mar_w

WG+GRE

Feb 6th, 2022 (edited)
  1. głupi AP - serwer WG + serwer DHCP-Guest:
  2.  
  3. /etc/config/network
  4. ....
  # WireGuard interface on the "server" side: listens on UDP port 55055 and owns 10.9.0.1/24.
  # private_key is shown as a placeholder; the real value is a secret.
  # NOTE(review): mtu 2800 is larger than a usual Ethernet path MTU - presumably chosen so the
  # 1560-byte gretap frames fit inside wg0; the encrypted packets would then be fragmented - confirm.
  5. config interface 'wg0'
  6.     option proto 'wireguard'
  7.     option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
  8.     option listen_port '55055'
  9.     list addresses '10.9.0.1/24'
  10.     option mtu 2800
  11.  
  # Peer entry (description 'peer2'). allowed_ips selects what is routed to this peer and which
  # source addresses are accepted from it after decryption; route_allowed_ips '1' installs the routes.
  # NOTE(review): '10.9.0.2/24' has host bits set and covers all of 10.9.0.0/24; a single peer is
  # normally pinned with /32 so it cannot source traffic as other tunnel addresses - confirm.
  12. config wireguard_wg0
  13.     option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
  14.     option route_allowed_ips '1'
  15.     option allowed_ips '10.9.0.2/24 192.168.2.0/24'
  16.     option persistent_keepalive '25'
  17.     option description 'peer2'
  18.  
  # Layer-2 GRE (gretap) tunnel from 10.9.0.1 to 10.9.0.2. Both endpoints lie in the 10.9.0.0/24
  # WireGuard subnet and tunlink binds the tunnel to wg0, so the GRE frames travel inside WireGuard.
  # GRE itself adds no encryption or authentication; protection of the bridged traffic comes from wg0 only.
  19. config interface 'gretap'
  20.     option proto 'gretap'
  21.     option peeraddr '10.9.0.2'
  22.     option ipaddr '10.9.0.1'
  23.     option tunlink 'wg0'
  24.     option mtu '1560'
  25.  
  # Bridge device for the guest network; the only port listed is the gretap tunnel interface.
  26. config device                            
  27.         option name 'br-guest'              
  28.         option type 'bridge'              
  29.         list ports '@gretap'
  30.  
  # Guest network on this router: static address 172.16.0.1, netmask 255.255.255.0, on br-guest.
  31. config interface 'guest'
  32.     option proto 'static'
  33.     option device 'br-guest'
  34.     list ipaddr '172.16.0.1'
  35.     option netmask '255.255.255.0'
  36.  
  37.  
  38. /etc/config/dhcp
  39. ...
  # DHCP service for the 'guest' interface: pool starts at offset 100, holds 10 addresses,
  # lease time 12h. DHCPv6 and router advertisements are also served (server mode).
  40. config dhcp 'guest'
  41.     option interface 'guest'
  42.     option start '100'
  43.     option limit '10'
  44.     option leasetime '12h'
  45.     option dhcpv4 'server'
  46.     option dhcpv6 'server'
  47.     option ra 'server'
  48.     option ra_slaac '1'
  49.     list ra_flags 'managed-config'
  50.     list ra_flags 'other-config'
  # NOTE(review): options 3 (router) and 6 (DNS server) are listed without a value; dnsmasq treats a
  # bare option number as "do not send this default option", so guest clients presumably receive
  # no default gateway and no DNS server from this router - confirm this is intended.
  51.     list dhcp_option '3'
  52.     list dhcp_option '6'
  53.  
  54.  
  55. /etc/config/firewall
  56. ....
  # Zone for the WireGuard interface. input, output and forward are all ACCEPT, so anything that
  # arrives through the tunnel may reach services running on this router.
  57. config zone
  58.     option name     wg
  59.     list   network      'wg0'
  60.     option input        ACCEPT
  61.     option output       ACCEPT
  62.     option forward      ACCEPT
  63.  
  # Forwarding between the wg and lan zones is allowed in both directions (this stanza and the next).
  64. config forwarding
  65.     option src      wg
  66.     option dest     lan
  67.  
  68. config forwarding
  69.     option src      lan
  70.     option dest     wg
  71.  
  # Zone for the guest network. No 'config forwarding' with src or dest 'guest' appears in the
  # visible part of this file (the '....' above elides the rest).
  # NOTE(review): input ACCEPT lets guest clients reach every service the router listens on;
  # guest zones are commonly set to input REJECT with explicit allow rules for DHCP and DNS only -
  # confirm the intent.
  72. config zone
  73.     option name     guest
  74.     list   network      'guest'
  75.     option input        ACCEPT
  76.     option output       ACCEPT
  77.     option forward      ACCEPT
  78.  
  79.  
  80. /etc/firewall.user
  81.  
  82. # Drop packets from the Guest network (172.16.0.0/24) addressed to the local LAN1 network (192.168.1.0/24).
  # NOTE(review): input_rule is presumably the firewall's user chain hooked into INPUT, so this matches
  # only packets addressed to the router's own IPs; traffic forwarded to other LAN1 hosts is decided
  # in the FORWARD path (zone forwardings / forwarding_rule), not by this rule - verify.
  83. iptables -I input_rule -s 172.16.0.0/24 -d 192.168.1.0/24 -j DROP
  84. # Drop packets from the local LAN1 network addressed to the Guest network (same chain, same caveat).
  85. iptables -I input_rule -d 172.16.0.0/24 -s 192.168.1.0/24 -j DROP
  86.  
  87.  
  88. /etc/config/wireless
  89. ....
  # LAN access point on radio0 with WPA2-PSK ('psk2'). The key shown is a sample value;
  # a deployed network needs a long, unique passphrase.
  90. config wifi-iface 'default_radio0'
  91.     option device 'radio0'
  92.     option network 'lan'
  93.     option mode 'ap'
  94.     option ssid 'LAN1'
  95.     option encryption 'psk2'
  96.     option key 'passwordlan1'
  97.  
  # Guest access point on the same radio, attached to the 'guest' network; key is a sample value.
  # NOTE(review): no 'option isolate' is set, so wireless clients of this SSID can presumably
  # talk to each other directly - confirm whether client isolation is wanted for guests.
  98. config wifi-iface 'guest'
  99.     option device 'radio0'
  100.     option network 'guest'
  101.     option mode 'ap'
  102.     option ssid 'guest1'
  103.     option encryption 'psk2'
  104.     option key 'passwordguest1'
  105.  
  106. ############################################################################
  107.  
  108. Peer WG + client DHCP Guest
  109.  
  110. /etc/config/network
  111. ....
  # WireGuard interface on the peer ("client") side: address 10.9.0.2/24, no listen_port set.
  # private_key is shown as a placeholder; the real value is a secret.
  # NOTE(review): mtu 2800 is larger than a usual Ethernet path MTU - presumably chosen so the
  # 1560-byte gretap frames fit inside wg0; the encrypted packets would then be fragmented - confirm.
  112. config interface 'wg0'
  113.     option proto 'wireguard'
  114.     option private_key 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
  115.     list addresses '10.9.0.2/24'
  116.     option mtu 2800
  117.  
  # The remote WireGuard server (description 'serwer_WG'). endpoint_host is a placeholder for the
  # public IP of the edge router; endpoint_port is 55055.
  # allowed_ips limits what is routed to, and accepted from, the server: the 10.9.0.0/24 tunnel
  # subnet and 192.168.1.0/24. route_allowed_ips '1' installs the matching routes.
  # persistent_keepalive '25' sends a keepalive packet every 25 seconds.
  118. config wireguard_wg0
  119.     option public_key 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
  120.     option route_allowed_ips '1'
  121.     option allowed_ips '10.9.0.0/24 192.168.1.0/24'
  122.     option endpoint_host 'Public_IP_routera_brzegowego'
  123.     option endpoint_port '55055'
  124.     option persistent_keepalive '25'
  125.     option description 'serwer_WG'
  126.  
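  # Layer-2 GRE (gretap) tunnel from 10.9.0.2 to 10.9.0.1. Both endpoints lie in the 10.9.0.0/24
  # WireGuard subnet and tunlink binds the tunnel to wg0, so the GRE frames travel inside WireGuard.
  # GRE itself adds no encryption or authentication; protection of the bridged traffic comes from wg0 only.
  127. config interface 'gretap'
  128.     option proto 'gretap'
  129.     option peeraddr '10.9.0.1'
  130.     option ipaddr '10.9.0.2'
  131.     option tunlink 'wg0'
  132.     option mtu '1560'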
  133.  
  # Bridge device for the guest network; the only port listed is the gretap tunnel interface.
  134. config device                            
  135.     option name 'br-guest'              
  136.     option type 'bridge'              
  137.     list ports '@gretap'
  138.  
  # Guest network on this router is a DHCP client on br-guest, so its address presumably comes
  # from the DHCP server at the other end of the gretap tunnel (172.16.0.1) - confirm.
  139. config interface 'guest'
  140.     option proto 'dhcp'
  141.     option device 'br-guest'
  142.  
  143.  
  144. /etc/config/dhcp
  145. ...
  # ignore '1' turns the local DHCP service off for the 'guest' interface, so this router hands
  # out no guest leases itself; guest clients presumably get them across the bridge - confirm.
  146. config dhcp 'guest'
  147.     option interface 'guest'
  148.     option ignore '1'
  149.  
  150.  
  151. /etc/config/firewall
  152. ....
  # Zone for the WireGuard interface. input, output and forward are all ACCEPT, so anything that
  # arrives through the tunnel may reach services running on this router.
  153. config zone
  154.     option name     wg
  155.     list   network      'wg0'
  156.     option input        ACCEPT
  157.     option output       ACCEPT
  158.     option forward      ACCEPT
  159.  
  # Forwarding between the lan and wg zones is allowed in both directions (this stanza and the next).
  160. config forwarding
  161.     option src      lan
  162.     option dest     wg
  163.  
  164. config forwarding
  165.     option src      wg
  166.     option dest     lan
  167.  
  # Zone for the guest network. No 'config forwarding' with src or dest 'guest' appears in the
  # visible part of this file (the '....' above elides the rest).
  # NOTE(review): input ACCEPT lets guest clients reach every service the router listens on;
  # guest zones are commonly set to input REJECT with explicit allow rules for DHCP and DNS only -
  # confirm the intent.
  168. config zone
  169.     option name     guest
  170.     list   network      'guest'
  171.     option input        ACCEPT
  172.     option output       ACCEPT
  173.     option forward      ACCEPT
  174.  
  175.  
  176. /etc/firewall.user
  177.  
  178. # Drop packets from the Guest network (172.16.0.0/24) addressed to the local LAN2 network (192.168.2.0/24).
  # NOTE(review): input_rule is presumably the firewall's user chain hooked into INPUT, so this matches
  # only packets addressed to the router's own IPs; traffic forwarded to other LAN2 hosts is decided
  # in the FORWARD path (zone forwardings / forwarding_rule), not by this rule - verify.
  179. iptables -I input_rule -s 172.16.0.0/24 -d 192.168.2.0/24 -j DROP
  180. # Drop packets from the local LAN2 network addressed to the Guest network (same chain, same caveat).
  181. iptables -I input_rule -d 172.16.0.0/24 -s 192.168.2.0/24 -j DROP
  182.  
  183.  
  184. /etc/config/wireless
  185. ....
  # LAN access point on radio0 with WPA2-PSK ('psk2'). The key shown is a sample value;
  # a deployed network needs a long, unique passphrase.
  186. config wifi-iface 'default_radio0'
  187.     option device 'radio0'
  188.     option network 'lan'
  189.     option mode 'ap'
  190.     option ssid 'LAN2'
  191.     option encryption 'psk2'
  192.     option key  'passwordlan2'
  193.  
  # Guest access point on the same radio, attached to the 'guest' network; key is a sample value.
  # NOTE(review): no 'option isolate' is set, so wireless clients of this SSID can presumably
  # talk to each other directly - confirm whether client isolation is wanted for guests.
  194. config wifi-iface 'guest'
  195.     option device 'radio0'
  196.     option network 'guest'
  197.     option mode 'ap'
  198.     option ssid 'guest2'
  199.     option encryption 'psk2'
  200.     option key  'passwordguest2'