999null 0 Posted ...
Hello everyone,
Can someone advise me on the iptables or PreUp/PostDown rules to set up for WireGuard, in case the AirVPN server goes down (for maintenance or an error), on Ubuntu 20? Currently it's just this:

[Interface]
Address = 10xxxxxxxxxxxxxxxxxxxxxxxxx6852/48
PrivateKey = oKdZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3ES1s=
DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1

[Peer]
PublicKey = PyLCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxuig+hk=
PresharedKey = q0xxxxxxxxxxxxxxxxxxxxxxxx9BacQ=
Endpoint = 134.19.179.146:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
Chino 2 Posted ...
Hello friend, in search of a "killswitch" I found your question and a little later a solution for myself. Well, there are in fact a few possible solutions. I don't claim this one to be the best, but it works in my case and that is what matters to me. My wg0.conf looks like this:

[Interface]
Address = xxx
PrivateKey = xxx
DNS = xxx
# Flush the filter table, then reject anything that does not leave through the
# tunnel (packets carrying the WireGuard fwmark are the encrypted UDP itself and
# stay allowed); finally allow loopback and the LAN. The OUTPUT exception
# matches the LAN as destination (-d), not as source.
PostUp = iptables --flush && iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -A INPUT -i lo -j ACCEPT && iptables -I OUTPUT -d 192.168.0.0/16 -j ACCEPT && iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT
PreDown = iptables --flush

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = xxx
AllowedIPs = xxx
PersistentKeepalive = xxx

What this does: In the PostUp I delete all iptables rules and make sure every bit of traffic goes through the wg device. I need to communicate with devices in my LAN, so I made this possible with the two input/output rules at the end. Also loopback communication is allowed, which otherwise would also be blocked.

Please keep in mind: I don't use iptables/nftables other than for this purpose. If you do, you could just revert every changed value via PreDown instead of flushing all rules.

Also, for convenience I start WireGuard with systemd at startup. This requires wg-quick to work. You need to copy or move your config file to the wireguard dir:

sudo cp wg0.conf /etc/wireguard/wg0.conf

Try if there are possible errors:

sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service

Then make it persistent:

sudo systemctl enable wg-quick@wg0.service
999null 0 Posted ...
Thank you for your reply. Although I am not sure this is correct, as this will delete all my previous rules. Please correct me if I am wrong.

iptables --flush
Chino 2 Posted ...
You are absolutely right. The "flush" parameter will delete all your iptables rules. Like I said: I don't use iptables other than for this purpose, so this is no problem for me. What you could do instead is delete (the -D parameter) every rule you set in PostUp. The whole set of PostUp/PreDown rules with LAN access allowed:

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -A INPUT -i lo -j ACCEPT && iptables -I OUTPUT -d 192.168.0.0/16 -j ACCEPT && iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -D INPUT -i lo -j ACCEPT && iptables -D OUTPUT -d 192.168.0.0/16 -j ACCEPT && iptables -D INPUT -s 192.168.0.0/16 -j ACCEPT
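The PostUp/PreDown pairs in the two posts above have to stay in lockstep: a PreDown that deletes a rule with a slightly different match expression than the one PostUp inserted leaves the rule in place, and a LAN exception that matches the host's own source address instead of the LAN destination silently accepts everything and disables the kill switch. The script below is an added example (not Chino's configuration and not anything from AirVPN) that builds all three variants of the rule set from one template: add for PostUp, del for PreDown, and check (iptables -C) to verify after wg-quick up that every rule is really present. The function names ks_rules/ks_run, the LAN_NET default and the script path in the comment are assumptions; the interface name and fwmark are passed in by the caller, because `wg show IFACE fwmark` needs a live interface and root.

```shell
#!/bin/sh
# Added example, not code from the thread or from AirVPN. Generates the
# WireGuard kill-switch rules from a single template so that PostUp (add),
# PreDown (del) and a verification pass (check) always use identical matches.
# Names ks_rules/ks_run and the LAN_NET default are assumptions.

# LAN range that should stay reachable outside the tunnel (assumed default).
LAN_NET="${LAN_NET:-192.168.0.0/16}"

# ks_rules MODE IFACE FWMARK
#   MODE  add   -> -I/-A  (use in PostUp)
#         del   -> -D     (use in PreDown)
#         check -> -C     (exit status tells whether each rule is present)
#   Prints one iptables/ip6tables command per line; executes nothing.
ks_rules() {
    mode=$1; ifc=$2; mark=$3
    if [ -z "$ifc" ] || [ -z "$mark" ]; then
        echo "usage: ks_rules add|del|check IFACE FWMARK" >&2; return 2
    fi
    case $mode in
        add)   ins='-I'; app='-A' ;;
        del)   ins='-D'; app='-D' ;;
        check) ins='-C'; app='-C' ;;
        *)     echo "usage: ks_rules add|del|check IFACE FWMARK" >&2; return 2 ;;
    esac
    # Reject anything that leaves on a non-tunnel interface, does not carry the
    # WireGuard fwmark (the encrypted UDP itself carries it and still passes)
    # and is not addressed to a local address. This is the rule that stops
    # plaintext leaking when the peer is unreachable or the tunnel goes down.
    for ipt in iptables ip6tables; do
        echo "$ipt $ins OUTPUT ! -o $ifc -m mark ! --mark $mark -m addrtype ! --dst-type LOCAL -j REJECT"
    done
    # Exceptions: loopback and the LAN. The OUTPUT exception matches the
    # destination (-d); matching the source (-s) would hit the host's own LAN
    # address on every outbound packet and accept all of them.
    echo "iptables $app INPUT -i lo -j ACCEPT"
    echo "iptables $ins OUTPUT -d $LAN_NET -j ACCEPT"
    echo "iptables $ins INPUT -s $LAN_NET -j ACCEPT"
}

# ks_run MODE IFACE FWMARK: execute the generated commands (root required).
# Stops at the first failing command and returns its status, so "check"
# returns non-zero as soon as one rule is missing.
ks_run() {
    ks_rules "$@" | while IFS= read -r cmd; do
        $cmd || exit $?
    done
}

# When invoked directly (assumed path /usr/local/sbin/killswitch.sh), forward
# the arguments to ks_run. Matching wg0.conf lines would be:
#   PostUp  = /usr/local/sbin/killswitch.sh add %i $(wg show %i fwmark)
#   PreDown = /usr/local/sbin/killswitch.sh del %i $(wg show %i fwmark)
# and, after wg-quick up:  killswitch.sh check wg0 $(wg show wg0 fwmark)
case "${1:-}" in
    add|del|check) ks_run "$@" ;;
esac
```

Because both hooks come from the same function, the PreDown is guaranteed to remove exactly what the PostUp inserted, and the check mode gives you something to put in a monitoring job: `iptables -C` exits non-zero when a rule is absent, so a missing REJECT rule is caught before it turns into a leak. The script only flushes nothing and touches nothing beyond its own five rules, so it coexists with other iptables or nftables rules, which addresses the concern about `iptables --flush` raised in the thread.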