CGHMN-Router-Configuration
Latest revision as of 00:25, 2 April 2025
Example script to join a Linux box to the network as a router (run it as root; the values at the top are the ones to replace):
#!/bin/bash
# Replace the values below with the ones you got from us when joining
# and/or with values that match your setup
WG_CONFIG_PATH=/etc/wireguard/wg-cghmn.conf
WG_TUNNEL_IP=100.89.128.1
BRIDGED_LAN_INTERFACE=eth1
BRIDGED_LAN_IP=100.96.1.1
BRIDGED_LAN_DHCP_START=100.96.1.100
BRIDGED_LAN_DHCP_END=100.96.1.200

# Stop at the first failing command instead of continuing with a half-built setup
set -e

# Bring up Wireguard tunnel
ip link add wg-cghmn type wireguard
wg setconf wg-cghmn "${WG_CONFIG_PATH}"
ip addr add "${WG_TUNNEL_IP}/22" dev wg-cghmn
ip link set wg-cghmn up

# Add necessary routes to Wireguard interface
# ("replace" rather than "add": the kernel already created the connected /22
# when the address was assigned, and "add" would fail with "File exists")
ip route replace 100.89.128.0/22 dev wg-cghmn
ip route replace 172.23.0.0/16 dev wg-cghmn
ip route replace 100.96.0.0/13 dev wg-cghmn

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1

# Create bridge and add "LAN"-side interface (the port must be up to carry frames)
ip link add br-cghmn type bridge
ip link set br-cghmn up
ip addr flush dev "${BRIDGED_LAN_INTERFACE}"
ip link set "${BRIDGED_LAN_INTERFACE}" master br-cghmn
ip link set "${BRIDGED_LAN_INTERFACE}" up

# Add "LAN"-side IP address to bridge
ip addr add "${BRIDGED_LAN_IP}/24" dev br-cghmn

# Add nftables rules to prevent IP traffic from leaving or entering the bridge
# over the GRETAP link. nft syntax is "add rule <family> <table> <chain> <expr>";
# in the bridge family the IP version is matched on the ethertype, and the
# interface wildcard has to be quoted.
nft add table bridge filter
nft add chain bridge filter forward '{ type filter hook forward priority 0; policy accept; }'
nft add rule bridge filter forward 'meta ibrname "br-cghmn" oifname "gretap*" ether type ip drop comment "Drop IPv4 from leaving the bridge"'
nft add rule bridge filter forward 'meta ibrname "br-cghmn" iifname "gretap*" ether type ip drop comment "Drop IPv4 from entering the bridge"'
nft add rule bridge filter forward 'meta ibrname "br-cghmn" oifname "gretap*" ether type ip6 drop comment "Drop IPv6 from leaving the bridge"'
nft add rule bridge filter forward 'meta ibrname "br-cghmn" iifname "gretap*" ether type ip6 drop comment "Drop IPv6 from entering the bridge"'

# Create GRETAP interface and add to bridge
ip link add gretap-cghmn type gretap remote 172.23.4.103 ignore-df nopmtudisc ttl 255
ip link set gretap-cghmn master br-cghmn mtu 1500
ip link set br-cghmn mtu 1500
ip link set gretap-cghmn up

# Start dnsmasq as DHCP server. It must listen on the bridge, not on the
# enslaved port: the kernel delivers the LAN's frames to br-cghmn, which also
# holds the address the DHCP range belongs to.
dnsmasq -d -R -P 80 \
    -i br-cghmn \
    -S 100.89.128.0 \
    -F "${BRIDGED_LAN_DHCP_START},${BRIDGED_LAN_DHCP_END}"
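The script hard-codes three prefixes (100.89.128.0/22 on the tunnel, 100.96.0.0/13 routed into it, and a /24 on the bridge) but takes the addresses themselves from the variables at the top, so a typo there produces a router that comes up but silently routes nothing. The following pre-flight check is an added example, not part of the wiki's script: it verifies, offline and without root, that the values you fill in agree with those prefixes, that the DHCP pool sits inside the bridge's /24, and that the pool does not cover the router's own address. The function names (ip2int, in_cidr, check_router_values) are ours; the sample values are the script's defaults.

```shell
#!/bin/sh
# Pre-flight check for the CGHMN router script (added example; function names are ours).
# Dotted-quad addresses are converted to integers so prefix membership can be tested
# with plain POSIX shell arithmetic.

# ip2int A.B.C.D -> prints the address as a 32-bit integer; returns 1 if malformed
ip2int() {
    local oldifs o
    oldifs=$IFS
    IFS=.
    set -f            # no pathname expansion while splitting the unquoted argument
    set -- $1
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric, or leading zero (octal)
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> returns 0 if ADDR lies inside NET/PREFIX
in_cidr() {
    local a n prefix mask
    prefix=${2#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    a=$(ip2int "$1") || return 1
    n=$(ip2int "${2%/*}") || return 1
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# check_router_values WG_TUNNEL_IP BRIDGED_LAN_IP DHCP_START DHCP_END
# Prints one line per problem found and returns the number of problems (0 = consistent).
check_router_values() {
    local wg lan start end errors lan_net a i_lan i_start i_end
    wg=$1; lan=$2; start=$3; end=$4; errors=0
    for a in "$wg" "$lan" "$start" "$end"; do
        ip2int "$a" >/dev/null || { echo "not a valid IPv4 address: $a"; errors=$((errors + 1)); }
    done
    [ "$errors" -eq 0 ] || return "$errors"
    lan_net="${lan%.*}.0/24"   # the script assigns BRIDGED_LAN_IP with a /24 to the bridge
    in_cidr "$wg" 100.89.128.0/22 \
        || { echo "WG_TUNNEL_IP $wg is outside 100.89.128.0/22, the tunnel prefix the script assigns"; errors=$((errors + 1)); }
    in_cidr "$lan" 100.96.0.0/13 \
        || { echo "BRIDGED_LAN_IP $lan is outside 100.96.0.0/13, the only LAN range routed into the tunnel"; errors=$((errors + 1)); }
    in_cidr "$start" "$lan_net" \
        || { echo "BRIDGED_LAN_DHCP_START $start is outside the bridge subnet $lan_net"; errors=$((errors + 1)); }
    in_cidr "$end" "$lan_net" \
        || { echo "BRIDGED_LAN_DHCP_END $end is outside the bridge subnet $lan_net"; errors=$((errors + 1)); }
    i_lan=$(ip2int "$lan"); i_start=$(ip2int "$start"); i_end=$(ip2int "$end")
    [ "$i_start" -le "$i_end" ] \
        || { echo "DHCP pool start $start is above its end $end"; errors=$((errors + 1)); }
    if [ "$i_lan" -ge "$i_start" ] && [ "$i_lan" -le "$i_end" ]; then
        echo "BRIDGED_LAN_IP $lan lies inside the DHCP pool $start-$end; dnsmasq could lease the router's own address"
        errors=$((errors + 1))
    fi
    return "$errors"
}

# Checked with the default values from the script on this page
if check_router_values 100.89.128.1 100.96.1.1 100.96.1.100 100.96.1.200; then
    echo "router values are consistent"
fi
```

Run it (or source it and call check_router_values with your own four values) before executing the router script; a non-zero return code means at least one value would not work with the prefixes the script assumes, and each problem is printed on its own line.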