Road Warrior config with fwmark

Road Warrior config with fwmark

[Bruno Wolff III]

It would be nice if fwmark was mentioned on https://www.wireguard.com/netns/ 
when covering routing all of your traffic through your tunnel for Road 
Warrior setups.

I noticed the fwmark support when looking at tools/wg-quick.bash. 
fwmark can be used to set up routing configurations that are essentially 
(they don't give bogus addresses) independent of the local network 
configuration. So no special action needs to be taken as you move from 
one wireless network to another. This makes the rules based approach much 
more competitive with the namespace technique.

I have this working on my laptop, but I want to tweak my router so that 
I don't need to have special iptables rules on my home network.

I have things set up to give my laptop the same static IP address, no matter 
where it is located.

Re: Road Warrior config with fwmark

[Bruno Wolff III]

[-- Attachment #1: Type: text/plain, Size: 346 bytes --]

On Tue, Nov 14, 2017 at 10:34:53 -0600,
  Bruno Wolff III <bruno@wolff.to> wrote:
>
>I have this working on my laptop, but I want to tweak my router so 
>that I don't need to have special iptables rules on my home network.

I got this fixed so I'll attach /etc/sysconfig/iptables and 
/etc/systemd/system/wireguard.service that make things work.

[-- Attachment #2: iptables --]
[-- Type: text/plain, Size: 1372 bytes --]

# If our addresses are used by the local network, the wrong source
# address will be used for packets that initially (before marking)
# look like they should go out the local gateway will get the wrong
# source address. So we need to be prepared to rewrite it to make things
# work.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -s 98.103.208.29/32 -o wg0 -j SNAT --to-source 98.103.208.29
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s 98.103.208.26 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 98.103.208.24/29 -i wg0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 129.89.240.0/24 -i wg0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.32.2.72/32 -i wg0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp -s 98.103.208.26 --dport 992 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -m mark --mark 0x1 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

[-- Attachment #3: wireguard.service --]
[-- Type: text/plain, Size: 643 bytes --]

[Unit]
Description=WireGuard Server

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=-/usr/sbin/ip link del dev wg0
ExecStart=-/usr/sbin/ip rule del pref 100
ExecStart=/usr/sbin/ip link add dev wg0 type wireguard
ExecStart=/usr/bin/wg setconf wg0 /etc/wireguard/config
ExecStart=/usr/sbin/ip address add 98.103.208.29/32 dev wg0
ExecStart=/usr/sbin/ip link set up dev wg0
ExecStart=/usr/sbin/ip route add default dev wg0 src 98.103.208.29 table 100
ExecStart=/usr/sbin/ip rule add not fwmark 1 pref 100 table 100
ExecStopPost=/usr/sbin/ip link del dev wg0
ExecStopPost=/usr/sbin/ip rule del pref 100

[Install]
WantedBy=multi-user.target