-
-
Save beevk/ca7eda7595afc79113f73da2758d3d4d to your computer and use it in GitHub Desktop.
Revisions
-
beevk renamed this gist
Nov 24, 2022 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewing
File renamed without changes. -
qdm12 revised this gist
May 23, 2021 . 1 changed file with 3 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -63,7 +63,7 @@ This should fit most setups (not mine though :wink:) iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Accept traffic from any Wireguard IP address connected to the Wireguard server iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT # Drop everything else coming through the Wireguard interface iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP @@ -78,8 +78,9 @@ This should fit most setups (not mine though :wink:) WIREGUARD_INTERFACE=wg0 WIREGUARD_LAN=10.0.0.0/24 MASQUERADE_INTERFACE=enp4s0 CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE" iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN # Remove and delete the WIREGUARD_wg0 chain iptables -D FORWARD -j $CHAIN_NAME -
Jul 16, 2020 . 1 changed file with 14 additions and 14 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -43,7 +43,7 @@ This should fit most setups (not mine though :wink:) PostDown = /etc/wireguard/postdown.sh ``` **Don't forget** to replace the `PrivateKey` value with the one you generated 1. Create a file **/etc/wireguard/postup.sh** with content: @@ -136,7 +136,7 @@ Let's setup a client with full access to Internet and your LAN through Wireguard Let's add a user who should only have access to the LAN. 1. Repeat steps 1 to 5 from the First admin client section above. 1. Use the public key shown in step 4 to add the following block to **/etc/wireguard/wg0.conf** on your server: ```conf @@ -148,23 +148,23 @@ Let's add a user who should only have access to the LAN. 1. Shutdown Wireguard: `wg-quick down wg0` 1. Modify **/etc/wireguard/postup.sh**: - Limit full access to our first admin client `10.0.0.2` only by changing: ```sh iptables -A $CHAIN_NAME -s 10.0.0.0/24 -i $WIREGUARD_INTERFACE -j ACCEPT ``` to ```sh iptables -A $CHAIN_NAME -s 10.0.0.2 -i $WIREGUARD_INTERFACE -j ACCEPT ``` - Add a new line to allow our new user to LAN access only ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.0/24 -j ACCEPT ``` 1. Start Wireguard: `wg-quick up wg0` 1. Note that the client should set its `AllowedIPs = 0.0.0.0/0, ::/0` to `AllowedIPs = 192.168.1.0/24` so it tunnels only to when trying to reach an address on the LAN. -
Jul 16, 2020 . 1 changed file with 75 additions and 75 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,74 +18,74 @@ This should fit most setups (not mine though :wink:) 1. Ensure your iptables firewall has its FORWARD table policy set to `DROP`: ```sh iptables -P FORWARD -j DROP ``` 1. Generate a Wireguard private key ```sh echo "Private key: $(wg genkey)" ``` ```text Private key: OM5BUrGVAswOm/r8asLtdUgJB8rrXflD6TVFL5aGAHk= ``` 1. Create a file **/etc/wireguard/wg0.conf** (or any other name than `wg0`) with content: ```conf [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = OM5BUrGVAswOm/r8asLtdUgJB8rrXflD6TVFL5aGAHk= PostUp = /etc/wireguard/postup.sh PostDown = /etc/wireguard/postdown.sh ``` **Don't forget** to replace the `PrivateKey` value with the one you generated 1. Create a file **/etc/wireguard/postup.sh** with content: ```sh WIREGUARD_INTERFACE=wg0 WIREGUARD_LAN=10.0.0.0/24 MASQUERADE_INTERFACE=enp4s0 iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN # Add a WIREGUARD_wg0 chain to the FORWARD chain CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE" iptables -N $CHAIN_NAME iptables -A FORWARD -j $CHAIN_NAME # Accept related or established traffic iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Accept traffic from any Wireguard IP address connected to the Wireguard server iptables -A $CHAIN_NAME -s 10.0.0.0/24 -i $WIREGUARD_INTERFACE -j ACCEPT # Drop everything else coming through the Wireguard interface iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP # Return to FORWARD chain iptables -A $CHAIN_NAME -j RETURN ``` 1. Create a file **/etc/wireguard/postdown.sh** with content: ```sh WIREGUARD_INTERFACE=wg0 WIREGUARD_LAN=10.0.0.0/24 MASQUERADE_INTERFACE=enp4s0 iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s 10.0.0.0/24 # Remove and delete the WIREGUARD_wg0 chain iptables -D FORWARD -j $CHAIN_NAME iptables -F $CHAIN_NAME iptables -X $CHAIN_NAME ``` ## First admin client @@ -94,18 +94,18 @@ Let's setup a client with full access to Internet and your LAN through Wireguard 1. Install Wireguard on your client device 1. On your client device, create a configuration file **client.conf** with content: ```conf [Interface] Address = 10.0.0.2/32 DNS = 192.168.1.1 PrivateKey = YOUR_CLIENT_PRIVATE_KEY [Peer] AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = 192.168.1.10:51820 PersistentKeepalive = 25 PublicKey = YOUR_SERVER_PUBLIC_KEY ``` 1. Replace in the configuration above `YOUR_SERVER_PUBLIC_KEY` with the key shown using `wg show wg0 public-key` on your server. For example: `p6aGalk69yCM8vNhbvC5mEH/HhJr1c8f55UaeJSChX0=`. 1. Generate keys for your client: @@ -176,15 +176,15 @@ Let's re-use the user we previously created. Let's only allow him to access port 1. Shutdown Wireguard: `wg-quick down wg0` 1. Modify ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.0/24 -j ACCEPT ``` to ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.10.20 -p tcp --dport 445 -j ACCEPT ``` 1. Start Wireguard: `wg-quick up wg0` @@ -195,20 +195,20 @@ That's useful for our friends who want to stream restricted content on Netflix w 1. Shutdown Wireguard: `wg-quick down wg0` 1. Modify ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.10.20 -p tcp --dport 445 -j ACCEPT ``` to ```sh # DNS iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.1 -p udp --dport 53 -j ACCEPT # Drop traffic to your any private IP address iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j DROP # Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above) iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 0.0.0.0/0 -p tcp -m multiport --dports 80,443 -j ACCEPT ``` 1. Start Wireguard: `wg-quick up wg0` 1. Don't forget to set back the client to `AllowedIPs = 0.0.0.0/0, ::/0` -
Jul 16, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,220 @@ # Wireguard and iptables restrictions for multiple users If you don't know what Wireguard is, well, you should. It's fast, easy to setup and highly configurable. We will configure Wireguard for multiple users with various restrictions using *iptables*. ## Assumptions This should fit most setups (not mine though :wink:) - LAN network: `192.168.1.0/24` (`192.168.1.1` => `192.168.1.254`) - LAN DNS server address: `192.168.1.1` - Wireguard is installed (kernel and tools) on a Linux host (it should also work on other platforms though). - The Linux host address: `192.168.1.10` - The Linux host main interface: `enp4s0` (find it with `ip a`) ## Initial server setup 1. Ensure your iptables firewall has its FORWARD table policy set to `DROP`: ```sh iptables -P FORWARD -j DROP ``` 1. Generate a Wireguard private key ```sh echo "Private key: $(wg genkey)" ``` ```text Private key: OM5BUrGVAswOm/r8asLtdUgJB8rrXflD6TVFL5aGAHk= ``` 1. Create a file **/etc/wireguard/wg0.conf** (or any other name than `wg0`) with content: ```conf [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = OM5BUrGVAswOm/r8asLtdUgJB8rrXflD6TVFL5aGAHk= PostUp = /etc/wireguard/postup.sh PostDown = /etc/wireguard/postdown.sh ``` **Don't forget** to replace the `PrivateKey` value with the one you generated 1. Create a file **/etc/wireguard/postup.sh** with content: ```sh WIREGUARD_INTERFACE=wg0 WIREGUARD_LAN=10.0.0.0/24 MASQUERADE_INTERFACE=enp4s0 iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN # Add a WIREGUARD_wg0 chain to the FORWARD chain CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE" iptables -N $CHAIN_NAME iptables -A FORWARD -j $CHAIN_NAME # Accept related or established traffic iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Accept traffic from any Wireguard IP address connected to the Wireguard server iptables -A $CHAIN_NAME -s 10.0.0.0/24 -i $WIREGUARD_INTERFACE -j ACCEPT # Drop everything else coming through the Wireguard interface iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP # Return to FORWARD chain iptables -A $CHAIN_NAME -j RETURN ``` 1. Create a file **/etc/wireguard/postdown.sh** with content: ```sh WIREGUARD_INTERFACE=wg0 WIREGUARD_LAN=10.0.0.0/24 MASQUERADE_INTERFACE=enp4s0 iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s 10.0.0.0/24 # Remove and delete the WIREGUARD_wg0 chain iptables -D FORWARD -j $CHAIN_NAME iptables -F $CHAIN_NAME iptables -X $CHAIN_NAME ``` ## First admin client Let's setup a client with full access to Internet and your LAN through Wireguard. 1. Install Wireguard on your client device 1. On your client device, create a configuration file **client.conf** with content: ```conf [Interface] Address = 10.0.0.2/32 DNS = 192.168.1.1 PrivateKey = YOUR_CLIENT_PRIVATE_KEY [Peer] AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = 192.168.1.10:51820 PersistentKeepalive = 25 PublicKey = YOUR_SERVER_PUBLIC_KEY ``` 1. Replace in the configuration above `YOUR_SERVER_PUBLIC_KEY` with the key shown using `wg show wg0 public-key` on your server. For example: `p6aGalk69yCM8vNhbvC5mEH/HhJr1c8f55UaeJSChX0=`. 1. Generate keys for your client: ```sh priv=`wg genkey` && printf "Private key: $priv\nPublic key: `echo "$priv" | wg pubkey`\n" && unset -v priv ``` ```text Private key: 2L4L8YwusK4Ot4jVoo/1wwQfLAeRM6kJ/WWxzfnWKm4= Public key: GmVyaj+K36xEk7ko/8jijMB9XX9dFgi4mJxsAEFMHmA= ``` 1. Replace in client.conf `YOUR_CLIENT_PRIVATE_KEY` with the private key just generated above. 1. Use the public key shown above to add the following block to **/etc/wireguard/wg0.conf** on your server: ```conf [Peer] # Your first admin client PublicKey = GmVyaj+K36xEk7ko/8jijMB9XX9dFgi4mJxsAEFMHmA= AllowedIPs = 10.0.0.2/32 ``` 1. On your server, start Wireguard: `wg-quick up wg0`. 1. You should now be able to connect to the Wireguard server from your client. You can check on the server with `wg` and it should show a `latest handshake` line. ## LAN only user Let's add a user who should only have access to the LAN. 1. Repeat steps 1 to 5 from [First admin client](#First admin client) 1. Use the public key shown in step 4 to add the following block to **/etc/wireguard/wg0.conf** on your server: ```conf [Peer] # LAN only user PublicKey = 7GneIV/Od7WEKfTpIXr+rTzPf3okaQTBwsfBs5Eqiyw= AllowedIPs = 10.0.0.3/32 ``` 1. Shutdown Wireguard: `wg-quick down wg0` 1. Modify **/etc/wireguard/postup.sh**: - Limit full access to our first admin client `10.0.0.2` only by changing: ```sh iptables -A $CHAIN_NAME -s 10.0.0.0/24 -i $WIREGUARD_INTERFACE -j ACCEPT ``` to ```sh iptables -A $CHAIN_NAME -s 10.0.0.2 -i $WIREGUARD_INTERFACE -j ACCEPT ``` - Add a new line to allow our new user to LAN access only ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.0/24 -j ACCEPT ``` 1. Start Wireguard: `wg-quick up wg0` 1. Note that the client should set its `AllowedIPs = 0.0.0.0/0, ::/0` to `AllowedIPs = 192.168.1.0/24` so it tunnels only to when trying to reach an address on the LAN. ## Restrict the user to a port Let's re-use the user we previously created. Let's only allow him to access port 445 (Samba) on a server `192.168.1.20` for example. 1. Shutdown Wireguard: `wg-quick down wg0` 1. Modify ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.0/24 -j ACCEPT ``` to ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.10.20 -p tcp --dport 445 -j ACCEPT ``` 1. Start Wireguard: `wg-quick up wg0` ## Restrict the user to limited Web browsing only That's useful for our friends who want to stream restricted content on Netflix without allowing them on your LAN 😉 1. Shutdown Wireguard: `wg-quick down wg0` 1. Modify ```sh iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.10.20 -p tcp --dport 445 -j ACCEPT ``` to ```sh # DNS iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.1 -p udp --dport 53 -j ACCEPT # Drop traffic to your any private IP address iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j DROP # Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above) iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 0.0.0.0/0 -p tcp -m multiport --dports 80,443 -j ACCEPT ``` 1. Start Wireguard: `wg-quick up wg0` 1. Don't forget to set back the client to `AllowedIPs = 0.0.0.0/0, ::/0` ## More rules Feel free to comment, I'll try my best to make you a rule 😉 Enjoy!