On 1/8/19 10:24 AM, Tom Eastep wrote:
> On 1/7/19 10:02 AM, C. Cook wrote:
>> I have a WireGuard server running in a KVM virtual machine in my LAN.
>> (CentOS 7.6) It accepts WG connections from the outside (phone, laptop)
>> and this is working fine with port-forwarding, but I also intend it to be
>> the Azire VPN access to the outside for the LAN.
>>
>> This question is about the latter. I want every machine in the LAN to
>> go out through the Azire tunnel.
>>
>> The WG interface is running on the server:
>>
>> # ip address
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:c0:46:30 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>> 5: outgoingWG-ca1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
>>     link/none
>>     inet 10.34.8.123/19 scope global outgoingWG-ca1
>>        valid_lft forever preferred_lft forever
>>
>> But to start with I want to route all traffic from this server out the
>> WG interface, rather than eth0.
>>
>> # route
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> default         gateway         0.0.0.0         UG    0      0        0 eth0
>> 10.34.0.0       0.0.0.0         255.255.224.0   U     0      0        0 outgoingWG-ca1
>> link-local      0.0.0.0         255.255.0.0     U     1002   0        0 eth0
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>>
>> How would this be done? There is no
>> /etc/sysconfig/network-scripts/ifcfg-outgoingWG-ca1 where I could set
>> gateway since the WG interface is created by a systemd service. Is
>> there a Shorewall trick I could use?
>>
>> Then, how would I route the rest of the LAN to this WG server and out
>> the WG interface to the greater internet?
> You also have to remember that the encapsulated VPN traffic must still
> be routed out of eth0, which further complicates your question. I'm
> afraid that I don't know enough about WG to advise you, and I also don't
> use systemd for network configuration.
>
> -Tom
That's cool Tom, thanks. I've figured out the WG server now. WireGuard is almost as simple as SSH.

I have a daemon running in the server which is started with

# systemctl start wg-quick@{interfacename}

In /etc/wireguard/ you define your interfaces with a conf file for each interface, and private/public keys for that interface. In my case I have inWG.conf and inWG-publickey (generated with a wg command). This defines my incoming interface, inWG, which appears in ifconfig and ip address along with the other interfaces. In this conf file one thing you define is the port number it will listen on, which can be anywhere in the non-privileged range. So I've set my -router- VM to forward that UDP port from the outside to my WireGuard VM by DNAT. I set up my remote clients (phone, laptop, car) to aim at my public IP:port, and the packets come in to the router, are passed to the WG VM, and since the VM has the public key of the client it allows the connection transparently. I have full access to my LAN remotely using the most advanced encryption techs. This incoming part was no problem.

Setting up an outgoing channel to Azire (the only VPN provider with WireGuard) was a problem. In the server's /etc/wireguard/ I set up outWG-ca1.conf and outWG-publickey. Of course I'd previously sent my public key to Azire's Canada server and gotten back salient info about the connexion in the process. My .conf file created the outWG-ca1 interface correctly with

# systemctl start wg-quick@outWG-ca1

but what I didn't know is that I need to set AllowedIPs = 0.0.0.0/0. This causes the wg daemon to fix the routing table for the server so that all traffic goes out the outWG-ca1 interface. Now it works in the WG server, and incoming still works too.
My .conf file looks like this:

[Interface]
PrivateKey = {my private key}
DNS = 91.231.153.2 #, 2001:67c:15ec:1337::2
Address = 10.30.6.167/19 #, 2a01:b5c0:5:4000::6a8/64
Table = auto

[Peer]
PublicKey = {their public key}
Endpoint = ca1.wg.azirevpn.net:{random port}
AllowedIPs = 0.0.0.0/0 #, ::/0

Azire gave me DNS, my Address, their public key, and EndPoint when I set up the tunnel.

And let me tell you, this thing is fast. I've set this outgoing channel to pop out Azire's Canada location, using an IP shared with their other clients. (I do InfoSec work) With my Azire subscription, I can set up four more channels as I like, coming out other PoPs, or using (free) fixed IP addresses, kept for as long as that channel has my public key. I'm going to try to set up one more channel to serve my websites and email through Azire. This way I no longer need the OpenStack instance subscription for email, which I got because Frontier blocks email ports. I trade $14/mo for $3.75/mo.

So my WG server is running fine. The only thing I haven't figured out is how to route the rest of my LAN's traffic through outWG-ca1 on the WG server.
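An added example, not from anyone in this thread: a small parser for a wg-quick style conf (inline "#, ::/0" comments stripped, as in the file above) that derives the routing commands wg-quick runs when Table = auto. It assumes wg-quick's documented behaviour: a default-route AllowedIPs entry gets a fwmark and a policy-routing table rather than replacing the main default route, which is exactly why the encapsulated UDP to the Endpoint still leaves via eth0 as Tom pointed out. The conf text and key placeholders are constructed for the example.

```python
from ipaddress import ip_network

# Constructed conf mirroring the one posted above; keys and port are placeholders.
SAMPLE_CONF = """[Interface]
PrivateKey = {my private key}
DNS = 91.231.153.2 #, 2001:67c:15ec:1337::2
Address = 10.30.6.167/19 #, 2a01:b5c0:5:4000::6a8/64
Table = auto
[Peer]
PublicKey = {their public key}
Endpoint = ca1.wg.azirevpn.net:{random port}
AllowedIPs = 0.0.0.0/0 #, ::/0
"""

def parse_conf(text):
    """Return (interface, peers); '#' starts a comment, so '#, ::/0' is dropped."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")
            cur.setdefault(key.strip(), []).append(val.strip())
    return iface, peers

def routing_plan(iface_name, text, table=51820):
    """Commands wg-quick (Table=auto) issues for the peers' AllowedIPs.
    A /0 entry means full tunnel: traffic not carrying the fwmark is sent to
    the wg table, while the marked encapsulated packets keep using the main
    table (and therefore eth0) to reach the Endpoint."""
    iface, peers = parse_conf(text)
    if iface.get("Table", ["auto"])[0].lower() == "off":
        return []  # user asked wg-quick not to touch routing at all
    cidrs = [c.strip() for p in peers for v in p.get("AllowedIPs", []) for c in v.split(",")]
    cmds = []
    for cidr in cidrs:
        net = ip_network(cidr, strict=False)
        v = "-4" if net.version == 4 else "-6"
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: policy-routed default route
            cmds += [f"wg set {iface_name} fwmark {table}",
                     f"ip {v} route add {net} dev {iface_name} table {table}",
                     f"ip {v} rule add not fwmark {table} table {table}",
                     f"ip {v} rule add table main suppress_prefixlength 0"]
        else:                   # split tunnel: ordinary route in the main table
            cmds.append(f"ip {v} route add {net} dev {iface_name}")
    return cmds
```

Running `routing_plan("outWG-ca1", SAMPLE_CONF)` shows why the server's own traffic now leaves via the tunnel; the LAN clients still need their own route or NAT towards the WG VM, which the thread leaves open.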
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users