docs:guide-user:services:vpn:wireguard:road-warrior [2022/03/11 00:48] – created atownlededocs:guide-user:services:vpn:wireguard:road-warrior [2022/04/26 01:12] – fixed nftables counter; mark kmod-ipt-nat6 as 21.02 only atownlede
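--- a/docs:guide-user:services:vpn:wireguard:road-warrior
+++ b/docs:guide-user:services:vpn:wireguard:road-warrior
@@ -60,6 +60,11 @@
 <code bash>
 opkg update
-opkg install wireguard-tools qrencode kmod-ipt-nat6
+opkg install wireguard-tools qrencode
 </code>
+For OpenWrt 21.02 series, also add in:
+<code bash>
+opkg install kmod-ipt-nat6
+</code>
+
 Optional packages for post-configuration management through LuCI:
 
@@ -299,5 +304,5 @@
 chain srcnat_ula6_${WG_INTERFACE} {
   type nat hook postrouting priority srcnat; policy accept;
-  oifname "\$${WG_WAN6_FWZONE}_devices" counter ip6 saddr ${interface6_ula}::/64 masquerade comment "!fw4: ULA masquerade6"
+  oifname "\$${WG_WAN6_FWZONE}_devices" ip6 saddr ${interface6_ula}::/64 counter masquerade comment "!fw4: ULA masquerade6"
 }
 EOF
@@ -314,6 +319,9 @@
 network_find_wan6 NET_IF6
 network_get_device NET_DEV6 "\${NET_IF6}"
-logger -t firewall.${WG_NAT6_name} -p info -- adding NAT/MASQUERADE for source net "\${NET_PFX6}" through "\${NET_DEV6}"
-ip6tables -t nat -A POSTROUTING -s "\${NET_PFX6}" -o "\${NET_DEV6}" -j MASQUERADE
+if [ -n "\${NET_DEV6}" ];
+then
+  logger -t firewall.${WG_NAT6_name} -p info -- adding NAT/MASQUERADE for source net "\${NET_PFX6}" through "\${NET_DEV6}"
+  ip6tables -t nat -A POSTROUTING -s "\${NET_PFX6}" -o "\${NET_DEV6}" -j MASQUERADE
+fi
 exit 0
 EOF
@@ -455,4 +464,5 @@
      if [ -z "${ulamatch1}" -o -z "${ulamatch2}" ]; then
  export dns6_ula=${ipv6addr}
+ export interface6_ula=${ipv6prefix}
      fi
      DUAL_TUNNEL="yes"
@@ -505,4 +515,5 @@
     if [ -z "${interface6_1}" -o \
  -z "${dns6_ula}" -o \
+ -z "${interface6_ula}" -o \
  -z "${WG_server_IP6_1}" ]
     then
@@ -511,4 +522,5 @@
     fi
     allowed_ips6="${interface6_1}::${interface}.${peer_IP}/128"
+    allowed_ips6_ula="${interface6_ula}::${interface}.${peer_IP}/128"
 else
     allowed_ips6=""
@@ -520,5 +532,5 @@
     ENDPOINT="$2"
     DNS="$3"
-    ALLOWEDIPS="$4"
+    PEERIPS="$4"
     SERVERIPS="$5"
     # Create peer configuration
@@ -529,5 +541,5 @@
 [Interface]
 # Name = ${username}-${CONFNAME}
-Address = ${ALLOWEDIPS}
+Address = ${PEERIPS}
 PrivateKey = $(cat /etc/wireguard/networks/${WG_INTERFACE}/peers/${peer_ID}_${WG_INTERFACE}_${username}/${peer_ID}_${WG_INTERFACE}_${username}_private.key) # Peer's private key
 DNS = ${DNS}
@@ -563,4 +575,5 @@
 done
 allowed_ips="${allowed_ips4},${allowed_ips6}"
+allowed_ips_ula="${allowed_ips4},${allowed_ips6_ula}"
 
 # Create directory for storing peers
@@ -598,7 +611,13 @@
    # IPv4 tunnel endpoint, dual stack tunnel
    create_peer_config "${WG_DDNS}-dual" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0"
+
+   # IPv4 tunnel endpoint, dual stack (ULA only) tunnel
+   create_peer_config "${WG_DDNS}-dual-ula" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips_ula}" "0.0.0.0/0,::/0"
 
    # IPv4 tunnel endpoint, IPv6 tunnel
    create_peer_config "${WG_DDNS}-ipv6" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6}" "::/0"
+
+   # IPv4 tunnel endpoint, IPv6 ULA tunnel
+   create_peer_config "${WG_DDNS}-ipv6-ula" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6_ula}" "::/0"
 fi
 
@@ -609,5 +628,8 @@
 then
     # IPv6 tunnel endpoint, dual stack tunnel
-    create_peer_config "${WG_DDNS6}-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0"
+    create_peer_config "${WG_DDNS6}-dual-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0"
+
+    # IPv6 tunnel endpoint, dual stack (ULA only) tunnel
+    create_peer_config "${WG_DDNS6}-dual-ula-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips_ula}" "0.0.0.0/0,::/0"
 fi
 
@@ -656,10 +678,19 @@
   * ''nnn-ipv4.conf'' and ''nnn-ipv4.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv4 traffic
 
-  * ''nnn-dual.conf'' and ''nnn-dual.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic
+  * ''nnn-dual.conf'' and ''nnn-dual.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes
     * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
 
-  * ''nnn-ipv6.conf'' and ''nnn-ipv6.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic
+  * ''nnn-dual-ula.conf'' and ''nnn-dual-ula.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 address from ULA prefix only
     * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
 
-  * ''nnn-via6.conf'' and ''nnn-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic
+  * ''nnn-ipv6.conf'' and ''nnn-ipv6.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes
+    * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
+
+  * ''nnn-ipv6-ula.conf'' and ''nnn-ipv6-ula.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic, with client using IPv6 address from ULA prefix only
+    * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
+
+  * ''nnn-dual-via6.conf'' and ''nnn-dual-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes
+    * only created if you set WG_DDNS6  when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
+
+  * ''nnn-dual-ula-via6.conf'' and ''nnn-dual-ula-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 address from ULA prefix only
     * only created if you set WG_DDNS6  when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''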
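Review bot: The new guard in the generated firewall hook (hunk at Line 314/319) skips the MASQUERADE rule silently when `NET_DEV6` is empty, and it never checks `NET_PFX6`, so an empty prefix would still reach `ip6tables -s ""`, which ip6tables will most likely reject, while the script still finishes with `exit 0`. A road-warrior peer handed a ULA-only address then has no NAT66 path out and nothing in the log says why the rule is missing. I would widen the test to `if [ -n "\${NET_DEV6}" ] && [ -n "\${NET_PFX6}" ];` and add an `else` branch before the `fi`: `logger -t firewall.${WG_NAT6_name} -p warning -- skipping NAT/MASQUERADE: WAN6 device or prefix not found "(dev=\${NET_DEV6} pfx=\${NET_PFX6})"`. Where `NET_PFX6` is assigned, and the start of the heredoc that emits this script, are outside the hunk, so the empty-prefix case is inferred rather than shown here.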
  