Wireguard support in Nethserver 7

Hi,

welcome to Nethserver Community.

Here are the relevant firewall settings:

# Firewall config (WireGuard uses UDP only, so the service port is a UDP port)
config set fw_wireguard service UDPPort 51820 access green,red status enabled
signal-event firewall-adjust

and Wireguard support in Nethserver

If the Nethserver is behind a router you may need static routes on the router:

2 Likes

That sounds like you are using NS as the client side. If so, then you may have to specify a listen port, as opposed to letting Wireguard pick a random one, in the peer stanza and also open it to the firewall instead of 51820 as shown by mrmarkuz above.

*** Update ***
Sorry, that should be “in the interface stanza”, not the peer.

But also another question: is this just a client to the VPS, or does the VPS also act as a client to an NS server? In other words, is there a separate tunnel in each direction?

Cheers.

2 Likes

Thanks, yes that’s the # firewall config that you posted before that I have been trying to use… I will study up on the static routes and try again.

Unfortunately, every time I mess with it, I lose all connectivity and have to go to the server and reset. I may just do a clean install and start over because I probably have it too far gone at this point.

Thanks for your help. Not sure I understand your question.

The nethserver should be the “client” of the VPS, but of course the traffic would go both ways in that tunnel. IPtables on the VPS sends the web/mail server traffic to the wireguard IP on the nethserver. It’s a way to keep the static IP the same no matter where the server is located and get past whatever port limitations may be on the local ISP connection. And the nethserver should send the replies back through the wireguard tunnel.

Correct that in a VPN tunnel the traffic goes in both directions, but only 1 side initiates the traffic, which is the client. All the traffic from the other side, the server, will be a reply to whatever is received. It will never send unsolicited traffic to the client.

So I was just verifying that the only server that initiates the traffic is NS, the client, and that you were not expecting the VPS to initiate any unsolicited contact to NS. If that were the case, then both servers would need to run a Wireguard server.

If that is the case, then you need what I mentioned previously. Add the ListenPort parameter to the interface stanza, so the server will always send its replies there, and use that port number to open the firewall rules, which BTW would only be needed on the red interface if the Wireguard client is NS itself and not another server behind that, in the LAN space.

Cheers.
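Added example, not from any post in this thread: the VPS-side forwarding rules and the NS-side wg-quick config for the setup described above (VPS forwards web/mail to the NS tunnel address, NS replies through the tunnel, ListenPort fixed in the interface stanza). The tunnel subnet 10.10.0.0/24, interface names, the NS listen port 51821 and the forwarded ports 25/80/443 are assumptions; keys and the VPS address are placeholders.

```shell
#!/bin/sh
# Added example, not from this thread. Placeholders/assumptions: tunnel
# subnet 10.10.0.0/24, VPS public interface eth0, NS listen port 51821,
# forwarded ports 25/80/443. Keys and the VPS public address are placeholders.

WG_IF="wg0"
VPS_PUBLIC_IF="eth0"
VPS_TUNNEL_IP="10.10.0.1"
NS_TUNNEL_IP="10.10.0.2"
WG_PORT="51820"        # VPS-side listen port, as in the thread
NS_LISTEN_PORT="51821" # fixed client port to open on the NS red interface
FORWARD_PORTS="25 80 443"

# iptables rules for the VPS: DNAT inbound service ports to the NS tunnel
# address, allow the forward, and SNAT so NS routes replies back into wg0.
# (SNAT hides the original client IP from NS; policy routing on NS avoids that.)
vps_forward_rules() {
    for p in $FORWARD_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $VPS_PUBLIC_IF -p tcp --dport $p -j DNAT --to-destination $NS_TUNNEL_IP:$p"
        echo "iptables -A FORWARD -i $VPS_PUBLIC_IF -o $WG_IF -p tcp -d $NS_TUNNEL_IP --dport $p -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $NS_TUNNEL_IP -j SNAT --to-source $VPS_TUNNEL_IP"
    echo "iptables -A FORWARD -i $WG_IF -o $VPS_PUBLIC_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# wg-quick config for the NS side: ListenPort sits in [Interface] so the
# port is stable and can be opened in the NS firewall for the red zone;
# PersistentKeepalive keeps the NAT mapping alive so VPS replies get through.
ns_client_config() {
    cat <<EOF
[Interface]
PrivateKey = <NS_PRIVATE_KEY_PLACEHOLDER>
Address = $NS_TUNNEL_IP/24
ListenPort = $NS_LISTEN_PORT

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = <VPS_PUBLIC_IP_PLACEHOLDER>:$WG_PORT
AllowedIPs = $VPS_TUNNEL_IP/32
PersistentKeepalive = 25
EOF
}

# NethServer firewall command matching that ListenPort (UDP, red zone only).
ns_firewall_cmd() {
    echo "config set fw_wireguard service UDPPort $NS_LISTEN_PORT access red status enabled"
}
```

Run `vps_forward_rules` on the VPS and `ns_client_config > /etc/wireguard/wg0.conf` on NS, then `signal-event firewall-adjust` after `ns_firewall_cmd`.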

How to install and use this wireguard module?

The module is not finished yet.

Howto is in this thread:

Ok, but how to install the module files?

It’s explained here:

curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install wireguard-dkms wireguard-tools

See also the wireguard page.

1 Like

I try to realize a fixed IP with a VPS with wireguard. Should I change the zone to red to have two WANs? One for general outgoing traffic and one incoming traffic for SMTP and other services or should I use a separate zone?

1 Like

I used a separate zone as openvpn and ipsec does.

Another example where a separate zone is used:

https://bbs.archlinux.org/viewtopic.php?id=242270

1 Like

How to install from this link? https://github.com/mrmarkuz/nethserver-wireguard

Sorry, it’s still not finished…
You need to compile, I can compile the module and provide it on my server as a base for your tests, if you like.

1 Like

Yes please.
By the way: How to compile it? Are there any scripts?

1 Like

You need a dev environment:

https://wiki.nethserver.org/doku.php?id=developer:developer_howto

Here’s some information about building RPMs:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/building_rpms.html

For the package to work you need to install an external repository, see Wireguard documentation.
I used the dkms package option some time ago, maybe there’s a better option nowadays.

Installation:

curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install https://mrmarkuz.dynu.net/mirror/devtest/nethserver-wireguard-1.0.0-1.ns7.noarch.rpm

No, for CentOS it’s still dkms. They did try, for a short while, using elrepo (I think) with pre-compiled modules, but it turned out to be more of a hassle.

Cheers.

1 Like

Just posting it in case someone finds it of some interest (WIP):

3 Likes

this is interesting, and follows the scope of zerotier and nebula

I finally managed to finish the nethserver-wireguard project. Please test it, I’d appreciate your feedback. You need a working internet connection and please don’t test on production systems.
Check out the wiki for more info.

yum -y install https://mrmarkuz.dynu.net/mirror/mrmarkuz/7/noarch/nethserver-mrmarkuz-0.0.1-6.ns7.noarch.rpm
yum -y install nethserver-wireguard

I decided to include wg-manager bare-metal (instead of docker) as UI. It’s in development and has a few bugs but in my tests it was the most flexible tool.
Other UIs were missing user login, the possibility to create more WireGuard interfaces (VPNs) or were not usable at all.
I tested subspace, drago, wg-ui, wireguard-ui and wireguard-manager.

8 Likes

Hi,

I just came across this.

GitHub - firezone/firezone: WireGuard-based VPN server and firewall

not sure it can be used as an interface, all the same, or it’s something else altogether

1 Like