Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x Contribs => Topic started by: robf355 on May 23, 2023, 06:34:36 PM
-
Hi
In my previous post I was trying to get wireguard working on my local network, I managed to do this using iptables commands:
to set the table entries:
iptables -A FORWARD -s 172.30.0.0/24 -d 192.168.0.0/24 -i wg0 -o wg0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 172.30.0.0/24 -i wg0 -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o enp3s0 -j MASQUERADE
This allows me to access the local network from a WireGuard device.
To clear the table entries I used:
iptables -D FORWARD -i wg0 -j ACCEPT
iptables -D FORWARD -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
Everything works ok, so I tried adding these entries to wg0.conf. I created a template:
/etc/e-smith/templates-custom/etc/wireguard/wg0.conf
with the following in:
PostUp = iptables -A FORWARD -s 172.30.0.0/24 -d 192.168.0.0/24 -i %i -o %i -j ACCEPT
PostUp = iptables -A FORWARD -s 192.168.0.0/24 -d 172.30.0.0/24 -i %i -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
then executed
expand-template /etc/wireguard/wg0.conf
But systemctl -l start wg-quick@wg0.service
returns
Job for wg-quick@wg0.service failed because the control process exited with error code. See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
systemctl -l status wg-quick@wg0.service
returns
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/wg-quick@wg0.service.d
└─51koozali.conf
Active: failed (Result: exit-code) since Tue 2023-05-23 17:28:39 BST; 48s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 1264 ExecStop=/usr/bin/wg-quick down %i (code=exited, status=0/SUCCESS)
Process: 3274 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=1/FAILURE)
Main PID: 3274 (code=exited, status=1/FAILURE)
May 23 17:28:39 server.kjctechnik.com systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
May 23 17:28:39 server.kjctechnik.com wg-quick[3274]: - ip link add wg0 type wireguard
May 23 17:28:39 server.kjctechnik.com wg-quick[3274]: - wg setconf wg0 /dev/fd/63
May 23 17:28:39 server.kjctechnik.com wg-quick[3274]: Line unrecognized: `PostUp=iptables-AFORWARD-s172.30.0.0/24-d192.168.0.0/24-i%i-o%i-jACCEPT'
May 23 17:28:39 server.kjctechnik.com wg-quick[3274]: Configuration parsing error
May 23 17:28:39 server.kjctechnik.com wg-quick[3274]:
May 23 17:28:39 server.kjctechnik.com systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
May 23 17:28:39 server.kjctechnik.com systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
May 23 17:28:39 server.kjctechnik.com systemd[1]: Unit wg-quick@wg0.service entered failed state.
May 23 17:28:39 server.kjctechnik.com systemd[1]: wg-quick@wg0.service failed.
/var/log/messages:
May 23 17:24:20 server wg-quick: - ip link add wg0 type wireguard
May 23 17:24:20 server wg-quick: - wg setconf wg0 /dev/fd/63
May 23 17:24:20 server wg-quick: Line unrecognized: `PostUp=iptables-AFORWARD-s172.30.0.0/24-d192.168.0.0/24-i%i-o%i-jACCEPT'
May 23 17:24:20 server wg-quick: Configuration parsing error
May 23 17:24:20 server wg-quick:
May 23 17:28:39 server wg-quick: - ip link add wg0 type wireguard
May 23 17:28:39 server wg-quick: - wg setconf wg0 /dev/fd/63
May 23 17:28:39 server wg-quick: Line unrecognized: `PostUp=iptables-AFORWARD-s172.30.0.0/24-d192.168.0.0/24-i%i-o%i-jACCEPT'
May 23 17:28:39 server wg-quick: Configuration parsing error
May 23 17:28:39 server wg-quick:
It looks like the spaces in the command are being removed. I've checked /etc/e-smith/templates-custom/etc/wireguard/wg0.conf;
there are no odd characters in the file, i.e. the spaces are spaces.
/etc/wireguard/wg0.conf attached
-
This will not work after any reload of the SME Server firewall (masq), as it will be flushed.
You need to implement your rules in masq, not there, or you will get unpredictable access.
-
Thanks, so this is what I have done
Create a custom template directory:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
create a custom template file:
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40EnableWg0
add the following lines to the file:
/sbin/iptables -A FORWARD -s 172.30.0.0/24 -d 192.168.0.0/24 -i wg0 -o wg0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 172.30.0.0/24 -i wg0 -o wg0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o enp3s0 -j MASQUERADE
CTRL-X and save
execute
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
This works ok, I did the latest software updates, and the iptables values persist through the update and reboot. Is this the correct way to do this?
-
As long as your subnets do not change, this seems appropriate.
You just need to check where in the script it appears, so that it is not set before something else needs to be.
-
Thank you. I presume the scripts are executed in number order, and are the variables available to all scripts as they execute? I'm thinking I could replace the IP ranges and devices with the appropriate variables to make it work with stored IP ranges, if anyone else wants to use this.
Is there documentation on the variables?
Regards
Rob
-
Thank you, I presume the scripts are executed in number order
"Processed" in numeric order to get the right place in the masq file.
are the variables available to all scripts as they execute
Yup. But you need to start understanding more about how Koozali SME works under the hood.
Is there documentation on the variables?
Check some of the dev docs on the wiki.
Think about what something like this means:
my $sshd_autoblock = ${'sshd'}{'AutoBlock'} || "enabled";
Or:
$DB->get_all_by_prop( UDPPort => '\d+' )
Have a look in
/etc/e-smith/templates/etc/rc.d/init.d/masq/01localNetworks and elsewhere on how to read from the config databases.
use esmith::NetworksDB;
my $nets = esmith::NetworksDB->open;
foreach my $network ($nets->get_all_by_prop(type => 'network')) {
    # $network->key is the network address, its Mask property the netmask
    $OUT .= $network->key . '/' . $network->prop('Mask') . "\n";
}
Etc.
Grab the source code from CVS and start having a dig around and look at other templates.
If you want to talk more then ask me for a Rocket account and you can talk to us real time.
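Putting the two halves of this thread together (the fixed 40EnableWg0 fragment above and the advice to read the values from the config databases), here is an added example of what a variable-driven masq template fragment could look like. It is not code from this thread, from SME Server, or from the wireguard contrib. It assumes a `wireguard` configuration record with `Subnet` and `Interface` properties (set with `config setprop`; those keys are an assumption, not something the contrib is known to provide), takes the interface the NAT rule points at from the standard `InternalInterface` record (the role enp3s0 plays above), and reads every `type=network` entry from the networks DB the way 01localNetworks does. If the subnet or interface is missing or malformed, it emits a comment instead of half a rule set, so a bad setprop cannot leave the masq script unable to start.

```perl
{
    # Added example for this thread, not SME Server or contrib code.
    # Save as /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40EnableWg0,
    # then: expand-template /etc/rc.d/init.d/masq && /etc/init.d/masq restart
    #
    # Assumed configuration (not on this page):
    #   config setprop wireguard Subnet 172.30.0.0/24
    #   config setprop wireguard Interface wg0
    use esmith::NetworksDB;

    my $wg_subnet = ${'wireguard'}{'Subnet'}         || '';
    my $wg_if     = ${'wireguard'}{'Interface'}      || 'wg0';
    my $lan_if    = ${'InternalInterface'}{'Name'}   || '';

    # Only act on a plausible IPv4 CIDR and a known interface name; anything
    # else produces a comment in the masq script rather than broken rules.
    if ($wg_subnet =~ m{^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$} && $lan_if =~ m{^[\w.-]+$}) {
        my $nets = esmith::NetworksDB->open_ro;
        foreach my $network ($nets->get_all_by_prop(type => 'network')) {
            my $addr = $network->key;                           # network address
            my $mask = $network->prop('Mask') || '255.255.255.0'; # iptables accepts a dotted mask
            # Same pair of FORWARD rules as the fixed fragment, one pair per local network
            $OUT .= "    /sbin/iptables -A FORWARD -s $wg_subnet -d $addr/$mask"
                  . " -i $wg_if -o $wg_if -j ACCEPT\n";
            $OUT .= "    /sbin/iptables -A FORWARD -s $addr/$mask -d $wg_subnet"
                  . " -i $wg_if -o $wg_if -j ACCEPT\n";
        }
        # NAT the WireGuard clients behind the server on the internal interface
        $OUT .= "    /sbin/iptables -t nat -A POSTROUTING -s $wg_subnet"
              . " -o $lan_if -j MASQUERADE\n";
    }
    else {
        $OUT .= "    # wireguard Subnet/InternalInterface not set or invalid;"
              . " no WireGuard forwarding rules generated\n";
    }
}
```

After expanding, `grep -n wg0 /etc/rc.d/init.d/masq` shows where the generated lines landed relative to the other fragments, which is the ordering check mentioned earlier in the thread; `iptables -L FORWARD -v -n` and `iptables -t nat -L POSTROUTING -v -n` after the restart confirm the rules are actually loaded.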
-
Thanks for the info, I'll have a look