On Thu, Feb 22, 2018 at 6:09 PM, Zenny <garbytr...@gmail.com> wrote:

> On Wed, Feb 21, 2018 at 8:28 PM, Tom Eastep <teas...@shorewall.net> wrote:
>
>> Resending this, as the SF mail list problems seemed to have lost the
>> original.
>>
>> On 02/19/2018 11:36 PM, Zenny wrote:
>> > Hi,
>> >
>> > I am planning to add a wireguard.io interface (wg0)
>> > to the running three-interface shorewall (I do not use the too-complex
>> > vyatta-firewall) with (net, loc and dmz) as explained
>> > at https://github.com/Lochnair/vyatta-wireguard
>> > and https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04.
>> >
>> > I would like to create the router as a private VPN gateway to the
>> > upstream public VPN that supports wireguard, too. The purpose of the
>> > setup is to allow roaming clients as well as machines in the loc zone to
>> > connect to this shorewall instance as a gateway to reach the internet.
>> >
>> > Adding a masq entry for the wg0 interface with shorewall rules and a
>> > policy similar to loc may work, but inputs are appreciated on how to
>> > handle the wireguard clients from outside.
>> >
>>
>> See http://www.shorewall.org/VPNBasics.html. Basically, you must:
>>
>> a) Add a zone for the remote host(s) behind the VPN (or make them
>>    part of the 'loc' zone).
>> b) Add an entry for the wg0 interface and the zone in a).
>>
>
> Thanks a lot for the pointer.
>
>
>> c) Add a tunnels entry for the port you choose for the VPN (a quick
>>    look at the WG documentation didn't indicate which protocol the
>>    port is associated with), *or* follow the steps in the above-linked
>>    document to add the appropriate rules for the encapsulating VPN
>>    packets.
>>
>
>
> The firewall configuration section in this tutorial
> (https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/)
> seems to be using udp:
>
> # iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
>

A glance at page 5 of the WireGuard whitepaper at
https://www.wireguard.com/papers/wireguard.pdf
also confirms that UDP is the protocol used. Just an update, if that is something useful.


>
> Cheers,
>
>>
>> -Tom
>> --
>> Tom Eastep        \   Q: What do you get when you cross a mobster with
>> Shoreline,         \     an international standard?
>> Washington, USA     \ A: Someone who makes you an offer you can't
>> http://shorewall.org \   understand
>>                       \_______________________________________________
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
> --
> Cheers,
> /z
>
> -.. .. ... -.-. .-.. .- .. -- . .-. | -.. .. ... -.-. .-.. .- .. -- . .-.
> CONFIDENTIALITY NOTICE AND DISCLAIMER: Access to this e-mail and its
> contents by anyone other than the intended recipient is unauthorized as it
> contains privileged and confidential information, and is subject to legal
> privilege. Please do not re/distribute it.  If you are not the intended
> recipient (or responsible for delivery of the message to such person), you
> may not use, copy, distribute or deliver the email and part of its contents
> to anyone this message (or any part of its contents or take any action in
> connection to it. In such case, you should destroy this message, and notify
> the sender immediately. If you have received this email in error, please
> notify the sender or your sysadmin immediately by e-mail or telephone, and
> delete the e-mail from any computer. If you or your employer does not
> consent to internet e-mail messages of this kind, please notify the sender
> immediately. All reasonable precautions have been taken to ensure no
> viruses are present in this e-mail and attachments included. As the sender
> cannot accept responsibility for any loss or damage arising from the use of
> this e-mail or attachments it is recommended that you are responsible to
> follow your virus checking procedures prior to use. The views, opinions,
> conclusions and other informations expressed in this electronic mail are
> not given or endorsed by any company including the network providers unless
> otherwise indicated by an authorized representative independent of this
> message.
> -.. .. ... -.-. .-.. .- .. -- . .-. | -.. .. ... -.-. .-.. .- .. -- . .-.
>

-- 
Cheers,
/z
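To make Tom's steps a) to c) concrete, here is an added configuration example for this thread's setup. It is my illustration, not code from the thread, from Tom, or from the Shorewall project: the interface names eth0/eth1/eth2, the 10.200.0.0/24 subnet on wg0, the DNS rule, the 'routeback' option and the key placeholders in wg0.conf are all assumptions. The port 51820 is the one quoted from the ckn.io tutorial above, and the file layout is the one Shorewall used at the time of this thread (the masq file; newer releases use the snat file instead).

```text
# --- /etc/shorewall/zones ---
# Step a): a separate zone for the WireGuard peers (alternatively, put wg0 in 'loc').
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4

# --- /etc/shorewall/interfaces ---
# Step b): bind wg0 to the new zone. eth0/eth1/eth2 are assumed names for the
# existing net/loc/dmz interfaces. 'routeback' is only needed if two roaming
# peers must be able to reach each other through this hub (in via wg0, out via wg0).
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs
dmz     eth2        tcpflags,nosmurfs
vpn     wg0         routeback

# --- /etc/shorewall/policy ---
# The vpn zone is treated like loc, as suggested in the thread: out to the
# Internet, nothing into the firewall except what the rules file opens.
# These lines must come before the catch-all 'all all REJECT' entry.
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
vpn     net     ACCEPT
vpn     $FW     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/rules ---
# Step c), rules variant: the *encapsulating* WireGuard packets from roaming
# peers arrive on the net interface, addressed to the firewall itself, as UDP
# on the ListenPort (51820 here, as in the ckn.io tutorial). The decrypted
# traffic then appears on wg0 and is matched as the vpn zone.
#ACTION      SOURCE  DEST    PROTO   DPORT
ACCEPT       net     $FW     udp     51820
# Let peers use a resolver on the router (assumption: the router runs one).
DNS(ACCEPT)  vpn     $FW

# --- /etc/shorewall/tunnels ---
# Step c), tunnels variant (use this OR the ACCEPT rule above, not both).
# The generic tunnel type opens the port in both directions between the
# firewall and the given gateway address(es).
#TYPE               ZONE    GATEWAY
generic:udp:51820   net     0.0.0.0/0

# --- /etc/shorewall/masq ---
# NAT the peers' traffic out of the Internet-facing interface. 10.200.0.0/24 is
# an assumed subnet for wg0. If the default route goes out of an upstream
# WireGuard tunnel instead of eth0, name that interface here (and list it in
# the interfaces file, e.g. as part of net) rather than eth0.
#INTERFACE  SOURCE
eth0        10.200.0.0/24

# --- /etc/wireguard/wg0.conf (hub side) ---
# Keys are placeholders, not real keys. ListenPort must match the UDP port
# opened above; AllowedIPs is both the ACL and the route for each peer.
[Interface]
Address    = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <hub private key>

[Peer]
PublicKey  = <roaming peer public key>
AllowedIPs = 10.200.0.2/32
```

Forwarding must be on (IP_FORWARDING=On in shorewall.conf, or enable it yourself with IP_FORWARDING=Keep), then run 'shorewall check' before 'shorewall restart'. On a roaming peer, the matching [Peer] section points Endpoint at the router's public address on port 51820, uses AllowedIPs = 0.0.0.0/0 so that all traffic goes through the hub, and sets PersistentKeepalive when the client sits behind NAT. If the firewall should only accept WireGuard from known endpoints, narrow the ACCEPT rule's SOURCE (or the tunnels GATEWAY column) from net / 0.0.0.0/0 to those addresses; a roaming client by definition has none, so in that case the open UDP port is expected and WireGuard's own handshake is what authenticates the peer.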
