@kyujin-cho
Created April 30, 2023 16:40
Building a VPN router with VyOS

Purpose

Tunnel traffic that originates in 192.168.0.0/24 and is destined for specific domains/regions through a WireGuard VPN instead of sending it via 192.168.0.1/32.

Setup

Network (AS-IS)

Local

  • Main NAT: 192.168.0.0/24 (UniFi)

Remote

  • Mullvad WireGuard

Hardware

  • Unifi Dream Machine PRO
    • 2 WAN Ports
  • Ubuntu Server
    • RJ-45 (eth0): Unplugged
    • SFP+ x1 (eth1): 192.168.0.100/32

Traffic flow (TO-BE)

  • When device A in 192.168.0.0/24 accesses 1.1.1.1:
    1. A -> UniFi LAN
    2. UniFi LAN => De-NAT => UniFi WAN2 -> VyOS LAN1
    3. VyOS LAN1 => Encapsulate => VyOS WG1 => NAT => VyOS WAN1 -> UniFi LAN
    4. UniFi LAN => De-NAT => UniFi WAN1 -> Remote WireGuard server

Configuration

Installing the VPN router

  1. Create a new QEMU VM on the Ubuntu Server, exposing eth0 and eth1 to it as macvtap interfaces
  2. Install VyOS 1.4 in the QEMU VM

Upstream network for the VPN router

  1. Create a new network on the UniFi with the following settings:
  • Address Pool: 192.168.1.0/24
  • VLAN ID: 2

VPN router configuration

Basic configuration

  1. Apply the following configuration:
configure

# Default DNS server
set system name-server '192.168.1.1'
# Allow SSH access to VyOS
set service ssh port '22'

# WAN configuration
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 vif 2 address 'dhcp'
# LAN configuration
set interfaces ethernet eth1 address '192.168.2.1/24'
set interfaces ethernet eth1 description 'LAN'

# LAN NAT configuration
set nat source rule 100 outbound-interface 'eth0.2'
set nat source rule 100 source address '192.168.2.0/24'
set nat source rule 100 translation address 'masquerade'

# Firewall for Internet-facing traffic
set firewall interface eth0 in name 'OUTSIDE-IN'
set firewall interface eth0 local name 'OUTSIDE-LOCAL'
set firewall interface eth0.2 in name 'OUTSIDE-IN'
set firewall interface eth0.2 local name 'OUTSIDE-LOCAL'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

# Firewall rule for SSH traffic
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

commit
save
exit
  2. Run ifconfig inside VyOS and confirm that eth0 has been assigned an address in 192.168.1.0/24 via DHCP
  3. Connect the UniFi WAN2 port to the RJ-45 port of the Ubuntu Server
  4. Confirm that the UniFi WAN2 port has been assigned an address in 192.168.2.0/24 via DHCP
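The OUTSIDE-LOCAL chain above decides which packets may reach the router itself. As an added example (my own code, not part of the gist), the following toy evaluator models VyOS's first-match semantics for exactly the rules the page defines: rules 10 to 30 from the block above, plus rule 40 from the WireGuard section further down, with default-action drop. The packets at the bottom are constructed samples.

```python
"""Toy evaluator for the OUTSIDE-LOCAL chain (added example, not from the gist).

VyOS tries rules in ascending number order and the first match wins;
if nothing matches, default-action applies. Rules 10-30 are taken from
the basic configuration, rule 40 from the WireGuard section of the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # 'tcp', 'udp' or 'icmp'
    dport: Optional[int]            # destination port, None for ICMP
    state: str                      # conntrack state: new / established / related
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    states: frozenset               # conntrack states the rule is enabled for
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        # Every configured match criterion must hold; unset ones are wildcards.
        return (
            pkt.state in self.states
            and (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
            and (self.icmp_type is None or pkt.icmp_type == self.icmp_type)
        )


# The chain as configured on the page; rule 40 is added in the WireGuard section.
OUTSIDE_LOCAL = [
    Rule(10, "accept", frozenset({"established", "related"})),
    Rule(20, "accept", frozenset({"new"}), proto="icmp", icmp_type="echo-request"),
    Rule(30, "accept", frozenset({"new"}), proto="tcp", dport=22),
    Rule(40, "accept", frozenset({"established", "related"}),
         proto="udp", dport=51820, log=True),
]
DEFAULT_ACTION = "drop"


def evaluate(chain, pkt):
    """Return (action, number of the matching rule or None, whether it logged)."""
    for rule in sorted(chain, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number, rule.log
    return DEFAULT_ACTION, None, False


if __name__ == "__main__":
    samples = [  # constructed packets arriving on eth0.2, addressed to the router
        Packet("tcp", 22, "new"),
        Packet("tcp", 443, "new"),
        Packet("icmp", None, "new", icmp_type="echo-request"),
        Packet("udp", 51820, "new"),
        Packet("udp", 51820, "established"),
    ]
    for p in samples:
        print(p, "->", evaluate(OUTSIDE_LOCAL, p))
```

The last two samples make one property of the page's rule set visible: rule 40 as written never logs anything. A new inbound packet to UDP 51820 is dropped by default-action (rule 40 only enables established and related), and established/related replies are already accepted by rule 10 before rule 40 is reached. Since VyOS initiates the tunnel to the Mullvad peer, rule 10 is what actually admits the handshake replies.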

WireGuard peer configuration

configure

set interfaces wireguard wg1 address '<tunnel IP>'
set interfaces wireguard wg1 description '<description>'
set interfaces wireguard wg1 peer sjc address '<target WG server>'
set interfaces wireguard wg1 peer sjc port '51820'
set interfaces wireguard wg1 peer sjc allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer sjc public-key '<public key of the WG server>'
set interfaces wireguard wg1 port '51820'
set interfaces wireguard wg1 private-key '<private key issued by Mullvad>'

commit
save
exit

Routing LAN traffic through WireGuard

configure

# Routing table for traffic bound for WireGuard: send all of it out the wg1 interface
set protocols static table 100 route 0.0.0.0/0 interface wg1

# Source address group for traffic to be sent through WireGuard
set firewall group address-group WG_Client address 192.168.10.0-192.168.10.255

# Policy route for WireGuard-bound traffic
# Traffic entering on eth1 whose source is in WG_Client consults routing table 100
set policy route WG_Traffic interface 'eth1'
set policy route WG_Traffic rule 10 source group address-group WG_Client
set policy route WG_Traffic rule 10 set table '100'

# NAT on the wg1 interface
set nat source rule 20 outbound-interface 'wg1'
set nat source rule 20 source address '192.168.10.0/24'
set nat source rule 20 translation address 'masquerade'

# Firewall rule for WireGuard traffic
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 description 'WireGuard_IN'
set firewall name OUTSIDE-LOCAL rule 40 destination port '51820'
set firewall name OUTSIDE-LOCAL rule 40 log 'enable'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 source
set firewall name OUTSIDE-LOCAL rule 40 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 40 state related 'enable'

commit
save
exit
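The block above combines four pieces: the WG_Client address group, the WG_Traffic policy route on eth1, static table 100 with its default route via wg1, and the source-NAT rules. As an added example (my own code, not part of the gist), the model below walks a packet through those pieces with the page's own addresses, and adds one thing the page does not say: on Linux, when the table a policy rule points at holds no matching route, the lookup falls through to the main table. The DHCP default route on eth0.2, the assumption that the wg1 route is unusable while wg1 is down, and the optional blackhole entry used as a kill switch are all assumptions of the model, not configuration taken from the gist.

```python
"""Model of the page's policy-based routing (added example, not from the gist).

Pieces taken from the page: address group WG_Client, policy route WG_Traffic
on eth1, static table 100 with a default route via wg1, NAT rules 20 and 100.
Assumed: a DHCP default route in the main table via eth0.2, that a route via
a down interface is not usable, and an optional blackhole entry in table 100.
Modelled Linux behaviour: a miss in the policy table falls through to main.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# firewall group address-group WG_Client (range as on the page)
WG_CLIENT = (IPv4("192.168.10.0"), IPv4("192.168.10.255"))


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: Optional[str] = None   # None for a blackhole entry
    blackhole: bool = False


def tables(kill_switch: bool = False) -> dict:
    """main: assumed DHCP default via eth0.2; 100: the page's static default via wg1."""
    t100 = [Route(Net("0.0.0.0/0"), "wg1")]
    if kill_switch:  # assumed extra entry: discard instead of falling through
        t100.append(Route(Net("0.0.0.0/0"), blackhole=True))
    return {"main": [Route(Net("0.0.0.0/0"), "eth0.2")], 100: t100}


# nat source rules from the page: (rule number, outbound-interface, source address)
SNAT_RULES = [
    (20, "wg1", Net("192.168.10.0/24")),
    (100, "eth0.2", Net("192.168.2.0/24")),
]


def policy_table(in_if: str, src: IPv4):
    """policy route WG_Traffic: on eth1, sources in WG_Client use table 100."""
    if in_if == "eth1" and WG_CLIENT[0] <= src <= WG_CLIENT[1]:
        return 100
    return "main"


def lookup(routes, dst: IPv4, links_up: set) -> Optional[Route]:
    """Longest-prefix match. A route via a down interface is not usable; among
    equal prefixes an interface route is preferred to the blackhole fallback."""
    usable = [r for r in routes
              if dst in r.prefix and (r.blackhole or r.interface in links_up)]
    if not usable:
        return None
    return max(usable, key=lambda r: (r.prefix.prefixlen, not r.blackhole))


def forward(in_if, src, dst, links_up, kill_switch=False):
    """Return (egress interface or 'blackhole', matching SNAT rule or None)."""
    rt = tables(kill_switch)
    order = [policy_table(in_if, src)]
    if order[0] != "main":
        order.append("main")          # kernel fall-through when table 100 misses
    for name in order:
        r = lookup(rt[name], dst, links_up)
        if r is None:
            continue
        if r.blackhole:
            return "blackhole", None
        snat = next((n for n, oif, net in SNAT_RULES
                     if oif == r.interface and src in net), None)
        return r.interface, snat
    return "unroutable", None


if __name__ == "__main__":
    client, other, dst = IPv4("192.168.10.20"), IPv4("192.168.2.20"), IPv4("1.1.1.1")
    print("tunnel up, WG client :", forward("eth1", client, dst, {"eth0.2", "wg1"}))
    print("tunnel up, other host:", forward("eth1", other, dst, {"eth0.2", "wg1"}))
    print("tunnel down, no guard:", forward("eth1", client, dst, {"eth0.2"}))
    print("tunnel down, guarded :", forward("eth1", client, dst, {"eth0.2"}, True))
```

Two things worth reading off the output. First, only sources inside 192.168.10.0-192.168.10.255 are tunnelled; a host on the page's eth1 LAN (192.168.2.0/24) takes the ordinary eth0.2 path with NAT rule 100. Second, with wg1 down and nothing else in table 100, a WG_Client host falls through to eth0.2, and because NAT rule 100 only covers 192.168.2.0/24 it leaves with its private source address rather than through the tunnel; the blackhole entry in the model is one way to make that case fail closed, and VyOS static routes do offer a blackhole option, though the exact table-scoped syntax for 1.4 should be checked against the VyOS documentation rather than taken from here.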

UniFi configuration

  1. Network - Settings - Traffic Management - Routes - Create New Route
  2. Set the Target as appropriate, then set the Interface to WAN2
  3. Confirm that the route has been applied