Gentoo Forums :: View topic - Wireguard interface questions

Wireguard interface questions

View unanswered posts
View posts from last 24 hours

Gentoo Forums Forum Index

Networking & Security

View previous topic :: View next topic

Author

Message

krumpf
Apprentice

Joined: 15 Jul 2018
Posts: 189

Posted: Wed Nov 20, 2024 3:53 pm Post subject: Wireguard interface questions

Hi. For a while, my goal was to use my VPN connection only for torrenting while using my real IP for net browsing. Recently, I've found this script that creates and setups a wgclient network interface without setting it as default gateway for net access.
Script source

Code:

#!/bin/bash

CFG_FILE=$1
ALIAS_IDX=$2
IP_TABLE=4421${ALIAS_IDX}

# address aliases if needed
# not used unless ALIAS_IDX is set
ALIAS_V4=10.44.${ALIAS_IDX}.2
ALIAS_V6=fc00:44:${ALIAS_IDX}::2

DEV=wgclient${ALIAS_IDX}
NFT_TABLE=wgclient${ALIAS_IDX}

echo === using $CFG_FILE

echo === creating wireguard device ...
sudo ip link add $DEV type wireguard

echo === setting VPN addresses for device ...
#cat $CFG_FILE | grep "^ *Address *= *"
ADDRESSES=`cat $CFG_FILE | grep "^ *Address *= *" | sed -e "s@ @@" | sed -e "s@Address=@@" | sed -e "s@,@ @"`
echo ADDRESSES=$ADDRESSES

for a in $ADDRESSES; do
proto=4
if echo $a | grep -q ":"; then
proto=6;
fi
if [ $proto == 4 ]; then
LOCAL_V4_PREF=$a
LOCAL_V4=`echo $LOCAL_V4_PREF | sed -e "s@/[0-9]*@@"`
echo === LOCAL_V4=$LOCAL_V4
echo === adding IPv4 address $LOCAL_V4_PREF ...
sudo ip -4 addr add $LOCAL_V4_PREF dev $DEV
else
LOCAL_V6_PREF=$a
LOCAL_V6=`echo $LOCAL_V6_PREF | sed -e "s@/[0-9]*@@"`
echo === LOCAL_V6=$LOCAL_V6
echo === adding IPv6 address $LOCAL_V6_PREF ...
sudo ip -6 addr add $LOCAL_V6_PREF dev $DEV
fi
done

echo === configuring wireguard for device ...
TMP_DIR=/tmp/wireguard_exe_up
mkdir -p $TMP_DIR
TMP_CFG=$TMP_DIR/$DEV.conf
cat $CFG_FILE > $TMP_CFG
chmod o-r $TMP_CFG
wg-quick strip $TMP_CFG | sudo wg setconf $DEV /dev/stdin
rm $TMP_CFG
rmdir $TMP_DIR
#wg-quick strip $CFG_FILE | sudo wg setconf $DEV /dev/stdin
#sudo wg showconf $DEV

echo === starting device ...
sudo ip link set $DEV up

echo === showing device
ip link show dev $DEV

echo === showing device addresses
ip addr show dev $DEV

echo === showing wireguard status for device
#sudo wg showconf $DEV
sudo wg show $DEV

# retrieve info for route to Wireguard server
SERVER_IP=$(sudo wg showconf $DEV | grep "^ *Endpoint *= *" | \
sed -e "s@ @@g" | sed -e "s@Endpoint=@@" | sed -e "s@:[0-9]*\$@@" | sed -e "s@^\[@@" | sed -e "s@\]\$@@")
echo SERVER_IP=$SERVER_IP
SERVER_PROTO=4
if echo $SERVER_IP | grep -q ":"; then
SERVER_PROTO=6;
fi
echo SERVER_PROTO=$SERVER_PROTO
ROUTE=`ip -${SERVER_PROTO} route show default`
#echo ROUTE=$ROUTE
token () {
N=$1
shift
eval echo \$${N}
}
SERVER_GW=`token 3 $ROUTE`
echo SERVER_GW=$SERVER_GW
SERVER_IF=`token 5 $ROUTE`
echo SERVER_IF=$SERVER_IF

###########################################################

if [ "$LOCAL_V4" != "" ]; then

echo === adding IPV4 default route for table $IP_TABLE ...
sudo ip -4 route add default dev $DEV table $IP_TABLE
if [ "$SERVER_PROTO" == "4" ]; then
echo === adding IPV4 route for server for table $IP_TABLE ...
sudo ip -4 route add $SERVER_IP via $SERVER_GW dev $SERVER_IF table $IP_TABLE
fi
#sudo ip -4 route show table $IP_TABLE

if [ "$ALIAS_IDX" == "" ]; then
echo === adding IPV4 rule for VPN address $LOCAL_V4 for table $IP_TABLE ...
#sudo ip -4 rule del from $LOCAL_V4
sudo ip -4 rule add from $LOCAL_V4 table $IP_TABLE
#sudo ip -4 rule list
fi

if [ "$ALIAS_IDX" != "" ]; then
# set up IPv4 address alias
echo === using $ALIAS_V4 as IPv4 address alias ...
echo === adding IPv4 alias address ${ALIAS_V4} for device ...
sudo ip -4 addr add ${ALIAS_V4} dev $DEV
echo === adding IPV4 rule for address alias $ALIAS_V4 for table $IP_TABLE ...
#sudo ip -4 rule del from $ALIAS_V4
sudo ip -4 rule add from $ALIAS_V4 table $IP_TABLE
#sudo ip -4 rule list
echo === creating IPv4 nft table ...
sudo nft add table ip $NFT_TABLE
sudo nft flush table ip $NFT_TABLE
#sudo nft -a list ruleset
echo === setting up SNAT for IPV4 address alias ...
sudo nft create chain ip $NFT_TABLE nat_postrouting { type nat hook postrouting priority 0 \; }
sudo nft insert rule ip $NFT_TABLE nat_postrouting oifname "$DEV" ip saddr $ALIAS_V4 snat to $LOCAL_V4
#sudo nft -a list table ip $NFT_TABLE
echo === setting up DNAT for IPV4 address alias ...
sudo nft create chain ip $NFT_TABLE nat_prerouting {type nat hook prerouting priority 0 \; }
sudo nft add rule ip $NFT_TABLE nat_prerouting iifname "$DEV" dnat to $ALIAS_V4
#sudo nft -a list table ip $NFT_TABLE
echo === showing IPv4 nft rules
sudo nft -a list table ip $NFT_TABLE
fi # IPv4 address alias

echo === showing IPv4 rules for table $IP_TABLE
ip -4 rule list | grep $IP_TABLE

echo === showing IPv4 routing table for table $IP_TABLE
ip -4 route show table all | grep $IP_TABLE

fi # IPv4

###########################################################

if [ "$LOCAL_V6" != "" ]; then
echo === adding IPV6 default route for table $IP_TABLE ...
sudo ip -6 route add default dev $DEV table $IP_TABLE
if [ "$SERVER_PROTO" == "6" ]; then
echo === adding IPV6 route for server for table $IP_TABLE ...
sudo ip -6 route add $SERVER_IP via $SERVER_GW dev $SERVER_IF table $IP_TABLE
fi
#sudo ip -6 route show table $IP_TABLE

if [ "$ALIAS_IDX" == "" ]; then
echo === adding IPV6 rule for VPN address $LOCAL_V6 for table $IP_TABLE ...
#sudo ip -6 rule del from $LOCAL_V6
sudo ip -6 rule add from $LOCAL_V6 table $IP_TABLE
#sudo ip -6 rule list
fi

if [ "$ALIAS_IDX" != "" ]; then
# set up IPv6 address alias
echo === using $ALIAS_V6 as IPv6 address alias ...
echo === adding IPv6 alias address ${ALIAS_V6} for device ...
sudo ip -6 addr add ${ALIAS_V6} dev $DEV
echo === adding IPV6 rule for address alias $ALIAS_V6 for table $IP_TABLE ...
#sudo ip -6 rule del from $ALIAS_V6
sudo ip -6 rule add from $ALIAS_V6 table $IP_TABLE
#sudo ip -6 rule list
echo === creating IPv6 nft table ...
sudo nft add table ip6 $NFT_TABLE
sudo nft flush table ip6 $NFT_TABLE
#sudo nft -a list ruleset
echo === setting up SNAT for IPV6 address alias ...
sudo nft create chain ip6 $NFT_TABLE nat_postrouting { type nat hook postrouting priority 0 \; }
sudo nft insert rule ip6 $NFT_TABLE nat_postrouting oifname "$DEV" ip6 saddr $ALIAS_V6 snat to $LOCAL_V6
#sudo nft -a list table ip6 $NFT_TABLE
echo === setting up DNAT for IPV6 address alias ...
sudo nft create chain ip6 $NFT_TABLE nat_prerouting {type nat hook prerouting priority 0 \; }
sudo nft add rule ip6 $NFT_TABLE nat_prerouting iifname "$DEV" dnat to $ALIAS_V6
#sudo nft -a list table ip6 $NFT_TABLE
echo === showing IPv6 nft rules
sudo nft -a list table ip6 $NFT_TABLE
fi # IPv6 address alias

echo === showing IPv6 rules for table $IP_TABLE
ip -6 rule list | grep $IP_TABLE
echo === showing IPv6 routing table for table $IP_TABLE
ip -6 route show table all | grep $IP_TABLE

fi # IPv6

echo ===

Script is called using sh script arg1 arg2, arg1 being path to a wireguard config file, arg2 is ALIAS_IDX, which I don't know what it does (script works if it is omitted), so first question to network/bash gurus, it this script safe ?
Second question, what's the purpose of the ALIAS_IDX variable ?
Third question, with modifications (removing the sudo command, and maybe the parts that use ALIAS_IDX variable) could that script be used as an openrc service in place of wgquick service (the code I posted is to set up the wireguard interface, there's also a second script to properly shut it down, check the source link) ? Or maybe launch the script as a local service ?

Fourth question, the script source page gives a 3rd script to use with net-proxy/squid, allowing to use the vpn connection through a http proxy for apps that support it - as I get it, I could use webbrowser1 with my real IP, while webbrowser2 goes through the proxy. But I don't get how to use it

Quote:

"To run this on a remote server and access SQUID there from home, you would need to set up an ssh tunnel to forward the listening port. "

I have no clue about how to use ssh command to do that. Explanation for dummies is welcome

Thanks for reading
_________________
Dragon Princess Music Games Heroes and villains

nicop
Tux's lil' helper

Joined: 10 Apr 2014
Posts: 97

Posted: Wed Nov 20, 2024 4:49 pm Post subject:

You should consult config from wiki : https://wiki.gentoo.org/wiki/WireGuard#Network_management_methods and comment lines that set default route. To use VPN only for an app, the simpliest method is to run that app with a specific user and set an ip rule with uidrange.

Display posts from previous:

	Gentoo Forums Forum Index Networking & Security	All times are GMT
Page 1 of 1

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy