docs:guide-user:services:vpn:wireguard:road-warrior [2022/03/14 23:54] – check for non-empty NET_DEV6 in firewall script atownlededocs:guide-user:services:vpn:wireguard:road-warrior [2022/04/26 01:12] – fixed nftables counter; mark kmod-ipt-nat6 as 21.02 only atownlede
Line 60: Line 60:
 <code bash> <code bash>
 opkg update opkg update
-opkg install wireguard-tools qrencode kmod-ipt-nat6+opkg install wireguard-tools qrencode
 </code> </code>
 +For OpenWrt 21.02 series, also add in:
 +<code bash>
 +opkg install kmod-ipt-nat6
 +</code>
 +
 Optional packages for post-configuration management through LuCI: Optional packages for post-configuration management through LuCI:
  
Line 299: Line 304:
 chain srcnat_ula6_${WG_INTERFACE} { chain srcnat_ula6_${WG_INTERFACE} {
   type nat hook postrouting priority srcnat; policy accept;   type nat hook postrouting priority srcnat; policy accept;
-  oifname "\$${WG_WAN6_FWZONE}_devices" counter ip6 saddr ${interface6_ula}::/64 masquerade comment "!fw4: ULA masquerade6"+  oifname "\$${WG_WAN6_FWZONE}_devices" ip6 saddr ${interface6_ula}::/64 counter masquerade comment "!fw4: ULA masquerade6"
 } }
 EOF EOF
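Review bot: The rewritten masquerade rule expands `${interface6_ula}` unguarded inside the heredoc, so an empty value does not make the include fail to load but silently emits `ip6 saddr ::/64 counter masquerade`, which nft is likely to accept as a valid prefix and which then matches nothing useful. Unless a check already exists before the heredoc (its opening line is outside this hunk), add `: "${interface6_ula:?ULA prefix not set}"` ahead of it, or skip emitting the `srcnat_ula6_${WG_INTERFACE}` chain entirely when the prefix is empty, so a misconfiguration surfaces at script run time rather than as missing IPv6 NAT later.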
Line 459: Line 464:
      if [ -z "${ulamatch1}" -o -z "${ulamatch2}" ]; then      if [ -z "${ulamatch1}" -o -z "${ulamatch2}" ]; then
  export dns6_ula=${ipv6addr}  export dns6_ula=${ipv6addr}
 + export interface6_ula=${ipv6prefix}
      fi      fi
      DUAL_TUNNEL="yes"      DUAL_TUNNEL="yes"
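Review bot: The added `export interface6_ula=${ipv6prefix}` leaves the expansion unquoted, copying the style of the `dns6_ula` line above it; a parsed prefix should never contain whitespace, but quoting costs nothing and keeps the assignment robust if the upstream parsing ever yields an unexpected value: `export interface6_ula="${ipv6prefix}"`. The enclosing function and the `-o` test predate this change; the surrounding block starts outside the hunk.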
Line 509: Line 515:
     if [ -z "${interface6_1}" -o \     if [ -z "${interface6_1}" -o \
  -z "${dns6_ula}" -o \  -z "${dns6_ula}" -o \
 + -z "${interface6_ula}" -o \
  -z "${WG_server_IP6_1}" ]  -z "${WG_server_IP6_1}" ]
     then     then
Line 515: Line 522:
     fi     fi
     allowed_ips6="${interface6_1}::${interface}.${peer_IP}/128"     allowed_ips6="${interface6_1}::${interface}.${peer_IP}/128"
 +    allowed_ips6_ula="${interface6_ula}::${interface}.${peer_IP}/128"
 else else
     allowed_ips6=""     allowed_ips6=""
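Review bot: The `else` branch at the end of the hunk resets `allowed_ips6` but, as far as the hunk shows, not the new `allowed_ips6_ula`; if it is not cleared there, a stale or environment-inherited value would be concatenated into `allowed_ips_ula` (the Line 575 hunk) and end up in a peer configuration. Mirror the existing reset with `allowed_ips6_ula=""` directly after `allowed_ips6=""`. The `else` body continues outside the hunk, so this may already be handled further down.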
Line 524: Line 532:
     ENDPOINT="$2"     ENDPOINT="$2"
     DNS="$3"     DNS="$3"
-    ALLOWEDIPS="$4"+    PEERIPS="$4"
     SERVERIPS="$5"     SERVERIPS="$5"
     # Create peer configuration     # Create peer configuration
Line 533: Line 541:
 [Interface] [Interface]
 # Name = ${username}-${CONFNAME} # Name = ${username}-${CONFNAME}
-Address = ${ALLOWEDIPS}+Address = ${PEERIPS}
 PrivateKey = $(cat /etc/wireguard/networks/${WG_INTERFACE}/peers/${peer_ID}_${WG_INTERFACE}_${username}/${peer_ID}_${WG_INTERFACE}_${username}_private.key) # Peer's private key PrivateKey = $(cat /etc/wireguard/networks/${WG_INTERFACE}/peers/${peer_ID}_${WG_INTERFACE}_${username}/${peer_ID}_${WG_INTERFACE}_${username}_private.key) # Peer's private key
 DNS = ${DNS} DNS = ${DNS}
Line 567: Line 575:
 done done
 allowed_ips="${allowed_ips4},${allowed_ips6}" allowed_ips="${allowed_ips4},${allowed_ips6}"
 +allowed_ips_ula="${allowed_ips4},${allowed_ips6_ula}"
  
 # Create directory for storing peers # Create directory for storing peers
Line 602: Line 611:
    # IPv4 tunnel endpoint, dual stack tunnel    # IPv4 tunnel endpoint, dual stack tunnel
    create_peer_config "${WG_DDNS}-dual" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0"    create_peer_config "${WG_DDNS}-dual" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0"
 +
 +   # IPv4 tunnel endpoint, dual stack (ULA only) tunnel
 +   create_peer_config "${WG_DDNS}-dual-ula" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips_ula}" "0.0.0.0/0,::/0"
  
    # IPv4 tunnel endpoint, IPv6 tunnel    # IPv4 tunnel endpoint, IPv6 tunnel
    create_peer_config "${WG_DDNS}-ipv6" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6}" "::/0"    create_peer_config "${WG_DDNS}-ipv6" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6}" "::/0"
 +
 +   # IPv4 tunnel endpoint, IPv6 ULA tunnel
 +   create_peer_config "${WG_DDNS}-ipv6-ula" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6_ula}" "::/0"
 fi fi
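Review bot: The new `-ipv6-ula` and `-dual-ula` profiles route `::/0` through the tunnel while the client holds only a ULA address, so their global IPv6 reachability presumably depends on the `srcnat_ula6_${WG_INTERFACE}` masquerade chain generated in the Line 304 hunk; that coupling is not visible from these calls. A one-line comment above the first new call would save the next maintainer a search, e.g. `# ULA-only profiles rely on the srcnat_ula6 masquerade chain installed by wg_roadwarrior.sh`. The enclosing `if` begins outside the hunk.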
  
Line 613: Line 628:
 then then
     # IPv6 tunnel endpoint, dual stack tunnel     # IPv6 tunnel endpoint, dual stack tunnel
-    create_peer_config "${WG_DDNS6}-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0"+    create_peer_config "${WG_DDNS6}-dual-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0" 
 + 
 +    # IPv6 tunnel endpoint, dual stack (ULA only) tunnel 
 +    create_peer_config "${WG_DDNS6}-dual-ula-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips_ula}" "0.0.0.0/0,::/0"
 fi fi
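Review bot: Renaming the generated profile from `${WG_DDNS6}-via6` to `${WG_DDNS6}-dual-via6` changes the output filenames, so on an existing installation the old `nnn-via6.conf` and `nnn-via6.svg` (which embed the peer's private key) remain on disk next to the new files unless something removes them; neither this hunk nor the documentation hunk at Line 678 mentions the rename. Either remove the legacy pair in the same step or call out the rename in the docs so operators clean up stale configs. The three new lines also carry trailing whitespace (`… "0.0.0.0/0,::/0" `, `+ `, `… tunnel `), which is worth stripping before merge.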
  
Line 660: Line 678:
   * ''nnn-ipv4.conf'' and ''nnn-ipv4.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv4 traffic   * ''nnn-ipv4.conf'' and ''nnn-ipv4.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv4 traffic
  
-  * ''nnn-dual.conf'' and ''nnn-dual.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic+  * ''nnn-dual.conf'' and ''nnn-dual.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes
     * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''     * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
  
-  * ''nnn-ipv6.conf'' and ''nnn-ipv6.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic+  * ''nnn-dual-ula.conf'' and ''nnn-dual-ula.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 address from ULA prefix only
     * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''     * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
  
-  * ''nnn-via6.conf'' and ''nnn-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic+  * ''nnn-ipv6.conf'' and ''nnn-ipv6.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes 
 +    * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' 
 + 
 +  * ''nnn-ipv6-ula.conf'' and ''nnn-ipv6-ula.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic, with client using IPv6 address from ULA prefix only 
 +    * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' 
 + 
 +  * ''nnn-dual-via6.conf'' and ''nnn-dual-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes 
 +    * only created if you set WG_DDNS6  when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' 
 + 
 +  * ''nnn-dual-ula-via6.conf'' and ''nnn-dual-ula-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 address from ULA prefix only
     * only created if you set WG_DDNS6  when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''     * only created if you set WG_DDNS6  when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh''
  