Differences

This shows you the differences between two versions of the page.

linux_router:wireguard [2021-01-03 Sun wk53 14:25] – [Full NFTables Code] baumkplinux_router:wireguard [2025-05-24 Sat wk21 21:09] (current) baumkp
Line 1: Line 1:
 {{tag>linux router vpn wireguard Docker "qr code" QR}} {{tag>linux router vpn wireguard Docker "qr code" QR}}
-=====Wireguard VPN======+=====Wireguard VPN access from WAN to LAN====== 
 +<fc #ff0000>I use a Docker instance for my Wireguard server now.</fc>
  
 +I use 2 forms of vpn (virtual private network) on my home server.
 +  - VPN to gain remote secure private access to my home LAN from the WAN (internet). //This is the one I am describing here.//
 +  - VPN to anonymize my public internet access, making it more difficult for others to track my online behavior.   //This is where I describe this [[https://wiki.kptree.net/doku.php?id=tech_notes:docker-deluge#vpn_setup_including_nftable_force_vpn_usage|VPN setup including nftable force to anonymize WAN usage]]//
  
 WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
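Review bot: the new red notice says the Wireguard server now runs in Docker, but everything that follows in this page (the nftables snat/dnat rules for $vpn_ip, the wg-quick@wg0 service output and /etc/wireguard/wg0.conf) still documents the host-based install, so a reader cannot tell which parts still apply; say next to the notice which sections are kept for reference and which are superseded, or link the Docker setup the way item 2 of the new list links the anonymizing VPN. Item 2 also reads awkwardly ("This is where I describe this ..."); "That setup is described at ..." would match the form of item 1.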
Line 27: Line 31:
  
 ===Greatest Difficulties in Setting=== ===Greatest Difficulties in Setting===
-Wireguard is not chatty.  It is important that the setup information is done correctly, in particular the private and public keys.  Also the allowed ips is important. On the server side it is set to the main VPN ip address. On the client side it needs to be set to include ip addresses that are allowed to be access on the client side.+Wireguard is not chatty, this actually is a security feature.  It is important that the setup information is done correctly, in particular the private and public keys.  Also the allowed ips is important. On the server side it is set to the main VPN ip address. On the client side it needs to be set to include ip addresses that are allowed to be access on the client side.
 Some tools that help fault find: Some tools that help fault find:
   * On the server side: ''sudo tcpdump -i wan_device -c 5 port vpn_port'', where wan_device is the wan device, in my case ppp1 and vpn_port is the port number wireguard is set to, in my case 51914, the default is 51820.  This lets you see if the packets are coming in to the wan.   * On the server side: ''sudo tcpdump -i wan_device -c 5 port vpn_port'', where wan_device is the wan device, in my case ppp1 and vpn_port is the port number wireguard is set to, in my case 51914, the default is 51820.  This lets you see if the packets are coming in to the wan.
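Review bot: "Wireguard is not chatty, this actually is a security feature" is a comma splice and gives no reason; since the point is that the server drops UDP packets that do not authenticate against a configured peer key without replying (so a scan of port 51914 shows nothing), say so, e.g. "Wireguard is not chatty; this is a security feature, as unauthenticated packets are dropped without any reply." The AllowedIPs sentence on the same line is still "set to the main VPN ip address" on the server side, while the wg0.conf further down gives each peer its own /32 (192.168.6.2/32, 192.168.6.3/32); per-peer wording would make clear it is the client's VPN address, not the server's. "allowed to be access" should read "allowed to be accessed".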
Line 341: Line 345:
 <tab9>       type nat hook prerouting priority 0; policy accept;\\  <tab9>       type nat hook prerouting priority 0; policy accept;\\ 
 <tab9><color #000060/#F0F0FF>       #iifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> jump wan_in</color>\\  <tab9><color #000060/#F0F0FF>       #iifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> jump wan_in</color>\\ 
-<tab9><color blue>       # Allow internal clients to correctly see external address "hairpin dnat"</color>\\ +<tab9><color blue>       # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\ 
 <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\  <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\ 
 <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {pop3s, imaps, smtp} counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\  <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {pop3s, imaps, smtp} counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ 
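Review bot: the replacement comment "dnat - direct allowed by port number wan incoming services to correct lan server ip" drops the one thing the old "hairpin dnat" comment explained: these rules match on ip daddr $wan_ip4 rather than on iifname $wan (the iifname jump is commented out two lines above), precisely so that LAN clients addressing the public IP are redirected as well, which the hairpin snat in the postrouting chain of the next hunk depends on. Keep both ideas, e.g. "# dnat by port to the LAN server; matched on daddr rather than iifname so LAN clients hitting the WAN address are redirected too (hairpin)". "preroute dnat" in the pop-up notes should be "prerouting dnat".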
Line 350: Line 354:
 <tab9>       type nat hook postrouting priority 0; policy accept;\\  <tab9>       type nat hook postrouting priority 0; policy accept;\\ 
 <tab9> \\  <tab9> \\ 
-<tab9><color blue>      #Allow internal clients to correctly see external address "hairpin dnat"</color>\\ +<tab9><color blue>      #Allow internal clients to correctly see external address "hairpin dnat"</color>   ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\ 
 <tab9>       ip saddr 192.168.1.0/24 ip daddr <color red>$http_server</color> tcp dport {http, https} counter snat <color red>$router_ip4</color>\\  <tab9>       ip saddr 192.168.1.0/24 ip daddr <color red>$http_server</color> tcp dport {http, https} counter snat <color red>$router_ip4</color>\\ 
 <tab9>       ip saddr 192.168.1.0/24 ip daddr <color red>$mail_server</color> tcp dport {http, https, pop3s, imaps, smtp} counter snat <color red>$router_ip4</color>\\  <tab9>       ip saddr 192.168.1.0/24 ip daddr <color red>$mail_server</color> tcp dport {http, https, pop3s, imaps, smtp} counter snat <color red>$router_ip4</color>\\ 
 <tab9>\\  <tab9>\\ 
-<tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$modem</color><color #000060/#F0F0FF> counter masquerade</color>\\ +<tab9><color blue>      #Standard postrouting nat</color>  ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\ 
 +<tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$modem</color><color #000060/#F0F0FF> counter masquerade  #needed with dynamic wan ip address</color>\\ 
 <tab9>       ip saddr <color red>$lan_ip4</color> oifname <color red>$modem</color> counter snat <color red>$modem_ip</color>\\  <tab9>       ip saddr <color red>$lan_ip4</color> oifname <color red>$modem</color> counter snat <color red>$modem_ip</color>\\ 
 <tab9>       ip saddr <color red>$vpn_ip</color> oifname <color red>$modem</color> counter snat <color red>$modem_ip</color>\\  <tab9>       ip saddr <color red>$vpn_ip</color> oifname <color red>$modem</color> counter snat <color red>$modem_ip</color>\\ 
-<tab9>\\  +<tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> counter masquerade #needed with dynamic wan ip address</color>\\ 
-<tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> counter masquerade</color>\\ +
 <tab9>       ip saddr <color red>$lan_ip4</color> oifname $wan</color> counter snat $wan_ip4</color>\\  <tab9>       ip saddr <color red>$lan_ip4</color> oifname $wan</color> counter snat $wan_ip4</color>\\ 
 <tab9>       ip saddr <color red>$vpn_ip</color> oifname $wan</color> counter snat $wan_ip4</color>\\  <tab9>       ip saddr <color red>$vpn_ip</color> oifname $wan</color> counter snat $wan_ip4</color>\\ 
-<tab9><color #000060/#F0F0FF>       #ip saddr { </color><color #060000/#FFF0F0>$lan_ip4, $vpn_ip4 </color><color #000060/#F0F0FF>}oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> counter snat </color><color #060000/#FFF0F0>$wan_ip4</color>\\  +<tab9><color #000060/#F0F0FF>       #ip saddr { </color><color #060000/#FFF0F0>$lan_ip4, $vpn_ip4 </color><color #000060/#F0F0FF>}oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> counter snat </color><color #060000/#FFF0F0>$wan_ip4  #with ip set</color>\\  
-<tab9>\\ +<tab9><color #000060/#F0F0FF>        #oifname { </color><color #060000/#FFF0F0>$wan, $modem</color><color #000060/#F0F0FF> } counter masquerade #with device set</color> \\ 
-<tab9><color #000060/#F0F0FF>        #oifname { </color><color #060000/#FFF0F0>$wan, $modem</color><color #000060/#F0F0FF> } counter masquerade</color> \\ +
 <tab9>\\ <tab9>\\
 <tab6>    }\\  <tab6>    }\\ 
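Review bot: two problems in the changed lines. The link text added to the hairpin comment reads "dicussed in greater death", which should be "discussed in greater depth". The commented-out set form "#ip saddr { $lan_ip4, $vpn_ip4 }oifname $wan counter snat $wan_ip4" uses $vpn_ip4, whereas the live rules on the surrounding lines use $vpn_ip, so uncommenting it as written would fail on an undefined variable; rename it to $vpn_ip and add the missing space before oifname. The new "#Standard postrouting nat" note ("The examples below show different levels of granularity in control") should also state which variant is active (the explicit snat lines) and that the masquerade lines are the alternative for a dynamic WAN address, not extra rules to enable alongside them.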
Line 387: Line 390:
       - ''-c 5'' limits the scan to 5 packets captured,  ''^C'' can also exit the scan at any time       - ''-c 5'' limits the scan to 5 packets captured,  ''^C'' can also exit the scan at any time
       - ''port 51914'' requires to listen only to port 51914       - ''port 51914'' requires to listen only to port 51914
 +    - ''sudo tcpdump -c 5 -i eno1 host 112.213.222.38 and port 51914'' to see on specific host
 I used my iPhone Wireguard app as the other end.  It is important that the app is correctly configured.  Also the Persistent keepalive is set a 1 second.  As the Wireguard is not very chatty this can make it difficult to error check. I used my iPhone Wireguard app as the other end.  It is important that the app is correctly configured.  Also the Persistent keepalive is set a 1 second.  As the Wireguard is not very chatty this can make it difficult to error check.
 The iOS app seems to send 20 keep alive packets waiting 5 seconds for a response after which it stops the keep alive attempts.  The iOS VPN for Wireguard seems to immediately fall back from the VPN if a connection is not made. The iOS app seems to send 20 keep alive packets waiting 5 seconds for a response after which it stops the keep alive attempts.  The iOS VPN for Wireguard seems to immediately fall back from the VPN if a connection is not made.
 +
 +''sudo ip a show wg0'' :
 +<code>14: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
 +    link/none 
 +    inet 192.168.6.1/24 scope global wg0
 +       valid_lft forever preferred_lft forever</code>
 +
 +For some reason my system would not link the IP address even though the wg script was clearly running the commands, ''sudo systemctl status wg-quick@wg0'':
 +<code>Jul 03 21:25:44 Router systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
 +Jul 03 21:25:44 Router wg-quick[3483]: [#] ip link add wg0 type wireguard
 +Jul 03 21:25:44 Router wg-quick[3483]: [#] wg setconf wg0 /dev/fd/63
 +Jul 03 21:25:44 Router wg-quick[3483]: [#] ip -4 address add 192.168.6.1/24 dev wg0
 +Jul 03 21:25:44 Router wg-quick[3483]: [#] ip link set mtu 1420 up dev wg0
 +Jul 03 21:25:44 Router wg-quick[3483]: [#] ip -4 route add 192.168.6.3/32 dev wg0
 +Jul 03 21:25:44 Router wg-quick[3483]: [#] ip -4 route add 192.168.6.2/32 dev wg0
 +Jul 03 21:25:44 Router systemd[1]: Started WireGuard via wg-quick(8) for wg0.</code>
 +then\\
 +''sudo ip a show wg0''<code>7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
 +    link/none 
 +</code>
 +
 +After updating to Debian 11 the following quick fix caused an error so I simply removed and rebooted. ''PostUp = ip -4 address add 192.168.6.1/24 dev wg0'' before PrivateKey to in ''/etc/wireguard/wg0.conf'': <code>[Interface]
 +Address = 192.168.6.1/24
 +SaveConfig = true
 +ListenPort = 51914
 +PrivateKey = censored=
 +
 +[Peer]
 +PublicKey = censored=
 +AllowedIPs = 192.168.6.2/32
 +Endpoint = 1.127.16.49:8898
 +
 +[Peer]
 +PublicKey = censored=
 +AllowedIPs = 192.168.6.3/32
 +Endpoint = 192.168.1.34:63009
 +</code>
 +
 +
  
 ---- ----
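Review bot: the new list item "sudo tcpdump -c 5 -i eno1 host 112.213.222.38 and port 51914" is indented with four spaces while the items above use six, so DokuWiki renders it at a different nesting level; align the indentation. The Debian 11 paragraph is also out of order: it says the PostUp quick fix caused an error and was removed, then shows wg0.conf without it, so the fix is never presented as a step; say plainly that the file below is the working config after the PostUp line was dropped ("removed and rebooted" also needs its object: "removed it and rebooted"). One caveat belongs beside that file: with SaveConfig = true, wg-quick rewrites /etc/wireguard/wg0.conf from the live interface state when wg0 is brought down, which is why this server-side config carries Endpoint lines for both peers (their last seen addresses) and which would also silently discard hand edits such as a PostUp line. Finally, the keys are redacted as "censored=" but the peer endpoint addresses and the tcpdump host address are not; redact those as well, or note that they are deliberately left in.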
Line 455: Line 498:
   *[[https://www.the-digital-life.com/wireguard-docker/|Create your own VPN server with WireGuard in Docker]]   *[[https://www.the-digital-life.com/wireguard-docker/|Create your own VPN server with WireGuard in Docker]]
   *[[https://www.linuxserver.io/|Building and maintaining community {Docker} images]]   *[[https://www.linuxserver.io/|Building and maintaining community {Docker} images]]
 +  *[[https://hub.docker.com/r/linuxserver/wireguard|Dockerhub linuxserver.io wireguard]]
  
  
-<-  linux_router:misc|Prev page ^ linux_router:start|Start page ^ ->+<-  linux_router:misc|Prev page ^ linux_router:start|Start page ^ ->  ^ linux_router:nmap|Next page  ->