authorXiao Pan <xyz@flylightning.xyz>2024-10-10 15:06:34 -0700
committerXiao Pan <xyz@flylightning.xyz>2024-10-10 15:06:34 -0700
commit45e1dc5d3ec169fd584983340e56d14332b9832b (patch)
tree436290c461c3bdd820b30bd9f9a6a2fc0f4e5216
parenta60b819a1039e0a2edcfe1d5ab933ada3ccac7a9 (diff)
wireguard phantun, udp2raw, and udpspeeder configs
-rw-r--r--configs/configs_root_dir/etc/nftables_phantun_wg_client.conf66
-rw-r--r--configs/configs_root_dir/etc/nftables_phantun_wg_server.conf87
-rw-r--r--configs/configs_root_dir/etc/nftables_udp2raw_wg_client.conf66
-rw-r--r--configs/configs_root_dir/etc/nftables_udp2raw_wg_server.conf86
-rw-r--r--configs/configs_root_dir/etc/systemd/system/udp2raw@.service13
-rw-r--r--configs/configs_root_dir/etc/udp2raw/client.conf30
-rw-r--r--configs/configs_root_dir/etc/udp2raw/server.conf29
-rwxr-xr-xsh/phantun_wg_client17
-rwxr-xr-xsh/phantun_wg_server18
-rwxr-xr-xsh/udpspeeder_client6
-rwxr-xr-xsh/udpspeeder_server3
11 files changed, 421 insertions, 0 deletions
diff --git a/configs/configs_root_dir/etc/nftables_phantun_wg_client.conf b/configs/configs_root_dir/etc/nftables_phantun_wg_client.conf
new file mode 100644
index 0000000..d42be47
--- /dev/null
+++ b/configs/configs_root_dir/etc/nftables_phantun_wg_client.conf
@@ -0,0 +1,66 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# some codes from https://wiki.archlinux.org/title/Nftables
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+table inet my_table {
+
+	chain my_input {
+		type filter hook input priority filter
+		policy drop
+
+		ct state invalid drop comment "early drop of invalid connections"
+		ct state {established, related} accept comment "allow tracked connections"
+		iifname lo accept comment "allow from loopback"
+		ip protocol icmp accept
+		meta l4proto ipv6-icmp accept
+
+		#tcp dport ssh accept
+		#tcp dport qbt-nox accept
+		#tcp dport searx accept
+		tcp dport qrcp accept
+		udp dport mdns accept
+		tcp dport qbt accept
+		udp dport qbt accept
+		tcp dport monerod-p2p accept
+		#tcp dport iperf3 accept
+		#udp dport wireguard accept
+
+		# insp to ia udp2raw wireguard
+		#ip saddr 89.213.174.92 tcp sport 60711 drop
+
+		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+		counter comment "count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter
+		policy drop
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+		# next two lines are needed for phantun
+		iifname pt0 accept
+		oifname pt0 accept
+	}
+
+	chain my_output {
+		type filter hook output priority filter
+		policy accept
+		# Accept every outbound connection
+	}
+}
+
+table inet nat {
+	# needed for phantun https://github.com/dndx/phantun
+	# note here is postrouting not prerouting, server side phantun config is prerouting instead
+	chain postrouting {
+		type nat hook postrouting priority srcnat
+		policy accept
+		iifname pt0 oif enp3s0 masquerade
+		iifname pt0 oif wlp2s0 masquerade
+	}
+}
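Review bot: The forward rules `iifname pt0 accept` / `oifname pt0 accept` (lines 75–76) accept every new flow in both directions through the phantun interface, while the comment two lines above them still says "We do not forward", which they contradict. On a client only the outbound direction needs to open new flows, so `ct state {established, related} accept` as the first forward rule followed by just `iifname pt0 accept` covers replies without accepting new inbound flows toward pt0, assuming the peer never initiates traffic toward this host. The NAT chain also hard-codes `enp3s0`/`wlp2s0` (lines 92–93) where the server config introduces `define pub_iface`; using the same `define` style here would keep the two files consistent and make the interface change a one-line edit.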
diff --git a/configs/configs_root_dir/etc/nftables_phantun_wg_server.conf b/configs/configs_root_dir/etc/nftables_phantun_wg_server.conf
new file mode 100644
index 0000000..4c7d084
--- /dev/null
+++ b/configs/configs_root_dir/etc/nftables_phantun_wg_server.conf
@@ -0,0 +1,87 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# references, some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+define pub_iface = "eth0"
+define wg_iface = "wg0"
+
+table inet my_table {
+
+	chain my_input {
+		type filter hook input priority filter
+		policy drop
+
+		ct state invalid drop comment "early drop of invalid connections"
+		ct state {established, related} accept comment "allow tracked connections"
+		iifname lo accept comment "allow from loopback"
+		iifname $wg_iface accept comment "allow from wireguard"
+		ip protocol icmp accept
+		meta l4proto ipv6-icmp accept
+
+		tcp dport ssh accept
+		#tcp dport qbt-nox accept
+		tcp dport qbt accept
+		udp dport qbt accept
+		#tcp dport iperf3 accept
+		udp dport wireguard accept
+		#tcp dport 60711 accept
+		tcp dport 59083 accept
+
+		# insp to ia udp2raw wireguard, not sure if needed
+		#ip daddr 89.213.174.92 tcp dport 60711 drop
+
+		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+		counter comment "count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter
+		policy drop
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+
+		# needed for wireguard?
+		#iifname $wg_iface oifname $pub_iface accept
+		#iifname $pub_iface oifname $wg_iface accept
+		iifname $wg_iface accept
+		oifname $wg_iface accept
+		# needed for phantun
+		iifname pt0 accept
+		oifname pt0 accept
+	}
+
+	chain my_output {
+		type filter hook output priority filter
+		policy accept
+		# Accept every outbound connection
+	}
+}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+	# needed for phantun
+	# note here is prerouting not postrouting, client side phantun config is postrouting instead
+	chain prerouting {
+		type nat hook prerouting priority dstnat
+		policy accept
+		iif $pub_iface tcp dport 59083 dnat ip to 10.0.2.2
+		iif $pub_iface tcp dport 59083 dnat ip6 to fdc9:281f:04d7:9eeb::2
+	}
+	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+	chain postrouting {
+		type nat hook postrouting priority 100
+		policy accept
+		oifname $pub_iface masquerade
+	}
+}
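Review bot: In my_forward, `oifname $wg_iface accept` (line 156) and `oifname pt0 accept` (line 159) accept new flows from any interface into the tunnels, not only replies; on a server the public side only needs to return traffic, so `ct state {established, related} accept` as the first forward rule plus the two `iifname` rules would cover replies without accepting new inbound flows toward the tunnel peers, unless something on the public side is meant to initiate into the VPN. The commented-out pair at lines 153–154 was already the tighter, direction-specific form. The open question in the comment at line 170 has a definite answer worth recording: in an `inet` table `masquerade` applies to both IPv4 and IPv6 packets, whereas `ip` and `ip6` tables each cover one family — e.g. `# inet family: this masquerade covers both IPv4 and IPv6`.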
diff --git a/configs/configs_root_dir/etc/nftables_udp2raw_wg_client.conf b/configs/configs_root_dir/etc/nftables_udp2raw_wg_client.conf
new file mode 100644
index 0000000..9f5781c
--- /dev/null
+++ b/configs/configs_root_dir/etc/nftables_udp2raw_wg_client.conf
@@ -0,0 +1,66 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# some codes from https://wiki.archlinux.org/title/Nftables
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+table inet my_table {
+
+	chain my_input {
+		type filter hook input priority filter
+		policy drop
+
+		ct state invalid drop comment "early drop of invalid connections"
+		ct state {established, related} accept comment "allow tracked connections"
+		iifname lo accept comment "allow from loopback"
+		ip protocol icmp accept
+		meta l4proto ipv6-icmp accept
+
+		#tcp dport ssh accept
+		#tcp dport qbt-nox accept
+		#tcp dport searx accept
+		tcp dport qrcp accept
+		udp dport mdns accept
+		tcp dport qbt accept
+		udp dport qbt accept
+		tcp dport monerod-p2p accept
+		#tcp dport iperf3 accept
+		#udp dport wireguard accept
+
+		# insp to ia udp2raw wireguard
+		ip saddr 89.213.174.92 tcp sport 60711 drop
+
+		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+		counter comment "count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter
+		policy drop
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+		# next two lines are needed for phantun
+		#iifname pt0 accept
+		#oifname pt0 accept
+	}
+
+	chain my_output {
+		type filter hook output priority filter
+		policy accept
+		# Accept every outbound connection
+	}
+}
+
+#table inet nat {
+#	# needed for phantun https://github.com/dndx/phantun
+#	# note here is postrouting not prerouting, server side phantun config is prerouting instead
+#	chain postrouting {
+#		type nat hook postrouting priority srcnat
+#		policy accept
+#		iifname pt0 oif enp3s0 masquerade
+#		iifname pt0 oif wlp2s0 masquerade
+#	}
+#}
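Review bot: The rule `ip saddr 89.213.174.92 tcp sport 60711 drop` (line 229) exists to stop the kernel's TCP stack from answering udp2raw's faketcp segments, but it sits after `ct state {established, related} accept` (line 212); if conntrack classifies the faked handshake as an established flow, those packets are accepted before the drop is reached and the kernel may answer with RST. udp2raw's own instructions insert this rule at the head of the input chain, so moving line 229 directly above line 211 matches that intent and the comment at line 228 could say why: `# must precede the ct state accept so the kernel never sees faketcp segments`. The server config has the same ordering issue at line 306, where the drop is additionally shadowed by an explicit accept.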
diff --git a/configs/configs_root_dir/etc/nftables_udp2raw_wg_server.conf b/configs/configs_root_dir/etc/nftables_udp2raw_wg_server.conf
new file mode 100644
index 0000000..c229f67
--- /dev/null
+++ b/configs/configs_root_dir/etc/nftables_udp2raw_wg_server.conf
@@ -0,0 +1,86 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# references, some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+define pub_iface = "eth0"
+define wg_iface = "wg0"
+
+table inet my_table {
+
+	chain my_input {
+		type filter hook input priority filter
+		policy drop
+
+		ct state invalid drop comment "early drop of invalid connections"
+		ct state {established, related} accept comment "allow tracked connections"
+		iifname lo accept comment "allow from loopback"
+		iifname $wg_iface accept comment "allow from wireguard"
+		ip protocol icmp accept
+		meta l4proto ipv6-icmp accept
+
+		tcp dport ssh accept
+		#tcp dport qbt-nox accept
+		tcp dport qbt accept
+		udp dport qbt accept
+		#tcp dport iperf3 accept
+		udp dport wireguard accept
+		tcp dport 60711 accept
+		#tcp dport 59083 accept
+
+		# insp to ia udp2raw wireguard, not sure if needed
+		ip daddr 89.213.174.92 tcp dport 60711 drop
+
+		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+		counter comment "count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter
+		policy drop
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+
+		# needed for wireguard?
+		#iifname $wg_iface oifname $pub_iface accept
+		#iifname $pub_iface oifname $wg_iface accept
+		iifname $wg_iface accept
+		oifname $wg_iface accept
+		#iifname pt0 accept
+		#oifname pt0 accept
+	}
+
+	chain my_output {
+		type filter hook output priority filter
+		policy accept
+		# Accept every outbound connection
+	}
+}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+	# needed for phantun
+	# note here is prerouting not postrouting, client side phantun config is postrouting instead
+	#chain prerouting {
+	#	type nat hook prerouting priority dstnat
+	#	policy accept
+	#	iif $pub_iface tcp dport 59083 dnat ip to 10.0.2.2
+	#	iif $pub_iface tcp dport 59083 dnat ip6 to fdc9:281f:04d7:9eeb::2
+	#}
+	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+	chain postrouting {
+		type nat hook postrouting priority 100
+		policy accept
+		oifname $pub_iface masquerade
+	}
+}
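Review bot: `tcp dport 60711 accept` (line 302) and `ip daddr 89.213.174.92 tcp dport 60711 drop` (line 306) match the same packets, and since nft evaluates rules in order the drop is never reached — every faketcp segment is handed to the kernel TCP stack, which has no listener on 60711 and will answer with RST. For udp2raw's raw mode the drop is the rule that matters; as far as I can tell udp2raw reads its faketcp packets with a packet socket below the netfilter input hook, so the drop does not starve it. Removing line 302 and moving line 306 above the `ct state` accept at line 290 would settle the "not sure if needed" comment at line 305.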
diff --git a/configs/configs_root_dir/etc/systemd/system/udp2raw@.service b/configs/configs_root_dir/etc/systemd/system/udp2raw@.service
new file mode 100644
index 0000000..3d457de
--- /dev/null
+++ b/configs/configs_root_dir/etc/systemd/system/udp2raw@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=UDP over TCP/ICMP/UDP tunnel
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/udp2raw --conf-file /etc/udp2raw/%i.conf
+# from arch pkg
+Restart=always
+RestartSec=30
+StartLimitBurst=10
+
+[Install]
+WantedBy=multi-user.target
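Review bot: `After=network-online.target` (line 361) only orders the unit; without `Wants=network-online.target` nothing pulls that target in, so udp2raw can start before the public address the server config binds with `-l` exists and then depend on the 30 s restart loop to recover. Add `Wants=network-online.target` next to it. `StartLimitBurst=` (line 368) belongs in `[Unit]` in current systemd; the `[Service]` placement is still read for compatibility but is the legacy location. The unit also runs udp2raw as root with no sandboxing; it needs raw-socket capabilities (CAP_NET_RAW, plus CAP_NET_ADMIN if it manages firewall rules itself), so an unprivileged `User=` with `AmbientCapabilities=` is the smaller surface, if the binary tolerates it.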
diff --git a/configs/configs_root_dir/etc/udp2raw/client.conf b/configs/configs_root_dir/etc/udp2raw/client.conf
new file mode 100644
index 0000000..82a67f6
--- /dev/null
+++ b/configs/configs_root_dir/etc/udp2raw/client.conf
@@ -0,0 +1,30 @@
+# Basically this file is the equivalent to splitting the command line options into multiple lines
+# Each line should contain an option
+
+# https://www.procustodibus.com/blog/2022/02/wireguard-over-tcp/
+
+# client
+-c
+# works
+#--raw-mode icmp
+#--raw-mode easy-faketcp
+# default not working at home, works at school
+#--raw-mode faketcp
+# Or use -s if you use it on server side
+# Define local address
+-l 127.0.0.1:60711
+# Define remote address
+-r 89.213.174.92:60711
+# I use --cipher-mode none so maybe no need a password
+# if later on I want to encrypt, need to change this file's mode bit to 600 and switch to cfg -s add this file
+# can be generated with `wg genpsk`
+#-k <password>
+
+# https://discord.com/channels/1100649526232092692/1100760493423083560/1270466158730018836
+--cipher-mode none
+--auth-mode none
+# following two not sure if useful
+--fix-gro
+--seq-mode 0
+
+#--log-level 5
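Review bot: `--cipher-mode none` / `--auth-mode none` (lines 401–402) disable udp2raw's own encryption and packet authentication, and the comment at line 395 frames this only as whether `-k` is needed; the consequence worth recording is that any host able to reach the server port can inject packets the udp2raw layer will relay to WireGuard, so WireGuard's handshake authentication becomes the only integrity check and unauthenticated junk still costs CPU on the server. A comment such as `# no tunnel-level auth: WireGuard authenticates the inner payload; udp2raw itself relays anything` would make the trade-off explicit. Both this file and server.conf are added with mode 0644 (file headers), so the line-396 plan to add `-k` later does need the mode change first; the same comment block appears in server.conf at lines 430–433.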
diff --git a/configs/configs_root_dir/etc/udp2raw/server.conf b/configs/configs_root_dir/etc/udp2raw/server.conf
new file mode 100644
index 0000000..aff3bc8
--- /dev/null
+++ b/configs/configs_root_dir/etc/udp2raw/server.conf
@@ -0,0 +1,29 @@
+# Basically this file is the equivalent to splitting the command line options into multiple lines
+# Each line should contain an option
+
+# server
+-s
+# works
+#--raw-mode icmp
+#--raw-mode easy-faketcp
+# default not working at home, works at school
+#--raw-mode faketcp
+# -l not sure which ip; test shows 127.0.0.1 not working, or maybe need change nftables.conf
+-l 89.213.174.92:60711
+# without udpspeeder
+-r 127.0.0.1:49432
+# with udpspeeder
+#-r 127.0.0.1:53365
+# I use --cipher-mode none so maybe no need a password
+# if later on I want to encrypt, need to change this file's mode bit to 600 and switch to cfg -s add this file
+# can be generated with `wg genpsk`
+#-k <password>
+
+# https://discord.com/channels/1100649526232092692/1100760493423083560/1270466158730018836
+--cipher-mode none
+--auth-mode none
+# following two not sure if useful
+--fix-gro
+--seq-mode 0
+
+#--log-level 5
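Review bot: The comment at line 424 records that `-l 127.0.0.1:60711` did not work without saying why, and the likely reason is not an nftables problem: in raw/faketcp mode udp2raw presumably captures and emits segments on the interface that owns the `-l` address, so a loopback address can never see the client's packets arriving on the public interface — confirm against udp2raw's docs. Suggested replacement for line 424: `# -l must be the public address udp2raw sniffs on; 127.0.0.1 cannot receive the client's faketcp segments`. The public IP is also repeated in nftables_udp2raw_wg_server.conf (line 306) and in the client files, so a note naming the places that must change together would help.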
diff --git a/sh/phantun_wg_client b/sh/phantun_wg_client
new file mode 100755
index 0000000..3c9369c
--- /dev/null
+++ b/sh/phantun_wg_client
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# more see vc notes
+
+sudo env RUST_LOG=info phantun-client --local 127.0.0.1:59083 --remote 89.213.174.92:59083 --tun-local 10.0.1.1 --tun-peer 10.0.1.2 --tun-local6 fdc9:281f:04d7:9eea::1 --tun-peer6 fdc9:281f:04d7:9eea::2 --tun pt0
+# ipv6
+#sudo env RUST_LOG=info phantun-client --local [::1]:59083 --remote [2a0f:9400:7e11:bce7::1]:59083 --tun-local 10.0.1.1 --tun-peer 10.0.1.2 --tun-local6 fdc9:281f:04d7:9eea::1 --tun-peer6 fdc9:281f:04d7:9eea::2 --tun pt0
+
+# try single cpu
+#sudo env RUST_LOG=info firejail --noprofile --cpu=0 phantun-client --local 127.0.0.1:59083 --remote 89.213.174.92:59083 --tun-local 10.0.1.1 --tun-peer 10.0.1.2 --tun-local6 fdc9:281f:04d7:9eea::1 --tun-peer6 fdc9:281f:04d7:9eea::2 --tun pt0
+
+# old
+#sudo env RUST_LOG=info phantun-client --local 127.0.0.1:59083 --remote ia.flylightning.xyz:59083
+#sudo env RUST_LOG=info phantun-client --local 127.0.0.1:59083 --remote 89.213.174.92:59083
+#sudo env RUST_LOG=info phantun-client --local 127.0.0.1:59083 --remote 89.213.174.92:59083 --tun-local 10.0.1.1 --tun-peer 10.0.1.2 --tun-local6 fdc9:281f:04d7:9eea::1 --tun-peer6 fdc9:281f:04d7:9eea::2
+
+# RUST_LOG=debug
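Review bot: The only explanation is `# more see vc notes` (line 451), which points outside the repository, while the invariants a reader needs are all in this tree: `--local 127.0.0.1:59083` must equal the WireGuard peer endpoint, `--remote 89.213.174.92:59083` must match the server's `tcp dport 59083` rules, and `--tun pt0` is the interface the pt0 forward and masquerade rules in nftables_phantun_wg_client.conf expect. A three-line header comment stating those couplings would replace the external reference. Running the whole process under `sudo` is also broader than needed — phantun only needs CAP_NET_ADMIN to create the TUN device, so a file capability on the binary and an unprivileged run is the smaller surface if that fits how it is installed; the same applies to sh/phantun_wg_server (line 477).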
diff --git a/sh/phantun_wg_server b/sh/phantun_wg_server
new file mode 100755
index 0000000..b0693a5
--- /dev/null
+++ b/sh/phantun_wg_server
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# more see vc notes
+
+# without udpspeeder
+sudo env RUST_LOG=info phantun-server --local 59083 --remote 127.0.0.1:49432 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2 --tun pt0
+# ipv6
+#sudo env RUST_LOG=info phantun-server --local 59083 --remote [::1]:49432 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2 --tun pt0
+
+# old
+#sudo env RUST_LOG=info phantun-server --local 59083 --remote 127.0.0.1:49432
+#sudo env RUST_LOG=info phantun-server --local 59083 --remote 127.0.0.1:49432 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2
+
+# try with udpspeeder
+#sudo env RUST_LOG=info phantun-server --local 59083 --remote 127.0.0.1:53365 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2 --tun pt0
+
+# try with swgp
+#sudo env RUST_LOG=info phantun-server --local 59083 --remote 127.0.0.1:54637 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2 --tun pt0
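Review bot: `--tun-peer 10.0.2.2` and `--tun-peer6 fdc9:281f:04d7:9eeb::2` (line 477) must match the DNAT targets at lines 178–179 of nftables_phantun_wg_server.conf, and `--local 59083` the `tcp dport 59083` rules there, yet nothing in this script says so; a change on either side silently breaks the tunnel. Suggested header comment: `# tun peer addresses and port 59083 must match the dnat rules in /etc/nftables_phantun_wg_server.conf`. `--remote 127.0.0.1:49432` likewise has to equal the WireGuard listen port, which is not visible in this commit, so the same comment should name it.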
diff --git a/sh/udpspeeder_client b/sh/udpspeeder_client
new file mode 100755
index 0000000..d192efe
--- /dev/null
+++ b/sh/udpspeeder_client
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# udp2raw, client
+sudo speederv2 -c -l 127.0.0.1:53365 -r 127.0.0.1:60711
+# phantun, client
+#sudo speederv2 -c -l 127.0.0.1:53365 -r 127.0.0.1:59083
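Review bot: `sudo` on line 499 runs speederv2 as root although, as far as this script shows, it only opens UDP sockets on loopback ports (53365 and 60711), which need no privilege; dropping `sudo` here and in sh/udpspeeder_server (line 510) removes a root-run process at no cost, unless the binary has a requirement not visible here. The script also passes no FEC parameters, so speederv2's defaults apply; a one-line comment saying that is intentional would stop a reader from assuming they were forgotten.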
diff --git a/sh/udpspeeder_server b/sh/udpspeeder_server
new file mode 100755
index 0000000..08dc93b
--- /dev/null
+++ b/sh/udpspeeder_server
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+sudo speederv2 -s -l 127.0.0.1:53365 -r 127.0.0.1:49432