host_vars | ||
roles | ||
.DS_Store | ||
hosts.yml | ||
readme.md | ||
system-setup.yml |
Supernode mit direkter VPN Ausleitung
ER-X Stock Firmware Config:
cd /tmp curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
cd /config/auth wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public cat wg.public cat wg.key
configure
Wireguard
set interfaces wireguard wg0 address 10.255.1.2/30 set interfaces wireguard wg0 listen-port 51821 set interfaces wireguard wg0 route-allowed-ips false set interfaces wireguard wg0 persistent-keepalive 25 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0 set interfaces wireguard wg0 private-key /config/auth/wg.key
Firewall for Wireguard
set firewall name WAN_LOCAL rule 20 action accept set firewall name WAN_LOCAL rule 20 protocol udp set firewall name WAN_LOCAL rule 20 description 'WireGuard' set firewall name WAN_LOCAL rule 20 destination port 51821
Config WAN Interface
delete interfaces ethernet eth0
set interfaces ethernet eth0 address dhcp
Config Client Interface
set interfaces ethernet eth2 address 10.1.0.1/16
NAT Rules & DHCP
configure
set service dhcp-server disabled false
set service dhcp-server shared-network-name Client authoritative enable
set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 default-router 10.1.0.1
set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 dns-server 1.1.1.1
set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 lease 86400
set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 start 10.1.1.1 stop 10.1.255.254
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' set firewall group network-group LAN-VPN network 10.1.0.0/16
set firewall group network-group RFC1918 network 10.0.0.0/8 set firewall group network-group RFC1918 network 172.16.0.0/12 set firewall group network-group RFC1918 network 192.168.0.0/16 set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set firewall modify VPN_TDF7 rule 100 action modify set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table' set firewall modify VPN_TDF7 rule 100 modify table 2 set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set interfaces ethernet eth2 firewall in modify VPN_TDF7 set interfaces ethernet switch0 firewall in modify VPN_TDF7
nat
set service nat rule 5010 description 'masquerade for VPN' set service nat rule 5010 outbound-interface wg0 set service nat rule 5010 type masquerade set service nat rule 5010 protocol all
commit ; save