diff --git a/README.md b/README.md index 951b1e1..777eab9 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,8 @@ expected values are set by default, most with dummy default values. The endpoint of the VPN provider's WireGuard server. - `WIREGUARD_VPN_PUBLIC_KEY`: The public key of the VPN provider's WireGuard peer. +- `WIREGUARD_VPN_PPRESHARED_KEY`: + The preshared key of the VPN provider's WireGuard peer. Set to - to disable. - `WIREGUARD_ALLOWED_IPS`: Comma-separated list of IP addresses that may be contacted using the WireGuard interface. For a namespaced VPN, where the goal is to force all @@ -107,6 +109,22 @@ This package provides a tunnel between the init namesapce and the created VPN namespace so, e.g., you can control services inside the VPN namespace from outside. If you don't need or want the tunnel, just set `TUNNEL_ENABLE=0`. +##### iptables rules + +To control the services from outside the VPN as though they were running in the +physical namespace, rather than only having the accessible from this host, a +few iptables rules are required. Here I'm assuming that `net.ipv4.ip_forward=1` +and that the `FORWARD` table is allowing forwarding between interfaces. +``` +iptables -t nat -A PREROUTING -i [PHYSICAL] -p tcp -m tcp --dport [PORT] -j DNAT --to-destination [TUNNEL_VPN_IP_ADDRESSES]:[PORT] +iptables -t nat -A POSTROUTING -d [TUNNEL_VPN_IP_ADDRESSES] -o [TUNNEL_VPN_NAME] -p tcp -m tcp --dport [PORT] -j MASQUERADE +``` +For example with the standard settings to forward port 8000 from `eth0` you may use +``` +iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.127.0.2:8000 +iptables -t nat -A POSTROUTING -d 10.127.0.2/32 -o veth-vpn0 -p tcp -m tcp --dport 8000 -j MASQUERADE +``` + #### Namespace Overlay Most likely, there will be some additional configuration that you will want to 
@@ -157,7 +175,10 @@ $ ip netns exec $NETNS_NAME nslookup example.com While `ip netns exec` is handy for one-off commands, this project is most useful to allow running other systemd units in a VPN-only namespace. This is accomplished by adding a drop-in override file to the unit. In the following example, we'll configure -Transmission Daemon to run in our namespace. +Transmission Daemon to run in our namespace. Beware that is used in conjunction with the +`nsswitch.conf` and `resolv.conf` tweaks above this will not work correctly, as systemd +does not mount them into the right locations. There using `ip netns exec` may be more +appropriate. #### `/etc/systemd/system/transmission-daemon.service.d/10-vpn-netns.conf`: diff --git a/bin/namespaced-wireguard-vpn-interface b/bin/namespaced-wireguard-vpn-interface index 69a04c9..ab37907 100755 --- a/bin/namespaced-wireguard-vpn-interface +++ b/bin/namespaced-wireguard-vpn-interface @@ -9,11 +9,21 @@ case "$1" in up) ip link add "$WIREGUARD_NAME" mtu $WIREGUARD_INITIAL_MTU type wireguard || die - wg set "$WIREGUARD_NAME" \ - private-key <(echo "$WIREGUARD_PRIVATE_KEY") \ - peer "$WIREGUARD_VPN_PUBLIC_KEY" \ - endpoint "$WIREGUARD_ENDPOINT" \ - allowed-ips "$WIREGUARD_ALLOWED_IPS" || die + if [ "$WIREGUARD_VPN_PRESHARED_KEY" == "-" ] + then + wg set "$WIREGUARD_NAME" \ + private-key <(echo "$WIREGUARD_PRIVATE_KEY") \ + peer "$WIREGUARD_VPN_PUBLIC_KEY" \ + endpoint "$WIREGUARD_ENDPOINT" \ + allowed-ips "$WIREGUARD_ALLOWED_IPS" || die + else + wg set "$WIREGUARD_NAME" \ + private-key <(echo "$WIREGUARD_PRIVATE_KEY") \ + peer "$WIREGUARD_VPN_PUBLIC_KEY" \ + preshared-key <(echo "$WIREGUARD_VPN_PRESHARED_KEY") \ + endpoint "$WIREGUARD_ENDPOINT" \ + allowed-ips "$WIREGUARD_ALLOWED_IPS" || die + fi ip link set "$WIREGUARD_NAME" netns "$NETNS_NAME" || die diff --git a/conf/namespaced-wireguard-vpn.conf b/conf/namespaced-wireguard-vpn.conf index 3fff4b5..f187347 100644 --- a/conf/namespaced-wireguard-vpn.conf 
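Review bot: The new `if [ "$WIREGUARD_VPN_PRESHARED_KEY" == "-" ]` in the `up)` arm treats only the literal `-` as "disabled", so a deployment whose conf file predates this commit (variable empty, or unset if the script does not run under `set -u`) falls into the else branch and runs `wg set ... preshared-key <(echo "$WIREGUARD_VPN_PRESHARED_KEY")` with an empty key file, which `wg` should reject as a malformed key, and the trailing `|| die` then aborts the whole `up` action. Treat unset/empty as disabled too: `if [ -z "$WIREGUARD_VPN_PRESHARED_KEY" ] || [ "$WIREGUARD_VPN_PRESHARED_KEY" = "-" ]` (the `=` form is also the portable comparison inside `[`). The README hunk documents the variable as `WIREGUARD_VPN_PPRESHARED_KEY`, which does not match the name read here and defined in the conf hunk, so a user following the README would silently get the no-preshared-key branch. The `case` statement enclosing this `up)` arm starts and ends outside the hunk.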
+++ b/conf/namespaced-wireguard-vpn.conf @@ -13,6 +13,9 @@ WIREGUARD_ENDPOINT=1.2.3.4:56789 # Public key of the VPN WireGuard peer WIREGUARD_VPN_PUBLIC_KEY=abcdFAKEefghFAKEijklFAKEmnopFAKEqrstFAKEuvw= +# Preshared key of the VPN WireGuard peer, set to - to disable +WIREGUARD_VPN_PRESHARED_KEY=- + # Comma-separated list of allowed IP addresses for the VPN WireGuard interface WIREGUARD_ALLOWED_IPS=0.0.0.0/0,::0/0