On 02/22/2018 09:15 AM, Zenny wrote:
> On Thu, Feb 22, 2018 at 6:09 PM, Zenny <garbytr...@gmail.com> wrote:
>
> > On Wed, Feb 21, 2018 at 8:28 PM, Tom Eastep <teas...@shorewall.net> wrote:
> >
> > > Resending this, as the SF mail list problems seemed to have lost the
> > > original.
> > >
> > > On 02/19/2018 11:36 PM, Zenny wrote:
> > > > Hi,
> > > >
> > > > I am planning to add a wireguard.io interface (wg0) to the running
> > > > three-interface shorewall (I do not use too complex vyatta-firewall
> > > > with (net,loc and dmz) as explained at
> > > > https://github.com/Lochnair/vyatta-wireguard and
> > > > https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04.
> > > >
> > > > I would like to create the router as a private VPN gateway to the
> > > > upstream public VPN that supports wireguard, too. The purpose of the
> > > > setup is to allow roaming as well as machines in loc zone to connect to
> > > > this shorewall instance as a gateway to reach the internet.
> > > >
> > > > Adding a masq wg0 interface with shorewall rules and policy similar to
> > > > loc may work, but inputs appreciated for the wireguard clients from
> > > > outside?
> > > >
> > >
> > > See http://www.shorewall.org/VPNBasics.html. Basically, you must:
> > >
> > > a) Add a zone for the remote host(s) behind the VPN (or make them
> > >    part of the 'loc' zone).
> > > b) Add an entry for the wg0 interface and the zone in a).
> >
> > Thanks a lot for the pointer.
> >
> > > c) Add a tunnels entry for the port you choose for the VPN (a quick
> > >    look at the WG documentation didn't indicate which protocol the
> > >    port is associated with), *or* follow the steps in the above-linked
> > >    document to add the appropriate rules for the encapsulating VPN
> > >    packets.
> >
> > The firewall configuration section in this tutorial
> > (https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/)
> > seems to be using udp:
> >
> >     # iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
> >
>
> A glance at page 5 in the wireguard whitepaper at
> https://www.wireguard.com/papers/wireguard.pdf
> also confirms the UDP protocol is used. Just an update if that is something useful.

Sounds like you have everything you need then. Just be sure that the
port you specify in your tunnels file (or in a net->fw rule) is the same
one that you have configured in Wireguard.

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
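For readers following the thread, here is what steps a), b) and c) above look like when written into the Shorewall configuration files of the three-interface setup Zenny describes. This is an added illustration, not configuration from the thread or from the Shorewall project's sample configs; the zone name vpn, the external NIC eth0, the loc/dmz NICs eth1/eth2, and the WireGuard subnet 10.99.0.0/24 are assumptions, while UDP port 51820 is the port quoted in the thread.

```conf
# /etc/shorewall/zones -- (a) a zone for the peers behind wg0
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4        # assumed name; alternatively put wg0 in loc

# /etc/shorewall/interfaces -- (b) bind wg0 to that zone
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter   # assumed external NIC
loc     eth1        tcpflags,nosmurfs               # assumed
dmz     eth2        tcpflags,nosmurfs               # assumed
vpn     wg0

# /etc/shorewall/tunnels -- (c) admit the encapsulating UDP packets.
# Roaming peers have no fixed address, hence GATEWAY 0.0.0.0/0.
# The port here MUST match ListenPort in /etc/wireguard/wg0.conf
# (Tom's closing caveat); a mismatch silently drops every handshake.
#TYPE               ZONE    GATEWAY
generic:udp:51820   net     0.0.0.0/0

# /etc/shorewall/policy -- give vpn the same outbound rights as loc,
# but no blanket access to dmz or fw: add explicit rules for those.
# Order matters: the vpn lines must precede the catch-all entries.
#SOURCE   DEST   POLICY   LOGLEVEL
loc       net    ACCEPT
vpn       net    ACCEPT
vpn       loc    ACCEPT
loc       vpn    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/snat -- masquerade the (assumed) WireGuard subnet
# behind eth0, just as the loc subnet already is. On a Shorewall
# release that still uses the masq file the equivalent line is
#   eth0    10.99.0.0/24
#ACTION       SOURCE          DEST
MASQUERADE    10.99.0.0/24    eth0
```

After editing, `shorewall check` validates the files and `shorewall reload` applies them; the tunnels entry only opens the UDP port, so the handshake itself is still authenticated by WireGuard's own keys.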
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users