This port of boringtun works on any illumos box that has the tuntap device.
SmartOS ships with this device by default; on OmniOS you can install it by running
pkg install tuntap
Currently the userland daemon drops as many privileges(5) as it can
after setting up the tunnel. The daemon also currently uses epoll/signalfd until I find time
to wire up the event port interface.
Clone the following repo and check out the illumos branch.
git clone git@github.com:papertigers/boringtun.git
Build the binary on an illumos box (SmartOS, OmniOS, etc.):
cargo build --release
In addition to the boringtun program built from this repository, you will need to build the wg tool from the upstream WireGuard.git; e.g.,
$ git clone https://git.zx2c4.com/WireGuard
$ cd WireGuard/src/tools
$ make LDLIBS='-lnsl -lsocket'
CC /ws/wireguard/WireGuard/src/tools/wg.o
CC /ws/wireguard/WireGuard/src/tools/set.o
CC /ws/wireguard/WireGuard/src/tools/mnlg.o
CC /ws/wireguard/WireGuard/src/tools/pubkey.o
CC /ws/wireguard/WireGuard/src/tools/showconf.o
CC /ws/wireguard/WireGuard/src/tools/genkey.o
CC /ws/wireguard/WireGuard/src/tools/setconf.o
CC /ws/wireguard/WireGuard/src/tools/curve25519.o
CC /ws/wireguard/WireGuard/src/tools/encoding.o
CC /ws/wireguard/WireGuard/src/tools/ipc.o
CC /ws/wireguard/WireGuard/src/tools/terminal.o
CC /ws/wireguard/WireGuard/src/tools/config.o
CC /ws/wireguard/WireGuard/src/tools/show.o
LD /ws/wireguard/WireGuard/src/tools/wg
$ ./wg
interface: tun0
Set up a zone to run boringtun and enable IP spoofing on the interface that will carry the VPN traffic (on SmartOS this is the allow_ip_spoofing NIC property); without it the zone cannot forward traffic on behalf of the VPN addresses.
Set up IPv4 forwarding:
routeadm -ue ipv4-forwarding
Set up the zone to NAT connections:
- create /etc/ipf/ipnat.conf with this single line, which rewrites traffic from the VPN subnet to the address of whichever interface it leaves on (0.0.0.0/32 means "use the interface address"):
map * from 5.0.1.0/24 to any -> 0.0.0.0/32
- enable ipfilter:
svcadm enable ipfilter
Start the daemon. There currently seems to be an issue with the connected-UDP default, so turn it off for now:
./boringtun -f --disable-connected-udp tun
Configure the tunnel.
Due to the way point-to-point links currently need to be configured on illumos,
you'll need to set aside a "destination" address to represent the remote side of
the tunnel. In the example below, 5.0.1.1 is the IP address of this system and
5.0.1.2 is the fake destination address. You can use the same fake destination IP
on all systems, but no system on the VPN may use it as its actual IP (and no peer's
allowed IPs should include it). Because the interface is configured with a /32
netmask, the route to the rest of the VPN subnet has to be added explicitly via
the fake destination, which is what the route add line does.
ifconfig tun0 5.0.1.1 5.0.1.2 netmask 255.255.255.255 mtu 1420 up
route add 5.0.1.0/24 5.0.1.2
wg setconf tun0 tun0.conf
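The steps above, gathered into a script, as an added example that is not part of the boringtun port or its README. It adds the one check the text only states in prose: the fake destination address must never be handed out as a peer's AllowedIPs. The contents of tun0.conf are not shown on the page, so the [Interface]/[Peer] layout written by gen_wg_conf is assumed to be the standard wg setconf format; the key strings used are placeholders.

```shell
#!/bin/sh
# Added example; not from the boringtun illumos port or its README.
# Generates a wg setconf file, refuses configs that give a peer the reserved
# point-to-point destination, and wraps the README's ifconfig/route/wg steps.

VPN_NET=5.0.1.0/24      # VPN subnet used in the README
LOCAL_IP=5.0.1.1        # this system's tunnel address
FAKE_DST=5.0.1.2        # reserved "remote side" of the point-to-point link
TUN=tun0

# gen_wg_conf PRIVKEY PORT PEER_PUBKEY PEER_ALLOWED_IPS [PEER_ENDPOINT]
# Writes a minimal single-peer config for `wg setconf` to stdout.
# (Assumed layout: standard wg setconf [Interface]/[Peer] sections.)
gen_wg_conf() {
  printf '[Interface]\nPrivateKey = %s\nListenPort = %s\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$3" "$4"
  if [ -n "$5" ]; then
    printf 'Endpoint = %s\n' "$5"
  fi
}

# conf_uses_fake_dst CONF
# Exit 0 if any AllowedIPs entry in CONF is the reserved destination address
# (written bare or as /32), 1 otherwise. Comma-separated lists are handled.
conf_uses_fake_dst() {
  grep -i '^[[:space:]]*AllowedIPs[[:space:]]*=' "$1" |
    sed 's/^[^=]*=//' |
    tr ',' '\n' |
    tr -d ' \t' |
    sed 's#/32$##' |
    grep -qx "$FAKE_DST"
}

# tunnel_up CONF
# The README's configuration steps, in order, guarded by the check above.
# Needs root on an illumos box with the tun device; nothing in this file calls it.
tunnel_up() {
  if conf_uses_fake_dst "$1"; then
    echo "refusing: $FAKE_DST (fake destination) appears in AllowedIPs" >&2
    return 1
  fi
  ifconfig "$TUN" "$LOCAL_IP" "$FAKE_DST" netmask 255.255.255.255 mtu 1420 up &&
    route add "$VPN_NET" "$FAKE_DST" &&
    wg setconf "$TUN" "$1"
}
```

A real deployment would generate the private key with wg genkey and take the peer's public key from its own wg output; the script only handles the parts the README spells out.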
Then, to verify a client has connected, run wg and look for a recent latest handshake and transfer counters that keep increasing:
# wg
interface: tun0
public key: <....>
private key: (hidden)
listening port: 51820
peer: <....>
endpoint: 10.0.1.1:37894
allowed ips: 5.0.1.3/32
latest handshake: 41 seconds ago
transfer: 7.20 MiB received, 345.62 MiB sent
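For checking this from a script rather than by reading the output above, an added example that is not part of the boringtun port or its README. It reads the tab-separated `wg show tun0 dump` form (a wg feature not shown on the page) and lists peers whose last handshake is older than a threshold or that never completed one; the sample dump is constructed with fake keys.

```shell
#!/bin/sh
# Added example; not from the boringtun illumos port or its README.
# Peer lines of `wg show <if> dump` are, tab-separated: public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake (epoch seconds,
# 0 if never), transfer-rx, transfer-tx, persistent-keepalive. Line 1 is the
# interface itself.

# stale_peers DUMP_FILE NOW MAX_AGE_SECONDS
# Prints "<public-key> <age>" for each peer whose handshake is older than
# MAX_AGE_SECONDS, or "<public-key> never" for peers with no handshake at all.
stale_peers() {
  awk -F'\t' -v now="$2" -v max="$3" '
    NR == 1 { next }                      # interface line
    $5 == 0 { print $1, "never"; next }   # handshake never completed
    now - $5 > max { print $1, now - $5 }
  ' "$1"
}

# write_sample_dump FILE
# Constructed sample in dump layout (placeholder keys, not real wg output):
# PEER_A handshook 41 s before the reference time 1000000, PEER_B never did,
# PEER_C handshook 10000 s before it.
write_sample_dump() {
  printf 'PRIVKEY\tPUBKEY\t51820\toff\n' > "$1"
  printf 'PEER_A\t(none)\t10.0.1.1:37894\t5.0.1.3/32\t999959\t7549747\t362409984\toff\n' >> "$1"
  printf 'PEER_B\t(none)\t(none)\t5.0.1.4/32\t0\t0\t0\toff\n' >> "$1"
  printf 'PEER_C\t(none)\t10.0.1.2:40001\t5.0.1.5/32\t990000\t1024\t2048\toff\n' >> "$1"
}

# Live usage on the VPN box (not run here):
#   wg show tun0 dump > /tmp/tun0.dump
#   stale_peers /tmp/tun0.dump "$(date +%s)" 180
```

A threshold of around three minutes is reasonable because WireGuard renegotiates a session within that window while traffic flows; a peer that is idle will legitimately show up as stale, so treat the list as a prompt to look, not as proof of a broken tunnel.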
Thanks @jclulow for the wireguard-go work. It made getting this rust daemon working a lot easier: https://github.com/jclulow/wireguard-go-illumos-wip