Allow access WireGuard via port 53/UDP

This commit is contained in:
Héctor Molinero Fernández 2020-01-26 21:17:52 +01:00
parent 3fcd038fdf
commit 40631b7876
4 changed files with 9 additions and 4 deletions

View File

@ -6,4 +6,4 @@ DNS = 10.10.10.1
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XXX.XXX.XXX.XXX:80
Endpoint = XXX.XXX.XXX.XXX:51820

View File

@ -1,6 +1,6 @@
[Interface]
Address = 10.10.10.1/24
ListenPort = 80
ListenPort = 51820
# Load keys
PostUp = [ -e '/etc/wireguard/%i-privatekey' ] || (umask 077 && wg genkey > '/etc/wireguard/%i-privatekey')
PostUp = [ -e '/etc/wireguard/%i-publickey' ] || (umask 022 && wg pubkey < '/etc/wireguard/%i-privatekey' > '/etc/wireguard/%i-publickey')
@ -23,3 +23,8 @@ PostUp = iptables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -
PostUp = ip6tables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = iptables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = ip6tables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
# Allow access WireGuard via port 53/UDP (to circumvent some firewalls)
PostUp = iptables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostUp = ip6tables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = iptables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = ip6tables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820

View File

@ -29,6 +29,6 @@ kvm \
-smp 1 -m 512 \
-nographic -serial mon:stdio \
-device e1000,netdev=n0 \
-netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=tcp::8080-:80 \
-netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::5353-:53 \
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw

View File

@ -108,7 +108,7 @@ build {
"ufw default deny incoming",
"ufw default allow outgoing",
"ufw allow from any to any port 22 proto tcp",
"ufw allow from any to any port 80 proto udp"
"ufw allow from any to any port 51820 proto udp"
]
}