Added Wireguard option for VPN

2025-11-20 08:40:23 -05:00 · 2025-11-20 08:40:23 -05:00 · a29c79c1a6
parent 7d8bb3490a
commit a29c79c1a6
3 changed files with 140 additions and 7 deletions
--- a/firewall/nftables.conf.example
+++ b/firewall/nftables.conf.example
@ -2,7 +2,7 @@
 #
 # Example nftables config for:
 # - Public web ports (80/443) via Traefik
-# - SSH + AI services accessible ONLY over ZeroTier (zt+)
+# - SSH + AI services accessible ONLY over ZeroTier (zt+) or Wireguard
 # - Default deny for everything else

 flush ruleset
@ -12,6 +12,7 @@ flush ruleset
 #
 define wan_if      = "eno1"   # WAN interface (optional use; mainly for clarity)
 define vpn_if_pref = "zt+"    # ZeroTier interfaces start with "zt"
+define wg_if       = "wg0"
 # define lan_if    = "br0"    # If you later want LAN-specific rules


@ -21,8 +22,8 @@ table inet filter {
  # Named sets for ports
  #

-  # Ports allowed *only* over ZeroTier (VPN) interface(s)
-  set zt_tcp_ports {
+  # Ports allowed *only* over ZeroTier|Wireguard (VPN) interface(s)
+  set vpn_tcp_ports {
    type inet_service
    comment "SSH + AI services via ZeroTier only"
    elements = {
@ -31,19 +32,29 @@ table inet filter {
      8000,        # vLLM or similar
      8080-8089,   # Llamafile, Sandbox UIs, etc. (range example)
      8501,        # Sandbox Fusion / Streamlit-style
-      11434        # Ollama
+      11434,       # Ollama
+      21114-21119  # RustDesk server TCP ports
+    }
+  }
+
+  set vpn_udp_ports {
+    type inet_service
+    flags interval
+    comment "RustDesk UDP via ZeroTier|Wireguard only"
+    elements = {
+      21116
    }
  }

  # Ports allowed on WAN (public Internet)
+  #   Add mail etc. to 'elements' if you ever expose them:
+  #   25, 465, 587, 993 # SMTP
  set wan_tcp_ports {
    type inet_service
    comment "Public-facing services (Traefik, etc.)"
    elements = {
      80,          # HTTP (redirect to HTTPS)
      443          # HTTPS
-      # Add mail etc. here if you ever expose them:
-      # 25, 465, 587, 993
    }
  }

@ -71,7 +82,17 @@ table inet filter {
    # --- ZeroTier-only services (SSH + AI stack) ---
    # Any TCP port in @zt_tcp_ports is allowed only when coming
    # from an interface whose name starts with "zt".
-    iifname $vpn_if_pref tcp dport @zt_tcp_ports accept
+    iifname $vpn_if_pref tcp dport @vpn_tcp_ports accept
+    iifname $vpn_if_pref udp dport @vpn_udp_ports accept
+
+    # WireGuard listener on WAN
+    iifname $wan_if udp dport $wg_port accept
+
+    # Private services via WireGuard OR ZeroTier
+    iifname $wg_if   tcp dport @vpn_tcp_ports accept
+    iifname $zt_if_pref tcp dport @vpn_tcp_ports accept
+    iifname $wg_if   udp dport @vpn_udp_ports accept
+    iifname $zt_if_pref udp dport @vpn_udp_ports accept

    # --- Public web (Traefik) ---
    # Allow HTTP/HTTPS on any interface (typically WAN),
--- a/firewall/nftables.wireguard.conf.example
+++ b/firewall/nftables.wireguard.conf.example
@ -0,0 +1,85 @@
+#!/usr/sbin/nft -f
+#
+# nftables-wireguard.conf.example
+#
+# Example nftables config for:
+# - Traefik on 80/443 (public web)
+# - WireGuard VPN on UDP 51820
+# - Private services only accessible via WireGuard (interface wg0)
+#
+# Copy to /etc/nftables.conf and adjust interface names and port sets.
+
+flush ruleset
+
+# Adjust to your actual interfaces
+define wan_if    = "eno1"    # WAN interface name
+define wg_if     = "wg0"     # WireGuard interface name
+define wg_port   = 51820     # WireGuard UDP port
+
+table inet filter {
+
+  #
+  # Sets of ports
+  #
+
+  # Public web ports (Traefik)
+  set wan_tcp_ports {
+    type inet_service
+    comment "Public-facing web ports"
+    elements = {
+      80,
+      443
+    }
+  }
+
+  # Private TCP services accessible only via WireGuard
+  set wg_tcp_ports {
+    type inet_service
+    flags interval
+    comment "Private services (AI stack, etc.) over WireGuard only"
+    elements = {
+      22,          # SSH
+      7860,        # Stable Diffusion
+      8000,        # vLLM or similar
+      8080-8089,   # Llamafile / sandbox UIs
+      8501,        # Sandbox Fusion / Streamlit
+      11434        # Ollama
+    }
+  }
+
+  chain input {
+    type filter hook input priority 0;
+    policy drop;
+
+    # Loopback
+    iifname "lo" accept
+
+    # Established/related
+    ct state established,related accept
+
+    # ICMP (ping, etc.)
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # WireGuard VPN – allow incoming tunnel on WAN
+    iifname $wan_if udp dport $wg_port accept comment "WireGuard VPN listen"
+
+    # Private services only over WireGuard interface
+    iifname $wg_if tcp dport @wg_tcp_ports accept
+
+    # Public web
+    # If you want to restrict 80/443 strictly to WAN:
+    # iifname $wan_if tcp dport @wan_tcp_ports accept
+    tcp dport @wan_tcp_ports accept
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+    policy drop;
+  }
+
+  chain output {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}
--- a/wireguard/wg0.conf.example
+++ b/wireguard/wg0.conf.example
@ -0,0 +1,27 @@
+# wireguard/wg0.conf.example
+#
+# Example WireGuard server configuration for VHostLoom host
+# Copy to /etc/wireguard/wg0.conf and replace placeholders.
+
+[Interface]
+# Address inside the VPN (server side)
+Address = 10.20.0.1/24
+
+# WireGuard listens on UDP 51820 by default (change if you like)
+ListenPort = 51820
+
+# Server private key (generate with: wg genkey)
+PrivateKey = <SERVER_PRIVATE_KEY>
+
+# Optional: enable routing on Linux (also set sysctl)
+# PostUp   = sysctl -w net.ipv4.ip_forward=1
+# PostDown = sysctl -w net.ipv4.ip_forward=0
+
+# Example peer (your laptop, desktop, etc.)
+[Peer]
+# Peer public key (from: wg genkey | tee peer.key | wg pubkey)
+PublicKey = <CLIENT_PUBLIC_KEY>
+
+# Allowed IPs for this peer inside VPN
+# Typically a single /32 address
+AllowedIPs = 10.20.0.2/32