Portál AbcLinuxu, 5. května 2024 10:05
caute, nedari sa mi rozchodit WG pod debian 10 na RPI3 (cisty debian, nie raspbian), tipujem to na problem vo firewalle - bud v mikrotiku alebo v NFTables.
Na mikrotiku mam dve vlany - sukromnu a pre hosti. Na MT v ip addresses som pod sukromnu vlanu pridal dalsiu siet pre vpn peerov a pre wg0 (RPI3) pricom eth0 na RPI3 ma ip od povodnej sukromnej siete
Na MT som NATol WG port na ip eth0 v RPI a povolil som maskaradu pre vpn siet.
ip firewall filter vyzera takto:
0 chain=input action=accept connection-state=established,related
1 chain=input action=accept in-interface=fix_vlan log=no log-prefix=""
2 chain=input action=drop connection-state=invalid
3 chain=input action=jump jump-target=WAN>INPUT in-interface-list=WAN log=no log-prefix=""
4 chain=input action=drop log=yes
5 chain=forward action=accept connection-state=established,related
6 chain=forward action=accept in-interface=fix_vlan out-interface-list=WAN log=no log-prefix=""
7 chain=forward action=accept in-interface=host_vlan out-interface-list=WAN log=no log-prefix=""
8 ;;; DSTNAT
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""
9 chain=forward action=accept src-address-list=host_ip dst-address-list=tlac in-interface=host_vlan log=no log-prefix=""
10 chain=forward action=accept src-address-list=vpn_ip in-interface=fix_vlan log=no log-prefix=""
11 chain=forward action=drop connection-state=invalid
12 chain=forward action=drop src-address-list=!fix_ip in-interface=fix_vlan log=no log-prefix=""
13 chain=forward action=drop src-address-list=!host_ip in-interface=host_vlan log=no log-prefix=""
14 chain=forward action=drop dst-address-list=bogon log=yes log-prefix="bogon"
15 chain=forward action=drop in-interface=host_vlan out-interface=fix_vlan log=no log-prefix=""
16 chain=forward action=drop log=yes log-prefix=""
17 chain=WAN>INPUT action=drop log=no log-prefix=""
define WAN_IFC = eth0
define VPN_IFC = wg0
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets.
ct state established,related accept;
# Drop invalid packets.
ct state invalid drop;
# Allow loopback traffic.
iifname lo accept;
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 4/second accept;
ip protocol igmp limit rate 4/second accept;
# Allow SSH specific IPs
tcp dport 22 ip saddr $SAFE_IPS accept;
# Allow WG
udp dport WG port accept;
# Deny WG
udp dport WG port ip saddr $HOST_NET drop;
# Allow DNS
udp dport 53 accept;
# Allow WWW specific IPs
tcp dport { http, https } ip saddr $SAFE_IPS accept;
udp dport { http, https } ip saddr $SAFE_IPS accept;
}
chain forward {
type filter hook forward priority 0; policy drop;
# forward WireGuard traffic, allowing it to access internet via WAN
iifname $VPN_IFC oifname $WAN_IFC ct state new accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table ip router {
# both prerouting and postrouting must be specified
chain prerouting {
type nat hook prerouting priority 0;
}
chain postrouting {
type nat hook postrouting priority 100;
# masquerade wireguard traffic
# make wireguard traffic look like it comes from the server itself
oifname $WAN_IFC ip saddr $VPN_NET masquerade
}
}
[Interface]
Address = lan.ip.adresa.servera z rozsahu vpn_net vytvorenej v MT/24
ListenPort = WG port
PrivateKey = ...
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
[Interface]
PrivateKey = ...
Address = lan.ip.adresa.clienta z rozsahu vpn_net vytvorenej v MT/32
DNS = lan.ip.adresa.mt (je na nom povoleny DNS)
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = verejna.ip.adr.esa:WG port
PersistentKeepalive = 25
Řešení dotazu:
[Interface] Address = 10.0.0.1/24 ListenPort = WG port PrivateKey = ... [Peer] PublicKey = ... PresharedKey = ... AllowedIPs = 10.0.0.2/32client:
[Interface] PrivateKey = ... Address = 10.0.0.2/24 DNS = lan.ip.adresa.mt (je na nom povoleny DNS) [Peer] PublicKey = ... PresharedKey = ... AllowedIPs = 0.0.0.0/0 Endpoint = verejna.ip.adr.esa:WG port PersistentKeepalive = 25
wg-quick down wg0output bol takyto:
[#] ip -4 rule delete table 51820 [#] ip -4 rule delete table main suppress_prefixlength 0 [#] ip link delete dev wg0 [#] nft -f /dev/fd/63a potom net fungoval na RPI normalne, ked som skusil znovu zapnut wg0 cez
wg-quick up wg0output bol takyto:
[#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 10.0.40.1/24 dev wg0 [#] ip link set mtu 1420 up dev wg0 [#] wg set wg0 fwmark 51820 [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820 [#] ip -4 rule add not fwmark 51820 table 51820 [#] ip -4 rule add table main suppress_prefixlength 0 [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1 [#] nft -f /dev/fd/63a potom zase net na RPI prestal fungovat. Po zapnuti debug wireguard cez
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/controlje v outpute
dmesgo wireguard iba toto:
[ 13.288343] wireguard: module verification failed: signature and/or required key missing - tainting kernel [ 13.302966] wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information. [ 13.311941] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld Jason@zx2c4.com. All Rights Reserved.
AllowedIPs = 0.0.0.0/0Zpusobi, ze se veskery provoz presmeruje do tunelu:
ip -4 route add 0.0.0.0/0 dev wg0 table 51820Predpokladam, ze tam ma byt spravne sit 10.0.40.0/24 vyhrazena pro tunel. Dale v konfiguraci, kterou jsi sem poslal mas sit 10.0.0.0/24, ale v debug vystupu Wireguard je 10.0.40.0/24. Takze bud jsi sem napsal nespravne udaje, nebo je neco dalsiho spatne.
9.8.2021 19:43
vencour | skóre: 56
| blog: Tady je Vencourovo
| Praha+západní Čechy
9.8.2021 20:55
vencour | skóre: 56
| blog: Tady je Vencourovo
| Praha+západní Čechy
# ip -s li sh dev <interfejs_pro_wireguard>
9.8.2021 21:36
vencour | skóre: 56
| blog: Tady je Vencourovo
| Praha+západní Čechy
# ip -s li sh dev wgint
10: wgint: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
RX: bytes packets errors dropped missed mcast
36844320 288504 0 0 0 0
TX: bytes packets errors dropped carrier collsns
37081740 291066 39 0 0 0
takhle tak nějak vypadá funkční statistika u testovacího spoje, občas možná něco vypadne, proto nějaký errory jsou.toto je output po tom ako bol tunel nedzi serverom a peerom aktivny cca minutu (server a peer boli v rovnakej lan, ale internet peerovi nefungoval):
ip -s li sh dev wg0
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
RX: bytes packets errors dropped overrun mcast
162300 1052 0 0 0 0
TX: bytes packets errors dropped carrier collsns
4660 51 1 0 0 0
9.8.2021 22:19
vencour | skóre: 56
| blog: Tady je Vencourovo
| Praha+západní Čechy
A co je to "internet peerovi nefungoval"?
No peer nemohol pingnut nic verejne ani cez domenu (napr. google.com) ani ip (8.8.8.8), mohol pingnut iba lan ip WG servera
sorry, neuvedomil som si ze si hovoril asi o tychto pravidlach v nftables.conf
iifname $VPN_IFC oifname $WAN_IFC ct state new accept;
iifname $VPN_IFC oifname $WAN_IFC accept;
nahradil som ich tymito dvomi pravidlami a pripojenie peera uz funguje vratane pristupu do siete a smerovania vsetkeho trafficu cez wireguard VPN ip:
iifname $VPN_IFC accept;
oifname $VPN_IFC ct state established,related accept;
ale chcel by som este vediet ako mozem niektorych peerov limitovat tak ze nebudu mat pristup ku vsetkym zariadeniam v sieti ale len ku niektorym z nich?
Diky za odpoved.
nevim jek se chova specielne wireguard, ale kvuliva normalni konfiguraci ipsecu se musi na mikrotikovi vyrobit plonkovy iface a na nej se musi nastavit routa.Wireguard vyrábí plonkový interface také. Už z návrhu.
Tiskni
Sdílej:
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.