Open WireGuard port in wg0.conf

Héctor Molinero Fernández 2020-01-27 20:01:21 +01:00
parent 0c59442e07
commit 6a82dbb688
3 changed files with 16 additions and 11 deletions


@ -6,13 +6,24 @@ PostUp = [ -e '/etc/wireguard/%i-privatekey' ] || (umask 077 && wg genkey > '/et
PostUp = [ -e '/etc/wireguard/%i-publickey' ] || (umask 022 && wg pubkey < '/etc/wireguard/%i-privatekey' > '/etc/wireguard/%i-publickey') PostUp = [ -e '/etc/wireguard/%i-publickey' ] || (umask 022 && wg pubkey < '/etc/wireguard/%i-privatekey' > '/etc/wireguard/%i-publickey')
PostUp = wg set '%i' private-key '/etc/wireguard/%i-privatekey' PostUp = wg set '%i' private-key '/etc/wireguard/%i-privatekey'
# Load peers # Load peers
PostUp = [ -e '/etc/wireguard/%i-peers.conf' ] && wg addconf '%i' '/etc/wireguard/%i-peers.conf' PostUp = [ -e '/etc/wireguard/%i-peers.conf' ] || (umask 022 && touch '/etc/wireguard/%i-peers.conf')
# Store the internet-facing interface in a file for later use PostUp = wg addconf '%i' '/etc/wireguard/%i-peers.conf'
PostUp = ip route show default | awk '/^default/{print $5}' > '/etc/wireguard/%i-iface'
# Enable IPv4/IPv6 forwarding # Enable IPv4/IPv6 forwarding
PostUp = grep -Fxq '1' /proc/sys/net/ipv4/ip_forward || printf 1 > /proc/sys/net/ipv4/ip_forward PostUp = grep -Fxq '1' /proc/sys/net/ipv4/ip_forward || printf 1 > /proc/sys/net/ipv4/ip_forward
PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/all/forwarding || printf 1 > /proc/sys/net/ipv6/conf/all/forwarding PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/all/forwarding || printf 1 > /proc/sys/net/ipv6/conf/all/forwarding
PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/default/forwarding || printf 1 > /proc/sys/net/ipv6/conf/default/forwarding PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/default/forwarding || printf 1 > /proc/sys/net/ipv6/conf/default/forwarding
# Store the internet-facing interface in a file for later use
PostUp = ip route show default | awk '/^default/{print $5}' > '/etc/wireguard/%i-iface'
# Allow access WireGuard via port 51820/UDP on the internet-facing interface
PostUp = iptables -A INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostUp = ip6tables -A INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostDown = ip6tables -D INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
# Allow access WireGuard via port 53/UDP on the internet-facing interface (to circumvent some firewalls)
PostUp = iptables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostUp = ip6tables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = iptables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = ip6tables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
# Allow packet forwarding on the WireGuard interface # Allow packet forwarding on the WireGuard interface
PostUp = iptables -A FORWARD -i '%i' -j ACCEPT && iptables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE PostUp = iptables -A FORWARD -i '%i' -j ACCEPT && iptables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
PostUp = ip6tables -A FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE PostUp = ip6tables -A FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
@ -23,8 +34,3 @@ PostUp = iptables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -
PostUp = ip6tables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT PostUp = ip6tables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = iptables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT PostDown = iptables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = ip6tables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT PostDown = ip6tables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
# Allow access WireGuard via port 53/UDP (to circumvent some firewalls)
PostUp = iptables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostUp = ip6tables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = iptables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = ip6tables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
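Review bot: The new `iptables -A INPUT … --dport 51820 -j ACCEPT` / `ip6tables …` PostUp lines append to the live INPUT chain, so they sit behind whatever jumps are already there and disappear whenever the host firewall is reloaded while wg0 stays up (the third file suggests ufw owns INPUT on this image, and `ufw reload` flushes and rebuilds the chain), and `ufw status` no longer shows the listener at all, which the removed persistent ufw rule did. The matching PostDown `-D` then fails on a rule that no longer exists, and if I read wg-quick's hook handling right a failing hook aborts the remaining PostDown hooks, leaving the 53/UDP REDIRECT and FORWARD/MASQUERADE rules behind. Consider either keeping the opening under the firewall manager (e.g. `ufw allow in on "$(cat '/etc/wireguard/%i-iface')" to any port 51820 proto udp` in PostUp with the matching `ufw delete` in PostDown) or at least making teardown tolerant: `PostDown = iptables -D INPUT … --dport 51820 -j ACCEPT || true`. The port is also hard-coded here while `ListenPort` presumably lives in the `[Interface]` header above the hunk; `--dport "$(wg show '%i' listen-port)"` would keep the two from drifting.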


@ -29,6 +29,6 @@ kvm \
-smp 1 -m 512 \ -smp 1 -m 512 \
-nographic -serial mon:stdio \ -nographic -serial mon:stdio \
-device e1000,netdev=n0 \ -device e1000,netdev=n0 \
-netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::5353-:53 \ -netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::51820-:51820 \
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \ -drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw -drive file="${USERDATA_DISK:?}",if=virtio,format=raw
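Review bot: The new forward `hostfwd=udp::51820-:51820` leaves the host address empty, which in QEMU user-mode networking binds the listener on all host interfaces, so the test VM's WireGuard endpoint (like the existing `tcp::2222-:22` SSH forward) is reachable from the host's whole network rather than only from the machine running the script. If this is meant as a local test harness, `hostfwd=udp:127.0.0.1:51820-:51820` limits it to loopback. Dropping the `udp::5353-:53` forward also means the 53/UDP REDIRECT path in wg0.conf can no longer be exercised through this script; keeping both forwards, or noting the trade-off in a comment above the `-netdev` line, would help the next person debugging that path.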


@ -107,8 +107,7 @@ build {
"ufw --force enable", "ufw --force enable",
"ufw default deny incoming", "ufw default deny incoming",
"ufw default allow outgoing", "ufw default allow outgoing",
"ufw allow from any to any port 22 proto tcp", "ufw allow from any to any port 22 proto tcp"
"ufw allow from any to any port 51820 proto udp"
] ]
} }