Sorcus, vvviperrr.
Сервер openwrt (lede):
: wireguard-bin
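#!/bin/sh
# Brings up the WireGuard server interface wg0 on the OpenWrt/LEDE router.
# Invoked by "/etc/init.d/wireguard start"; the init script's stop deletes wg0.
#
# Abort on the first failing step: without it a failed "ip link add" (e.g.
# "File exists" from a stale wg0) would still be followed by setconf/up and
# the init script would report success for a half-configured interface.
set -e

WG_IF=wg0
WG_ADDR=192.168.4.1/24
# This file holds PrivateKey: keep it mode 0600.  Note that /etc/config is
# the UCI directory, so uci/LuCI may complain about a non-UCI file here;
# /etc/wireguard (as used on the client) is the conventional location.
WG_CONF=/etc/config/wireguard-server.conf

# Remove a leftover wg0 first so a repeated start re-creates the interface
# cleanly instead of failing on "RTNETLINK answers: File exists".
/sbin/ip link del dev "$WG_IF" 2>/dev/null || true

/sbin/ip link add dev "$WG_IF" type wireguard
/sbin/ip address add "$WG_ADDR" dev "$WG_IF"
/usr/bin/wg setconf "$WG_IF" "$WG_CONF"
/sbin/ip link set up dev "$WG_IF"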
: wireguard
#!/bin/sh /etc/rc.common
# OpenWrt/LEDE init script for the WireGuard server interface (wg0).
# The real work is done by /etc/config/wireguard-bin (see start below).
# START/STOP are the rc.d ordering numbers used by "enable": a high START
# runs this late, after most other services; a low STOP tears it down early.
START=95
STOP=10
# boot: deliberately a no-op.  In rc.common the default boot() just calls
# start(), so overriding it like this means wg0 is NOT created at boot even
# though the service is enabled — run "/etc/init.d/wireguard start" by hand
# (or delete this function to get the default behaviour).  Always returns 0.
boot() {
  :
}
# restart: tear wg0 down, pause briefly, bring it back up.
# stop always succeeds, so start is always reached; the function's exit
# status is that of start.
restart() {
  stop
  sleep 1  # short pause before re-creating wg0 — presumably to let the link removal settle
  start
}
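# start: run the helper that creates and configures wg0.
# The helper's stderr used to be discarded, which hides exactly the failures
# (link already exists, unparsable key in the conf, wg not installed) one
# needs to see while debugging a handshake that never completes.  Its output
# is now forwarded to syslog (visible in "logread") and its exit status is
# returned unchanged as the service's status.
start() {
  local out rv
  out=$(/etc/config/wireguard-bin 2>&1)
  rv=$?
  [ -n "$out" ] && logger -t wireguard "$out"
  return $rv
}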
# stop: remove wg0.  Errors (typically "Cannot find device" when the
# interface was never created) are ignored on purpose so that stop — and
# therefore restart — always exits 0.
stop() {
  /sbin/ip link del dev wg0 2>/dev/null || :
}
: wireguard-server.conf
[Interface]
PrivateKey = key=
ListenPort = 30546
[Peer]
PublicKey = key=
AllowedIPs = 192.168.4.5/32
:firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
# С работающим openvpn тут `option input 'REJECT'`
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan henet tun6 vpn0 wireguard'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option src 'wan'
option proto '41'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
# С работающим openvpn тут: option src 'lan', хотя по сути правило лишнее
# Правило изначально использовалось для доступа с wan c `option src 'wan'`
option proto 'udp'
option dest_port '30546'
config rule
option name 'Allow-WireGuard-Client'
option target 'ACCEPT'
option src '*'
# Еще одно лишнее по сути правило
option proto 'udp'
option src_port '21841'
config redirect
option src 'wan'
option src_dport 'x'
option dest_port '22'
option proto 'tcp'
option dest 'lan'
option dest_ip '10.x.x.x'
:network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd29:x:x::/48'
config interface 'lan'
option ifname 'eth0'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option accept_ra '1'
option send_rs '0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option type 'bridge'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'
#config interface 'vpn'
#option proto ''
#option server ''
#option username ''
#option password ''
#option mtu '1460'
#option peerdns '0'
#option dns '77.88.8.1'
#option type 'bridge'
config interface 'tun6'
option proto 'none'
option ifname 'tun1'
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
config interface 'wireguard'
option ifname 'wg0'
option proto 'none'
config interface 'henet'
option proto '6in4'
option peeraddr 'x'
option ip6addr '2001:x::x/64'
option ip6prefix '2001:x/64'
option tunnelid 'x'
option username 'x'
option password 'x'
config route 'x'
option interface 'lan'
option target '10.x'
option netmask '255.255.255.0'
option gateway '192.168.1.x'
# Где '192.168.1.x' ip-адрес получаемый от роутера по DHCP
#config route 'wg'
#option interface 'lan'
#option target '192.168.4.0'
#option netmask '255.255.255.0'
#option gateway '192.168.1.x'
# Не нужно, достаточно `/bin/ip route add 192.168.4.1/32 via 192.168.1.1 dev eth0` на клиенте
Клиент (Ubuntu Xenial):
:client.conf
[Interface]
PrivateKey = anotherkey=
ListenPort = 21841
[Peer]
PublicKey = anotherkey=
AllowedIPs = 0.0.0.0/0
# Скорей всего будет заменено на ip сервера в дальнейшем
Endpoint = 192.168.4.1:30546
PersistentKeepalive = 25
# Пока тестирую, systemd unit не создавал
:wireguard-client
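#!/bin/bash
# Brings up the WireGuard client interface wg0 on the Ubuntu client and
# sends all IPv4 traffic through it.  No systemd unit yet; run by hand.
# Re-runnable: a leftover wg0 is removed first and routes use "replace".
set -euo pipefail

readonly wg_if=wg0
readonly wg_addr=192.168.4.5/24
readonly wg_conf=/etc/wireguard/client.conf  # holds PrivateKey: keep it mode 0600

# Underlay path to the server's WireGuard Endpoint (the address given as
# Endpoint in client.conf).  Note that 192.168.4.1 is also the server's own
# wg0 (tunnel-internal) address rather than an address of its LAN side; the
# handshake can only succeed if this route actually delivers the packets to
# the router outside the tunnel.  When Endpoint is changed to the server's
# real IP, change endpoint_ip to match, otherwise the endpoint traffic is
# caught by the /1 routes below and the tunnel loops on itself.
readonly endpoint_ip=192.168.4.1
readonly lan_gateway=192.168.1.1
readonly lan_if=eth0

# Recreate wg0 from scratch so a second run does not fail on "File exists".
/bin/ip link del dev "$wg_if" 2>/dev/null || true
/bin/ip link add dev "$wg_if" type wireguard
/bin/ip address add "$wg_addr" dev "$wg_if"
/usr/bin/wg setconf "$wg_if" "$wg_conf"
/bin/ip link set up dev "$wg_if"

# Order matters: the endpoint route must exist before the /1 routes, or the
# handshake packets themselves would be routed into wg0.
/bin/ip route replace "${endpoint_ip}/32" via "$lan_gateway" dev "$lan_if"
# 0/1 + 128/1 together cover all of IPv4 and are more specific than the
# existing default route, so they win without the default being removed.
/bin/ip route replace 0/1 dev "$wg_if"
/bin/ip route replace 128/1 dev "$wg_if"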
:wg part
endpoint: 192.168.4.1:30546
allowed ips: 0.0.0.0/0
bandwidth: 0 B received, 8.78 KiB sent
persistent keepalive: every 25 seconds
Если сделать `nmap -p 30546 -sU 192.168.4.1` (или 192.168.1.1), то он покажет open/filtered. Для несуществующего порта покажет closed. От клиента пакеты на сервер идут, и на этом все. Пробовал в том числе добавлять wireguard в lan и отключать firewall — до handshake не доходит.