From 7772331aa5df0b8106f3523a0070269fae735894 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sun, 17 Mar 2024 21:09:42 -0700
Subject: xyzca init
---
 etc/systemd/network/default.network | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'etc/systemd/network')
diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network
index cb28d02e..43f05d95 100644
--- a/etc/systemd/network/default.network
+++ b/etc/systemd/network/default.network
@@ -2,5 +2,5 @@
 Name=eth0
 
 [Network]
-Gateway=89.213.174.1
-Address=89.213.174.95/24
+Gateway=216.181.107.1
+Address=216.181.107.253/24
-- 
cgit v1.2.3-70-g09d2
From 1f7639e561760bf83e1630cbef71514fec54928c Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 07:14:01 +0000
Subject: make ipv6 work
---
 etc/systemd/network/default.network | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
(limited to 'etc/systemd/network')
diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network
index 43f05d95..dc46831e 100644
--- a/etc/systemd/network/default.network
+++ b/etc/systemd/network/default.network
@@ -1,6 +1,25 @@
+# not fully understood
+# https://unix.stackexchange.com/q/509430/
+# man `systemd.network`
+# https://superuser.com/q/1562380
+# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html
+
 [Match]
 Name=eth0
 
-[Network]
-Gateway=216.181.107.1
+[Address]
 Address=216.181.107.253/24
+
+[Address]
+# 2606:a8c0:3:38d::1/64 also works, but I use 2606:a8c0:3:38d::a/64 because crunchbits panel reverse DNS support this address
+Address=2606:a8c0:3:38d::a/64
+# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
+#Address=2606:a8c0:3:38d::a/48
+
+[Route]
+Gateway=216.181.107.1
+
+[Route]
+Gateway=2606:a8c0:3::1
+# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419
+GatewayOnLink=yes
-- 
cgit v1.2.3-70-g09d2
From f0ff093564f27c7bd3ed6966f4e7fdc6d8c0dc11 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 9 Apr 2024 01:18:39 -0700
Subject: new ca bad default cloud-init routes
---
 etc/systemd/network/10-cloud-init-eth0.network | 21 +++++++++++++++++++++
 etc/systemd/network/default.network | 25 -------------------------
 2 files changed, 21 insertions(+), 25 deletions(-)
 create mode 100644 etc/systemd/network/10-cloud-init-eth0.network
 delete mode 100644 etc/systemd/network/default.network
(limited to 'etc/systemd/network')
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
new file mode 100644
index 00000000..e1e0bd2d
--- /dev/null
+++ b/etc/systemd/network/10-cloud-init-eth0.network
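Review bot: The commented-out alternative `#Address=2606:a8c0:3:38d::a/48` is not a safe substitute for `GatewayOnLink=yes`: it would declare the whole provider /48 on-link, so packets to every other address in that /48 (other customers included) would be resolved with neighbour discovery on eth0 instead of being sent to `2606:a8c0:3::1`, and would silently fail for any address the provider does not answer neighbour solicitations for. The /64 address plus `GatewayOnLink=yes` is the correct shape precisely because the gateway lies outside the assigned /64. I would replace the `# not fully understood` block and the `maybe because ...?` question with one definite comment on the route: `# 2606:a8c0:3::1 is outside our /64; GatewayOnLink=yes installs it as a directly reachable next hop instead of widening the on-link prefix to /48`.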
@@ -0,0 +1,21 @@
+[Address]
+Address=2606:a8c0:3:773::a/64
+
+[Address]
+Address=2606:a8c0:3::75f/128
+
+[Address]
+Address=38.175.201.185/22
+
+[Match]
+MACAddress=00:46:d3:d8:15:5d
+Name=eth0
+
+[Network]
+DHCP=no
+DNS=9.9.9.9 1.1.1.1 2620:fe::fe 2620:fe::9
+
+[Route]
+Gateway=2606:a8c0:3::1
+Gateway=38.175.200.1
+
diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network
deleted file mode 100644
index dc46831e..00000000
--- a/etc/systemd/network/default.network
+++ /dev/null
@@ -1,25 +0,0 @@
-# not fully understood
-# https://unix.stackexchange.com/q/509430/
-# man `systemd.network`
-# https://superuser.com/q/1562380
-# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html
-
-[Match]
-Name=eth0
-
-[Address]
-Address=216.181.107.253/24
-
-[Address]
-# 2606:a8c0:3:38d::1/64 also works, but I use 2606:a8c0:3:38d::a/64 because crunchbits panel reverse DNS support this address
-Address=2606:a8c0:3:38d::a/64
-# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
-#Address=2606:a8c0:3:38d::a/48
-
-[Route]
-Gateway=216.181.107.1
-
-[Route]
-Gateway=2606:a8c0:3::1
-# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419
-GatewayOnLink=yes
-- 
cgit v1.2.3-70-g09d2
From f946a5ddb111497b3bf49da35e8249283c0b1b4d Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 9 Apr 2024 01:19:34 -0700
Subject: new ca fix ipv6 route
---
 etc/systemd/network/10-cloud-init-eth0.network | 29 ++++++++++++++++----------
 1 file changed, 18 insertions(+), 11 deletions(-)
(limited to 'etc/systemd/network')
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
index e1e0bd2d..f98222e3 100644
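Review bot: `10-cloud-init-eth0.network` is the file cloud-init's networkd renderer generates, so checking it in and hand-editing it (as the following commits do) only holds until the next boot on which cloud-init re-renders network config; whether that rendering is disabled (a `network: {config: disabled}` drop-in under `/etc/cloud/cloud.cfg.d/`) cannot be seen from this diff. I would record that dependency in the file itself with a first line `# hand-maintained; cloud-init network rendering must stay disabled or this file is overwritten on boot`, and track the drop-in in the same repo so the two cannot drift apart.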
--- a/etc/systemd/network/10-cloud-init-eth0.network
+++ b/etc/systemd/network/10-cloud-init-eth0.network
@@ -1,21 +1,28 @@
-[Address]
-Address=2606:a8c0:3:773::a/64
+# not fully understood
+# https://unix.stackexchange.com/q/509430/
+# man `systemd.network`
+# https://superuser.com/q/1562380
+# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html
 
-[Address]
-Address=2606:a8c0:3::75f/128
+[Match]
+Name=eth0
 
 [Address]
 Address=38.175.201.185/22
 
-[Match]
-MACAddress=00:46:d3:d8:15:5d
-Name=eth0
+[Address]
+# ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
+Address=2606:a8c0:3:773::a/64
+# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
+#Address=2606:a8c0:3:773::a/48
 
-[Network]
-DHCP=no
-DNS=9.9.9.9 1.1.1.1 2620:fe::fe 2620:fe::9
+[Address]
+Address=2606:a8c0:3::75f/128
 
 [Route]
-Gateway=2606:a8c0:3::1
 Gateway=38.175.200.1
 
+[Route]
+Gateway=2606:a8c0:3::1
+# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419
+GatewayOnLink=yes
-- 
cgit v1.2.3-70-g09d2
From 0be48cdae85e0321c83db7da14b67cb80f21d83e Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 9 Apr 2024 11:01:46 +0100
Subject: I want 2606:a8c0:3:773::a which has RDNS to be the default
It seems move 2606:a8c0:3::75f in front of 2606:a8c0:3:773::a will make the latter default?
---
 etc/systemd/network/10-cloud-init-eth0.network | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'etc/systemd/network')
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
index f98222e3..1bc579b9 100644
--- a/etc/systemd/network/10-cloud-init-eth0.network
+++ b/etc/systemd/network/10-cloud-init-eth0.network
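Review bot: The `GatewayOnLink=yes` comment was carried over verbatim from the deleted default.network and still reasons about `2606:a8c0:3:38d::a/64`, an address this host no longer has; the address here is `2606:a8c0:3:773::a/64`, so the line should read `# GatewayOnLink=yes needed because 2606:a8c0:3::1 is outside 2606:a8c0:3:773::/64; see: https://serverfault.com/q/814419`. The rewrite also removes the whole `[Network]` section and with it `DNS=9.9.9.9 1.1.1.1 2620:fe::fe 2620:fe::9`; `DHCP=no` only restated the default, but without `DNS=` the resolvers now have to come from somewhere this diff does not show (resolv.conf or a resolved config), and a one-line comment naming that place would stop the next reader from re-adding them here. Dropping the `MACAddress=00:46:d3:d8:15:5d` match is fine on a single-NIC VM, but it means the file now claims any interface called eth0.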
@@ -10,15 +10,15 @@ Name=eth0
 [Address]
 Address=38.175.201.185/22
 
+[Address]
+Address=2606:a8c0:3::75f/128
+
 [Address]
 # ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
 Address=2606:a8c0:3:773::a/64
 # use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
 #Address=2606:a8c0:3:773::a/48
 
-[Address]
-Address=2606:a8c0:3::75f/128
-
 [Route]
 Gateway=38.175.200.1
 
-- 
cgit v1.2.3-70-g09d2
From 9c956cfe1ee447fc0968d88516e7c859a601b25a Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 28 Jun 2024 00:57:17 +0000
Subject: feat: wg and swgp config, mainly for aa
---
 etc/nftables.conf | 25 +++++++++++++++++++++-
 etc/services | 2 ++
 etc/sysctl.d/99-sysctl.conf | 7 ++++++
 etc/systemd/network/10-cloud-init-eth0.network | 7 ++++++
 .../multi-user.target.wants/wg-quick@wg0.service | 1 +
 home/xyz/.config/myconf/pacman_Qqme | 3 ++-
 home/xyz/.config/myconf/pacman_Qqne | 2 +-
 home/xyz/.config/myconf/sye | 3 ++-
 8 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 etc/sysctl.d/99-sysctl.conf
 create mode 120000 etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
(limited to 'etc/systemd/network')
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 22e38dfe..b824edee 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -8,6 +8,8 @@
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
 
+define pub_iface = "eth0"
+define wg_iface = "wg0"
 
 table inet my_table {
 chain my_input {
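Review bot: Making `2606:a8c0:3:773::a` the default source address by placing its `[Address]` section last relies on an ordering effect the commit message itself only guesses at ("It seems ... ?"), and any later edit that appends another `[Address]` section silently changes the outcome. systemd-networkd lets the intent be stated on the route instead: add `PreferredSource=2606:a8c0:3:773::a` under `Gateway=2606:a8c0:3::1` in the IPv6 `[Route]` section, which sits just below this hunk, and the chosen source no longer depends on section order. Confirm with `ip -6 route get 2001:db8::1` that the `src` shown is `2606:a8c0:3:773::a`.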
@@ -17,6 +19,7 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
 
@@ -25,7 +28,8 @@ table inet my_table {
 #tcp dport qbt accept
 #udp dport qbt accept
 #tcp dport iperf3 accept
- #udp dport wireguard accept
+ udp dport wireguard accept
+ udp dport swgp accept
 # for acme.sh standalone mode builtin webserver to renew ssl cert
 tcp dport http accept
 # email related ports
@@ -45,6 +49,12 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
 }
 
 chain my_output {
@@ -53,3 +63,16 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
diff --git a/etc/services b/etc/services
index aa270681..91a89df2 100644
--- a/etc/services
+++ b/etc/services
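Review bot: `oifname $wg_iface accept` in the forward chain admits every forwarded packet headed into the tunnel, including brand-new connections arriving on eth0 for a peer's address, because this chain has no `ct state` rule of its own and the `policy drop` is bypassed for that direction. With the masquerade in front, IPv4 peers on private addresses are unreachable from outside anyway, but any peer holding a routable address (IPv6 peers, depending on what wg0.conf — not in this diff — assigns) would be exposed with no filtering at all. Use the two commented lines, tightened on the return path: `iifname $wg_iface oifname $pub_iface accept` and `iifname $pub_iface oifname $wg_iface ct state { established, related } accept`, and drop the `# needed for wireguard?` question. The context comment `# Drop everything forwarded to us. We do not forward. That is routers job.` is now false and should say that only WireGuard traffic is forwarded. The `chain my_forward {` line that opens this block is outside the hunk.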
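Review bot: `oifname $pub_iface masquerade` is not restricted to traffic that entered on wg0, so every packet leaving eth0 — locally generated ones included — is a candidate, and masquerade rewrites a source address that is not the interface's primary one to the primary address. This host deliberately carries several addresses (`2606:a8c0:3::75f/128` and, in this same commit, `2606:a8c0:3:773::b/64` reserved for wg/swgp), so a daemon bound to a secondary address can find its packets rewritten in a way that is painful to debug; in my experience this unrestricted form is exactly the rule that bites mail and multi-IP hosts. Restrict it to the VPN path: `iifname $wg_iface oifname $pub_iface masquerade`. The `# Need inet to masquerade both ipv4 and ipv6?` question can be answered in place: an `inet` table applies the rule to both families, so IPv6 peers are NAT66'd behind the primary eth0 address here, which is a choice worth stating rather than asking.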
@@ -11510,5 +11510,7 @@ inspider 49150/tcp
 # my services
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
+wireguard 49432/udp
 ssh-isp 49812/tcp
 iperf3 53497/tcp
+swgp 54635/udp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 00000000..b9677c02
--- /dev/null
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,7 @@
+# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
+# ka seems has this as default, maybe arch linux cloud-init image has this as default?
+# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
+# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
+# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
index 1bc579b9..7829f528 100644
--- a/etc/systemd/network/10-cloud-init-eth0.network
+++ b/etc/systemd/network/10-cloud-init-eth0.network
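Review bot: The first comment of 99-sysctl.conf hedges on whether `net.ipv4.ip_forward = 1` is needed; it is, unconditionally — the kernel forwards nothing between interfaces without it, and the nftables forward chain and the masquerade rule only ever see packets the kernel has already decided to forward — so the `?` and the "ka seems has this as default" guess can be replaced with `# forwarding is required for any wg0 <-> eth0 routing; the nftables forward chain then decides what is allowed`. `net.ipv6.conf.all.forwarding = 1` has a side effect worth recording in the file: with the default `accept_ra=1` a forwarding interface ignores router advertisements, which only works here because eth0 is statically addressed and routed, and anyone copying this file to a SLAAC host needs `accept_ra=2` as well. Once forwarding is on system-wide, the `policy drop` in the nftables forward chain is the only thing keeping this host from routing for anyone, so that policy should never be loosened alongside this. "Without will result into" should read "Without it, the result is".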
@@ -14,7 +14,14 @@ Address=38.175.201.185/22
 Address=2606:a8c0:3::75f/128
 
 [Address]
+# another ipv6 address for aa wireguard+swgp into
+# not sure if it is corret, but it works
+Address=2606:a8c0:3:773::b/64
+
+[Address]
+# the last address seems is the default?
 # ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
+# 2024-06-27, ...:1/64 seems doe not work any more, not sure why
 Address=2606:a8c0:3:773::a/64
 # use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
 #Address=2606:a8c0:3:773::a/48
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
new file mode 120000
index 00000000..0a92cb9a
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/wg-quick@.service
\ No newline at end of file
diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme
index 1ae6f3b5..1ae88691 100644
--- a/home/xyz/.config/myconf/pacman_Qqme
+++ b/home/xyz/.config/myconf/pacman_Qqme
@@ -5,8 +5,9 @@ bash-complete-alias
 dashbinsh
 grub-hook
 htop-vim
-librespeed-cli
+librespeed-cli-bin
 neovim-plug
 paru-bin
 pipdeptree
+swgp-go
 task-spooler
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 21020ae5..c1e1c8bd 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -54,7 +54,7 @@ unrar-free
 unzip
 vidir2-git
 wget
+wireguard-tools
 xdg-user-dirs
-xfsprogs
 zip
 zoxide
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index 8d845498..a47a970f 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
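Review bot: The comment says `2606:a8c0:3:773::b` is for the "aa wireguard+swgp" endpoint, but nothing visible binds either listener to it — WireGuard listens on all addresses by default and replies from whichever address the peer contacted, and wg0.conf and the swgp-go config are not in this diff (correctly, since they carry keys) — so the address is a reservation, not an enforcement, and the `# not sure if it is corret, but it works` line should say so: `# reserved for the wireguard/swgp listener; the services are not bound to it here, see their own configs`. `# the last address seems is the default?` is again the section-order guess; `PreferredSource=` on the IPv6 `[Route]` section (outside this hunk) makes the choice explicit. "corret" should be "correct" and "doe not" should be "does not".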
@@ -6,6 +6,7 @@ opendkim.service enabled disabled
 opendmarc.service enabled disabled
 postfix.service enabled disabled
 sshd.service enabled disabled
+swgp-go.service enabled disabled
 systemd-network-generator.service enabled enabled
 systemd-networkd-wait-online.service enabled enabled
 systemd-networkd.service enabled enabled
@@ -19,4 +20,4 @@ acme.sh.timer enabled disabled
 paccache.timer enabled disabled
 pacman-filesdb-refresh.timer enabled disabled
 
-19 unit files listed.
+20 unit files listed.
-- 
cgit v1.2.3-70-g09d2