IP routing

From Braindump

Troubleshooting

1. Ethernet
2. Link IP same network, different address
3. DHCP
4. ARP MAC / IP neigh link
   DHCP / Static
   ifupdown-ng, netplan
5. Route to next hop
6. Route to default gateway
7. Firewall, iptables ... next
8. Traceroute to gateway
9. DNS Server
10. Ping/Traceroute to Server
11. Protocol Handshake

Netcheck

IPv4 ip_forward is set to: 1
default via              : 87.92.64.1
arp                      : ? (87.92.64.1) at 00:00:5e:00:01:01 [ether] on wan
ping                     : 87.92.64.1: seq=0 ttl=64 time=0.823 ms
google.com is at         : 216.58.209.206
ping                     : 216.58.209.206: seq=0 ttl=61 time=1.393 ms
iptables                 : 1519K 131M MASQUERADE all -- # wan 10.0.0.0/8 0.0.0.0/0

IPv6 ip_forward is set to: 1
default via              : fe80::bb
ip neigh                 : fe80::bb dev wan lladdr 00:00:5e:00:01:01 router DELAY fe80::bb dev eth4 FAILED
ping                     : fe80::bb: seq=0 ttl=255 time=0.890 ms
google.com is at         : ipv6.l.google.com.
ping                     : 2a00:1450:4026:802::200e: seq=0 ttl=61 time=1.230 ms
#!/bin/ash
# netcheck: walk the troubleshooting steps above from the router itself
# (forwarding enabled? default gateway known, resolved and reachable? name resolution and
# external reachability? NAT rule in place?), first for IPv4, then for IPv6.

IPFORWARD=$(sysctl net.ipv4.ip_forward)
echo "IPv4 ip_forward is set to:" ${IPFORWARD##*=}
IPDEFAULT=$(ip route show default | cut -d' ' -f3)
echo "default via              :" ${IPDEFAULT}
ARP=$(arp -n ${IPDEFAULT})
echo "arp                      :" ${ARP}
PONG=$(ping -c 1 ${IPDEFAULT} | head -2 | tail -1)
echo "ping                     :" ${PONG/64 bytes from/}
# +short may print CNAME targets before the address, so ask for A records and keep the last line
GOOGIP=$(dig A google.com +short | tail -1)
echo "google.com is at         :" ${GOOGIP}
PONG=$(ping -c 1 ${GOOGIP} | head -2 | tail -1)
echo "ping                     :" ${PONG/64 bytes from/}
# the MASQUERADE rule that NATs the LAN out of wan
IPFW=$(iptables -L POSTROUTING -v -n -t nat | grep MASQ)
echo "iptables                 :" ${IPFW/\*/#}
echo ""
IP6FORWARD=$(sysctl net.ipv6.conf.all.forwarding)
echo "IPv6 ip_forward is set to:" ${IP6FORWARD##*=}
IPDEFAULT=$(ip -6 route show default | cut -d' ' -f3)
echo "default via              :" ${IPDEFAULT}
ARP=$(ip -6 neigh show ${IPDEFAULT})
echo "ip neigh                 :" ${ARP}
# the gateway is a link-local address, so the outgoing interface has to be given
PONG=$(ping -6 -c 1 -I wan ${IPDEFAULT} | head -2 | tail -1)
echo "ping                     :" ${PONG/64 bytes from/}
GOOGIP=$(dig AAAA ipv6.google.com +short | tail -1)
echo "google.com is at         :" ${GOOGIP}
PONG=$(ping -6 -c 1 ${GOOGIP} | head -2 | tail -1)
echo "ping                     :" ${PONG/64 bytes from/}


Complicated network setup

One endpoint with the IP address of a remote system

ifconfig qvs1:0 10.0.0.15 up
ip route replace 10.0.0.0/8 via 192.168.1.2
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o wan -j MASQUERADE
iptables -I INPUT 4 -i eth5 -p udp --dport 27016 -j ACCEPT
iptables -t nat -A PREROUTING -i wan -p udp --dport 27016 -j DNAT --to 10.0.0.209:27016


Wireguard

IPsec is typically used together with IKE to negotiate session keys and the other parameters, many of which must match on both sides. Wireguard likewise creates a TUN/TAP-style tunnel interface with an encrypted connection, but requires no negotiation and relies on fixed keys: each side is configured with the peer's public key, for which that peer holds the matching private key. The private key must be kept secret. The keys must be rotated manually; there is no forward secrecy, so if the private key leaks all past communication can be deciphered. IPsec can be initiated by either peer. Wireguard peers can also be equals, but in a mobile (road warrior) scenario one peer acts as the server and waits for the mobile wireguards to connect.

wg is the command-line tool that talks to the kernel module. wg-quick is a script that runs several commands, including the routing setup. On Alpine Linux it is probably better to use ifupdown-ng to configure all networking, wireguard included; it can use "requires" to depend on a specific interface. The wg config differs from the wg-quick config, especially in AllowedIPs. In the server config, each peer's AllowedIPs must contain only that peer's own address, e.g. 10.0.9.87/32. In the client config the peer's AllowedIPs can be 0.0.0.0/0 to route all destinations through the tunnel. The 0.0.0.0/1 and 128.0.0.0/1 routes are used because routes are selected by longest prefix match: the two /1 routes are more specific than 0.0.0.0/0, so the default route may still exist but is never used. The Windows Wireguard client calls this the "kill-switch", since it forces all traffic through the wireguard interface. Was the default port UDP/51820 changed to UDP/9366?
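The AllowedIPs rules above (a /32 per peer on the server, the two /1 routes beating the /0 default on the client) can be made concrete with a small model of WireGuard's cryptokey routing. This is an added example, not code from this page or from the WireGuard project; peer names, the interface names and all addresses are constructed placeholders. It shows how an outgoing packet is matched to a peer or route by longest prefix, how an incoming decrypted packet is dropped when its source is outside the sending peer's AllowedIPs, and how a prefix claimed by two peers is detected (wg only lets one peer own a prefix, the one configured last).

```python
"""Model of WireGuard's cryptokey routing (AllowedIPs), added as an
illustration; not code from the page or from the WireGuard project.
Peer names, interface names and all addresses are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(owners: Dict[str, List[str]]) -> Table:
    """Flatten {name: [cidr, ...]} into (network, name) entries.

    Used both for a peer list (name = peer) and for a kernel routing table
    (name = outgoing interface); both are resolved by longest prefix match.
    """
    return [(ipaddress.ip_network(c, strict=False), name)
            for name, cidrs in owners.items() for c in cidrs]


def select(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching entry wins, so /0 loses to /1."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, name in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def accept_inbound(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """After decryption WireGuard drops a packet whose source address is not
    inside the sending peer's AllowedIPs, so one peer cannot spoof another's /32."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in peers[peer])


def duplicate_allowed_ips(peers: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """List prefixes claimed by more than one peer. wg(8) lets a prefix belong to
    one peer only; the peer configured last silently takes it over."""
    owners: Dict[str, List[str]] = {}
    for name, cidrs in peers.items():
        for c in cidrs:
            owners.setdefault(str(ipaddress.ip_network(c, strict=False)), []).append(name)
    return [(c, names) for c, names in owners.items() if len(names) > 1]


# Client view (constructed): a single peer, the server, owning both halves of
# the IPv4 space instead of 0.0.0.0/0.
CLIENT_PEERS = {"server": ["0.0.0.0/1", "128.0.0.0/1"]}

# Kernel routing table on that client (constructed): the two /1 routes beat the
# /0 default on eth0; only the tunnel endpoint keeps a host route out of eth0,
# as the "ip route add 87.123.123.123 via ..." step on this page does.
KERNEL_ROUTES = {"eth0": ["0.0.0.0/0", "87.123.123.123/32"],
                 "wg0": ["0.0.0.0/1", "128.0.0.0/1"]}

# Server view (constructed): each peer owns exactly its own /32.
SERVER_PEERS = {"laptop": ["10.0.10.2/32"], "phone": ["10.0.10.3/32"]}

# Misconfigured server (constructed): two peers both claim 0.0.0.0/0.
BAD_SERVER_PEERS = {"laptop": ["10.0.10.2/32", "0.0.0.0/0"],
                    "phone": ["10.0.10.3/32", "0.0.0.0/0"]}


if __name__ == "__main__":
    k = build_table(KERNEL_ROUTES)
    print("1.1.1.1 leaves via", select(k, "1.1.1.1"))            # wg0
    print("endpoint leaves via", select(k, "87.123.123.123"))    # eth0
    s = build_table(SERVER_PEERS)
    print("10.0.10.3 goes to peer", select(s, "10.0.10.3"))      # phone
    print("laptop claiming phone's address accepted:",
          accept_inbound(SERVER_PEERS, "laptop", "10.0.10.3"))   # False
    print("duplicate prefixes:", duplicate_allowed_ips(BAD_SERVER_PEERS))
```

Run it as a script to see the three views side by side. The kernel table and the peer table are resolved by the same function on purpose: the "kill-switch" effect of 0.0.0.0/1 plus 128.0.0.0/1 is nothing more than the longest-prefix rule applied to the kernel's routing table, and the same rule decides which peer WireGuard encrypts a packet for.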

wireconf.sh

#!/bin/bash
# wireconf.sh <name>: add a new road-warrior peer to wg0

#1. argv the name
#2. make name as dir
#3. check AllowedIPs number do plus one
#4. create priv+pub with name in dir
#5. create conf with private
#6. add public to wg
#7. reload wg0 interface

# Return the IPv4 address following $1 (dotted quad -> hex -> +1 -> dotted quad).
nextip(){
    IP=$1
    IP_HEX=$(printf '%.2X%.2X%.2X%.2X\n' $(echo "$IP" | sed -e 's/\./ /g'))
    NEXT_IP_HEX=$(printf %.8X $(( 0x$IP_HEX + 1 )))
    NEXT_IP=$(printf '%d.%d.%d.%d\n' $(echo "$NEXT_IP_HEX" | sed -r 's/(..)/0x\1 /g'))
    echo "$NEXT_IP"
}

if [ $# -eq 0 ]; then
    echo "No arguments provided"
    exit 1
fi

# Take the first address of the last peer already in wg0.conf and hand out the next one.
IP=$(grep AllowedIPs /etc/wireguard/wg0.conf | tail -1 | awk -F '= |/32' '{print $2}')
NEXT=$(nextip "${IP}")
echo "${NEXT}"

umask 077   # the generated files contain a private key
mkdir /etc/wireguard/${1}
pushd /etc/wireguard/${1}

PRIV=$(wg genkey)
PUB=$(echo "${PRIV}" | wg pubkey)
echo "${PUB}"

# Client config: its own /32 and everything routed through the tunnel.
cat << EOF >> /etc/wireguard/${1}/${1}.conf
[Interface]
Address = ${NEXT}/32
DNS = 10.0.10.1
PrivateKey = ${PRIV}

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = fi.router.islief.com:51820
PublicKey = LWiBoAF2KsaEOoimg6yvhHlMk+R0O5Zf/GGVkqWJoAw=
EOF

# Server config: register the new peer's public key.
cat << EOF >> /etc/wireguard/wg0.conf

[Peer]
# ${1}
PublicKey = ${PUB}
AllowedIPs = ${NEXT}/32, 10.0.0.0/8, 0.0.0.0/0
EOF

# QR code for the mobile client, kept next to the config
qrencode -t ansiutf8 < /etc/wireguard/${1}/${1}.conf | tee /etc/wireguard/${1}/${1}.qr

ifreload wg0

popd

Client Configuration

wg genkey | tee privatekey | wg pubkey > publickey

client.conf
[Interface]
Address = 10.0.10.2/32
DNS = 10.0.10.1
PrivateKey = ${PRIVKEY}

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = fi.router.islief.com:51820
PublicKey = LWiBoAF2KsaEOoimg6yvhHlMk+R0O5Zf/GGVkqWJoAw=

qrencode -t ansiutf8 < client.conf | tee client.qr

Server Configuration

/etc/wireguard/wg0.conf
[Peer]
PublicKey = ${PUBKEY}
AllowedIPs = 10.0.10.3/32, 10.0.0.0/8, 0.0.0.0/0
wg setconf wg0 wg0.conf

ifupdown-ng

auto wg0
iface wg0 inet static
 requires wan
 use wireguard
 address 10.0.10.1

Troubleshoot

wg show all dump

Config

/usr/local/etc/wireguard
/usr/local/opnsense/service/conf/actions.d/actions_wireguard.conf
/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh
/usr/local/etc/rc.d/wireguard restart
/usr/local/etc/rc.routing_configure
wireguard-go wg0
wg-quick strip wg0 > /tmp/wg-int.conf
wg setconf wg0 /tmp/wg-int.conf
wg setconf wg0 <(wg-quick strip wg0)
ifconfig wg0 inet 10.0.9.1/24 10.0.9.1 alias
ifconfig wg0 mtu 1420
ifconfig wg0 up
route -q -n add -inet 10.0.9.0/24 -interface wg0
route -q -n add -inet 10.0.9.2/32 -interface wg0
route -q -n add -inet 192.168.1.0/24 -interface wg0

wg on alpine

apk add wireguard-tools-wg ifupdown-ng-wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.10.16/24
wg set wg0 listen-port 51820 private-key /home/alpine/privatekey peer LWiBoAF2KsaEOoimg6yvhHlMk+R0O5Zf/GGVkqWJoAw= allowed-ips 10.0.10.0/24 endpoint 87.123.123.123:51820
ip link set up dev wg0
ip route add 87.123.123.123 via 172.31.0.1 dev eth0
ip route replace default via 10.0.10.1 dev wg0
curl https://checkip.amazonaws.com
wg showconf wg0
[Interface]
ListenPort = 51820
PrivateKey = AO3fXM3kff1234Ljh+JU4bj3n00UmBtEH6sjn9t53VU=

[Peer]
PublicKey = 2Sql4/jthYM7dxFuW1wumb5K1v7AwEiSTvBNzFVLiQo=
AllowedIPs = 10.0.10.0/24
Endpoint = 87.123.123.123:51820
/etc/network/interfaces
ifup wg0

opnsense-code plugins

cd /usr/plugins/net/wireguard
make upgrade
service wireguard stop
service wireguard start
wg-quick up wg0
ifconfig wg0 inet 10.0.10.1/24 10.0.10.1 alias
wg syncconf wg0 <(wg-quick strip wg0)
wg syncconf wg0 /usr/local/etc/wireguard/wg0.conf
umask 077
wg genkey > privatekey
wg pubkey < privatekey > publickey

Letsencrypt

ipset create letsencrypt hash:net
ipset add letsencrypt 131.103.20.160/27
ipset add letsencrypt 165.254.145.0/26
ipset add letsencrypt 104.192.143.0/24
iptables -A INPUT -p tcp -m tcp --dport 80 -m set --match-set letsencrypt src -j ACCEPT
apk add certbot-nginx
certbot renew --renew-hook "service nginx reload"
cat /etc/periodic/weekly/certbot.sh

PHP-FPM

vi /etc/php8/php-fpm.conf
vi /etc/php8/php-fpm.d/www.conf
cd /var/run/
ln -s php-fpm8 php-fpm
ls -la /var/run/php-fpm/php-fpm.sock
service php-fpm8 restart