barrowclift.github.io's Issues

A suggestion about “Wireguard Server on macOS”

Hi, I'm among the dozen people who run a Wireguard server on macOS. I have a couple of remarks about setting up the firewall rules.

  1. I think that the two NAT rules you suggest are conflicting with each other. I was noticing dropped pings (first ping ok, then the rest times out)—usually a symptom of different devices using the same IP—which I resolved by removing the utun NAT rule. The following rule is enough to let me access my LAN through Wireguard:
nat on en0 from 10.0.10.0/24 to any -> (en0)

(where en0 is the active interface on my computer, of course, and 10.0.10.0/24 is Wireguard's subnet).

  2. Modifying /etc/pf.conf (or any other system file in macOS) is never a good idea. It will most likely be overwritten on updates. I use Wireguard's PostUp and PostDown to dynamically add/remove the above firewall rule. Specifically:
  • create /usr/local/etc/wireguard/postup.sh with the following content:
#!/bin/sh
# Directory for the pfctl reference token, accessible by root only.
mkdir -p /usr/local/var/run/wireguard
chmod 700 /usr/local/var/run/wireguard
# Load the NAT rule into the wireguard anchor, enable pf with a reference
# (-E), and keep only the token pfctl prints so it can be released later.
echo 'nat on en0 from 10.0.10.0/24 to any -> (en0)' | \
  pfctl -a com.apple/wireguard -Ef - 2>&1 | \
  grep 'Token' | \
  sed 's%Token : \(.*\)%\1%' >/usr/local/var/run/wireguard/pf_wireguard_token.txt

This will create a directory to store the token generated by pfctl; set its permissions so that it will be accessible only by root; dynamically add the NAT rule to the com.apple/wireguard anchor; enable the firewall and increase its reference count (-E); filter pfctl output to extract the reference token and store it into pf_wireguard_token.txt.

  • Create /usr/local/etc/wireguard/postdown.sh with the following content:
#!/bin/sh
# Release the reference token saved by postup.sh (-X); pf is only disabled
# when no other references remain.
TOKEN=$(cat /usr/local/var/run/wireguard/pf_wireguard_token.txt)
pfctl -X "${TOKEN}" || exit 1
rm -f /usr/local/var/run/wireguard/pf_wireguard_token.txt

This will get the reference from the file created before and it will release it (-X), disabling the firewall if there are no other references (otherwise the firewall will remain enabled).

  • Make the two scripts executable!

  • Add PostUp and PostDown directives to the server's configuration, e.g.:

[Interface]
Address = 10.0.10.0/24
PrivateKey = XXX
ListenPort = 51820
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111
PostUp = /usr/sbin/sysctl -w net.inet.ip.forwarding=1
PostUp = /usr/sbin/sysctl -w net.inet6.ip6.forwarding=1
PostUp = /usr/local/etc/wireguard/postup.sh
PostDown = /usr/local/etc/wireguard/postdown.sh

You don't need a launchd plist to start the firewall any longer. Rather, you should define a launchd plist to bring up Wireguard at boot time:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>com.wireguard.server</string>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/bin/wg-quick</string>
      <string>up</string>
      <string>/usr/local/etc/wireguard/server.conf</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>LaunchOnlyOnce</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/usr/local/var/log/wireguard.err</string>
    <key>EnvironmentVariables</key>
    <dict>
      <key>PATH</key>
      <string>/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
  </dict>
</plist>

(The above assumes that Wireguard configuration is saved at /usr/local/etc/wireguard/server.conf; also, make sure that /usr/local/var/log/ exists). Enable with:

sudo launchctl enable system/com.wireguard.server
sudo launchctl bootstrap system /Library/LaunchDaemons/com.wireguard.server.plist

You may want to test this and update your nice blog post accordingly ;-)
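A hardened variant of the two hook scripts above, added here as an example and not part of the issue author's scripts: one script serves as both PostUp ("up") and PostDown ("down"), refuses to store an empty token when pfctl fails, and refuses to pass anything but an all-digit token to pfctl -X. It assumes the same anchor name, NAT rule and token path as the issue; the anchor flush on the way down is an addition of this example.

```shell
#!/bin/sh
# Added example (not the issue author's scripts): a single pf hook for
# wg-quick PostUp ("up") and PostDown ("down") with token validation.
# Assumes the anchor, NAT rule and token path from the issue above.
set -u
ANCHOR="com.apple/wireguard"
NAT_RULE="nat on en0 from 10.0.10.0/24 to any -> (en0)"
TOKEN_DIR="${WG_RUN_DIR:-/usr/local/var/run/wireguard}"
TOKEN_FILE="$TOKEN_DIR/pf_wireguard_token.txt"

# Read pfctl -E output on stdin; print the numeric reference token, or
# return 1 if no well-formed "Token : NNN" line exists (e.g. pfctl failed).
extract_pf_token() {
    tok=$(sed -n 's/^Token : \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# Accept only an all-digit token, so a corrupted file never reaches pfctl -X.
valid_token() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# PostUp: load the NAT rule into the anchor, enable pf with a reference (-E)
# and persist the token root-only. Fails loudly instead of leaving an empty file.
pf_up() {
    mkdir -p "$TOKEN_DIR" && chmod 700 "$TOKEN_DIR" || return 1
    out=$(printf '%s\n' "$NAT_RULE" | pfctl -a "$ANCHOR" -Ef - 2>&1) || {
        printf 'pfctl failed: %s\n' "$out" >&2; return 1; }
    tok=$(printf '%s\n' "$out" | extract_pf_token) || {
        printf 'no reference token in pfctl output\n' >&2; return 1; }
    umask 077
    printf '%s\n' "$tok" > "$TOKEN_FILE"
}

# PostDown: release the stored reference (-X), then flush the anchor's NAT
# rules so the rule does not linger if pf is re-enabled by something else.
pf_down() {
    [ -s "$TOKEN_FILE" ] || { printf 'no token file\n' >&2; return 1; }
    tok=$(head -n 1 "$TOKEN_FILE")
    valid_token "$tok" || { printf 'malformed token: %s\n' "$tok" >&2; return 1; }
    pfctl -X "$tok" || return 1
    pfctl -a "$ANCHOR" -F nat >/dev/null 2>&1
    rm -f "$TOKEN_FILE"
}

# Configure as PostUp = /path/to/pf_hook.sh up and PostDown = ... down.
case "${1:-}" in
    up)   pf_up ;;
    down) pf_down ;;
esac
```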

A suggestion about “Wireguard Server on macOS”

The DNS option in the server config should be removed to make it work properly with Big Sur.
Not all ISPs support third-party DNS; this took me many hours before I figured it out.

[Interface]
# Substitute with the subnet you chose for Wireguard earlier.
Address = 10.0.10.0/24
# Substitute with your *server's* private key
PrivateKey = XXX
# If you chose a different port earlier when setting up port
# forwarding on your router, update the port here to match.
ListenPort = 51820
# This prevents IPv4 & IPv6 DNS leaks when browsing the web on the
# VPN. I chose Cloudflare's public DNS servers, but feel free to use
# whatever provider you prefer. Note: this is optional; enable it after the first successful connection between your server and client.
#DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111
# This ensures our peers continue to report their Wireguard-
# assigned IPs while connected to the VPN. This is required for
# their traffic to get routed correctly by the firewall rules we
# crafted earlier with pf.
PostUp = /usr/sbin/sysctl -w net.inet.ip.forwarding=1
PostUp = /usr/sbin/sysctl -w net.inet6.ip6.forwarding=1
# Adds the firewall routing rule on Wireguard server startup
PostUp = /usr/local/etc/wireguard/postup.sh
# Removes the firewall routing rule on Wireguard server shutdown
PostDown = /usr/local/etc/wireguard/postdown.sh

[Peer]
# Substitute with *this peer*'s public key
PublicKey = XXX
# Choose a unique IP within the Wireguard subnet you defined earlier
# that this particular peer will use when connected to the VPN.
AllowedIPs = 10.0.10.10/32

# Follow the same steps as the [Peer] template above for each
# additional peer you wish to connect to the VPN with.
