Knowledge Base (Posts about vpn)https://bgstack15.ddns.net/blog/enContents © 2023 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Mon, 27 Nov 2023 14:00:33 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssresolv.conf when turning off wireguard vpnhttps://bgstack15.ddns.net/blog/posts/2023/11/27/resolv-conf-when-turning-off-wireguard-vpn/bgstack15<p>This probably isn't the best way to handle things, but because I use both connman and wireguard on a laptop that I take on the road, I have this snippet in my <code>/etc/wireguard/wg0.conf</code>:</p> <div class="code"><pre class="code literal-block"><span class="k">[Interface]</span><span class="w"></span> <span class="na">DNS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">192.168.1.1,192.168.1.2, ipa.internal.com, vm.internal.com, remote.internal.com, internal.com</span><span class="w"></span> <span class="na">PostUp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf</span><span class="w"></span> <span class="na">PostDown</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">ln -sf /run/connman/resolv.conf /etc/resolv.conf</span><span class="w"></span> </pre></div> <p>This forces my resolv.conf to use whatever resolvconf generates, which wireguard uses. And wireguard passes those non-IP address names as the search domains to resolvconf, and of course those nameserver entries.</p> <p>I should probably bother to learn how to get connman to use resolvconf, or get it to use wireguard.</p> <h2>Further reading</h2> <p>Further research indicates that while Connman has wireguard support, it is incomplete/buggy and I will stick to my current methods of using it.</p> <ol> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/www.phoronix.com/news/ConnMan-WireGuard">Intel's ConnMan Is Ready With WireGuard Support - Phoronix</a> sa.</li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=244c2a69bf33afd3e0a2362573231cf4e37d1417">connman/connman.git - Connection Manager</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/git.kernel.org/pub/scm/network/connman/connman.git/log/?qt=grep&amp;q=wireguard">connman/connman.git - Connection Manager</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=9c781b75657bb72a9d65ba7cc73aa5111ae13eb2">connman/connman.git - Connection Manager</a></li> <li><a href="https://bgstack15.ddns.net/blog/outbound/https:/wiki.libreelec.tv/configuration/wireguard#known-issues">WireGuard - LibreELEC.wiki#known-issues</a></li> </ol>dnsvpnwireguardhttps://bgstack15.ddns.net/blog/posts/2023/11/27/resolv-conf-when-turning-off-wireguard-vpn/Mon, 27 Nov 2023 13:53:17 GMTSetting up remote server, bgstack15-stylehttps://bgstack15.ddns.net/blog/posts/2022/08/21/setting-up-remote-server-bgstack15-style/bgstack15<p>I have previously described some of these tasks in an <a href="https://bgstack15.ddns.net/blog/posts/2021/11/30/preparing-offsite-backup-server-part-2">old post</a>, but this is a single section of steps, updated!</p> <p>When I set up a remote system I want to have a connection to it so I can control and administer it. I set up two paths to it:</p> <ol> <li>autossh from $NEWSERVER back to $OLDSITE</li> <li>wireguard vpn connection</li> </ol> <p>Install wireguard and autossh. Additionally I used resolvconf because it makes wireguard control dns better. That might resemble:</p> <div class="code"><pre class="code literal-block"><span class="n">sudo</span><span class="w"> </span><span class="n">apt</span><span class="o">-</span><span class="n">get</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">wireguard</span><span class="w"> </span><span class="n">autossh</span><span class="w"> </span><span class="n">resolvconf</span><span class="w"></span> </pre></div> <h2>Establish autossh</h2> <p>Create a user for this purpose and generate an ssh key.</p> <div class="code"><pre class="code literal-block"><span class="n">sudo</span><span class="w"> </span><span class="n">useradd</span><span class="w"> </span><span class="o">--</span><span class="k">create</span><span class="o">-</span><span class="n">home</span><span class="w"> </span><span class="o">--</span><span class="n">shell</span><span class="w"> </span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">bash</span><span class="w"> </span><span class="n">autossh</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">passwd</span><span class="w"> </span><span class="n">autossh</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">su</span><span class="w"> </span><span class="n">autossh</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="s1">'ssh-keygen'</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">su</span><span class="w"> </span><span class="n">autossh</span><span class="w"></span> <span class="err">#</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="nl">autossh</span><span class="p">:</span><span class="w"></span> <span class="n">ssh</span><span class="o">-</span><span class="n">copy</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="mi">2022</span><span class="w"> </span><span class="n">autossh</span><span class="nv">@www</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> </pre></div> <p>Make a new system service with either an <a href="https://bgstack15.ddns.net/blog/files/2022/08/autossh.init">init file</a> or <a href="https://bgstack15.ddns.net/blog/files/2022/08/autossh.service">unit file</a>.</p> <p>Restart the system service!</p> <h2>Establish wireguard</h2> <p>And for wireguard, establish the settings to connect my relevant nodes. Select an available IP address from "IP space map - Internal.ods" file. Establish file <code>/etc/wireguard/wg0.conf</code> like below.</p> <div class="code"><pre class="code literal-block"><span class="k">[Interface]</span><span class="w"></span> <span class="na">Address</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">10.222.0.102/24</span><span class="w"></span> <span class="na">ListenPort</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">51820</span><span class="w"></span> <span class="c1"># from `wg genkey`</span><span class="w"></span> <span class="na">PrivateKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">SCRUBBED</span><span class="w"></span> <span class="c1"># this system public key</span><span class="w"></span> <span class="c1"># from `echo $PrivateKey | wg pubkey`</span><span class="w"></span> <span class="c1"># SCRUBBED</span><span class="w"></span> <span class="c1"># If I need dns servers and search domains</span><span class="w"></span> <span class="na">DNS</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">192.168.1.10,192.168.1.11, ipa.internal.com, vm.internal.com, internal.com</span><span class="w"></span> <span class="k">[Peer]</span><span class="w"></span> <span class="c1"># first main peer</span><span class="w"></span> <span class="na">PublicKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">KOQVWMYb+TMzkMrCSsG7DJm29wQFovEV1LfKrptfAjw=</span><span class="w"></span> <span class="na">AllowedIPs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">192.168.1.10/32, 192.168.1.11/32, 192.168.1.12, 192.168.1.15/32, 10.222.0.0/24</span><span class="w"></span> <span class="na">PersistentKeepalive</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">25</span><span class="w"></span> <span class="na">Endpoint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">www.example.com:51820</span><span class="w"></span> <span class="k">[Peer]</span><span class="w"></span> <span class="c1"># second main peer</span><span class="w"></span> <span class="na">PublicKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">aReyDUOGHqhhnqyUJQltfuWw+JoG+KES8DzD1k3CNWE=</span><span class="w"></span> <span class="na">AllowedIPs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">10.222.0.3/32</span><span class="w"></span> <span class="na">PersistentKeepalive</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">25</span><span class="w"></span> <span class="na">Endpoint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">secondary.ddns.net:51820</span><span class="w"></span> </pre></div> <p>And of course, add this new peer to both the primary and secondary wireguard nodes.</p> <div class="code"><pre class="code literal-block"><span class="k">[Peer]</span><span class="w"></span> <span class="c1"># new system comment</span><span class="w"></span> <span class="na">PublicKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">+gJ2m3vJmIQzR7AfmBNq6+8+y9gWlISeCsuCgEGvPTM=</span><span class="w"></span> <span class="na">AllowedIPs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">10.222.0.102/32</span><span class="w"></span> <span class="c1"># If needed:</span><span class="w"></span> <span class="na">PersistentKeepalive</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">25</span><span class="w"></span> <span class="na">Endpoint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">location.remote.example.com:51820</span><span class="w"></span> </pre></div> <p>Start wireguard. If on a non-systemd distro, use a <a href="https://bgstack15.ddns.net/blog/files/2022/08/wireguard.init">wireguard init script</a>.</p> <div class="code"><pre class="code literal-block"><span class="n">sudo</span><span class="w"> </span><span class="n">update</span><span class="o">-</span><span class="n">rc</span><span class="p">.</span><span class="n">d</span><span class="w"> </span><span class="n">wireguard</span><span class="w"> </span><span class="n">defaults</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="n">wireguard</span><span class="w"> </span><span class="n">start</span><span class="w"></span> <span class="p">#</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nl">systemd:</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">systemctl</span><span class="w"> </span><span class="n">enable</span><span class="w"> </span><span class="n">wg</span><span class="o">-</span><span class="n">quick</span><span class="p">@</span><span class="n">wg0</span><span class="p">.</span><span class="n">service</span><span class="w"></span> <span class="n">sudo</span><span class="w"> </span><span class="n">systemctl</span><span class="w"> </span><span class="n">start</span><span class="w"> </span><span class="n">wg</span><span class="o">-</span><span class="n">quick</span><span class="p">@</span><span class="n">wg0</span><span class="p">.</span><span class="n">service</span><span class="w"></span> </pre></div> <p>Optionally, set up new A record under remote.example.com on server1 with:</p> <div class="code"><pre class="code literal-block">updatezone remote.example.com </pre></div>autosshremoteservervpnwireguardhttps://bgstack15.ddns.net/blog/posts/2022/08/21/setting-up-remote-server-bgstack15-style/Sun, 21 Aug 2022 13:12:03 GMTQuick tray icon for wireguardhttps://bgstack15.ddns.net/blog/posts/2021/12/28/quick-tray-icon-for-wireguard/bgstack15<p>I have been setting up more and more <a href="https://bgstack15.ddns.net/blog/categories/wireguard/">wireguard</a> endpoints for myself. On the most recent, I actually have a desktop environment. I want to control the vpn status from the graphical environment. I use <a href="https://www.devuan.org/">Devuan</a> Ceres and they dropped wicd just like Debian Sid did. I switched over to ConnMan, and so I investigated connman-vpn, but it doesn't have anything to do with wireguard, at least not the version in Ceres. Debian Sid's connman version is 1.36-2.3, and a quick Internet search shows that <a href="https://www.phoronix.com/scan.php?page=news_item&amp;px=ConnMan-WireGuard">ConnMan supports wireguard starting with 1.38</a>.</p> <p>So I wrote a quick and dirty shell script utility that uses <a href="https://gitlab.com/bgstack15/mktrayicon">mktrayicon</a>. I chose some very simple icons, stylized lower- and upper-case letter "V." I got the icons under a linkware license: <a href="https://visualpharm.com/free-icons/v-595b40b65ba036ed117d4d2e">https://visualpharm.com/free-icons/v-595b40b65ba036ed117d4d2e</a>.</p> <p>Here's my file <code>/usr/local/bin/vpn-trayicon</code></p> <table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span> <span class="normal"> 2</span> <span class="normal"> 3</span> <span class="normal"> 4</span> <span class="normal"> 5</span> <span class="normal"> 6</span> <span class="normal"> 7</span> <span class="normal"> 8</span> <span class="normal"> 9</span> <span class="normal">10</span> <span class="normal">11</span> <span class="normal">12</span> <span class="normal">13</span> <span class="normal">14</span> <span class="normal">15</span> <span class="normal">16</span> <span class="normal">17</span> <span class="normal">18</span> <span class="normal">19</span> <span class="normal">20</span> <span class="normal">21</span> <span class="normal">22</span> <span class="normal">23</span> <span class="normal">24</span> <span class="normal">25</span> <span class="normal">26</span> <span class="normal">27</span> <span class="normal">28</span> <span class="normal">29</span> <span class="normal">30</span> <span class="normal">31</span> <span class="normal">32</span> <span class="normal">33</span> <span class="normal">34</span> <span class="normal">35</span> <span class="normal">36</span> <span class="normal">37</span> <span class="normal">38</span> <span class="normal">39</span> <span class="normal">40</span> <span class="normal">41</span> <span class="normal">42</span> <span class="normal">43</span> <span class="normal">44</span> <span class="normal">45</span> <span class="normal">46</span> <span class="normal">47</span> <span class="normal">48</span> <span class="normal">49</span></pre></div></td><td class="code"><pre class="code literal-block"><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1"># Startdate: 2021-12-26 21:10</span> <span class="c1"># Reference: keyboard-leds-trayicons</span> <span class="c1"># Documentation:</span> <span class="c1"># for some stupid reason sudo /usr/local/bin/vpn-on doesn't work, so I just use the real commands here.</span> clean_vpn_trayicon<span class="o">()</span> <span class="o">{</span> <span class="o">{</span> <span class="nb">test</span> -e <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"q"</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="p">;</span> <span class="o">}</span> <span class="m">1</span>&gt;/dev/null <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">&amp;</span> sleep <span class="m">1</span> <span class="o">&amp;&amp;</span> rm -f <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_KILLFILE</span><span class="si">}</span><span class="s2">"</span> <span class="o">}</span> <span class="nb">export</span> <span class="nv">vpn_trayicon</span><span class="o">=</span><span class="s2">"/var/run/user/</span><span class="k">$(</span> id -u <span class="k">)</span><span class="s2">/</span><span class="si">${</span>$<span class="si">}</span><span class="s2">.vpn.icon"</span> <span class="nb">export</span> <span class="nv">vpn_KILLFILE</span><span class="o">=</span>/tmp/kill-all-vpn-trayicons <span class="nb">test</span> <span class="s2">"ON"</span> <span class="o">=</span> <span class="s2">"ON"</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> mkfifo <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> mktrayicon <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="p">&amp;</span> <span class="nb">echo</span> <span class="s2">"m Turn vpn on,sudo wg-quick up wg0|Turn vpn off,sudo wg-quick down wg0|quit,echo 'q' &gt; </span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2"> ; touch \"</span><span class="si">${</span><span class="nv">vpn_KILLFILE</span><span class="si">}</span><span class="s2">\""</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"i networkmanager"</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="o">}</span> rm -f <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_KILLFILE</span><span class="si">}</span><span class="s2">"</span> <span class="nb">trap</span> <span class="s1">'trap "" 2 ; touch "${vpn_KILLFILE}" '</span> <span class="m">2</span> <span class="c1"># CTRL-C</span> <span class="k">while</span> ! <span class="nb">test</span> -e <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_KILLFILE</span><span class="si">}</span><span class="s2">"</span> <span class="m">2</span>&gt;/dev/null <span class="p">;</span> <span class="k">do</span> ip -o a s wg0 <span class="m">1</span>&gt;/dev/null <span class="m">2</span>&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">;</span> <span class="nv">status_now</span><span class="o">=</span><span class="nv">$?</span> <span class="p">;</span> <span class="k">if</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">${</span><span class="nv">status_now</span><span class="si">}</span><span class="s2">"</span> !<span class="o">=</span> <span class="s2">"</span><span class="si">${</span><span class="nv">status_old</span><span class="si">}</span><span class="s2">"</span> <span class="p">;</span> <span class="k">then</span> <span class="nb">test</span> -p <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="k">case</span> <span class="s2">"</span><span class="si">${</span><span class="nv">status_now</span><span class="si">}</span><span class="s2">"</span> <span class="k">in</span> <span class="m">0</span><span class="o">)</span> <span class="c1"># vpn is on now</span> <span class="nb">test</span> -n <span class="s2">"</span><span class="si">${</span><span class="nv">VPN_DEBUG</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"vpn is on (icon file </span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">)"</span> <span class="m">1</span>&gt;<span class="p">&amp;</span><span class="m">2</span> <span class="nb">echo</span> <span class="s2">"i /usr/local/share/vpn-on.svg"</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"t vpn is on"</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="p">;;</span> <span class="m">1</span><span class="o">)</span> <span class="c1"># vpn is off now</span> <span class="nb">test</span> -n <span class="s2">"</span><span class="si">${</span><span class="nv">VPN_DEBUG</span><span class="si">}</span><span class="s2">"</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"vpn is off (icon file </span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">)"</span> <span class="m">1</span>&gt;<span class="p">&amp;</span><span class="m">2</span> <span class="nb">echo</span> <span class="s2">"i /usr/local/share/vpn-off.svg"</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"t vpn is off"</span> &gt; <span class="s2">"</span><span class="si">${</span><span class="nv">vpn_trayicon</span><span class="si">}</span><span class="s2">"</span> <span class="p">;;</span> <span class="k">esac</span> <span class="k">fi</span> <span class="nv">status_old</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">status_now</span><span class="si">}</span><span class="s2">"</span> sleep <span class="m">1</span> <span class="k">done</span> <span class="c1"># safety shutoff</span> clean_vpn_trayicon </code></pre> </td></tr></table> <p>So when I right-click the icon, I can choose "vpn on", "vpn off", or "quit". That's about it.</p>iconshelltrayiconvpnwireguardhttps://bgstack15.ddns.net/blog/posts/2021/12/28/quick-tray-icon-for-wireguard/Tue, 28 Dec 2021 14:24:25 GMTExtending my vpn to route all my traffic for my vpn clientshttps://bgstack15.ddns.net/blog/posts/2021/03/10/extending-my-vpn-to-route-all-my-traffic-for-my-vpn-clients/bgstack15<p>I read on the Internet that you can route all traffic through your vpn to your house to take advantage of everything you already run for your home network. For me, this includes robust <a href="https://bgstack15.ddns.net/blog/posts/2020/09/06/block-ads-within-existing-bind9-infastructure/">ad- blocking</a>, and of course various network services not available to the public. To extend my new, fancy <a href="https://bgstack15.ddns.net/blog/posts/2021/03/06/connecting-my-mobile-phone-to-my-home-network-for-playing-media/">wireguard vpn</a>, I took some extra steps so I could route all traffic through my home network.</p> <h2>On server</h2> <p>On my wireguard "server" (the peer that is at my house) I added firewall rules. At first I fiddled with nftables (which has supplanted iptables), but eventually found that I was supposed to use firewalld on CentOS 8.</p> <pre class="code literal-block"><span></span><code>sudo firewall-cmd --add-masquerade --permanent </code></pre> <p>And then set sysctl value to allow forwarding.</p> <pre class="code literal-block"><span></span><code>sudo sysctl net.ipv4.ip_forward=1 </code></pre> <p>And for permanency, set file <code>/etc/sysctl.d/wg.conf</code>:</p> <pre class="code literal-block"><span></span><code>net.ipv4.ip_forward = 1 </code></pre> <h2>On client</h2> <p>And then add on the Android client the allowed IP address <code>0.0.0.0/0</code>. The Android app adds the correct routing already!</p> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/">How to setup a VPN server using WireGuard (with NAT and IPv6)</a></li> <li><a href="https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/">Beginners Guide to nftables Traffic Filtering - Linux Audit</a></li> <li><a href="https://alextsang.net/articles/20191012-080947/index.html">WireGuard on Alpine Linux with nftables</a></li> <li><a href="https://www.eriksuniverse.com/using-firewalld-as-a-linux-router.html">Using FirewallD as a Linux Router | A Little Guy and His Blog</a></li> </ol>routingvpnhttps://bgstack15.ddns.net/blog/posts/2021/03/10/extending-my-vpn-to-route-all-my-traffic-for-my-vpn-clients/Wed, 10 Mar 2021 14:25:26 GMTConnecting my mobile phone to my home network for playing mediahttps://bgstack15.ddns.net/blog/posts/2021/03/06/connecting-my-mobile-phone-to-my-home-network-for-playing-media/bgstack15<p>I use <a href="https://www.plex.tv/">Plex</a>, which is OK, but I don't like having to depend on an external service to access my own media files. I have successfully set up a VPN to my home network, so that my mobile phone can access my media files from anywhere! I set up WireGuard as a vpn, so VLC on Android can play my files from my nfs server at home!</p> <h2>On Linux server</h2> <p>On my nfs server (CentOS 8), I installed <a href="https://www.wireguard.com/install/">wireguard</a>, the up-and-coming VPN solution that can be included in the Linux kernel! I used method two, using kmod, but from <a href="https://rpmfusion.org/Configuration">rpmfusion</a> which I already had enabled.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">kmod</span><span class="o">-</span><span class="n">wireguard</span> <span class="n">wireguard</span><span class="o">-</span><span class="n">tools</span> </code></pre> <p>Then I set up file <strong>/etc/wireguard/wg0.conf</strong>. There was a template file somewhere with some better notes, but this is the boiled-down version.</p> <pre class="code literal-block"><span></span><code><span class="k">[Interface]</span> <span class="na">Address</span> <span class="o">=</span> <span class="s">10.222.0.1/24</span> <span class="na">ListenPort</span> <span class="o">=</span> <span class="s">51820</span> <span class="c1"># from `wg genkey`</span> <span class="na">PrivateKey</span> <span class="o">=</span> <span class="s">123456789009876543211234567890=</span> <span class="c1"># server1 public key, from `echo "${PrivateKey}" | wg pubkey`</span> <span class="c1"># 123456789012345678901234567890=</span> <span class="k">[Peer]</span> <span class="c1"># my mobile phone's public key, from below instructions</span> <span class="na">PublicKey</span> <span class="o">=</span> <span class="s">01982643901625901902283497598275=</span> <span class="na">AllowedIPs</span> <span class="o">=</span> <span class="s">10.222.0.2/32</span> <span class="na">PersistentKeepalive</span> <span class="o">=</span> <span class="s">25</span> </code></pre> <p>I chose to save the public key right there in the config file, in case I need to retrieve it often! And then I had to open the firewall, of course.</p> <pre class="code literal-block"><span></span><code>sudo firewall-cmd --add-port=51820/udp --permanent </code></pre> <p>I also had to forward port 51820 in my router to my server's IP address. And then I took virtual NIC up!</p> <pre class="code literal-block"><span></span><code>sudo wg-quick up wg0 </code></pre> <p>Because my plan included accessing NFS with VLC for Android, I needed to add a rule in <strong>/etc/exports</strong> :</p> <pre class="code literal-block"><span></span><code><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">server1</span><span class="o">/</span><span class="n">shares</span> <span class="mf">10.222</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">24</span><span class="p">(</span><span class="n">ro</span><span class="p">,</span><span class="n">sync</span><span class="p">,</span><span class="n">insecure</span><span class="p">)</span> </code></pre> <p>And update the current export list.</p> <pre class="code literal-block"><span></span><code><span class="n">sudo</span> <span class="n">exportfs</span> <span class="o">-</span><span class="n">ra</span> </code></pre> <p>And to make sure the wireguard interface</p> <h2>On android mobile phone</h2> <p>I installed the official Wireguard app from <a href="https://f-droid.org/">F-droid</a>. I appreciate how the app lets you configure interfaces and peers in a manner that looks basically identical to the contents of the config file used to define an interface+peers on a full GNU/Linux system! I named the interface, and added my IP address of 10.222.0.2/32. I also listed DNS servers that are on my home network. I hard-coded the listen port to 51820. For the peer, I added the public key from my server1 above. <strong>Allowed IPs:</strong> 10.222.0.0/24,192.168.1.0/24 As I understand it, the allowed IP addresses indicate what networks will be routed through the VPN. So here I am including the VPN network, and also my home network's main IP network. <strong>Endpoint:</strong> (my ddns name):51820 <strong>Persistent keepalive:</strong> 25 seconds.</p> <h2>Conclusion</h2> <p>I don't know how to perform low-level network diagnostics from Android such as ping or netcat, so I really only tested from my server. I pinged the client (once all wireguard interfaces were up on both devices). And for the final test, I was out driving in my car, and I had an opportunity to enable my wireguard interface on my phone, run VLC, and connect to my nfs server and play music! So this was a successful operation (even if it is a bit flaky, due to nfs's dislike of spotty networks). And now I don't need</p>mobilenfsvpnwireguardhttps://bgstack15.ddns.net/blog/posts/2021/03/06/connecting-my-mobile-phone-to-my-home-network-for-playing-media/Sat, 06 Mar 2021 14:11:04 GMT