@Foolson
Last active April 12, 2020 13:35
# router.md

Work in progress!
I wanted to make a simple Firewall/Router setup with pure Debian and WireGuard remote access. This is what I came up with by creating a test setup with Debian 10 in VirtualBox.
It requires dnsmasq and WireGuard.

## /etc/network/interfaces

enp0s3 is the WAN interface and enp0s8 is the LAN interface.
The WAN interface gets its IP from DHCP and the LAN interface has a static IP.

```
allow-hotplug enp0s3
iface enp0s3 inet dhcp

auto enp0s8
iface enp0s8 inet static
        address 192.168.0.1/24
```

## /etc/sysctl.conf

Enable IP forwarding between networks and interfaces.
I'm not interested in IPv6 right now, so I have disabled it (can of worms and so on).

```
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
```

## /etc/network/if-pre-up.d/iptables

Simple script that restores the firewall rules before an interface comes up, so they survive reboots.

```sh
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
```

Make it executable.

```sh
$ sudo chmod +x /etc/network/if-pre-up.d/iptables
```

## /etc/network/iptables

Simple set of firewall rules that blocks input and forwarded traffic coming in from WAN, except for the services explicitly listed.
Traffic between LAN and WAN is NATed.

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -o enp0s3 -j MASQUERADE
-A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to 192.168.0.10 -m comment --comment "Port forward to LAN webserver"

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i enp0s3 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH to router from WAN"
-A INPUT -i enp0s3 -p udp --dport 51820 -j ACCEPT -m comment --comment "WireGuard wg0 from WAN"
-A INPUT -i enp0s3 -j DROP

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i enp0s3 -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT -m comment --comment "Port forward to LAN webserver"
-A FORWARD -i enp0s3 -j DROP

COMMIT
```

Enable the firewall rules.

```sh
$ sudo /etc/network/if-pre-up.d/iptables
```
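The ruleset above is only safe because the last rule in each of INPUT and FORWARD is an unconditional drop for the WAN interface; everything accepted from WAN has to be listed before it. The following script is an added example (not part of the gist) that parses a ruleset in iptables-save format and reports exactly what the WAN side can reach: the ports the router itself answers on, the DNAT port forwards into the LAN, whether each forward has its matching FORWARD accept, and whether the deny-by-default tail is still in place. The ruleset embedded in `RULES` is a constructed copy of the one shown above; the interface name `enp0s3` is taken from the page.

```python
import shlex

# Constructed copy of the page's /etc/network/iptables, used as sample input.
RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s3 -j MASQUERADE
-A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to 192.168.0.10 -m comment --comment "Port forward to LAN webserver"
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i enp0s3 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH to router from WAN"
-A INPUT -i enp0s3 -p udp --dport 51820 -j ACCEPT -m comment --comment "WireGuard wg0 from WAN"
-A INPUT -i enp0s3 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i enp0s3 -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT -m comment --comment "Port forward to LAN webserver"
-A FORWARD -i enp0s3 -j DROP
COMMIT
"""


def parse_rules(text):
    """Yield (table, chain, options) for every -A line in iptables-save format.

    A flag followed by a non-flag token becomes key -> value; a bare flag
    becomes key -> True. A rule loading the same match module twice (two -m)
    would overwrite the first; the page's ruleset never does that.
    """
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if line == "COMMIT" or line.startswith(":"):   # end of table / chain policy
            continue
        tokens = shlex.split(line)        # shlex keeps the quoted comment intact
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, opts, i = tokens[1], {}, 2
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = True
                i += 1
        yield table, chain, opts


def _is_catch_all(opts):
    """True when a rule matches on interface only (no protocol, port or address)."""
    return not any(k in opts for k in ("-p", "--dport", "--sport", "-s", "-d"))


def audit(text, wan="enp0s3"):
    """Summarise what the WAN side can reach and whether deny-by-default holds."""
    rules = list(parse_rules(text))
    # Services the router itself accepts from WAN (filter/INPUT).
    exposed = [(o.get("-p"), o.get("--dport"))
               for t, c, o in rules
               if t == "filter" and c == "INPUT" and o.get("-i") == wan and o.get("-j") == "ACCEPT"]
    # DNAT port forwards into the LAN (nat/PREROUTING); --to may carry ":port".
    forwards = [(o.get("-p"), o.get("--dport"), str(o.get("--to")).split(":")[0])
                for t, c, o in rules
                if t == "nat" and c == "PREROUTING" and o.get("-i") == wan and o.get("-j") == "DNAT"]
    # Filtering runs after DNAT, so each forward needs a FORWARD ACCEPT for the rewritten destination.
    unmatched = [f for f in forwards if not any(
        t == "filter" and c == "FORWARD" and o.get("-i") == wan and o.get("-j") == "ACCEPT"
        and o.get("-p") == f[0] and o.get("--dport") == f[1] and o.get("-d") == f[2]
        for t, c, o in rules)]

    def ends_with_wan_drop(chain):
        tail = [o for t, c, o in rules if t == "filter" and c == chain]
        return bool(tail) and tail[-1].get("-i") == wan and tail[-1].get("-j") == "DROP" \
            and _is_catch_all(tail[-1])

    return {
        "exposed": exposed,
        "forwards": forwards,
        "unmatched_forwards": unmatched,
        "input_wan_drop": ends_with_wan_drop("INPUT"),
        "forward_wan_drop": ends_with_wan_drop("FORWARD"),
    }


if __name__ == "__main__":
    for key, value in audit(RULES).items():
        print(f"{key}: {value}")
```

Run against the page's ruleset it reports tcp/22 and udp/51820 as exposed, one forward to 192.168.0.10:80 with its FORWARD accept present, and both chains ending in a WAN drop; deleting the final `-A INPUT -i enp0s3 -j DROP` line flips `input_wan_drop` to false, which is the regression this kind of check exists to catch.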

## /etc/dnsmasq.d/conf

Dnsmasq for DHCP and automagic DNS.

```
interface=enp0s8
interface=wg0
no-dhcp-interface=wg0
cache-size=1000
no-resolv
server=1.1.1.1
server=1.0.0.1
local=/local/
domain=local
expand-hosts
dhcp-range=192.168.0.100,192.168.0.254,255.255.255.0,12h
dhcp-option=3,192.168.0.1
dhcp-option=6,192.168.0.1
```

## /etc/dnsmasq.d/static

It's possible to map a MAC address, hostname and IP together for a pseudo-static IP.

```
dhcp-host=08:00:27:f9:05:dc,debian-client-01,192.168.0.10
```

Restart dnsmasq after any conf modifications.

```sh
$ sudo systemctl restart dnsmasq.service
```

## /etc/wireguard/wg0.conf

Why wouldn't you want remote access with WireGuard?

```ini
[Interface]
Address = 192.168.1.1/24
ListenPort = 51820
PrivateKey = (Router PrivateKey)

[Peer]
PublicKey = (Client PublicKey)
AllowedIPs = 192.168.1.2/32
```

Enable and start the WireGuard interface.

```sh
$ sudo systemctl enable wg-quick@wg0.service
$ sudo systemctl start wg-quick@wg0.service
```

## WireGuard client conf

```ini
[Interface]
PrivateKey = (Client PrivateKey)
Address = 192.168.1.2/24
DNS = 192.168.0.1

[Peer]
PublicKey = (Router PublicKey)
AllowedIPs = 192.168.1.0/24, 192.168.0.0/24
Endpoint = (Router WAN IP):51820
```
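The two configs above reference each other crosswise: the router's `[Peer]` carries the client's public key, and the client's `[Peer]` carries the router's. Each public key is the X25519 function applied to the private key and the base point 9, which is what `wg pubkey` computes from the output of `wg genkey`. The following script is an added example (not part of the gist) that implements that derivation from RFC 7748 in plain Python and then renders both ends' config from the two private keys, so you can see every value that fills the placeholders. The ladder uses Python integers and is therefore not constant-time; it is here to show the relationship between the keys, and on a real router the keys should come from `wg genkey` / `wg pubkey`. Addresses, ports and AllowedIPs are taken from the page; `endpoint` is a parameter because the page leaves the WAN IP as a placeholder.

```python
import base64
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian, as in RFC 7748 section 4.1


def _clamp(scalar):
    """Decode a 32-byte scalar with the X25519 clamping bits applied."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, u):
    """X25519 Montgomery ladder (RFC 7748 section 5); not constant-time."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                      # ignore the unused top bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key():
    """32 random bytes, base64 like `wg genkey` (WireGuard clamps on use)."""
    return base64.b64encode(os.urandom(32)).decode()


def public_key(private_b64):
    """Derive the base64 public key from a base64 private key, like `wg pubkey`."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


def router_peer_block(client_private_b64, client_ip="192.168.1.2"):
    """The [Peer] section that goes into the router's wg0.conf."""
    return f"[Peer]\nPublicKey = {public_key(client_private_b64)}\nAllowedIPs = {client_ip}/32\n"


def client_conf(client_private_b64, router_public_b64, endpoint, client_ip="192.168.1.2"):
    """The complete client conf; AllowedIPs routes only the tunnel and LAN subnets."""
    return (f"[Interface]\nPrivateKey = {client_private_b64}\nAddress = {client_ip}/24\n"
            f"DNS = 192.168.0.1\n\n[Peer]\nPublicKey = {router_public_b64}\n"
            f"AllowedIPs = 192.168.1.0/24, 192.168.0.0/24\nEndpoint = {endpoint}:51820\n")


if __name__ == "__main__":
    router_priv, client_priv = generate_private_key(), generate_private_key()
    print("# router wg0.conf gets:\n" + router_peer_block(client_priv))
    # "203.0.113.1" is a documentation address standing in for the router's WAN IP.
    print("# client conf:\n" + client_conf(client_priv, public_key(router_priv), "203.0.113.1"))
```

The test vectors from RFC 7748 section 6.1 pin the arithmetic down: Alice's and Bob's published private keys must produce their published public keys, and both directions of the exchange must yield the same shared secret, which is exactly the symmetry WireGuard's handshake relies on.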