Wireguard - Split Tunnel - Between Raspberry Pi and Firewalla Gold
In the spirit of open source, I wanted to post this here for anyone looking to have a Wireguard Site-to-Site tunnel set up between a Raspberry Pi and Firewalla Gold.
I had a situation in which I wanted to have my parents' network connected to mine (for troubleshooting and file sharing). I don't have the funds to buy them a Firewalla Purple/Gold and for what they do, I could not justify them spending any additional money. Plus I like to figure things out, and this was a challenge I wanted to complete. I had an old Raspberry Pi 2B lying around and wanted to set that up as the gateway. For anyone looking to do the same, here are the steps to do so.
***Notice: You must have two different networks set up for this. In other words, you cannot connect two networks with the same IP range. Ex: Pi network is 192.168.1.0/24 and FWG network is 192.168.1.0/24. They MUST be different***
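The notice above is easy to get wrong when a site uses a less obvious range (a /16 on one side, a /24 inside it on the other). The following is an added example, not part of the original post: a small shell check that refuses two overlapping LAN ranges before the tunnel is built. AllowedIPs and the static routes select the far side purely by destination prefix, so two sites on the same range cannot be told apart. The sample networks at the bottom are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): check that the two LANs to be
# joined by the tunnel do not overlap. Pure shell arithmetic, no external tools.

# ip4_to_int <dotted quad> -> 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps <a.b.c.d/len> <a.b.c.d/len>
# exit 0 if the two ranges share at least one address, 1 otherwise
cidr_overlaps() {
    local a_len="${1#*/}" b_len="${2#*/}" a b len mask
    a=$(ip4_to_int "${1%/*}")
    b=$(ip4_to_int "${2%/*}")
    # the shorter prefix is the larger network; the ranges overlap exactly
    # when both addresses agree on that many leading bits
    len=$(( a_len < b_len ? a_len : b_len ))
    mask=$(( ((1 << len) - 1) << (32 - len) ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_sites <Pi-side LAN> <Firewalla-side LAN>: refuse overlapping ranges
check_sites() {
    if cidr_overlaps "$1" "$2"; then
        echo "ERROR: $1 and $2 overlap; renumber one site before continuing" >&2
        return 1
    fi
    echo "OK: $1 and $2 are disjoint"
}

# constructed sample values; the real ranges come from the two routers
check_sites 192.168.1.0/24 192.168.1.0/24   # the case the notice warns about
check_sites 192.168.1.0/24 192.168.50.0/24  # disjoint, fine to join
```

Run it with the two LAN ranges before step 1; if it reports an overlap, renumber one of the sites first, because nothing later in the procedure can compensate for it.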
1) Create new Wireguard VPN Profile via Firewalla App. Download and save to computer.
RaspberryPi Setup:
2) SSH into Raspberry Pi with your favorite ssh program
3) switch to root or prepend sudo to every command
sudo su
4) Install Wireguard
apt-get update
apt-get install wireguard -y
5) Change directory to wireguard
cd /etc/wireguard
6) Create peer profile - Either upload via sftp client/terminal, or the easy way is to open the file on your computer and then paste it. I chose to copy/paste. Create a file in this directory and name it something meaningful; I named mine firewalla.conf. The file will look something like this ...
[Interface]
PrivateKey=<your private key from firewalla>
Address=10.189.134.75/32
DNS=10.189.134.1
MTU=1412
[Peer]
PublicKey=<public key from firewalla>
Endpoint=<ip/url to firewalla:port>
AllowedIPs=<comma separated list of subnets to route or put 0.0.0.0/0 to tunnel all traffic>
7) Before closing the document we need to add some rules. After the "MTU = 1412" line, we will add some PostUp and PostDown rules.
PostUp = iptables -t nat -A POSTROUTING -o %i -m comment --comment "Added via Firewalla Wireguard" -j MASQUERADE
PostUp = iptables -A FORWARD -i eth0 -o %i -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o %i -m comment --comment "Added via Firewalla Wireguard" -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o %i -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
This is telling Wireguard to insert these rules into iptables when the connection comes up, and remove them when it goes down. The first one says to MASQUERADE the source IP of anything going out via the '%i' interface. The '%i' will get replaced with whatever you named the file (in my case 'firewalla'). The second says to allow any traffic going from the eth0 port to the firewalla port. The third says to allow anything already established. The PostDown lines just reverse everything.
Once you are done the file should look something like this
[Interface]
PrivateKey=<your private key from firewalla>
Address=10.189.134.75/32
DNS=10.189.134.1
MTU=1412
PostUp = iptables -t nat -A POSTROUTING -o %i -m comment --comment "Added via Firewalla Wireguard" -j MASQUERADE
PostUp = iptables -A FORWARD -i eth0 -o %i -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o %i -m comment --comment "Added via Firewalla Wireguard" -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o %i -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o eth0 -m state --state RELATED,ESTABLISHED -m comment --comment "Added via Firewalla Wireguard" -j ACCEPT
[Peer]
PublicKey=<public key from firewalla>
Endpoint=<ip/url to firewalla:port>
AllowedIPs=<comma separated list of subnets to route or put 0.0.0.0/0 to tunnel all traffic>
8) Save and close the file
9) Allow the Raspberry Pi to forward packets. Edit the file /etc/sysctl.conf and find the line that says "net.ipv4.ip_forward=0". Change the 0 to a 1 (uncomment the line if it is commented out, i.e. remove the # at the beginning if there is one). Save and close that file.
10) Test the connection. (Replace 'firewalla' with whatever you named the file in /etc/wireguard)
wg-quick up firewalla
11) Ping a device on the firewalla side to test.
12) Make the connection persistent on reboot. (Replace 'firewalla' with whatever you named the file in /etc/wireguard)
systemctl enable wg-quick@firewalla
13) That is it. Wireguard should have placed an entry into your routing table (view it with the command `ip route`) for the subnet(s) you specified in the 'AllowedIPs' section.
*If you want all devices on the Pi side to access the Firewalla devices, you will have to place a static route in your router on the Pi side to direct all traffic destined for the Firewalla network to the Pi.* Otherwise you will have to add the route to the routing table of each computer that should access the Firewalla devices.
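Steps 7, 9 and 10 each change the kernel state the Pi needs to act as a gateway, and a ping in step 11 only tells you whether the sum of them worked. The script below is an added example, not part of the original post: it checks the three pieces separately, given the interface name you used for the config file (the value wg-quick substitutes for %i) and eth0 as the LAN interface, as in the post. The checks take the rule text as arguments so they can be run offline against saved or constructed `iptables -S` output; when run as root on the Pi they read the live tables. Note that the ip_forward check reads the running value with `sysctl -n`, which only reflects the edit to /etc/sysctl.conf after `sysctl -p` or a reboot.

```shell
#!/bin/bash
# Added example (not from the original post): confirm the Pi really is a gateway
# after `wg-quick up <name>`: IP forwarding is on and the three PostUp rules exist.
LAN_IF=eth0                             # the Pi's LAN interface, as in the post
TAG="Added via Firewalla Wireguard"     # comment the post attaches to every rule

# rule_present <rules text> <fragment1> <fragment2> <fragment3>
# true if a single line of <rules text> contains all three literal fragments
rule_present() {
    printf '%s\n' "$1" | grep -F -- "$2" | grep -F -- "$3" | grep -qF -- "$4"
}

# check_gateway <nat POSTROUTING rules> <filter FORWARD rules> <ip_forward value> <wg iface>
# exit 0 when everything the config was supposed to install is in place,
# otherwise print what is missing and exit 1
check_gateway() {
    local nat="$1" fwd="$2" forward="$3" wgif="$4" missing=0
    [ "$forward" = "1" ] \
        || { echo "net.ipv4.ip_forward is '$forward', expected 1"; missing=1; }
    rule_present "$nat" "-o $wgif " "-j MASQUERADE" "$TAG" \
        || { echo "missing nat MASQUERADE rule for -o $wgif"; missing=1; }
    rule_present "$fwd" "-i $LAN_IF -o $wgif " "-j ACCEPT" "$TAG" \
        || { echo "missing FORWARD $LAN_IF -> $wgif ACCEPT rule"; missing=1; }
    rule_present "$fwd" "-i $wgif -o $LAN_IF " "RELATED,ESTABLISHED" "-j ACCEPT" \
        || { echo "missing FORWARD $wgif -> $LAN_IF RELATED,ESTABLISHED rule"; missing=1; }
    return $missing
}

# Live run on the Pi (needs root and iptables):  sudo ./check_gateway.sh firewalla
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    WG_IF=${1:-firewalla}
    check_gateway "$(iptables -t nat -S POSTROUTING)" "$(iptables -S FORWARD)" \
                  "$(sysctl -n net.ipv4.ip_forward)" "$WG_IF" \
        && echo "gateway OK for $WG_IF"
fi
```

The fragments are matched as substrings on purpose: older and newer iptables print the state match differently (`-m state --state` versus `-m conntrack --ctstate`), but both contain `RELATED,ESTABLISHED`, and the trailing space after the interface name keeps `firewalla` from matching a `firewalla2` interface.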
Firewalla Setup
14) I like to have a folder in the /home/pi directory that I create any scripts in and then link them to the post_main.d folder. Makes it easier on me to edit if I need to. You can skip this step if you want.
mkdir my_scripts
cd my_scripts
15) We will need to tell firewalla where to route the traffic for the raspberry pi clients. Create a file and name it something meaningful. This was for my parents house, so I named it wg_st_parents.sh
16) Here is my script. You will need to make some modifications to it, to fit your need.
#!/bin/bash
# This will add all the required changes to allow access to Parents House via site to site
# VPN tunnel with Wireguard
#add the route to the routing table
sudo ip route add <Pi subnet> dev wg0 table lan_routable
#Add the subnet to Wireguard for the client
sudo wg set wg0 peer <public key of peer set up for Pi> allowed-ips 10.189.134.75/32,<Pi subnet/24>
Script explanation:
The first command 'sudo ip route add <subnet> dev wg0 table lan_routable' will tell firewalla where to direct the traffic. Replace <subnet> with the subnet of the Raspberry Pi. For example, if the Pi has an IP address of 192.168.1.10 and you want to route all traffic for 1.x, then replace <subnet> with 192.168.1.0/24, so the command would look like this: 'sudo ip route add 192.168.1.0/24 dev wg0 table lan_routable'
The second command will adjust the server config for the client to allow that same subnet to go through the tunnel. Make sure to replace <public key of peer set up for Pi> with the Public Key of the connection for the Pi. The command will look like this:
sudo wg set wg0 peer <public key> allowed-ips <ip wg peer>,192.168.1.0/24
The <ip wg peer> is the IP address Firewalla assigned during the client setup in the app. You can get the public key and the IP address of the peer by issuing the command 'sudo wg show' and looking for the client in the list.
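Two details of the step 16 script bite when it is run more than once (for example after editing it and re-running, then again at boot from post_main.d): `ip route add` fails with "File exists" if the route is already there, and `wg set ... allowed-ips` replaces the peer's entire list, which is why the post has to repeat the peer's own tunnel address on that line. The script below is an added example, not the original poster's script: it uses `ip route replace`, reads the peer's current allowed-ips from `wg show wg0 allowed-ips` (one line per peer: public key, a tab, then space-separated prefixes) and appends the Pi LAN only if missing. The key and subnet at the top are placeholders to fill in from `sudo wg show`; the function only touches the live system when run as root with the placeholders replaced.

```shell
#!/bin/bash
# Added example, not the original poster's script: a re-runnable version of the
# step 16 post_main.d script. The key and subnet are placeholders.
WG_IF=wg0
ROUTE_TABLE=lan_routable
PI_PEER_KEY="<public key of peer set up for Pi>"   # placeholder: from `sudo wg show`
PI_SUBNET="192.168.1.0/24"                          # placeholder: the Pi-side LAN

# merged_allowed_ips <output of 'wg show IF allowed-ips'> <peer key> <subnet>
# Prints the peer's current allowed-ips plus <subnet>, comma-separated, with no
# duplicates, in the form `wg set` expects. Returns 1 and prints nothing when the
# key is not in the output, so a typo in the key cannot wipe another peer's list.
merged_allowed_ips() {
    local dump="$1" key="$2" subnet="$3" line k ip out found
    while IFS= read -r line; do
        k=${line%%[[:space:]]*}                # first field: the peer's public key
        [ "$k" = "$key" ] || continue
        out="" found=0
        for ip in ${line#*[[:space:]]}; do     # rest: space-separated allowed-ips
            [ "$ip" = "(none)" ] && continue
            [ "$ip" = "$subnet" ] && found=1
            out="${out:+$out,}$ip"
        done
        [ "$found" -eq 1 ] || out="${out:+$out,}$subnet"
        printf '%s\n' "$out"
        return 0
    done <<EOF
$dump
EOF
    return 1
}

# apply_site_route: the two commands from the post, made safe to repeat
apply_site_route() {
    # replace rather than add, so a second run does not fail with "File exists"
    ip route replace "$PI_SUBNET" dev "$WG_IF" table "$ROUTE_TABLE" || return 1
    local list
    list=$(merged_allowed_ips "$(wg show "$WG_IF" allowed-ips)" "$PI_PEER_KEY" "$PI_SUBNET") \
        || { echo "peer $PI_PEER_KEY not found on $WG_IF" >&2; return 1; }
    wg set "$WG_IF" peer "$PI_PEER_KEY" allowed-ips "$list"
}

# Touch the live system only as root, with wg present and the placeholder
# replaced (post_main.d runs this as root at boot); otherwise just define functions.
case $PI_PEER_KEY in
    "<"*) ;;
    *) [ "$(id -u)" -eq 0 ] && command -v wg >/dev/null 2>&1 && apply_site_route ;;
esac
```

Because the merge keeps whatever the Firewalla app already assigned to the peer (the /32 from the client profile), there is no address to hard-code, and adding a second Pi-side subnet later is a matter of running the script again with a different PI_SUBNET.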
17) Save and close the file
18) Make the file executable
sudo chmod u+x <file_name>
19) Execute the file and test the connection
sudo ./<file_name>
20) You should now be able to ping a device on the Pi side. Test by Pinging the Pi gateway/router from your computer, not from the Firewalla Console
ping <ip of Pi Router>
21) Link the file to the post_main.d folder
sudo ln -s /home/pi/my_scripts/<file_name> /home/pi/.firewalla/config/post_main.d/<file_name>
If you did not create a folder in step 14, then you can move the file to the post_main.d folder
sudo mv <file_name> /home/pi/.firewalla/config/post_main.d/<file_name>
That is it. You should have a split tunnel set up between the two devices.
You can add rules in the Firewalla App to disallow specific traffic if you like, or if you know iptables, you can add those rules to the file in the post_main.d folder so they are inserted at reboot.
-
Where did you find the public key on your Firewalla? I have looked through all wireguard directories via SSH and cannot find it. I have another wireguard server in the cloud that I want to connect my firewalla at home to as a client and need the firewalla client public key to add the peer endpoint to my cloud WG.
-
I am trying to use the VPN Client 3rd party in the firewalla to connect to a cloud wireguard server. I don't see an option to download other than when adding VPN clients to the Firewalla wireguard VPN server. I need the firewalla publickey to be able to add it to the wg0.conf file on the cloud wireguard server as a peer.
-
So you are going from the cloud to your firewalla? That would be a client then... You would just add a new client and then download the profile, install on the cloud and connect (default is route ALL traffic through from client to firewalla, might have to adjust that if you want split-tunnel).
-
Wouldn't you generate everything you need on the server then (public/private keys), generate the config file, and then upload to the Firewalla? The Firewalla UI generates a conf file with the client private key, and public key to allow the connection.
Quick google search got this site that walks through how to generate the private/public keys you would need on the server side of things.