お手製自家製TunnelSats
注:これは作業メモの転載です。AS-ISですしrecklessかもしれません。
サーバーサイド
Edit UFW defaults
$ cp /etc/default/ufw{,.orig}
$ diff /etc/default/ufw{.orig,}
19c19
< DEFAULT_FORWARD_POLICY="DROP"
---
> DEFAULT_FORWARD_POLICY="ACCEPT"
Add NAT rule to UFW
$ cp /etc/ufw/before.rules{,.orig}
$ diff /etc/ufw/before.rules{.orig,}
10a11,17
> # TunnelSats
> *nat
> :PREROUTING ACCEPT [0:0]
> -A PREROUTING -i <Interface with global address eg. eth0 enp1s0> -p tcp -m tcp --dport 9735 -j DNAT --to 10.9.0.2:9735
> -A POSTROUTING -s 10.9.0.0/24 -o <Interface with global address eg. eth0 enp1s0> -j MASQUERADE
> COMMIT
>
Enable ipv4.ip_forward
$ cp /etc/sysctl.conf{,.orig}
$ diff /etc/sysctl.conf{.orig,}
28c28
< #net.ipv4.ip_forward=1
---
> net.ipv4.ip_forward=1
Add UFW rules
$ ufw allow 9735 comment 'LN'
Rule added
Rule added (v6)
$ ufw allow 51820 comment 'WireGuard'
Rule added
Rule added (v6)
Enable ufw
$ ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y <--- INPUT
Firewall is active and enabled on system startup
$ ufw reload
Apply sysctl
$ sysctl --system
...
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
Install WireGuard
$ apt update
...
All packages are up to date.
$ apt install --no-install-recommends -y wireguard
...
Generate server key
$ umask 077
$ wg genkey | tee server.priv | wg pubkey > server.pub
$ ls -l
total 8
-rw------- 1 root root 45 Mar 8 13:04 server.priv
-rw------- 1 root root 45 Mar 8 13:04 server.pub
Generate client key
$ wg genkey | tee client.priv | wg pubkey > client.pub
$ ls -l
total 16
-rw------- 1 root root 45 Mar 8 13:06 client.priv
-rw------- 1 root root 45 Mar 8 13:06 client.pub
-rw------- 1 root root 45 Mar 8 13:04 server.priv
-rw------- 1 root root 45 Mar 8 13:04 server.pub
Generate pre-shared key
$ wg genpsk > preshared.key
Create WireGuard configuration
$ cat tunnelsats.conf
[Interface]
Address = 10.9.0.1/32
SaveConfig = true
ListenPort = 51820
PrivateKey = <Content of server.priv>
[Peer]
PublicKey = <Content of client.pub>
PresharedKey = <Content of preshared.key>
AllowedIPs = 10.9.0.2/32
PersistentKeepalive = 25
Enable and start WireGuard interface
$ systemctl enable --now wg-quick@tunnelsats.service
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@tunnelsats.service → /lib/systemd/system/wg-quick@.service.
クライアントサイド
$ cat tunnelsatsv2.conf
[Interface]
PrivateKey = <Content of client.priv>
Address = 10.9.0.2/32
#VPNPort = 9735
#myPubKey = <Content of client.pub>
[Peer]
PublicKey = <Content of server.pub>
PresharedKey = <Content of preshared.key>
Endpoint = <Global IP on VPS>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Execute setupv2.sh
$ wget -O setupv2.sh https://github.com/tunnelsats/tunnelsats/raw/main/scripts/setupv2.sh
$ bash setupv2.sh
「Create WireGuard configuration」で作成する tunnelsats.conf の置き場所は /etc/wireguard。
wg-quick@tunnelsats は /etc/wireguard/tunnelsats.conf を読みに行くため、そこにないと「Enable and start WireGuard interface」を実施しても失敗する。