wireguard vpn を手作業で作る
openwrt がv6のアドレスに対して wireguard を作成すると、インタフェースの設定ではなぜかエラーになったので、手作業でコマンドを打ち込んでwireguard を起動する必要があってめんどくさかった。wg-quick もそのままインストールできないし。
マニュアルで接続する
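# Manual bring-up of wg0 (what wg-quick would otherwise do); run as root.
# Tear down any stale interface first — both commands fail harmlessly if wg0
# does not exist yet.
ip link set wg0 down
ip link delete dev wg0
ip link add dev wg0 type wireguard
ip addr add 172.16.3.2/32 dev wg0
# The private key is read from the file by wg itself; it never appears in
# argv, so it is not visible in `ps` or shell history.
wg set wg0 listen-port 51821 \
  private-key /etc/config/custom/wireguard/wg0.server.key
# Fixed: every continuation line needs a space before the trailing backslash.
# "\<newline>" is removed entirely, so "…YH8=\" followed by "preshared-key"
# was glued into a single token and wg rejected the command.
# The IPv6 endpoint is written in the bracketed form documented in wg(8).
wg set wg0 \
  peer ebnSbJVE5zppRomBNWYh70cl3CNibSP1sSE0R1JvYH8= \
  preshared-key /etc/config/custom/wireguard/wg_psk.psk \
  endpoint [2xxx:xxx:8383:a300:5054:ff:fxxx:xxxx]:51821 \
  allowed-ips 172.16.3.1/32
ip link set wg0 up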
必要に応じて routing を設定する。
172.16.3.1/32 側
# 172.16.3.1 side: host route to the peer's tunnel address (172.16.3.2) over wg0.
ip route add 172.16.3.2/32 dev wg0
172.16.3.2/32 側
# 172.16.3.2 side: host route to the peer's tunnel address (172.16.3.1) over wg0.
ip route add 172.16.3.1/32 dev wg0
/etc/config/custom/wireguard/wg0-start.sh
# Library sourced by the per-host start scripts (client/server examples below).
# Non-empty: IPv6 from the tunnel is masqueraded (allow_v6_masquerade);
# empty: plain ACCEPT forwarding rules are inserted instead (allow_v6_forwarding).
WG_NATv6_ENABLED=1
function restart(){
  # Full bounce: remove the interface, then recreate and configure it.
  stop
  start
}
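function stop(){
  # Remove $WG_IF if it exists; a no-op otherwise, so "stop" is idempotent.
  # Globals read: WG_IF
  # Expansions are quoted: with an empty WG_IF the unquoted form became
  # "ip link show" (succeeds) followed by "ip link delete dev" (error).
  if ip link show "$WG_IF" >/dev/null 2>&1; then
    ip link set "$WG_IF" down
    ip link delete dev "$WG_IF"
  fi
}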
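function start_wg(){
  # Create and configure the local side of the tunnel (no peer yet).
  # Globals read: WG_IF, WG_LOCAL_IPv4, WG_LOCAL_IPv6, WG_LOCAL_LISTEN_PORT,
  #               WG_LOCAL_SECRETKEY_PATH
  # Returns 0 without touching anything if the interface already exists.
  if ip link show "$WG_IF" >/dev/null 2>&1; then
    echo already up.
    return 0
  fi
  set_NTTflets_NGN_route
  ip link add dev "$WG_IF" type wireguard
  ip addr add "$WG_LOCAL_IPv4" dev "$WG_IF"
  # Guard against an unset WG_LOCAL_IPv6: the unguarded form ran
  # "ip addr add dev wg0" with no address.
  if [[ -n $WG_LOCAL_IPv6 ]]; then
    ip addr add "$WG_LOCAL_IPv6" dev "$WG_IF"
  fi
  ip link set dev "$WG_IF" mtu 1420
  # Call wg directly instead of expanding an unquoted command string (which
  # broke on any path containing whitespace). The key is read from the file
  # by wg, so it never appears in argv or `ps`.
  wg set "$WG_IF" listen-port "$WG_LOCAL_LISTEN_PORT" \
    private-key "$WG_LOCAL_SECRETKEY_PATH"
  # Bring the link up once, after the key is in place (the original did it
  # twice, before and after configuring wg).
  ip link set "$WG_IF" up
}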
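function add_peer(){
  # Register the remote peer on $WG_IF, then open forwarding and add routes.
  # Globals read: WG_IF, WG_PEER_PUBKEY, WG_PEER_PSK_PATH, WG_PEER_KEEPALIVE,
  #   WG_PEER_IPv4_NET_ADDR, WG_PEER_IPv6_NET_ADDR, REMOTE_NETWORK (array),
  #   WG_PEER_ENDPOINT (optional: left unset on the side that only listens)
  local -a args allowed
  local net
  # Fixed: the original ran "wg set wg0 …" regardless of $WG_IF.
  # The command is built as an array, not a string, so no value is word-split.
  args=(set "$WG_IF" peer "$WG_PEER_PUBKEY" preshared-key "$WG_PEER_PSK_PATH")
  # An empty keepalive would leave wg with a dangling option; skip it instead.
  if [[ -n $WG_PEER_KEEPALIVE ]]; then
    args+=(persistent-keepalive "$WG_PEER_KEEPALIVE")
  fi
  # allowed-ips is this peer's entire cryptokey-routing entry: both tunnel
  # subnets plus every remote network. Collected as a list so an empty
  # REMOTE_NETWORK does not leave a trailing comma.
  allowed=()
  for net in "$WG_PEER_IPv4_NET_ADDR" "$WG_PEER_IPv6_NET_ADDR" "${REMOTE_NETWORK[@]}"; do
    [[ -n $net ]] && allowed+=("$net")
  done
  args+=(allowed-ips "$(IFS=,; printf '%s' "${allowed[*]}")")
  if [[ -n $WG_PEER_ENDPOINT ]]; then
    args+=(endpoint "$WG_PEER_ENDPOINT")
  fi
  wg "${args[@]}"
  allow_forwardings_v4
  add_route
}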
function start(){
  # Local interface first, then the peer (firewall rules and routes come with it).
  # add_peer runs even when start_wg only reported "already up".
  local step
  for step in start_wg add_peer; do
    "$step"
  done
}
function allow_forwardings_v6(){
  # Kernel forwarding sysctl first, then the ip6tables policy for the tunnel.
  local step
  for step in enable_v6_forwarding allow_v6_forwarding; do
    "$step"
  done
}
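function allow_v6_forwarding(){
  # IPv6 policy for the tunnel, chosen by WG_NATv6_ENABLED:
  #   empty     -> plain forwarding: accept ALL traffic entering or leaving
  #                $WG_IF (rules at the top of INPUT/FORWARD/OUTPUT, no port
  #                filtering — the tunnel peer is fully trusted)
  #   non-empty -> NAT66 instead (allow_v6_masquerade)
  # Globals read: WG_IF, WG_NATv6_ENABLED
  printf 'WG_NATv6_ENABLED=%s\n' "$WG_NATv6_ENABLED"
  if [[ -z $WG_NATv6_ENABLED ]]; then
    local rule
    # Add each rule only if not already present (-C), so repeated starts do
    # not pile up duplicates — stop never removes them.
    for rule in "INPUT -i $WG_IF" "FORWARD -i $WG_IF" "OUTPUT -o $WG_IF" "FORWARD -o $WG_IF"; do
      # shellcheck disable=SC2086 -- $rule is deliberately word-split into arguments
      ip6tables -C $rule -j ACCEPT 2>/dev/null || ip6tables -I $rule -j ACCEPT
    done
  else
    allow_v6_masquerade
  fi
}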
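function allow_v6_masquerade(){
  # NAT66 mode: forward tunnel traffic towards the NGN (WAN) and LAN sides and
  # masquerade it.
  # Globals read: WG_IF, NGN_IF, LAN_IF. Defaults (wg0 / eth1 / eth0) apply
  # only when unset — the original unconditionally reassigned WG_IF=wg0 here,
  # silently diverging from the interface the rest of the script configured.
  : "${WG_IF:=wg0}"
  : "${NGN_IF:=eth1}"
  : "${LAN_IF:=eth0}"
  # The original also discovered the NGN gateway/prefix and the tunnel prefix
  # (ip neigh / ip -6 addr / owipcalc) but never used them in a rule, and the
  # prefix line read an unassigned $NGN_v6; that dead code is dropped. A
  # tighter policy would add "-s <tunnel prefix>" to the NGN masquerade rule:
  # as written it rewrites ALL IPv6 leaving $NGN_IF, not only the tunnel's.
  # Each rule is added only if not already present (-C) so repeated starts do
  # not pile up duplicates (stop never removes them). Original order is kept:
  # the tunnel->LAN rule is inserted at the top of FORWARD, the rest appended.
  ip6tables -C FORWARD -i "$WG_IF" -o "$NGN_IF" -j ACCEPT 2>/dev/null \
    || ip6tables -A FORWARD -i "$WG_IF" -o "$NGN_IF" -j ACCEPT
  ip6tables -C FORWARD -i "$NGN_IF" -o "$WG_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
    || ip6tables -A FORWARD -i "$NGN_IF" -o "$WG_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ip6tables -t nat -C POSTROUTING -o "$NGN_IF" -d ::/0 -j MASQUERADE 2>/dev/null \
    || ip6tables -t nat -A POSTROUTING -o "$NGN_IF" -d ::/0 -j MASQUERADE
  ip6tables -C FORWARD -i "$WG_IF" -o "$LAN_IF" -j ACCEPT 2>/dev/null \
    || ip6tables -I FORWARD -i "$WG_IF" -o "$LAN_IF" -j ACCEPT
  ip6tables -t nat -C POSTROUTING -o "$WG_IF" -d ::/0 -j MASQUERADE 2>/dev/null \
    || ip6tables -t nat -A POSTROUTING -o "$WG_IF" -d ::/0 -j MASQUERADE
}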
function allow_forwardings_v4(){
  # Kernel forwarding sysctl first, then the iptables policy for the tunnel.
  local step
  for step in enable_v4_forwarding allow_v4_forwarding; do
    "$step"
  done
}
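function allow_v4_forwarding(){
  # Accept ALL IPv4 traffic entering or leaving $WG_IF (rules inserted at the
  # top of INPUT/FORWARD/OUTPUT, no port filtering — the tunnel peer is fully
  # trusted). Each rule is added only if not already present (-C), so repeated
  # starts do not pile up duplicates — stop never removes them.
  # Globals read: WG_IF
  local rule
  for rule in "INPUT -i $WG_IF" "FORWARD -i $WG_IF" "OUTPUT -o $WG_IF" "FORWARD -o $WG_IF"; do
    # shellcheck disable=SC2086 -- $rule is deliberately word-split into arguments
    iptables -C $rule -j ACCEPT 2>/dev/null || iptables -I $rule -j ACCEPT
  done
}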
function enable_v4_forwarding(){
  # Turn on kernel IPv4 forwarding on every interface; sysctl's echo of the
  # new value is discarded, errors still reach stderr.
  sysctl -w net.ipv4.conf.all.forwarding=1 >/dev/null
}
function enable_v6_forwarding(){
  # Turn on kernel IPv6 forwarding on every interface; sysctl's echo of the
  # new value is discarded, errors still reach stderr.
  sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null
}
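function add_route(){
  # Install routes through the tunnel.
  # Globals read: WG_IF, WG_PEER_IPv4, WG_PEER_IPv6, WG_LOCAL_IPv6,
  #   REMOTE_NETWORK (array), ENABLE_ROUTING, ENABLE_DEFAULT_GW
  # 1. host route to the peer's tunnel v6 address, source-bound to our own
  #    (the prefix length is stripped so it is a host route)
  ip route add "${WG_PEER_IPv6%/*}" from "${WG_LOCAL_IPv6%/*}" dev "$WG_IF" metric 499 onlink
  # 2. the remote networks, only when routing is enabled
  if [[ $ENABLE_ROUTING != 1 ]]; then
    return
  fi
  local net gateway
  for net in "${REMOTE_NETWORK[@]}"; do
    # Default routes are installed only when explicitly opted in. Fixed: the
    # original used "return" here, which silently dropped every network listed
    # after the default route instead of just skipping it.
    if [[ ( $net == "0.0.0.0/0" || $net == "::/0" ) && $ENABLE_DEFAULT_GW != 1 ]]; then
      continue
    fi
    # IPv6 destinations go via the peer's tunnel v6 address, IPv4 via its v4.
    if [[ $net == *:* ]]; then
      gateway=${WG_PEER_IPv6%/*}
    else
      gateway=${WG_PEER_IPv4%/*}
    fi
    echo "ip route add $net dev $WG_IF via $gateway metric 499 onlink"
    ip route add "$net" dev "$WG_IF" via "$gateway" metric 499 onlink
  done
}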
function set_NTTflets_NGN_route(){
  # Hand the peer's public v6 address to the NTT FLET'S NGN (IPIP6) helper;
  # judging by its name it presumably adds a route for that address on the
  # NGN side. Called from start_wg before the interface is created.
  # Globals read: WG_PEER_ENDPOINT_IP
  # NOTE(review): the client config below never sets WG_PEER_ENDPOINT_IP, so
  # the helper is then invoked as "add" with no address — confirm intended.
  /etc/config/custom/ipip6/v6_default_route.sh add $WG_PEER_ENDPOINT_IP
}
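function main(){
  # Dispatch on the first argument. Patterns are prefix matches ("start*"),
  # as in the original, so e.g. "startx" still means start.
  # Globals read: WG_IF
  # Returns 2 (and prints usage on stderr) for an unknown or missing action,
  # so a typo no longer exits 0.
  case ${1:-} in
    start*)
      echo "start interface $WG_IF"
      start
      ;;
    stop*)
      echo "stop interface $WG_IF"
      stop
      ;;
    restart*)
      echo "restart interface $WG_IF"
      restart
      ;;
    *)
      printf '%s start|stop|restart\n' "$0" >&2
      return 2
      ;;
  esac
}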
接続する側(クライアント)
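#!/bin/bash
# Client side (the host that initiates the connection). bash is required: the
# sourced library uses arrays, [[ ]] and "function" definitions.
# NOTE(review): the page introduces the library as
# /etc/config/custom/wireguard/wg0-start.sh but sources ../wg-start.sh here —
# confirm which name is deployed.
scripts="$(dirname "$0")/../wg-start.sh"
# shellcheck source=/dev/null
source "$scripts" || { printf 'cannot source %s\n' "$scripts" >&2; exit 1; }
WG_IF=wg0
WG_PORT=51821
WG_LOCAL_LISTEN_PORT=$WG_PORT
WG_LOCAL_IPv4=172.16.3.1/24
WG_LOCAL_IPv6=fd00:baba:afac:4610::1/64
# Subnets derived from the local address by replacing the last octet/hextet:
# 172.16.3.0/24 and fd00:baba:afac:4610::/64.
WG_LOCAL_v4_NETADDR="${WG_LOCAL_IPv4%.*}.0/24"
WG_LOCAL_v6_NETADDR="${WG_LOCAL_IPv6%:*}:/64"
CONFIG_PATH=/etc/config/custom/wireguard/$WG_IF
# secret.key and peer.psk are handed to wg as paths (wg reads them itself) —
# keep both root-only (mode 0600). peer.pub is public and is read here; abort
# if it is missing rather than registering a peer with an empty key.
WG_LOCAL_SECRETKEY_PATH=$CONFIG_PATH/secret.key
WG_PEER_PUBKEY=$(cat "$CONFIG_PATH/peer.pub") || exit 1
WG_PEER_PSK_PATH=$CONFIG_PATH/peer.psk
WG_PEER_KEEPALIVE=60
# NOTE(review): no WG_PEER_ENDPOINT is set on this side, so it can only be
# reached by the peer that dials in (the server config below sets one) —
# confirm that is the intended direction.
# Peer tunnel addresses: .2 / ::2 in the same subnets.
WG_PEER_IPv4="${WG_LOCAL_IPv4%.*}.2/24"
WG_PEER_IPv6="${WG_LOCAL_IPv6%:*}:2/64"
WG_PEER_IPv4_NET_ADDR=$WG_LOCAL_v4_NETADDR
WG_PEER_IPv6_NET_ADDR=$WG_LOCAL_v6_NETADDR
# Networks reachable through the peer (part of allowed-ips). ::/0 is only
# routed by add_route when ENABLE_DEFAULT_GW=1, which this config leaves unset.
REMOTE_NETWORK=( 192.168.1.0/24 ::/0 )
ENABLE_ROUTING=1
main "$@"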
接続を貰う側(サーバー)
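#!/bin/bash
# Server side (the host that accepts the connection). bash is required: the
# sourced library uses arrays, [[ ]] and "function" definitions.
# NOTE(review): the page introduces the library as
# /etc/config/custom/wireguard/wg0-start.sh but sources ../wg-start.sh here —
# confirm which name is deployed.
scripts="$(dirname "$0")/../wg-start.sh"
# shellcheck source=/dev/null
source "$scripts" || { printf 'cannot source %s\n' "$scripts" >&2; exit 1; }
WG_IF=wg0
WG_PORT=51821
WG_LOCAL_LISTEN_PORT=$WG_PORT
WG_LOCAL_IPv4=172.16.3.2/24
WG_LOCAL_IPv6=fd00:baba:afac:4610::2/64
# Subnets derived from the local address by replacing the last octet/hextet:
# 172.16.3.0/24 and fd00:baba:afac:4610::/64.
WG_LOCAL_v4_NETADDR="${WG_LOCAL_IPv4%.*}.0/24"
WG_LOCAL_v6_NETADDR="${WG_LOCAL_IPv6%:*}:/64"
CONFIG_PATH=/etc/config/custom/wireguard/$WG_IF
# secret.key and peer.psk are handed to wg as paths (wg reads them itself) —
# keep both root-only (mode 0600). peer.pub is public and is read here; abort
# if it is missing rather than registering a peer with an empty key.
WG_LOCAL_SECRETKEY_PATH=$CONFIG_PATH/secret.key
WG_PEER_PUBKEY=$(cat "$CONFIG_PATH/peer.pub") || exit 1
WG_PEER_PSK_PATH=$CONFIG_PATH/peer.psk
WG_PEER_KEEPALIVE=60
# Peer's public address (placeholder as given on the page). The endpoint uses
# the bracketed "[v6addr]:port" form documented in wg(8), so the address's
# own colons cannot be confused with the port separator.
WG_PEER_ENDPOINT_IP=2xxx:xxxx:a300:5054:ff:fea9:xxxxx
WG_PEER_ENDPOINT_PORT=$WG_PORT
WG_PEER_ENDPOINT="[$WG_PEER_ENDPOINT_IP]:$WG_PEER_ENDPOINT_PORT"
# Peer tunnel addresses: .1 / ::1 in the same subnets.
WG_PEER_IPv4="${WG_LOCAL_IPv4%.*}.1/24"
WG_PEER_IPv6="${WG_LOCAL_IPv6%:*}:1/64"
WG_PEER_IPv4_NET_ADDR=$WG_LOCAL_v4_NETADDR
WG_PEER_IPv6_NET_ADDR=$WG_LOCAL_v6_NETADDR
# Networks reachable through the peer (part of allowed-ips). ::/0 is only
# routed by add_route when ENABLE_DEFAULT_GW=1, which this config leaves unset.
REMOTE_NETWORK=( 192.168.2.0/24 192.168.100.0/24 ::/0 )
ENABLE_ROUTING=1
main "$@"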
参考資料
https://qiita.com/fluo10/items/78e91884042645b08fb9