From b464b0c03907ce2bae54e885ee23afa4bdd1e84f Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 22 Nov 2021 18:35:58 +0100
Subject: [PATCH] Add support for WireGuard.

---
 conf/default_ports.conf | 1 +
 conf/interfaces_ipv4.conf.sample | 8 +++
 conf/interfaces_ipv6.conf.sample | 8 +++
 conf/main_ipv4.conf.sample | 34 ++++++++++
 conf/main_ipv6.conf.sample | 34 ++++++++++
 conf/post_decalrations.conf | 19 ++++++
 ip6t-firewall-gateway | 100 +++++++++++++++++++++++++++++
 ipt-firewall-gateway | 106 +++++++++++++++++++++++++++++++
 8 files changed, 310 insertions(+)

diff --git a/conf/default_ports.conf b/conf/default_ports.conf
index 6a6b475..7b09c2f 100644
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -35,6 +35,7 @@ standard_telnet_port=23
 standard_tftp_udp_port=69
 standard_timeserver_port=37
 standard_vpn_port=1194
+standard_wg_port=51820
 standard_whois_port=43
 standard_xymon_port=1984
 
diff --git a/conf/interfaces_ipv4.conf.sample b/conf/interfaces_ipv4.conf.sample
index 43127e1..f9d5bda 100644
--- a/conf/interfaces_ipv4.conf.sample
+++ b/conf/interfaces_ipv4.conf.sample
@@ -22,9 +22,17 @@ ext_if_static_3=""
 ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
 
 # - VPN Interfaces
+# -
 # - (blank separated list)
+# -
 vpn_ifs="tun+"
 
+# - WireGuard Interfaces
+# -
+# - (blank separated list)
+# -
+wg_ifs="wg+"
+
 # - Local Interfaces
 local_if_1=""
 local_if_2=""
diff --git a/conf/interfaces_ipv6.conf.sample b/conf/interfaces_ipv6.conf.sample
index b306637..9aedb2e 100644
--- a/conf/interfaces_ipv6.conf.sample
+++ b/conf/interfaces_ipv6.conf.sample
@@ -26,9 +26,17 @@ ext_if_static_3=""
 ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
 
 # - VPN Interfaces
+# -
 # - (blank separated list)
+# -
 vpn_ifs="tun+"
 
+# - WireGuard Interfaces
+# -
+# - (blank separated list)
+# -
+wg_ifs="wg+"
+
 # - Local Interfaces
 local_if_1=""
 local_if_2=""
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 40e4ac6..1cbe68c 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -536,6 +536,36 @@ declare -A vpn_server_dmz_arr
 vpn_local_net_ports="1194"
 
 
+# ======
+# - WireGuard Service
+# ======
+
+# - WireGuard Service on Gateway?
+# -
+local_wg_service=true
+wg_gw_ports="$standard_wg_port"
+
+# - WireGuard Services DMZ (reachable also from WAN)
+# -
+# - wg_server_dmz_arr=[]=
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
+# - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A wg_server_dmz_arr
+
+# - Local WireGuard Ports
+# -
+# - Blank separated list
+# -
+wg_local_net_ports="$standard_wg_port"
+
+
 # ======
 # - DHCP Service
 # ======
@@ -1530,6 +1560,10 @@ allow_samba_requests_out=true
 allow_vpn_out=true
 vpn_out_ports="1194 1195 1196"
 
+# WireGuard
+#
+allow_wg_out=true
+wg_out_ports="$standard_wg_port"
 allow_cisco_vpn_out=true
 cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
 
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index d8afa5b..422b00f 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -521,6 +521,36 @@ declare -A vpn_server_dmz_arr
 vpn_local_net_ports="1194"
 
 
+# ======
+# - WireGuard Service
+# ======
+
+# - WireGuard Service on Gateway?
+# -
+local_wg_service=true
+wg_gw_ports="$standard_wg_port"
+
+# - WireGuard Services DMZ (reachable also from WAN)
+# -
+# - wg_server_dmz_arr=[]=
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2
+# - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A wg_server_dmz_arr
+
+# - Local WireGuard Ports
+# -
+# - Blank separated list
+# -
+wg_local_net_ports="$standard_wg_port"
+
+
 # ======
 # - DHCP Service
 # ======
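Review bot: The sample ships with the WireGuard listener enabled (`local_wg_service=true` with `wg_gw_ports="$standard_wg_port"`) while the DMZ map stays empty, and the gateway scripts in this same patch install the matching INPUT accept without any `-i` match, so a copied sample opens UDP 51820 on every interface of the gateway; that deserves a sentence next to the toggle, e.g. `# - Note: opens UDP $wg_gw_ports on all interfaces of the gateway; set to false if WireGuard only runs on a DMZ host`. The explanatory comments in this hunk also carry typos: "one thuch service" should read "one such service", and "Multiple settins of this parameter is possible" should be "This parameter may be set multiple times". The placeholder `wg_server_dmz_arr=[]=` would be clearer as `wg_server_dmz_arr[<wireguard server ip>]=<external interface>`. The IPv6 sample below repeats the same text and needs the same fixes.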
@@ -1445,6 +1475,10 @@ allow_samba_requests_out=true
 allow_vpn_out=true
 vpn_out_ports="1194 1195 1196"
 
+# WireGuard
+#
+allow_wg_out=true
+wg_out_ports="$standard_wg_port"
 allow_cisco_vpn_out=true
 cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
 
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 89a1f16..ca72864 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -542,6 +542,25 @@ for _port in $vpn_out_ports ; do
 vpn_out_port_arr+=("$_port")
 done
 
+# ---
+# - WireGuard Ports
+# ---
+declare -a wg_gw_port_arr
+for _port in $wg_gw_ports ; do
+wg_gw_port_arr+=("$_port")
+done
+declare -a wg_local_net_port_arr
+for _port in $wg_local_net_ports ; do
+wg_local_net_port_arr+=("$_port")
+done
+declare -a wg_out_port_arr
+if [[ -z "$wg_out_ports" ]] ; then
+wg_out_ports="$standard_wg_port"
+fi
+for _port in $wg_out_ports ; do
+wg_out_port_arr+=("$_port")
+done
+
 # ---
 # - Rsync Out Ports
 # --
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index b3454ad..2b1ca90 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -808,6 +808,21 @@ done
 echo_done
 
 
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+$ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+if $kernel_forward_between_interfaces ; then
+for _local_dev in ${local_if_arr[@]} ; do
+$ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
+done
+fi
+done
+echo_done
+
+
 # ---
 # - Telefon Systems
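Review bot: Nothing in this hunk, and nothing else in the patch (the diffstat's 310 insertions are all visible), turns the new `wg_ifs` setting into the `wg_if_arr` that both gateway scripts iterate for the INPUT, FORWARD and OUTPUT accepts on the tunnel interfaces; unless an existing generic loop in this file already maps every `*_ifs` variable to `*_if_arr`, those loops run over an empty array and silently install no tunnel rules at all. The port conversions here should be followed by the same treatment for the interfaces, `declare -a wg_if_arr ; for _if in $wg_ifs ; do wg_if_arr+=("$_if") ; done`. Separately, only `wg_out_ports` gets the `$standard_wg_port` fallback when empty; an empty `wg_gw_ports` together with `local_wg_service=true` leaves `wg_gw_port_arr` empty and the gateway section reports done without opening anything, so either give it the same fallback or emit a warning.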
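Review bot: The rule `$ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT` lets every WireGuard peer open connections to every service on the gateway itself, and the FORWARD loop below it lets peers reach all hosts in every local network, with no port or address restriction in either rule; together with the `wg+` wildcard in the sample interface list this makes any peer as trusted as the LAN. That presumably mirrors how the `vpn_ifs` tunnels are handled elsewhere in this script, so it may well be intended, but the trust model should be stated at the heading, e.g. `# - Note: peers on wg interfaces are fully trusted - all ports on the gateway and all local networks`. If road-warrior peers are only meant to reach a few services, an INPUT port list in the style of `wg_local_net_ports` would be the place to narrow this.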
@@ -1949,6 +1964,91 @@ else
 fi
 
 
+# ---
+# - WireGuard Service only out
+# ---
+
+echononl "\t\tWireGuard Service only out"
+
+if $allow_wg_out && [[ ${#wg_out_port_arr[@]} -gt 0 ]]; then
+for _dev in ${ext_if_arr[@]} ; do
+for _port in ${wg_out_port_arr[@]} ; do
+$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+fi
+done
+done
+
+for _wg_if in ${wg_if_arr[@]} ; do
+$ip6t -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+if $kernel_forward_between_interfaces ; then
+$ip6t -A FORWARD -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+fi
+done
+echo_done
+else
+echo_skipped
+fi
+
+
+# ---
+# - WireGuard Service Gateway
+# ---
+
+echononl "\t\tWireGuard Service Gateway"
+
+if $local_wg_service ; then
+
+# - Cconnection establishment
+# -
+for _port in ${wg_gw_port_arr[@]} ; do
+$ip6t -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+done
+echo_done
+
+else
+echo_skipped
+fi
+
+
+# ---
+# - WireGuard Service DMZ
+# ---
+
+echononl "\t\tWireGuard Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#wg_server_dmz_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+for _ip in ${!wg_server_dmz_arr[@]} ; do
+
+# - Skip if no interface is given
+# -
+if [[ -z "${wg_server_dmz_arr[$_ip]}" ]] ; then
+no_if_for_ip_arr+=("$_ip")
+continue
+fi
+
+for _port in ${wg_local_net_port_arr[@]} ; do
+$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+done
+done
+
+if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+echo_warning
+for _ip in ${no_if_for_ip_arr[@]} ; do
+warn "No Interface given for ip '$_ip'"
+done
+else
+echo_done
+fi
+
+else
+echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---
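Review bot: In the "WireGuard Service only out" section, `$ip6t -A FORWARD -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT` carries no `-i` match, so once forwarding is on, packets arriving on any interface — the external ones in `ext_if_arr` included — may open new connections into the tunnel; there is no NAT on the IPv6 path, so if the peers' prefixes are routed this exposes every WireGuard peer to the WAN whenever `allow_wg_out` is set. The external-interface rules in the same loop are bound with `-o $_dev`, so the symmetric fix is to bind this one to the local side: `for _local_dev in ${local_if_arr[@]} ; do $ip6t -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT ; done`. The gateway-service rule further down, `$ip6t -A INPUT -p udp --dport $_port ...`, likewise has no `-i` and so opens the port on tunnel and local interfaces as well as the external ones; whether that is wanted should at least be said in the comment, which currently reads `# - Cconnection establishment` and should be `# - Connection establishment`.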
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index be04350..47f75e1 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -1393,6 +1393,21 @@ done
 echo_done
 
 
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+$ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+if $kernel_activate_forwarding ; then
+for _local_dev in ${local_if_arr[@]} ; do
+$ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
+done
+fi
+done
+echo_done
+
+
 # ---
 # - Telefon Systems
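Review bot: With the sample's `wg_ifs="wg+"` the loop over `${wg_if_arr[@]}` accepts from any interface whose name starts with `wg`, and neither the INPUT rule nor the FORWARD rule limits ports or addresses, so whoever is a peer on such an interface can open connections to every gateway service and every local network. If that is the intended model (presumably the same one applied to the `vpn_ifs` tunnels elsewhere in this script), say so at the heading so the next reader does not take it for an oversight: `# - Note: every interface matching wg_ifs counts as an internal network - no port restriction`. If it is not, the INPUT accept should be narrowed to the services peers actually need, and the FORWARD accept to the local networks they may reach. The `..` at the end of the `echononl` message looks like a leftover.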
@@ -2651,6 +2666,97 @@ else
 fi
 
 
+# ---
+# - WireGuard Service only out
+# ---
+
+echononl "\t\tWireGuard Service only out"
+
+if $allow_wg_out && [[ ${#wg_out_port_arr[@]} -gt 0 ]]; then
+for _dev in ${ext_if_arr[@]} ; do
+for _port in ${wg_out_port_arr[@]} ; do
+$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+fi
+done
+done
+
+for _wg_if in ${wg_if_arr[@]} ; do
+$ipt -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+if $kernel_activate_forwarding ; then
+$ipt -A FORWARD -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+fi
+done
+echo_done
+else
+echo_skipped
+fi
+
+
+# ---
+# - WireGuard Service Gateway
+# ---
+
+echononl "\t\tWireGuard Service Gateway"
+
+if $local_wg_service ; then
+
+# - Cconnection establishment
+# -
+for _port in ${wg_gw_port_arr[@]} ; do
+$ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+done
+echo_done
+
+else
+echo_skipped
+fi
+
+
+# ---
+# - WireGuard Service DMZ
+# ---
+
+echononl "\t\tWireGuard Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#wg_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+for _ip in ${!wg_server_dmz_arr[@]} ; do
+
+# - Skip if no interface is given
+# -
+if [[ -z "${wg_server_dmz_arr[$_ip]}" ]] ; then
+no_if_for_ip_arr+=("$_ip")
+continue
+fi
+
+for _port in ${wg_local_net_port_arr[@]} ; do
+$ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+# - Nat if interface is on a dsl line
+# -
+if containsElement "${wg_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+$ipt -t nat -A PREROUTING -i ${wg_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
+fi
+done
+done
+
+if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+echo_warning
+for _ip in ${no_if_for_ip_arr[@]} ; do
+warn "No Interface given for ip '$_ip'"
+done
+else
+echo_done
+fi
+
+else
+echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---
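Review bot: The gateway-service rule `$ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT` is not bound to any interface, so the WireGuard port is opened on the external, local and tunnel interfaces alike, and the sample config enables `local_wg_service` by default; binding it to the interfaces the service is meant for keeps the exposure explicit, e.g. `for _dev in ${ext_if_arr[@]} ${local_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT ; done`, with a comment saying which sides are intended. In the DMZ section the DNAT rule maps `--dport $_port` to `$_ip:$_port`, so the DMZ host must listen on exactly the port listed in `wg_local_net_ports` on the external side too; that coupling should be noted next to `wg_local_net_ports` in the config, or the map should allow a separate external port. The "only out" section's `$ipt -A FORWARD -o $_wg_if ...` rule has no `-i` match and so also admits new connections from external interfaces towards the tunnel, which matters less here than in the IPv6 script because of NAT, but it still deserves the same `-i $_local_dev` binding as the external-interface rules above it.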