Friday, 5 September 2025

Wireguard & Firewalld Setup IPv4 & IPv6

Wireguard & Firewalld Setup (firewalld)

IPv4 & IPv6: (but not with initial wireguard setup)
https://oliver-kaestner.de/posts/anleitung-wireguard-vpn-server-dual-stack-einrichten/

IPv4 ONLY: (including initial wireguard setup)
https://oliver-kaestner.de/posts/anleitung-wireguard-vpn-server-einrichten-internetrouting/ 

Original WireGuard documentation (Volker):
https://gueldenpfennigs.blogspot.com/2021/08/wireguard-tunsafe.html 

Prepare Server for Wireguard

vi /etc/sysctl.d/90-ip-fwd.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

sysctl --system

cat /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv6/conf/all/forwarding

Install Wireguard

apt install wireguard

apt install wireguard-tools

copy /etc/wireguard/wg-service.conf from the old server ... 

Check Network Adapters

cat /proc/net/dev

Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 12574087   68134    0    0    0     0          0         0 12574087   68134    0    0    0     0       0          0
  eth0: 70448728397 1037898114    0 1746891    0     0          0         0 692815176 1954534    0    0    0     0       0          0
=> lo & eth0 

Setup Config & Autostart of Wireguard

https://www.wireguard.com/quickstart/

systemctl enable wg-quick@wg-service.service  <<<
systemctl disable wg-quick@wg-service.service 

systemctl status wg-quick@wg-service.service  <<<
systemctl restart wg-quick@wg-service.service
systemctl start wg-quick@wg-service.service 
systemctl stop wg-quick@wg-service.service


Install & activate firewalld

apt install firewalld

Check Firewall State

systemctl status firewalld

firewall-cmd --state


systemctl stop firewalld 

systemctl start firewalld 

Maintain Firewall Rules Wireguard IPv4 & IPv6

# Add the interface facing the internet (here: eth0) to the zone "public"
firewall-cmd --permanent --zone=public --add-interface=eth0
# Allow incoming connections on the configured WireGuard port
firewall-cmd --permanent --zone=public --add-port=51001/udp

# Add the WireGuard interface to the new zone "wg-inet"
firewall-cmd --permanent --new-zone=wg-inet
firewall-cmd --permanent --zone=wg-inet --add-interface=wg-service
# Allow incoming traffic from the WireGuard tunnel
firewall-cmd --permanent --zone=wg-inet --set-target=ACCEPT

# Explicitly allow traffic between the two zones via a policy
firewall-cmd --permanent --new-policy=wg-inet-to-public
firewall-cmd --reload
firewall-cmd --permanent --policy=wg-inet-to-public --add-ingress-zone=wg-inet
firewall-cmd --permanent --policy=wg-inet-to-public --add-egress-zone=public
firewall-cmd --permanent --policy=wg-inet-to-public --set-target=ACCEPT

# Enable NAT for IPv4 (this implicitly enables IP forwarding in general)
# This part replaces the PostUp / PostDown commands!
firewall-cmd --permanent --zone=public --add-masquerade

# apply all rules
firewall-cmd --reload

Open Squid Port for the Internet

# Allow incoming connections on the configured Squid port
firewall-cmd --permanent --zone=public --add-port=61923/tcp

# apply all rules
firewall-cmd --reload

Open SoftetherVPN Ports for the Internet

# Allow incoming connections on the configured SoftEther ports
firewall-cmd --permanent --zone=public --add-port=5555/tcp
# apply all rules
firewall-cmd --reload

Open OpenVPN (within SoftetherVPN) Ports for the Internet

# Allow incoming connections on the configured SoftEther ports
firewall-cmd --permanent --zone=public --add-port=1194/tcp
# OpenVPN prefers udp ;-)
firewall-cmd --permanent --zone=public --add-port=1194/udp

# apply all rules
firewall-cmd --reload

Open L2TP (within SoftetherVPN) Ports for the Internet

# Allow incoming connections on the configured SoftEther ports
# L2TP/IPsec cannot switch the ports ... => we have to open these ones!
firewall-cmd --permanent --zone=public --add-port=500/udp
firewall-cmd --permanent --zone=public --add-port=4500/udp

# apply all rules
firewall-cmd --reload

OpenConnect - oconnect Port for the Internet

# Allow incoming connections on the configured OpenConnect port
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=443/udp

# apply all rules
firewall-cmd --reload
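An added check, not part of the original post or the linked guides: it audits the resulting "public" zone against the ports opened in the sections above, flags any other open port, and verifies that eth0 is bound to the zone and IPv4 masquerade is on. It assumes the output of firewall-cmd --zone=public --list-all has been saved to a file; the sample below is constructed.

```shell
#!/usr/bin/env bash
# Audit the firewalld "public" zone against the ports opened in the sections above.
# Reads saved output of "firewall-cmd --zone=public --list-all" from a file, flags
# every open port not on the allowlist, and checks that eth0 is bound and masquerade is on.

# Ports this server is meant to expose (collected from the sections above).
ALLOWED_PORTS="51001/udp 61923/tcp 5555/tcp 1194/tcp 1194/udp 500/udp 4500/udp 443/tcp 443/udp"

# audit_public_zone FILE -> prints findings; returns 0 if the zone matches, 1 otherwise
audit_public_zone() {
  local file="$1" rc=0 ports services p
  ports=$(sed -n 's/^ *ports: *//p' "$file")
  for p in $ports; do
    case " $ALLOWED_PORTS " in
      *" $p "*) ;;
      *) echo "UNEXPECTED port open in public zone: $p"; rc=1 ;;
    esac
  done
  # firewalld "services" open ports as well (ssh and dhcpv6-client by default): show them
  services=$(sed -n 's/^ *services: *//p' "$file")
  if [ -n "$services" ]; then echo "note: services also open ports: $services"; fi
  grep -Eq '^ *interfaces:( [^ ]+)* eth0( |$)' "$file" \
    || { echo "eth0 is not bound to the public zone"; rc=1; }
  grep -Eq '^ *masquerade: yes' "$file" \
    || { echo "masquerade is off: tunnel clients get no IPv4 NAT"; rc=1; }
  return $rc
}

# Constructed, abridged sample of --list-all output (not a real capture); 8080/tcp
# is a port the documented setup never opened.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 51001/udp 61923/tcp 8080/tcp
  forward: yes
  masquerade: yes
  rich rules: 
EOF

if audit_public_zone "$SAMPLE_ZONE"; then
  echo "public zone matches the documented setup"
else
  echo "public zone deviates from the documented setup"
fi
```

On the server, save the live state with firewall-cmd --zone=public --list-all > /tmp/public.txt and call audit_public_zone /tmp/public.txt.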




firewalld documentation

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/using-and-configuring-firewalld_firewall-packet-filters

/usr/lib/firewalld/zones/ 

Firewall Checks 

firewall-cmd --get-zones

firewall-cmd --list-all-zones

firewall-cmd --get-active-zones

firewall-cmd --zone=public --list-all

firewall-cmd --zone=wg-inet --list-all


Check Open Ports with the nc tool (netcat)

nc gueldenpfennig.info 80 -z -w 2

nc linux.gueldenpfennig.info 8080 -z -w 2 

Answer connect ok:
Connection to gueldenpfennig.info (85.13.164.222) 80 port [tcp/http] succeeded!
Connection to linux.gueldenpfennig.info (45.89.127.31) 8080 port [tcp/http-alt] succeeded! 

Answer connect NOT ok:
"... just no answer at all ..."

IPv6 Overview 

Own IP Range: 2a00:11c0:5f:4283::/64

Server-IP on eth0: 2a00:11c0:5f:4283:422:c7ff:fe99:391

Server-IP in Wireguard: 2a00:11c0:5f:4283::cafe:1/120

Client-IP in Wireguard: 2a00:11c0:5f:4283::cafe:<nn>/128 

Google DNS: 8.8.8.8, 2001:4860:4860::8888


IPv6 Masquerade - not really nice, but possible

https://github.com/firewalld/firewalld/issues/29

=> 

Masquerading "out of the box" could be something like
firewall-cmd --zone=XYZ --add-rich-rule='rule family="ipv6" source address="X::0/118" masquerade'

Also don't forget to disable IPv6_rpfilter in /etc/firewalld/firewalld.conf if you need to.

IPv6 NATting seems to be dependent on the kernel compilation!

https://superuser.com/questions/1751062/ipv6-masquerading-on-linux 

Ubuntu man pages: https://manpages.ubuntu.com/manpages/questing/en/man1/firewall-cmd.1.html

Fritzbox & IPv6 Wireguard & ULA

As the Fritzbox REQUIRES ULA IPv6 addresses in the WireGuard tunnel (private addresses that are not routed on the internet) - most likely the FDxx range is needed, and FCxx does not work on the Fritzbox - they would have to be NATted by the WireGuard server in order to route this traffic to the internet. On the one hand, this needs the rarely used/available IPv6 NAT feature. On the other hand, it no longer requires a complete IPv6 network; a single /128 address is sufficient then ... so this would be good and bad together ...

Show Open Ports

https://todisco.de/de/blog/genutzte-ports

... just tcp ports:

lsof -i -P -n | grep LISTEN

udp & tcp ports

apt install net-tools

netstat -tuln


Further firewalld information ;-)

https://major.io/tags/firewalld/

https://major.io/p/forwarding-ports-with-firewalld/

https://major.io/p/firewalld-port-redirection/

Convert udp to tcp

https://unix.stackexchange.com/questions/267118/create-udp-to-tcp-bridge-with-socat-netcat-to-relay-control-commands-for-vlc-med

nc -v -u -l -p 3333 | nc -v 127.0.0.1 50000

or

socat -v UDP-LISTEN:3333,fork TCP:localhost:50000




( ubuntu )
