From 0831f26891ddd48bd26e94fa1acf027a23fdfb7b Mon Sep 17 00:00:00 2001
From: ckubu
Date: Thu, 11 Aug 2022 10:43:04 +0200
Subject: [PATCH] Add support for WireGuard VPN Service.
---
conf/default_ports.conf | 1 +
conf/interfaces_ipv4.conf.sample | 8 ++++-
conf/interfaces_ipv6.conf.sample | 8 ++++-
conf/main_ipv4.conf.sample | 16 +++++++++
conf/main_ipv6.conf.sample | 16 +++++++++
conf/post_decalrations.conf | 41 +++++++++++++++++++++++
ip6t-firewall-server | 55 ++++++++++++++++++++++++++++++
ipt-firewall-server | 57 ++++++++++++++++++++++++++++++++
8 files changed, 200 insertions(+), 2 deletions(-)
diff --git a/conf/default_ports.conf b/conf/default_ports.conf
index f6b509e..75a68f3 100644
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -35,6 +35,7 @@ standard_telnet_port=23
standard_tftp_udp_port=69
standard_timeserver_port=37
standard_vpn_port=1194
+standard_wireguard_port=51820
standard_whois_port=43
standard_xymon_port=1984
diff --git a/conf/interfaces_ipv4.conf.sample b/conf/interfaces_ipv4.conf.sample
index 021334f..31fb1e8 100644
--- a/conf/interfaces_ipv4.conf.sample
+++ b/conf/interfaces_ipv4.conf.sample
@@ -16,7 +16,13 @@ ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
# - VPN Interfaces
# - (comma separated list)
-vpn_ifs=""
+vpn_ifs="tun+"
+
+
+# - Wireguard Interfaces
+# - (comma separated list)
+wg_ifs="wg+"
+
# - Local Interfaces
local_if_1=""
diff --git a/conf/interfaces_ipv6.conf.sample b/conf/interfaces_ipv6.conf.sample
index 082fa5b..1937a08 100644
--- a/conf/interfaces_ipv6.conf.sample
+++ b/conf/interfaces_ipv6.conf.sample
@@ -16,7 +16,13 @@ ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
# - VPN Interfaces
# - (comma separated list)
-vpn_ifs=""
+vpn_ifs="tun+"
+
+
+# - Wireguard Interfaces
+# - (comma separated list)
+wg_ifs="wg+"
+
# - Local Interfaces
local_if_1=""
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index a1f45a1..8f6827f 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
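Review bot: The new comment `+# - (comma separated list)` above `wg_ifs` does not match how the value is consumed: conf/post_decalrations.conf iterates it with `for _dev in $wg_ifs`, which splits on whitespace, so a value like `wg0,wg1` would become one interface name and the `-i` rules would not match. Either change the comment to `# - (blank separated list)`, as the port variables in main_*.conf.sample already say, or split on commas in the loop. The same comment is copied into the conf/interfaces_ipv6.conf.sample hunk. Both hunks also change the sample default of `vpn_ifs` from empty to `tun+`, which the commit message does not mention.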
@@ -224,6 +224,22 @@ forward_vpn_server_ips=""
vpn_ports="$standard_vpn_port"
+# - WireGuard Service
+# -
+wireguard_server_ips=""
+forward_wireguard_server_ips=""
+
+# - Local WireGuard Ports
+# -
+# - Blank separated list
+# -
+wireguard_server_ports="$standard_wireguard_port"
+
+# - Remote WireGuard Ports
+# -
+wireguard_out_ports="$standard_wireguard_port"
+
+
# local NTP Server
#
local_ntp_service=false
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 05e4f10..6bd5fa3 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -237,6 +237,22 @@ forward_vpn_server_ips=""
vpn_ports="$standard_vpn_port"
+# - WireGuard Service
+# -
+wireguard_server_ips=""
+forward_wireguard_server_ips=""
+
+# - Local WireGuard Ports
+# -
+# - Blank separated list
+# -
+wireguard_server_ports="$standard_wireguard_port"
+
+# - Remote WireGuard Ports
+# -
+wireguard_out_ports="$standard_wireguard_port"
+
+
# local NTP Server
#
local_ntp_service=false
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index e240585..417e1ff 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -37,6 +37,14 @@ for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
+# ---
+# - WireGuard Interfaces
+# ---
+declare -a wg_if_arr
+for _dev in $wg_ifs ; do
+ wg_if_arr+=("$_dev")
+done
+
# ---
# - Local Network Interfaces
# ---
@@ -178,6 +186,20 @@ for _ip in $forward_vpn_server_ips ; do
forward_vpn_server_ip_arr+=("$_ip")
done
+# ---
+# - IP Addresses WireGuard Service
+# ---
+# local
+declare -a wireguard_server_ip_arr
+for _ip in $wireguard_server_ips ; do
+ wireguard_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_wireguard_server_ip_arr
+for _ip in $forward_wireguard_server_ips ; do
+ forward_wireguard_server_ip_arr+=("$_ip")
+done
+
# ---
# - IP Addresses SSH Server
# ---
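Review bot: `+forward_wireguard_server_ips=""` is added to the sample without a word on what it is for, while conf/post_decalrations.conf labels the same list `# DMZ` and the firewall scripts use it only for FORWARD rules; the sample should say so, e.g. `# - WireGuard servers behind this host (DMZ), allowed via FORWARD`. The `# - Blank separated list` hint given for `wireguard_server_ports` is missing under `wireguard_out_ports`, although post_decalrations.conf splits both values the same way. Both points apply equally to the conf/main_ipv6.conf.sample hunk.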
@@ -428,6 +450,25 @@ for _port in $vpn_ports ; do
vpn_port_arr+=("$_port")
done
+# ---
+# - Wireguard Ports (local Service)
+# ---
+# local
+declare -a wireguard_server_port_arr
+for _port in $wireguard_server_ports ; do
+ wireguard_server_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard out Ports
+# ---
+# local
+declare -a wireguard_out_port_port_arr
+for _port in $wireguard_out_ports ; do
+ wireguard_out_port_port_arr+=("$_port")
+done
+
+
# ---
# - Rsync Out Ports
# --
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index ca677a1..3782427 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1023,6 +1023,21 @@ done
echo_done
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ for _local_dev in ${local_if_arr[@]} ; do
+ $ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+done
+echo_done
+
+
# ---
# - Don't allow traffik into Unique local network (ULA)
# ---
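Review bot: The array name `wireguard_out_port_port_arr` repeats "port" and breaks the pattern of `vpn_port_arr` and `wireguard_server_port_arr` declared just above it; since both firewall scripts already reference the name, a rename would have to touch all three files, so it is best done now rather than after release. The `# local` comment under `# - Wireguard out Ports` is carried over from the local-service block and is misleading here; `# remote` or simply dropping it would be more accurate.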
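Review bot: The INPUT rule `$ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT` has no protocol or port restriction, and the FORWARD loop opens every local interface to every wg interface, so any WireGuard peer is trusted like a local host; that is a deliberate policy choice and the header comment should state it, e.g. `# - WireGuard peers are treated as trusted: every NEW connection from a wg interface is accepted on INPUT and (with forwarding on) into every local interface`. The same applies to the ipt-firewall-server hunk at -1184. This block matches with `-m conntrack --ctstate NEW` while the WireGuard service block added later in the same file uses `-m state --state NEW`; picking one form within the new code would be cleaner.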
@@ -1376,6 +1391,46 @@ else
fi
+# ---
+# - Wireguard
+# ---
+
+echononl "\t\tWireguard Service only out"
+if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${wireguard_out_port_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+echononl "\t\tWireguard Services.."
+if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_wireguard_server_ip_arr[@]} -gt 0 ]] ; then
+ if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${wireguard_server_ip_arr[@]} ; do
+ for _port in ${wireguard_server_port_arr[@]} ; do
+ $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${#forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _ip in ${forward_wireguard_server_ip_arr[@]} ; do
+ $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
# ---
# - Rsync Out
# ---
diff --git a/ipt-firewall-server b/ipt-firewall-server
index dd0dfa7..b91fcaa 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1184,6 +1184,21 @@ done
echo_done
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+ $ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ for _local_dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+done
+echo_done
+
+
# ---
# - Don't allow traffic into private networks
# ---
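Review bot: The FORWARD loop `for _ip in ${forward_wireguard_server_ip_arr[@]} ; do` has no inner port loop, so `--dport $_port` on the `$ip6t -A FORWARD` line reuses whatever `_port` was left by the preceding loop (the last local server port, or the last out port when no local server IPs are configured), and only one port is ever forwarded per DMZ address. Wrap the rule in `for _port in ${wireguard_server_port_arr[@]} ; do` … `done` as the INPUT branch above does and as the ipt-firewall-server counterpart already does. The outer `if` also relies on `$_port` being set at all; if the out-port array and server-port array are both empty the rule is emitted with an empty `--dport`, which ip6tables rejects.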
@@ -1547,6 +1562,48 @@ else
fi
+# ---
+# - Wireguard
+# ---
+
+echononl "\t\tWireGuard Service only out"
+if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${wireguard_out_port_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+echononl "\t\tWireGuard Services.."
+if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] ; then
+ if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${wireguard_server_ip_arr[@]} ; do
+ for _port in ${wireguard_server_ports[@]} ; do
+ $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_wireguard_server_ip_arr[@]} ; do
+ for _port in ${wireguard_server_ports[@]} ; do
+ $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
# ---
# - Rsync Out
# ---
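Review bot: Both tests `[[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]]` (in the outer `if` and in the FORWARD `if`) are missing the `#`, so instead of the element count they arithmetically compare the address strings themselves: an empty array evaluates as 0 and a populated one raises an arithmetic error and evaluates false, so the FORWARD rules for DMZ WireGuard servers are never installed. Change both to `[[ ${#forward_wireguard_server_ip_arr[@]} -gt 0 ]]`, matching the ip6t-firewall-server hunk. The two port loops iterate `${wireguard_server_ports[@]}`, the raw string from main_ipv4.conf, rather than the `wireguard_server_port_arr` built in post_decalrations.conf; it only works because the unquoted expansion is word-split, and it diverges from the IPv6 script, so `for _port in ${wireguard_server_port_arr[@]} ; do` is the intended form.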