192.168.0.0/24 에서 출발하여 특정 도메인/지역으로 향하는 트래픽을 192.168.0.1/32 대신 Wireguard VPN으로 터널
- Main NAT: 192.168.0.0/24 (UniFi)
- Mullvad Wireguard
- Unifi Dream Machine PRO
- 2 WAN Ports
- Ubuntu Server
- RJ-45 (eth0): Unplugged
- SFP+ x1 (eth1): 192.168.0.100/32
- 192.168.0.0/24 대역의 A 장치가 1.1.1.1로 접근할 경우
- A -> Unifi LAN
- Unifi LAN => De-NAT => Unifi WAN2 -> VyOS LAN1
- VyOS LAN1 => Policy Route(table 100) => NAT(wg1 masquerade, 내부 패킷) => WireGuard 캡슐화(Encapsulate) => VyOS WAN1(eth0.2) -> Unifi LAN
- Unifi LAN => De-NAT => Unifi WAN1 -> Remote Wireguard Server
- Ubuntu Server에 새 QEMU VM 생성, 이때 eth0과 eth1을 각각 macvtap으로 노출
- QEMU VM에 VyOS 1.4 설치
- Unifi에 다음과 같은 새 네트워크 설정
- Address Pool: 192.168.1.0/24
- VLAN ID: 2
- 다음과 같이 설정
configure
# Resolver for the router itself: the UniFi gateway on VLAN 2 (reached via eth0.2).
set system name-server '192.168.1.1'
# SSH management access.
# NOTE(review): password authentication stays enabled by default; once keys are installed,
# consider `set service ssh disable-password-authentication`.
set service ssh port '22'
# WAN side: untagged eth0 carries no address; the VLAN 2 sub-interface (eth0.2) obtains its
# address from the UniFi 192.168.1.0/24 pool via DHCP.
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 vif 2 address 'dhcp'
# LAN side: the link facing UniFi WAN2.
set interfaces ethernet eth1 address '192.168.2.1/24'
set interfaces ethernet eth1 description 'LAN'
# Masquerade LAN-originated traffic leaving toward UniFi on eth0.2.
set nat source rule 100 outbound-interface 'eth0.2'
set nat source rule 100 source address '192.168.2.0/24'
set nat source rule 100 translation address 'masquerade'
# WAN-side firewall: OUTSIDE-IN filters traffic forwarded in from eth0/eth0.2,
# OUTSIDE-LOCAL filters traffic addressed to VyOS itself. Both are bound to the
# untagged interface and to the VLAN sub-interface.
# NOTE(review): `set firewall interface ...` / `set firewall name ...` is the 1.3-era
# interface-based syntax; VyOS 1.4 releases restructured this under `firewall ipv4 ...`.
# Confirm these commands are accepted by the installed 1.4 build before relying on them.
set firewall interface eth0 in name 'OUTSIDE-IN'
set firewall interface eth0 local name 'OUTSIDE-LOCAL'
set firewall interface eth0.2 in name 'OUTSIDE-IN'
set firewall interface eth0.2 local name 'OUTSIDE-LOCAL'
# Forwarded traffic from the WAN side: drop everything except replies to outbound flows.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
# Traffic to VyOS itself: drop by default, allow replies and ICMP echo.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
# New SSH sessions from the WAN side, i.e. anything that can reach eth0.2 from the UniFi side.
# NOTE(review): there is no source restriction; if only specific management hosts need SSH,
# add a `source address` match to this rule.
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
commit
save
exit
- VyOS 내에서
ifconfig
시에 eth0에 192.168.1.0/24 대역의 IP가 DHCP로 부여되었음을 확인
- Unifi의 WAN2 포트와 Ubuntu Server의 RJ-45 포트를 연결 (확인 필요: 위 인터페이스 정리에서 RJ-45는 eth0이고, VyOS에서 eth0은 VLAN 2 DHCP 클라이언트(WAN)로, 192.168.2.1/24는 eth1(SFP+, LAN)에 설정되어 있음. 아래에서 WAN2가 192.168.2.0/24 주소를 받는다면 WAN2에 물리는 포트는 eth1 쪽이어야 하므로 어느 물리 포트인지 다시 확인)
- Unifi의 WAN2 포트에 192.168.2.0/24 대역의 IP가 DHCP로 부여되었음을 확인
configure
# Client-side WireGuard tunnel to the Mullvad server.
# NOTE(review): the private key below is a secret — anyone holding it can impersonate this
# peer toward Mullvad. Keep it out of shared notes and version control.
set interfaces wireguard wg1 address '<터널 IP>'
set interfaces wireguard wg1 description '<설명>'
# Remote endpoint (this side initiates the handshake).
set interfaces wireguard wg1 peer sjc address '<대상 WG 서버>'
set interfaces wireguard wg1 peer sjc port '51820'
# 0.0.0.0/0 allows any destination to be sent to this peer, which is required when wg1
# carries a default route; a given prefix can belong to only one peer per interface.
set interfaces wireguard wg1 peer sjc allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer sjc public-key '<WG 서버의 공개키>'
# Local listen port. Because VyOS initiates, nothing needs to reach this port unsolicited.
# NOTE(review): no persistent-keepalive is set; behind the UniFi NAT an idle tunnel may lose
# its NAT mapping — consider `peer sjc persistent-keepalive '25'` if replies stop arriving.
set interfaces wireguard wg1 port '51820'
set interfaces wireguard wg1 private-key '<Mullvad에서 부여받은 개인키>'
commit
save
exit
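configure
# Dedicated routing table for VPN-bound traffic: everything looked up in table 100 goes out wg1.
set protocols static table 100 route 0.0.0.0/0 interface wg1
# Kill-switch: if the wg1 route is ever absent (interface removed/down), a policy-routed
# packet would otherwise fall through to the main table and leave unencrypted via eth0.2.
# The high-distance blackhole keeps such packets inside table 100 and drops them instead.
set protocols static table 100 route 0.0.0.0/0 blackhole distance '254'
# Source addresses whose traffic is steered into the tunnel.
# NOTE(review): the rest of this note describes the clients as 192.168.0.0/24 arriving
# de-NATed from UniFi; make sure this range matches the source addresses that actually
# show up on eth1, otherwise nothing is tunneled.
set firewall group address-group WG_Client address 192.168.10.0-192.168.10.255
# Policy route on eth1: packets from WG_Client are looked up in table 100 instead of main.
# NOTE(review): this matches on source only. Name resolution done by UniFi or by the
# clients' own resolver is not covered, so clients in this range should use the tunnel's
# resolver to avoid DNS leaks.
set policy route WG_Traffic interface 'eth1'
set policy route WG_Traffic rule 10 source group address-group WG_Client
set policy route WG_Traffic rule 10 set table '100'
# Masquerade tunneled traffic behind the wg1 tunnel address.
set nat source rule 20 outbound-interface 'wg1'
set nat source rule 20 source address '192.168.10.0/24'
set nat source rule 20 translation address 'masquerade'
# Return traffic from the WireGuard peer addressed to VyOS itself. VyOS initiates the
# handshake, so no 'new' state is needed; rule 10 (established/related) is evaluated first
# and already admits these replies, so this entry is a peer-scoped belt-and-braces rule whose
# log line only fires if rule 10 is changed. The original had a bare `source` with no value,
# which is either rejected at commit or a no-op; it is now scoped to the peer's address.
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 description 'WireGuard_IN'
set firewall name OUTSIDE-LOCAL rule 40 destination port '51820'
set firewall name OUTSIDE-LOCAL rule 40 log 'enable'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 source address '<대상 WG 서버>'
set firewall name OUTSIDE-LOCAL rule 40 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 40 state related 'enable'
commit
save
exit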
- Network - Settings - Traffic Management - Routes - Create New Route
- Target을 적절히 설정 후 Interface를 WAN2로 설정
- 적용되었음을 확인: 대상 대역의 장치에서 외부에서 보이는 IP가 Mullvad 출구 IP인지 확인하고, DNS 질의가 터널 밖(Unifi/ISP 리졸버)으로 새지 않는지도 함께 확인