net-tools/wireguard-vpn-vlan.conf at master · zephyrproject-rtos/net-tools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# Configuration file for setting IP addresses for a network interface
# and setting up Wireguard VPN, one normal interface and a VLAN interface.

INTERFACE="$1"

HWADDR="00:00:5e:00:53:ff"

# zeth setup (all data goes through this one)
IPV6_ADDR_1="2001:db8::2/64"
IPV6_ROUTE_1="2001:db8::/64"
IPV4_ADDR_1="192.0.2.2/24"
IPV4_ROUTE_1="192.0.2.0/24"

ip link set dev $INTERFACE up
ip link set dev $INTERFACE address $HWADDR
ip -6 address add $IPV6_ADDR_1 dev $INTERFACE nodad
ip -6 route add $IPV6_ROUTE_1 dev $INTERFACE
ip address add $IPV4_ADDR_1 dev $INTERFACE
ip route add $IPV4_ROUTE_1 dev $INTERFACE > /dev/null 2>&1

# VLAN setup
VLAN_NAME_PREFIX="vlan"
VLAN_ID=200
VLAN_IFACE="${VLAN_NAME_PREFIX}.${VLAN_ID}"
VLAN_PREFIX_IPV6="2001:db8:200"
VLAN_PREFIXLEN_IPV6="64"
VLAN_PREFIX_IPV4="203.0.113"
VLAN_PREFIXLEN_IPV4="24"

ip link add link ${INTERFACE} name ${VLAN_IFACE} type vlan id ${VLAN_ID}
ip link set ${VLAN_IFACE} up
ip -6 addr add ${VLAN_PREFIX_IPV6}::2/${VLAN_PREFIXLEN_IPV6} dev ${VLAN_IFACE}
ip -6 route add ${VLAN_PREFIX_IPV6}::/${VLAN_PREFIXLEN_IPV6} dev ${VLAN_IFACE}
ip addr add ${VLAN_PREFIX_IPV4}.2/${VLAN_PREFIXLEN_IPV4} dev ${VLAN_IFACE}
ip route add ${VLAN_PREFIX_IPV4}/${VLAN_PREFIXLEN_IPV4} dev ${VLAN_IFACE}

# Then setup Wireguard interfaces zwg0 and zwg1 (for VLAN)

VPN_IFACE="zwg0"
VPN_PORT=51820
PEER_PUBLIC_KEY="akhnZioadZ40wdou2j0HWOxd/fCCqLD1e1AtNNjsjmo="
PEER_ENDPOINT_IPV4="192.0.2.1"
PEER_ENDPOINT_IPV6="2001:db8::1"

# This specifies the outer tunneling addressing. By default this
# is set to IPv4 address.
PEER_ENDPOINT="${PEER_ENDPOINT_IPV4}"

VPN_PREFIX_1_IPV6="2001:db8:100"
VPN_PREFIXLEN_1_IPV6="64"
VPN_ROUTE_IPV6="${VPN_PREFIX_1_IPV6}::/${VPN_PREFIXLEN_1_IPV6}"

# From RFC 5737
VPN_PREFIX_1_IPV4="198.51.100"
VPN_PREFIXLEN_1_IPV4="24"
VPN_ROUTE_IPV4="${VPN_PREFIX_1_IPV4}.0/${VPN_PREFIXLEN_1_IPV4}"

ip link add dev ${VPN_IFACE} type wireguard
ip address add dev ${VPN_IFACE} ${VPN_PREFIX_1_IPV4}.2 peer ${VPN_PREFIX_1_IPV4}.1
ip address add dev ${VPN_IFACE} ${VPN_PREFIX_1_IPV6}::2 peer ${VPN_PREFIX_1_IPV6}::1
wg set ${VPN_IFACE} listen-port ${VPN_PORT} \
   private-key privatekey.wg \
   peer ${PEER_PUBLIC_KEY} \
   endpoint ${PEER_ENDPOINT}:${VPN_PORT} \
   allowed-ips ${VPN_ROUTE_IPV4},${VPN_ROUTE_IPV6}
ip link set up dev ${VPN_IFACE}
ip route add ${VPN_ROUTE_IPV6} dev ${VPN_IFACE}

# And wg1 which will be routed via VLAN

VPN_IFACE="zwg1"
VPN_PORT=51821
PEER_ENDPOINT_IPV6="2001:db8:200::1"
VPN_PREFIX_IPV6="2001:db8:300"
VPN_PREFIXLEN_IPV6="64"
PEER_ENDPOINT="${PEER_ENDPOINT_IPV6}"
VPN_ROUTE_IPV6="${VPN_PREFIX_IPV6}::/${VPN_PREFIXLEN_IPV6}"

ip link add dev ${VPN_IFACE} type wireguard
ip -6 address add dev ${VPN_IFACE} ${VPN_PREFIX_IPV6}::2 peer ${VPN_PREFIX_IPV6}::1
wg set ${VPN_IFACE} listen-port ${VPN_PORT} \
   private-key privatekey.wg \
   peer ${PEER_PUBLIC_KEY} \
   endpoint ${PEER_ENDPOINT}:51820 \
   allowed-ips ${VPN_ROUTE_IPV6}
ip link set up dev ${VPN_IFACE}
ip route add ${VPN_ROUTE_IPV6} dev ${VPN_IFACE}