authorXiao Pan <gky44px1999@gmail.com>2024-04-09 01:10:31 -0700
committerXiao Pan <gky44px1999@gmail.com>2024-04-09 01:10:31 -0700
commit1e20d2372ee99457c1efc609914015657b71f4ed (patch)
treebf55a1c3e9f7828b3c76ebe8dc484290e18734d5
parenta0518e8d2104e67005f93ff13a5a806e7db88a11 (diff)
switch to new ca server; wireguard no need
-rw-r--r--etc/nftables.conf30
-rw-r--r--etc/services1
-rw-r--r--etc/sysctl.d/99-sysctl.conf7
l---------etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service1
-rw-r--r--home/xyz/.config/myconf/pacman_Qqne1
5 files changed, 2 insertions, 38 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c4ca7f45..22e38dfe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,17 +3,11 @@
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# references, some codes from:
-# https://wiki.archlinux.org/title/Nftables
-# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
-# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# some codes from https://wiki.archlinux.org/title/Nftables
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset
-define pub_iface = "eth0"
-define wg_iface = "wg0"
-
table inet my_table {
chain my_input {
@@ -23,7 +17,6 @@ table inet my_table {
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
ip protocol icmp accept
meta l4proto ipv6-icmp accept
@@ -32,7 +25,7 @@ table inet my_table {
#tcp dport qbt accept
#udp dport qbt accept
#tcp dport iperf3 accept
- udp dport wireguard accept
+ #udp dport wireguard accept
# for acme.sh standalone mode builtin webserver to renew ssl cert
tcp dport http accept
# email related ports
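Review bot: The commented-out rule `#udp dport wireguard accept` still names the service `wireguard`, which this same commit removes from etc/services (the `wireguard 49432/udp` line); if the rule is ever re-enabled as written, nft will not be able to resolve the service name and will reject the file. Since the commented-out neighbours (`qbt`, `iperf3`) apparently keep their service entries, either delete this line too or record the port in the comment so it stays usable, e.g. `#udp dport 49432 accept  # wireguard; service entry removed`. The enclosing input chain starts and ends outside this hunk.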
@@ -52,12 +45,6 @@ table inet my_table {
type filter hook forward priority filter
policy drop
# Drop everything forwarded to us. We do not forward. That is routers job.
-
- # needed for wireguard?
- #iifname $wg_iface oifname $pub_iface accept
- #iifname $pub_iface oifname $wg_iface accept
- iifname $wg_iface accept
- oifname $wg_iface accept
}
chain my_output {
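Review bot: After this hunk the forward chain's `policy drop` is the only control that stops the host from routing packets, because the commit deletes etc/sysctl.d/99-sysctl.conf rather than turning forwarding off: removing the file does not change the running kernel value until reboot, and it does not override a distro or cloud-init default that enables forwarding (the deleted comment in that file itself suspects such a default). Keeping the file with `net.ipv4.ip_forward = 0` and `net.ipv6.conf.all.forwarding = 0` would enforce the stated intent "We do not forward" at both layers instead of relying on the firewall alone. The forward chain's opening line is outside this hunk.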
@@ -66,16 +53,3 @@ table inet my_table {
# Accept every outbound connection
}
}
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
- # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
- chain postrouting {
- type nat hook postrouting priority 100
- policy accept
- oifname $pub_iface masquerade
- }
-}
diff --git a/etc/services b/etc/services
index b1b9f5bc..500c6ac7 100644
--- a/etc/services
+++ b/etc/services
@@ -11507,7 +11507,6 @@ nusrp 49001/tcp
nusdp-disc 49001/udp
inspider 49150/tcp
# my services
-wireguard 49432/udp
# My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
# https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
ssh-isp 49812/tcp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
deleted file mode 100644
index b9677c02..00000000
--- a/etc/sysctl.d/99-sysctl.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
-# ka seems has this as default, maybe arch linux cloud-init image has this as default?
-# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
-# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
-# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
deleted file mode 120000
index 0a92cb9a..00000000
--- a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/systemd/system/wg-quick@.service \ No newline at end of file
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 912426c0..f60f41bc 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -49,7 +49,6 @@ tree
unrar-free
unzip
vidir2-git
-wireguard-tools
xdg-user-dirs
xfsprogs
zip