Thursday, January 23, 2020

manually config iptables/routes for VPN tunnel on WiFi router

After countless sleepless nights I’ve finally compiled a working kernel mod to enable wireguard on a netgear LTE router.

I’ve messed around with `ip [-6] route` and iptables, but the most I’m able to achieve is successfully forcing all IPv6 and IPv4 data from the router shell itself through the tunnel, like when I run curl or ping while I’m SSH’d into the router. When I connect a device via WiFi, none of the traffic goes through the tunnel despite the default gateway of the router being set to the tunnel network interface. I've tried things like `ip route add 155.254.96.50 via 10.38.125.65`, `ip route add 0/1 dev wg0`, `ip route add 128/1 dev wg0`, etc.

What do I need to do manually with routes and IP tables to set up forced VPN tunneling for devices connected via WiFi?

Here’s my default config untouched by my changes except for the addition of the wireguard interface. I connect to WiFi primarily on wlan0 based on the MAC address.

```
~ root@mdm9650 ❯ ifconfig
bridge0   Link encap:Ethernet  HWaddr 10:0C:6B:79:B9:86
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::604f:e2ff:fed6:678b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:2741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2593831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:178838 (174.6 KiB)  TX bytes:1223449056 (1.1 GiB)

eth0      Link encap:Ethernet  HWaddr 02:29:CE:CD:34:E9
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1036 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1036 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:544167 (531.4 KiB)  TX bytes:544167 (531.4 KiB)

rmnet_data0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.38.125.66  Mask:255.255.255.252
          inet6 addr: 2600:380:5221:52a4:e870:cb70:7bee:8a5e/64 Scope:Global
          inet6 addr: fe80::e1b1:5e20:6636:ce96/64 Scope:Link
          UP RUNNING PROMISC ALLMULTI  MTU:1430  Metric:1
          RX packets:1834 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:336379 (328.4 KiB)  TX bytes:468256 (457.2 KiB)

rmnet_ipa0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING  MTU:2000  Metric:1
          RX packets:1834 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:343715 (335.6 KiB)  TX bytes:468256 (457.2 KiB)

rndis0    Link encap:Ethernet  HWaddr E6:8C:C1:46:4F:00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.65.187.205  P-t-P:10.65.187.205  Mask:255.255.255.255
          inet6 addr: fc00:bbbb:bbbb:bb01::2:bbcc/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:984 (984.0 B)  TX bytes:1256 (1.2 KiB)

wlan0     Link encap:Ethernet  HWaddr 10:0C:6B:79:B9:85
          inet addr:169.254.1.1  Bcast:255.255.255.255  Mask:0.0.0.0
          inet6 addr: fe80::120c:6bff:fe79:b985/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3000
          RX bytes:248 (248.0 B)  TX bytes:367112 (358.5 KiB)

wlan2     Link encap:Ethernet  HWaddr 10:0C:6B:79:B9:86
          inet addr:169.254.2.1  Bcast:255.255.255.255  Mask:0.0.0.0
          inet6 addr: fe80::120c:6bff:fe79:b986/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1095 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3000
          RX bytes:0 (0.0 B)  TX bytes:76088 (74.3 KiB)
```

```
~ root@mdm9650 ❯ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i rmnet_data0 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i rmnet_data0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i rmnet0 -m state --state INVALID,NEW -j DROP
-A INPUT -i rmnet+ -m state --state INVALID,NEW -j DROP
-A FORWARD -i bridge0 -p tcp -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1390
```

```
~ root@mdm9650 ❯ iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o rmnet_data0 -j SNAT --to-source 10.38.125.66
```

```
~ root@mdm9650 ❯ ip route
default via 10.38.125.65 dev rmnet_data0
10.38.125.64/30 dev rmnet_data0 scope link
192.168.1.0/24 dev bridge0 proto kernel scope link src 192.168.1.1
```

```
~ root@mdm9650 ❯ ip -6 route
2600:380:5221:52a4::/64 dev bridge0 metric 1024
fc00:bbbb:bbbb:bb01::2:bbcc dev wg0 proto kernel metric 256
fe80::/64 dev bridge0 proto kernel metric 256
fe80::/64 dev rmnet_data0 proto kernel metric 256 mtu 1430
default dev rmnet_data0 metric 256
```
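The IPv4 side of the setup the question asks for, as an added example that is not part of the original post: it assumes wlan0 clients sit on bridge0 (192.168.1.0/24), takes interface names and the LTE next hop from the dumps above, and uses WG_ENDPOINT as a placeholder for the WireGuard peer's public address. The point the dumps reveal is that the only NAT rule matches `-o rmnet_data0`, so anything forwarded out wg0 leaves with a 192.168.1.x source the peer cannot route back; the script adds the wg0 masquerade, the 0/1 + 128/1 split, a host route for the peer, and a kill switch so LAN traffic cannot fall back to LTE.

```shell
#!/bin/sh
# Added example, not from the original post: routes and netfilter rules that
# force IPv4 traffic from LAN clients (bridge0, which wlan0 is assumed to be
# bridged into) through wg0 and block any fallback to the LTE uplink.
# Interface names and the LTE next hop come from the post's dumps;
# WG_ENDPOINT is a placeholder for the WireGuard peer's public address.

LAN_IF=bridge0
WAN_IF=rmnet_data0
WAN_GW=10.38.125.65                       # "default via 10.38.125.65"
VPN_IF=wg0
WG_ENDPOINT=${WG_ENDPOINT:-203.0.113.10}  # placeholder, not the real peer

# Execute the command, or only print it when DRY_RUN=1 (for review/testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

tunnel_lan_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    # Keep the encrypted UDP to the peer on the LTE link; otherwise the /1
    # routes below would try to send the tunnel's own packets into the tunnel.
    run ip route add "$WG_ENDPOINT" via "$WAN_GW" dev "$WAN_IF"
    # Two /1 routes are more specific than the /0 default, so they win
    # without deleting the carrier-provided default route.
    run ip route add 0.0.0.0/1 dev "$VPN_IF"
    run ip route add 128.0.0.0/1 dev "$VPN_IF"
    # The stock SNAT rule only matches "-o rmnet_data0"; packets forwarded
    # out wg0 still carry 192.168.1.x sources, which the peer will not route.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Kill switch: LAN traffic may leave only via the tunnel, never via LTE.
    run iptables -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -I FORWARD 2 -i "$VPN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD 3 -i "$LAN_IF" ! -o "$VPN_IF" -j REJECT
    # wg0's MTU is 1420 (MSS 1380), so the existing clamp to 1390 is too
    # large for the tunnel; clamp to path MTU in mangle, which runs first.
    run iptables -t mangle -A FORWARD -o "$VPN_IF" -p tcp \
        --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

case "${1:-}" in
    show)  DRY_RUN=1; tunnel_lan_setup ;;
    apply) DRY_RUN=0; tunnel_lan_setup ;;
esac
```

`sh wg-lan.sh show` prints the commands for review and `sh wg-lan.sh apply` runs them as root; the IPv6 side needs the same split (`::/1` and `8000::/1` dev wg0) plus matching ip6tables rules, which are omitted here.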
