| docs:guide-user:services:vpn:wireguard:road-warrior [2022/03/14 23:54] – check for non-empty NET_DEV6 in firewall script atownlede | docs:guide-user:services:vpn:wireguard:road-warrior [2022/04/26 01:12] – fixed nftables counter; mark kmod-ipt-nat6 as 21.02 only atownlede |
|---|
| <code bash> | <code bash> |
| opkg update | opkg update |
| opkg install wireguard-tools qrencode kmod-ipt-nat6 | opkg install wireguard-tools qrencode |
| </code> | </code> |
| | For OpenWrt 21.02 series, also add in: |
| | <code bash> |
| | opkg install kmod-ipt-nat6 |
| | </code> |
| | |
| Optional packages for post-configuration management through LuCI: | Optional packages for post-configuration management through LuCI: |
| |
| chain srcnat_ula6_${WG_INTERFACE} { | chain srcnat_ula6_${WG_INTERFACE} { |
| type nat hook postrouting priority srcnat; policy accept; | type nat hook postrouting priority srcnat; policy accept; |
| oifname "\$${WG_WAN6_FWZONE}_devices" counter ip6 saddr ${interface6_ula}::/64 masquerade comment "!fw4: ULA masquerade6" | oifname "\$${WG_WAN6_FWZONE}_devices" ip6 saddr ${interface6_ula}::/64 counter masquerade comment "!fw4: ULA masquerade6" |
| } | } |
| EOF | EOF |
| if [ -z "${ulamatch1}" -o -z "${ulamatch2}" ]; then | if [ -z "${ulamatch1}" -o -z "${ulamatch2}" ]; then |
| export dns6_ula=${ipv6addr} | export dns6_ula=${ipv6addr} |
| | export interface6_ula=${ipv6prefix} |
| fi | fi |
| DUAL_TUNNEL="yes" | DUAL_TUNNEL="yes" |
| if [ -z "${interface6_1}" -o \ | if [ -z "${interface6_1}" -o \ |
| -z "${dns6_ula}" -o \ | -z "${dns6_ula}" -o \ |
| | -z "${interface6_ula}" -o \ |
| -z "${WG_server_IP6_1}" ] | -z "${WG_server_IP6_1}" ] |
| then | then |
| fi | fi |
| allowed_ips6="${interface6_1}::${interface}.${peer_IP}/128" | allowed_ips6="${interface6_1}::${interface}.${peer_IP}/128" |
| | allowed_ips6_ula="${interface6_ula}::${interface}.${peer_IP}/128" |
| else | else |
| allowed_ips6="" | allowed_ips6="" |
| ENDPOINT="$2" | ENDPOINT="$2" |
| DNS="$3" | DNS="$3" |
| ALLOWEDIPS="$4" | PEERIPS="$4" |
| SERVERIPS="$5" | SERVERIPS="$5" |
| # Create peer configuration | # Create peer configuration |
| [Interface] | [Interface] |
| # Name = ${username}-${CONFNAME} | # Name = ${username}-${CONFNAME} |
| Address = ${ALLOWEDIPS} | Address = ${PEERIPS} |
| PrivateKey = $(cat /etc/wireguard/networks/${WG_INTERFACE}/peers/${peer_ID}_${WG_INTERFACE}_${username}/${peer_ID}_${WG_INTERFACE}_${username}_private.key) # Peer's private key | PrivateKey = $(cat /etc/wireguard/networks/${WG_INTERFACE}/peers/${peer_ID}_${WG_INTERFACE}_${username}/${peer_ID}_${WG_INTERFACE}_${username}_private.key) # Peer's private key |
| DNS = ${DNS} | DNS = ${DNS} |
| done | done |
| allowed_ips="${allowed_ips4},${allowed_ips6}" | allowed_ips="${allowed_ips4},${allowed_ips6}" |
| | allowed_ips_ula="${allowed_ips4},${allowed_ips6_ula}" |
| |
| # Create directory for storing peers | # Create directory for storing peers |
| # IPv4 tunnel endpoint, dual stack tunnel | # IPv4 tunnel endpoint, dual stack tunnel |
| create_peer_config "${WG_DDNS}-dual" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0" | create_peer_config "${WG_DDNS}-dual" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0" |
| | |
| | # IPv4 tunnel endpoint, dual stack (ULA only) tunnel |
| | create_peer_config "${WG_DDNS}-dual-ula" "${WG_DDNS}" "${WG_server_IP},${dns6_ula}" "${allowed_ips_ula}" "0.0.0.0/0,::/0" |
| |
| # IPv4 tunnel endpoint, IPv6 tunnel | # IPv4 tunnel endpoint, IPv6 tunnel |
| create_peer_config "${WG_DDNS}-ipv6" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6}" "::/0" | create_peer_config "${WG_DDNS}-ipv6" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6}" "::/0" |
| | |
| | # IPv4 tunnel endpoint, IPv6 ULA tunnel |
| | create_peer_config "${WG_DDNS}-ipv6-ula" "${WG_DDNS}" "${dns6_ula}" "${allowed_ips6_ula}" "::/0" |
| fi | fi |
| |
| then | then |
| # IPv6 tunnel endpoint, dual stack tunnel | # IPv6 tunnel endpoint, dual stack tunnel |
| create_peer_config "${WG_DDNS6}-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0" | create_peer_config "${WG_DDNS6}-dual-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips}" "0.0.0.0/0,::/0" |
| | |
| | # IPv6 tunnel endpoint, dual stack (ULA only) tunnel |
| | create_peer_config "${WG_DDNS6}-dual-ula-via6" "${WG_DDNS6}" "${WG_server_IP},${dns6_ula}" "${allowed_ips_ula}" "0.0.0.0/0,::/0" |
| fi | fi |
| |
| * ''nnn-ipv4.conf'' and ''nnn-ipv4.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv4 traffic | * ''nnn-ipv4.conf'' and ''nnn-ipv4.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv4 traffic |
| |
| * ''nnn-dual.conf'' and ''nnn-dual.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic | * ''nnn-dual.conf'' and ''nnn-dual.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes |
| * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' | * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' |
| |
| * ''nnn-ipv6.conf'' and ''nnn-ipv6.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic | * ''nnn-dual-ula.conf'' and ''nnn-dual-ula.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 address from ULA prefix only |
| * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' | * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' |
| |
| * ''nnn-via6.conf'' and ''nnn-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic | * ''nnn-ipv6.conf'' and ''nnn-ipv6.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes |
| | * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' |
| | |
| | * ''nnn-ipv6-ula.conf'' and ''nnn-ipv6-ula.svg'': tunnel running via IPv4 ingress to WireGuard service; tunnels only IPv6 traffic, with client using IPv6 address from ULA prefix only |
| | * only created if you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' |
| | |
| | * ''nnn-dual-via6.conf'' and ''nnn-dual-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 addresses from ULA and global prefixes |
| | * only created if you set WG_DDNS6 when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' |
| | |
| | * ''nnn-dual-ula-via6.conf'' and ''nnn-dual-ula-via6.svg'': tunnel running via IPv6 ingress to WireGuard service; tunnels IPv4 and IPv6 traffic, with client using IPv6 address from ULA prefix only |
| * only created if you set WG_DDNS6 when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' | * only created if you set WG_DDNS6 when running ''add_roadwarrior_peer.sh'' and you configured IPv6 when creating the WireGuard interface with ''wg_roadwarrior.sh'' |
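Review bot: The added `-z "${interface6_ula}" -o \` line in the `DUAL_TUNNEL` check extends a single `[ … -o … ]` expression to four tests, and POSIX `test` leaves more than four arguments unspecified with `-o` marked obsolescent, so the result depends on the shell's builtin (BusyBox ash appears to accept it, but that is an assumption rather than something the hunk shows). Separate tests joined by `||` are portable and read more easily as the list grows: `if [ -z "${interface6_1}" ] || [ -z "${dns6_ula}" ] || [ -z "${interface6_ula}" ] || [ -z "${WG_server_IP6_1}" ]; then`. The unchanged `ulamatch1`/`ulamatch2` line in the earlier hunk uses the same `-o` form and could be rewritten the same way. The enclosing `if`/`else` starts and ends outside the hunk, and since the new `export interface6_ula=${ipv6prefix}` fallback only runs when one of the `ulamatch` values is empty, this non-empty check appears to be the only guard against an empty prefix reaching `allowed_ips6_ula`, which makes its form worth getting right.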
| |