- Add peer configuration in GUI using the publickey shown above
- Back to CLI and create a client conf file
# Description: iPhoneW privatekey
[Interface]
Address = 192.168.100.3/32
DNS = 192.168.100.1
PrivateKey = <privatekey-from-CLI>

# GatewayServer
[Peer]
PublicKey = <publickey-from-server>
AllowedIPs = 192.168.100.3/32,0.0.0.0/0
Endpoint = <serverip>:51821
- Copy and paste the contents of the file to:
https://www.wireguardconfig.com/qrcode
(this hands the peer's private key to a third-party site; generating the QR code locally, e.g. with qrencode -t ansiutf8 < client.conf, keeps the key on the box)
- Scan the QR code with the phone and connect!