On 02/22/2018 09:15 AM, Zenny wrote:
> On Thu, Feb 22, 2018 at 6:09 PM, Zenny <garbytr...@gmail.com> wrote:
> 
>     On Wed, Feb 21, 2018 at 8:28 PM, Tom Eastep <teas...@shorewall.net> wrote:
> 
>         Resending this, as the SF mail list problems seemed to have lost the
>         original.
> 
>         On 02/19/2018 11:36 PM, Zenny wrote:
>         > Hi,
>         >
>         > I am planning to add wireguard.io <http://wireguard.io> interface (wg0)
>         > to the running three-interface shorewall (I do not use too complex
>         > vyatta-firewall with (net,loc and dmz) as explained
>         > at https://github.com/Lochnair/vyatta-wireguard
>         > and
>         > https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04.
>         >
>         > I would like to create the router as a private VPN gateway to the
>         > upstream public VPN that supports wireguard, too. The purpose of the
>         > setup is to allow roaming as well as machines in loc zone to connect to
>         > this shorewall instance as a gateway to reach the internet.
>         >
>         > Adding a masq wg0 interface with shorewall rules and policy similar to
>         > loc may work, but inputs appreciated for the wireguard clients from
>         > outside?
>         >
> 
>         See http://www.shorewall.org/VPNBasics.html. Basically, you must:
> 
>         a) Add a zone for the remote host(s) behind the VPN (or make them
>            part of the 'loc' zone).
>         b) Add an entry for the wg0 interface and the zone in a).
> 
> 
>     Thanks a lot for the pointer.
>      
> 
>         c) Add a tunnels entry for the port you choose for the VPN (a quick
>            look at the WG documentation didn't indicate which protocol the
>            port is associated with), *or* follow the steps in the
>         above-linked
>            document to add the appropriate rules for the encapsulating VPN
>            packets.
> 
> 
> 
>     The firewall configuration section in this tutorial
>     (https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/)
>     seems to be using udp:
> 
>     # iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
> 
> 
> A glance at page 5 in the wireguard whitepaper at
> https://www.wireguard.com/papers/wireguard.pdf
> also confirms UDP protocol used. Just an update if that is something useful.
> 

Sounds like you have everything you need then. Just be sure that the
port you specify in your tunnels file (or in a net->fw rule) is the same
one that you have configured in Wireguard.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
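As an added, constructed example (not taken from this thread or from the Shorewall project's own documentation): the file fragments that implement steps a) to c) above, assuming eth0 is the net interface, wg0 is the WireGuard interface, 10.8.0.0/24 is the tunnel subnet, and 51820 is the UDP port quoted in the thread.

```conf
# /etc/shorewall/zones -- step a): a dedicated zone for hosts behind WireGuard
# (alternatively, leave this out and bind wg0 to 'loc' in the interfaces file)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4

# /etc/shorewall/interfaces -- step b): bind wg0 to that zone
# (eth0/eth1/eth2 as net/loc/dmz are assumed names)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs
dmz     eth2        tcpflags,nosmurfs
vpn     wg0

# /etc/shorewall/tunnels -- step c): accept the encapsulating UDP packets from
# any peer address; 51820 must equal ListenPort in the wg0 configuration
#TYPE               ZONE    GATEWAY
generic:udp:51820   net     0.0.0.0/0

# /etc/shorewall/rules -- the equivalent net->fw rule, if you prefer it to
# the tunnels entry (use one or the other, not both)
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  net     fw      udp     51820

# /etc/shorewall/policy -- add above the existing catch-all net/all lines;
# VPN peers get internet access only, not the LAN, unless loosened here
#SOURCE DEST    POLICY  LOG_LEVEL
vpn     net     ACCEPT
vpn     loc     REJECT  info
loc     vpn     ACCEPT

# /etc/shorewall/masq -- NAT the tunnel subnet (assumed 10.8.0.0/24) behind
# the public interface so roaming peers reach the internet via this gateway
#INTERFACE  SOURCE
eth0        10.8.0.0/24
```

Run `shorewall check` before `shorewall restart` so a column error in any of these files is reported instead of leaving the firewall in a half-applied state.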