How do I create a VPN kill switch for PrivateInternetAccess and Wireguard in ufw or iptables?
I am using the manual-connections collection of scripts from PrivateInternetAccess on my headless Ubuntu server. I run the setup script from a service unit, and I need to make sure that I cannot reach anything outside my local network when Wireguard fails.
/etc/systemd/system/pia.service
[Unit]
Description=PrivateInternetAccess (Wireguard, Switzerland)
After=network-online.target
[Service]
User=ubuntu
Group=ubuntu
ExecStart=/usr/bin/sudo PIA_USER=REDACTED PIA_PASS=REDACTED PIA_DNS=true PIA_PF=true DISABLE_IPV6=yes VPN_PROTOCOL=wireguard PREFERRED_REGION=swiss ./run_setup.sh
WorkingDirectory=/home/ubuntu/src/manual-connections
[Install]
WantedBy=multi-user.target
Journal logs:
PIA_USER=REDACTED
PIA_PASS input received.
Checking login credentials...OK!
PIA_TOKEN=REDACTED
This token will expire in 24 hours, on Wed Nov 24 12:23:26 2021.
PIA_PF=true
The variable DISABLE_IPV6=yes, does not start with 'n' for 'no'.
Defaulting to yes.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
IPv6 has been disabled, you can enable it again with:
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0
AUTOCONNECT was not declared.
Region input is : swiss
Getting the server list...OK!
The selected region is Switzerland.
The script found the best servers from the region you selected.
When connecting to an IP (no matter which protocol), please verify
the SSL/TLS certificate actually contains the hostname so that you
are sure you are connecting to a secure server, validated by the
PIA authority. Please find below the list of best IPs and matching
hostnames for each protocol:
Meta Services 212.102.37.176 - zurich402
WireGuard 212.102.37.187 - zurich402
OpenVPN TCP 212.102.37.187 - zurich402
OpenVPN UDP 212.102.37.187 - zurich402
Using existing token REDACTED.
VPN_PROTOCOL=wireguard
PIA_DNS=true
Getting the server list...OK!
Using existing token REDACTED.
The ./get_region.sh script got started with
VPN_PROTOCOL=wireguard, so we will automatically connect to WireGuard,
by running this command:
$ PIA_TOKEN=REDACTED \
WG_SERVER_IP=212.102.37.205 WG_HOSTNAME=zurich402 \
PIA_PF=true ./connect_to_wireguard_with_token.sh
Trying to connect to the PIA WireGuard API on 212.102.37.205...
Trying to disable a PIA WG connection in case it exists...
wg-quick: `pia' is not a WireGuard interface
Trying to set up DNS to 10.0.0.243. In case you do not have resolvconf,
this operation will fail and you will not get a VPN. If you have issues,
start this script without PIA_DNS.
Trying to write /etc/wireguard/pia.conf...OK!
Trying to create the wireguard interface...
[#] ip link add pia type wireguard
[#] wg setconf pia /dev/fd/63
[#] ip -4 address add 10.28.251.36 dev pia
[#] ip link set mtu 1420 up dev pia
[#] resolvconf -a tun.pia -m 0 -x
[#] wg set pia fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev pia table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
The WireGuard interface got created.
At this point, internet should work via VPN.
To disconnect the VPN, run:
--> wg-quick down pia <--
This script got started with PIA_PF=true.
Starting port forwarding in 5...4...3...2...1...
Starting procedure to enable port forwarding by running the following command:
$ PIA_TOKEN=REDACTED \
PF_GATEWAY=212.102.37.205 \
PF_HOSTNAME=zurich402 \
./port_forwarding.sh
Getting new signature... OK!
Signature REDACTED
Payload REDACTED
--> The port is 22419 and it will expire on 2022-01-25T00:25:25.06880542Z. <--
Trying to bind the port... OK!
Forwarded port 22419
Refreshed on Tue Nov 23 12:23:43 UTC 2021
Expires on Tue Jan 25 00:25:25 UTC 2022
This script will need to remain active to use port forwarding, and will refresh every 15 minutes.
I would like to have a set of UFW rules for the gateway described in the logs (while still having access to any of my other machines on the LAN). I cannot figure out how. I have found several guides that only apply to OpenVPN, not to the newer Wireguard version.
Hardware: Raspberry Pi 3 Model B Plus Rev 1.3
OS: Ubuntu 21.10 (GNU/Linux 5.13.0-1010-raspi aarch64)
ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether REDACTED brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether REDACTED brd ff:ff:ff:ff:ff:ff
4: pia: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
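Added example, not code from the original post or from PIA's manual-connections project: a small POSIX sh script that prints the ufw rule set for a kill switch on the `pia` WireGuard interface, keeping the LAN reachable when the tunnel is down. The interface name `pia`, the endpoint 212.102.37.205 and the forwarded port 22419 are taken from the log above. Everything else is an assumption and can be overridden with environment variables: the uplink is `eth0`, the LAN is 192.168.1.0/24, and PIA uses port 1337 for both the WireGuard UDP endpoint and the HTTPS addKey API. The `ufw_killswitch` and `audit_no_wan_leak` function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or the PIA manual-connections
# project: print a ufw rule set that acts as a kill switch for the "pia"
# WireGuard interface while keeping the LAN reachable. From the log above:
# interface pia, endpoint 212.102.37.205, forwarded port 22419. Assumptions
# (override via environment): uplink eth0, LAN 192.168.1.0/24, and port 1337
# for both PIA's WireGuard UDP endpoint and its HTTPS addKey API.

VPN_IF="${VPN_IF:-pia}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumption: your LAN prefix
WG_ENDPOINT="${WG_ENDPOINT:-212.102.37.205}"
WG_PORT="${WG_PORT:-1337}"                  # assumption: PIA tunnel/API port
PF_PORT="${PF_PORT:-22419}"                 # from the log; a renewed port differs

# Print the ufw commands. Pass "bootstrap" as the first argument to also allow
# HTTPS on the uplink, which run_setup.sh needs before the tunnel exists for
# its token and server-list requests; that widens the kill switch, so the
# strict set is what should be active once the tunnel is up.
ufw_killswitch() {
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
# LAN traffic on the physical NIC stays allowed in both directions
ufw allow in on $WAN_IF from $LAN_NET
ufw allow out on $WAN_IF to $LAN_NET
# the only internet-bound traffic permitted on the uplink: the WireGuard peer
ufw allow out on $WAN_IF to $WG_ENDPOINT port $WG_PORT proto udp
ufw allow out on $WAN_IF to $WG_ENDPOINT port $WG_PORT proto tcp
EOF
    if [ "${1:-}" = "bootstrap" ]; then
        echo "ufw allow out on $WAN_IF to any port 443 proto tcp"
    fi
    cat <<EOF
# everything else leaves through the tunnel (including DNS to 10.0.0.243 set by PIA_DNS)
ufw allow out on $VPN_IF
# the PIA forwarded port is the only inbound service exposed on the tunnel
ufw allow in on $VPN_IF to any port $PF_PORT
# log dropped packets so a leak attempt shows up in journalctl -k as [UFW BLOCK]
ufw logging low
ufw --force enable
EOF
}

# Audit a rule set read from stdin: succeed only if no rule lets the uplink
# reach an arbitrary destination (the bootstrap variant adds such a rule).
audit_no_wan_leak() {
    ! grep -q "allow out on $WAN_IF to any"
}

# Stand-alone use: review the output, then apply as root with
#   sh killswitch.sh | sudo sh
ufw_killswitch "${1:-}"
```

With the strict set active, taking the tunnel down (`wg-quick down pia`) leaves only LAN traffic and the UDP handshake to the endpoint allowed on `eth0`, so any process that tries to reach the internet directly is dropped and logged as `[UFW BLOCK]`. The log shows the setup script already disables IPv6 via sysctl, so these rules only cover IPv4; if IPv6 is ever re-enabled, the same defaults apply to it because ufw manages both families. The forwarded port changes when port_forwarding.sh renews it, so the `allow in on pia` rule has to be updated then.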