Open WireGuard port in wg0.conf

Héctor Molinero Fernández 2020-01-27 20:01:21 +01:00
parent 0c59442e07
commit 6a82dbb688
3 changed files with 16 additions and 11 deletions


@ -6,13 +6,24 @@ PostUp = [ -e '/etc/wireguard/%i-privatekey' ] || (umask 077 && wg genkey > '/et
PostUp = [ -e '/etc/wireguard/%i-publickey' ] || (umask 022 && wg pubkey < '/etc/wireguard/%i-privatekey' > '/etc/wireguard/%i-publickey')
PostUp = wg set '%i' private-key '/etc/wireguard/%i-privatekey'
# Load peers
PostUp = [ -e '/etc/wireguard/%i-peers.conf' ] && wg addconf '%i' '/etc/wireguard/%i-peers.conf'
# Store the internet-facing interface in a file for later use
PostUp = ip route show default | awk '/^default/{print $5}' > '/etc/wireguard/%i-iface'
PostUp = [ -e '/etc/wireguard/%i-peers.conf' ] || (umask 022 && touch '/etc/wireguard/%i-peers.conf')
PostUp = wg addconf '%i' '/etc/wireguard/%i-peers.conf'
# Enable IPv4/IPv6 forwarding
PostUp = grep -Fxq '1' /proc/sys/net/ipv4/ip_forward || printf 1 > /proc/sys/net/ipv4/ip_forward
PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/all/forwarding || printf 1 > /proc/sys/net/ipv6/conf/all/forwarding
PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/default/forwarding || printf 1 > /proc/sys/net/ipv6/conf/default/forwarding
# Store the internet-facing interface in a file for later use
PostUp = ip route show default | awk '/^default/{print $5}' > '/etc/wireguard/%i-iface'
# Allow access WireGuard via port 51820/UDP on the internet-facing interface
PostUp = iptables -A INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostUp = ip6tables -A INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostDown = ip6tables -D INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
# Allow access WireGuard via port 53/UDP on the internet-facing interface (to circumvent some firewalls)
PostUp = iptables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostUp = ip6tables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = iptables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = ip6tables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
# Allow packet forwarding on the WireGuard interface
PostUp = iptables -A FORWARD -i '%i' -j ACCEPT && iptables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
PostUp = ip6tables -A FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
@ -23,8 +34,3 @@ PostUp = iptables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -
PostUp = ip6tables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = iptables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = ip6tables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
# Allow access WireGuard via port 53/UDP (to circumvent some firewalls)
PostUp = iptables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostUp = ip6tables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = iptables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = ip6tables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
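Review bot: The relocated interface-detection line `PostUp = ip route show default | awk '/^default/{print $5}' > '/etc/wireguard/%i-iface'` emits one line per default route, so on a host with more than one default route the later `$(cat '/etc/wireguard/%i-iface')` expands to several words and every `-i` argument in the new INPUT and PREROUTING rules becomes malformed; with no default route the file is empty and the rules refer to an empty interface name. Limiting it to the first match, `awk '/^default/{print $5; exit}'`, keeps the rules that follow well-formed, and it may be worth noting in a comment that `ip route show default` only reports the IPv4 default route, so the `ip6tables` rules inherit the IPv4 uplink name. The new peers-file creation uses `umask 022`; that is fine while the file holds only public keys and AllowedIPs, but if a `PresharedKey` is ever stored there it would be world-readable, so `umask 077` (as already used for the private key) is the safer default. The second hunk is a pure removal of the port-53 redirect, which this hunk re-adds unchanged apart from its position.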


@ -29,6 +29,6 @@ kvm \
-smp 1 -m 512 \
-nographic -serial mon:stdio \
-device e1000,netdev=n0 \
-netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::5353-:53 \
-netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::51820-:51820 \
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw
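Review bot: The replaced `-netdev` line drops `hostfwd=udp::5353-:53` at the same time as it adds `hostfwd=udp::51820-:51820`, yet the guest configuration in this commit still installs the 53/UDP-to-51820 REDIRECT as a firewall-circumvention fallback. If that fallback is meant to be exercised from the test VM, both forwards are needed, `-netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::5353-:53,hostfwd=udp::51820-:51820 \`; if the removal is deliberate, a short comment saying the DNS-port path is untested here would save the next reader the question. The surrounding `kvm` invocation starts before this hunk.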


@ -107,8 +107,7 @@ build {
"ufw --force enable",
"ufw default deny incoming",
"ufw default allow outgoing",
"ufw allow from any to any port 22 proto tcp",
"ufw allow from any to any port 51820 proto udp"
"ufw allow from any to any port 22 proto tcp"
]
}
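Review bot: Removing `"ufw allow from any to any port 51820 proto udp"` makes the WireGuard port depend entirely on the `iptables -A INPUT ... --dport 51820 -j ACCEPT` rule that wg0.conf now appends at PostUp, and as far as I can tell ufw rebuilds the INPUT chain on `ufw reload`/`ufw enable`, which would silently drop that appended rule until the interface is brought down and up again. Keeping the ufw allow rule here as the durable one (the PostUp rule then merely duplicates it) or managing the port through `ufw` in PostUp would avoid two tools owning the same chain. The `build` block and its provisioner begin before this hunk, so the surrounding context is not visible here.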