Jump to content
Not connected, Your IP: 44.212.50.220
999null

Kill switch settings for Wireguard on ubuntu 20

Recommended Posts

Hello everyone, 

Can someone advice me the iptable or PreUP postdown rules to set up for Wireguard, if the airvpn server goes down (for maintenance or error).  on ubuntu 20. 

Currently it's just this

[Interface]
Address = 10xxxxxxxxxxxxxxxxxxxxxxxxx6852/48
PrivateKey = oKdZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3ES1s=
DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1

[Peer]
PublicKey = PyLCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxuig+hk=
PresharedKey = q0xxxxxxxxxxxxxxxxxxxxxxxx9BacQ=
Endpoint = 134.19.179.146:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15

Share this post


Link to post

Hello friend,

in search for a "killswitch" I found your question and a little later a solution for myself. Well there are in fact a few possible solutions. I don't claim this one to be the best, but it works in my case and that is what matters to me.

My wg0.conf looks like this:

[Interface]
Address = xxx
PrivateKey = xxx
DNS = xxx

PostUp  =  iptables --flush && iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -A INPUT -i lo -j ACCEPT && iptables -I OUTPUT -s 192.168.00.0/16 -j ACCEPT && iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT
PreDown = iptables --flush

[Peer]
PublicKey =xxx
PresharedKey =xxx
Endpoint =xxx
AllowedIPs = xxx
PersistentKeepalive = xxx

What this does: In the PostUp I delete all iptable rules and make shure every traffic goes trough the wg device. I need to communicate with devices in my LAN, so I made this possible with the two input/output rules at the end. Also loopback communication is allowed which otherwise would also be blocked.

Please keep in mind: I dont use iptabes/nftables other than for this purpouse. If you do you could just revert every changed value via PreDown instead of flushing all rules.

Also for convinience I start wireguard with systemd at startup. This requires wg-quick to work.
You need to copy or move your config-file to the wireguard dir:
sudo cp wg0.conf /etc/wireguard/wg0.conf


Try if there are possible errors:
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service

Then make it persistent:
sudo systemctl enable wg-quick@wg0.service

Share this post


Link to post
Thank you for your reply.

Although I am not sure this is correct, as this will delete all my previous rules. Please correct me if I am wrong.

 
iptables --flush



 

Share this post


Link to post

You are absolutly right. The "flush" parameter will delete all your iptable rules.

Like I said: I dont use iptabes other than for this purpouse. So this is no problem for me.

What you could do instead is delete (the -D parameter) every rule you set in post up. The whole set of postup/predown rules with LAN-access allowed:
 

PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -A INPUT -i lo -j ACCEPT && iptables -I OUTPUT -s 192.168.00.0/16 -j ACCEPT && iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -D INPUT -i lo -j ACCEPT && iptables -D OUTPUT -s 192.168.00.0/16 -j ACCEPT && iptables -D INPUT -s 192.168.0.0/16 -j ACCEPT

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...