
@OvertCoffee
Created October 16, 2020 18:29

Revisions

  1. insdavm revised this gist Nov 10, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion WireGuard-site-to-site.md
    @@ -110,4 +110,4 @@ PersistentKeepalive = 25
    ```

    **You're finished.**
    Make sure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```100.10.202.1```.
    Make sure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```10.200.200.5```.
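Review bot: changing the final check from a LAN address to `10.200.200.5` weakens the test; `10.200.200.5` is Host A's own WireGuard address, so a successful ping only proves C→B→A tunnel reachability and says nothing about forwarding into the subnet behind A, which is the stated goal of the page. Keep a ping to a host on Host A's local /24 (the old `100.10.202.1`, or any LAN host that answers ICMP) as the acceptance test, with the tunnel-address ping as an optional first step.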
  2. insdavm revised this gist Oct 24, 2019. 1 changed file with 12 additions and 0 deletions.
    12 changes: 12 additions & 0 deletions WireGuard-site-to-site.md
    @@ -44,6 +44,12 @@ Here's what we need to add to Host A's ```iptables``` rules, *expressed as the c
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ```

    Finally, we need to make sure IP forwarding is enabled in Host A's kernel:

    ```
    $ sysctl net.ipv4.ip_forward=1
    ```

    #### Host 'B'

    Host B's ```/etc/wireguard/wg0.conf```:
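Review bot: the `$ sysctl net.ipv4.ip_forward=1` line needs root (the rest of the page uses a `#` prompt for privileged commands) and only sets the value until the next reboot, after which the tunnel silently stops forwarding. Persist it, e.g. `net.ipv4.ip_forward = 1` in `/etc/sysctl.d/99-wireguard.conf` (applied with `sysctl --system`), or set it from the interface's `PostUp` so it travels with the config.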
    @@ -79,6 +85,12 @@ PublicKey = <Additional peer pubkey>
    AllowedIPs = 10.200.200.4/32
    ```

    Like we did with Host A, IP forwarding must also be enabled on Host B:

    ```
    $ sysctl net.ipv4.ip_forward=1
    ```

    #### Host C

    Host C's configuration file:
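Review bot: the same non-persistence and `$`-prompt caveat applies to the Host B `sysctl` line; beyond that, once `ip_forward` is on, Host B forwards between any of its interfaces, not just from `wg0`. Set an explicit `iptables -P FORWARD DROP` so that only the `PostUp` accept rule on the WireGuard interface admits forwarded traffic, and document that choice next to this step.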
  3. insdavm revised this gist Jan 17, 2019. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions WireGuard-site-to-site.md
    @@ -66,7 +66,7 @@ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -
    [Peer]
    PublicKey = <HOST 'A' PUBLIC KEY>
    AllowedIPs = 10.200.200.5/32, 100.101.102.0/24
    AllowedIPs = 10.200.200.5/32, 100.10.202.0/24
    # The smartphone
    [Peer]
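Review bot: the new example subnet `100.10.202.0/24` in Host A's `AllowedIPs` is globally routable unicast space (outside RFC 1918 and outside the 100.64.0.0/10 shared range), so anyone who copies it verbatim has Host B steer traffic for real Internet hosts in that /24 into Host A's tunnel. Either mark the prefix clearly as a placeholder to replace with the reader's own LAN, or use an RFC 1918 example such as a 192.168.x.0/24 network.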
    @@ -98,4 +98,4 @@ PersistentKeepalive = 25
    ```

    **You're finished.**
    Make sure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```100.101.102.1```.
    Make sure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```100.10.202.1```.
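Review bot: the final ping to `100.10.202.1` depends on the `MASQUERADE -o eth0` rule on Host A for the reply path, because the LAN host sees Host A's own LAN address as the source; without that SNAT the LAN host would need a return route for 10.200.200.0/24 via Host A. Stating this next to the test helps readers who see the tunnel come up but this ping time out.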
  4. insdavm revised this gist Jan 17, 2019. 1 changed file with 1 addition and 5 deletions.
    6 changes: 1 addition & 5 deletions WireGuard-site-to-site.md
    @@ -62,7 +62,7 @@ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -
    #
    # Notice the AllowedIPs... without this part, WireGuard will drop the
    # packets destined for the HOST 'A' subnet. AllowedIPs is acting like
    # and Access Control List (ACL) here.
    # a routing table and ACL here.
    [Peer]
    PublicKey = <HOST 'A' PUBLIC KEY>
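Review bot: the reworded comment ("a routing table and ACL") is right but still leaves out the half that bites people: `AllowedIPs` is also an inbound source filter. A decrypted packet from this peer whose source address is not within `10.200.200.5/32, 100.101.102.0/24` is silently dropped, which is exactly why replies from LAN hosts are accepted only because they fall inside that /24. Suggest one more comment line to that effect, and noting that the "routing table" half is what wg-quick turns into kernel routes.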
    @@ -79,10 +79,6 @@ PublicKey = <Additional peer pubkey>
    AllowedIPs = 10.200.200.4/32
    ```

    The only other thing we need to do on Host B is set up a route so the kernel knows to send traffic destined for Host A's subnet through Host A on the **WireGuard** interface:

    ```# ip route add 100.101.102.0/24 via 10.200.200.5 dev wg0```

    #### Host C

    Host C's configuration file:
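Review bot: dropping the `ip route add 100.101.102.0/24 via 10.200.200.5 dev wg0` step is correct only when Host B brings the interface up with `wg-quick`, which installs a route for every `AllowedIPs` prefix automatically; someone who configures the interface by hand with `ip link` and `wg setconf` still needs that route. Worth keeping the old line as a one-sentence aside for the manual case.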
  5. insdavm revised this gist Jan 17, 2019. 1 changed file with 1 addition and 5 deletions.
    6 changes: 1 addition & 5 deletions WireGuard-site-to-site.md
    @@ -79,11 +79,7 @@ PublicKey = <Additional peer pubkey>
    AllowedIPs = 10.200.200.4/32
    ```

    Additional rules for Host B that we need to add, again expressed as the commands used to add them:

    ```# iptables -t nat -A POSTROUTING -d 100.101.102.0/24 -j MASQUERADE```

    The last thing we need to do on Host B is set up a route so the kernel knows to send traffic destined for Host A's subnet through Host A on the **WireGuard** interface:
    The only other thing we need to do on Host B is set up a route so the kernel knows to send traffic destined for Host A's subnet through Host A on the **WireGuard** interface:

    ```# ip route add 100.101.102.0/24 via 10.200.200.5 dev wg0```
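Review bot: removing the `POSTROUTING -d 100.101.102.0/24 -j MASQUERADE` rule on Host B is fine, but only because Host A's peer entry for Host B carries `AllowedIPs = 0.0.0.0/0, ::/0`, so Host A accepts forwarded packets that still have the smartphone's source `10.200.200.3`, and Host A's own `MASQUERADE -o eth0` hides that address from the LAN. If a reader tightens Host A's `AllowedIPs` for Host B to `10.200.200.1/32`, cryptokey routing on Host A drops the smartphone's traffic and this SNAT on B (or a wider `AllowedIPs`) becomes necessary again; a sentence on that dependency would save debugging time.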

  6. insdavm revised this gist Jan 17, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion WireGuard-site-to-site.md
    @@ -106,4 +106,4 @@ PersistentKeepalive = 25
    ```

    **You're finished.**
    Makesure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```100.101.102.1```.
    Make sure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```100.101.102.1```.
  7. insdavm revised this gist Jan 17, 2019. 1 changed file with 9 additions and 4 deletions.
    13 changes: 9 additions & 4 deletions WireGuard-site-to-site.md
    @@ -39,8 +39,10 @@ PersistentKeepalive = 25 # to keep connections alive across NA

    Here's what we need to add to Host A's ```iptables``` rules, *expressed as the commands you would use to ADD them*:

    ```# iptables -A FORWARD -i wg0-client -j ACCEPT```
    ```# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE```
    ```
    # iptables -A FORWARD -i wg0-client -j ACCEPT
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ```

    #### Host 'B'
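Review bot: the two Host A rules, now in one fence, still only cover one direction: `-A FORWARD -i wg0-client -j ACCEPT` admits packets entering from the tunnel, and nothing accepts the LAN's replies being forwarded back out `wg0-client`. That works only while the FORWARD chain policy is ACCEPT (Docker, firewalld and many hardened images set it to DROP). Add `iptables -A FORWARD -o wg0-client -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, and restore the ```bash tag the initial revision's fence had so the `#` prompt is not read as a comment.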

    @@ -93,12 +95,15 @@ Host C's configuration file:
    [Interface]
    PrivateKey = <HOST 'C' PRIVATE KEY>
    Address = 10.200.200.3/24
    DNS = 1.1.1.1 # set it to Host B's WireGuard IP if the server is running its own DNS
    DNS = 1.1.1.1
    [Peer]
    PublicKey = <HOST 'B' PUBLIC KEY>
    AllowedIPs = 0.0.0.0/0
    Endpoint = host-b-fqdn.tld:51820
    PersistentKeepalive = 25
    ```
    ```

    **You're finished.**
    Makesure **WireGuard** is running on both HOSTS A and B, and then on the smartphone (HOST C), after connecting to HOST B with **WireGuard** you should be able to ping ```100.101.102.1```.
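Review bot: the Host C peer entry has `AllowedIPs = 0.0.0.0/0` without `::/0`, unlike Host A's config, so on a dual-stack phone all IPv6 traffic bypasses the tunnel while IPv4 is forced through Host B; add `::/0` if the intent is a full tunnel, or narrow to `10.200.200.0/24` plus the LAN prefix if the intent is only reaching the site. Also, the deleted trailing comment on the `DNS` line was the only place the page said where to point DNS for a self-hosted resolver; keep that guidance somewhere. The added closing fence is a good fix.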
  8. insdavm revised this gist Jan 17, 2019. 1 changed file with 71 additions and 12 deletions.
    83 changes: 71 additions & 12 deletions WireGuard-site-to-site.md
    @@ -8,38 +8,97 @@ We want to access a local subnet remotely, but it is behind a NAT firewall and w

    #### Solution Summary

    We'll create a site-to-site connection with **WireGuard** allowing us to access the local subnet by connecting through a cloud server in the middle.
    We'll create a site-to-site connection with **WireGuard** allowing us to access the local subnet on a remote device (smartphone, in this example) by connecting through a cloud server in the middle.

    ## Working Example

    First let's define our three hosts. They all have **WireGuard** installed.

    ```A``` the Linux machine on the *local subnet*, **behind the NAT/firewall**
    ```B``` the Linux cloud server (*VPS, like an Amazon EC2 instance*)
    ```C``` a third **WireGuard** client; a smartphone in this example
    ```A``` the Linux machine on the *local subnet*, **behind the NAT/firewall**
    ```B``` the Linux cloud server (*VPS, like an Amazon EC2 instance*)
    ```C``` a third **WireGuard** client; a smartphone in this example

    #### Host 'A'

    The local machine's ```/etc/wireguard/wg0-client.conf```:
    The Host A's ```/etc/wireguard/wg0-client.conf```:

    ```conf
    [Interface]
    Address = 10.200.200.5/24
    PrivateKey = <LOCAL MACHINE PRIVATE-KEY>
    PrivateKey = <HOST 'A' PRIVATE-KEY>
    ListenPort = 27836 # optional; will be randomly assigned otherwise
    DNS = 1.1.1.1 # or your own DNS server if you're running one
    [Peer]
    PublicKey = <PUBLIC KEY OF MACHINE 'B'>
    Endpoint = machine-b-fqdn.tld:51820
    PublicKey = <PUBLIC KEY OF HOST 'B'>
    Endpoint = host-b-fqdn.tld:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25 # to keep connections alive across NAT
    ```

    The local machine's ```iptables``` rules, *expressed as the commands you would use to ADD them*:
    Here's what we need to add to Host A's ```iptables``` rules, *expressed as the commands you would use to ADD them*:

    ```bash
    # iptables -A FORWARD -i wg0-client -j ACCEPT
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ```# iptables -A FORWARD -i wg0-client -j ACCEPT```
    ```# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE```

    #### Host 'B'

    Host B's ```/etc/wireguard/wg0.conf```:

    ```conf
    [Interface]
    Address = 10.200.200.1/24
    PrivateKey = <HOST 'B' PRIVATE KEY>
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    # This is the peer that is on the private subnet that we want to access.
    #
    # Notice the AllowedIPs... without this part, WireGuard will drop the
    # packets destined for the HOST 'A' subnet. AllowedIPs is acting like
    # and Access Control List (ACL) here.
    [Peer]
    PublicKey = <HOST 'A' PUBLIC KEY>
    AllowedIPs = 10.200.200.5/32, 100.101.102.0/24
    # The smartphone
    [Peer]
    PublicKey = <HOST 'C' PUBLIC KEY>
    AllowedIPs = 10.200.200.3/32
    # An additional peer...
    [Peer]
    PublicKey = <Additional peer pubkey>
    AllowedIPs = 10.200.200.4/32
    ```

    Additional rules for Host B that we need to add, again expressed as the commands used to add them:

    ```# iptables -t nat -A POSTROUTING -d 100.101.102.0/24 -j MASQUERADE```

    The last thing we need to do on Host B is set up a route so the kernel knows to send traffic destined for Host A's subnet through Host A on the **WireGuard** interface:

    ```# ip route add 100.101.102.0/24 via 10.200.200.5 dev wg0```

    #### Host C

    Host C's configuration file:

    ```conf
    [Interface]
    PrivateKey = <HOST 'C' PRIVATE KEY>
    Address = 10.200.200.3/24
    DNS = 1.1.1.1 # set it to Host B's WireGuard IP if the server is running its own DNS
    [Peer]
    PublicKey = <HOST 'B' PUBLIC KEY>
    AllowedIPs = 0.0.0.0/0
    Endpoint = host-b-fqdn.tld:51820
    PersistentKeepalive = 25
    ```
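Review bot: Host B's `PostUp` pair (`iptables -A FORWARD -i %i -j ACCEPT` plus `MASQUERADE -o ens3`) accepts forwarding from any peer to anywhere, so every peer listed here, including the placeholder "additional peer" at `10.200.200.4`, becomes both an Internet exit client of the VPS and able to reach Host A's LAN, not just the smartphone. If the goal is only C→A's subnet, scope the accept rule, e.g. `-i %i -s 10.200.200.3/32 -d 100.101.102.0/24 -j ACCEPT` together with a conntrack `ESTABLISHED,RELATED` return rule, and drop the `ens3` masquerade unless Internet egress through B is actually wanted. Minor: the `ip route add ... via 10.200.200.5 dev wg0` step is redundant under wg-quick, which installs routes for every `AllowedIPs` prefix.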
  9. insdavm created this gist Jan 17, 2019.
    45 changes: 45 additions & 0 deletions WireGuard-site-to-site.md
    @@ -0,0 +1,45 @@
    # WireGuard Site-to-Site

    *Accessing a subnet that is behind a WireGuard client using a site-to-site setup*

    #### Problem Summary

    We want to access a local subnet remotely, but it is behind a NAT firewall and we can't setup port forwarding. Outgoing connections work, but all incoming connections get DROPPED by the ISP's routing policy.

    #### Solution Summary

    We'll create a site-to-site connection with **WireGuard** allowing us to access the local subnet by connecting through a cloud server in the middle.

    ## Working Example

    First let's define our three hosts. They all have **WireGuard** installed.

    ```A``` the Linux machine on the *local subnet*, **behind the NAT/firewall**
    ```B``` the Linux cloud server (*VPS, like an Amazon EC2 instance*)
    ```C``` a third **WireGuard** client; a smartphone in this example

    #### Host 'A'

    The local machine's ```/etc/wireguard/wg0-client.conf```:

    ```conf
    [Interface]
    Address = 10.200.200.5/24
    PrivateKey = <LOCAL MACHINE PRIVATE-KEY>
    ListenPort = 27836 # optional; will be randomly assigned otherwise
    DNS = 1.1.1.1 # or your own DNS server if you're running one
    [Peer]
    PublicKey = <PUBLIC KEY OF MACHINE 'B'>
    Endpoint = machine-b-fqdn.tld:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25 # to keep connections alive across NAT
    ```

    The local machine's ```iptables``` rules, *expressed as the commands you would use to ADD them*:

    ```bash
    # iptables -A FORWARD -i wg0-client -j ACCEPT
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ```
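Review bot: Host A's peer entry for Host B uses `AllowedIPs = 0.0.0.0/0, ::/0`, which makes wg-quick route all of Host A's own traffic, not just tunnel traffic, through the VPS; Host B then sees and can tamper with every outbound connection the LAN box makes, and A loses connectivity whenever B is down. For the stated goal (reach A's subnet via B) `AllowedIPs = 10.200.200.0/24` is enough: it covers Host B and the smartphone, keeps A's normal default route, and still lets cryptokey routing accept the phone's packets. If a full tunnel from A is intended, say so explicitly. Also, `DNS = 1.1.1.1` under `[Interface]` only takes effect if wg-quick finds a resolvconf-compatible helper on the host.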