My laptop and remote VPS are connected with WireGuard.
It was OK until I tried ufw.
The problem is that I can't SSH to the VPS after the remote VPS reboots, but it's OK after
$ sudo ufw disable && sudo ufw enable
using the VPS provider's web console.
Below is some info about my VPS setup.
1. dsnet.service is a WireGuard setup helper service.
https://github.com/naggie/dsnet
https://aur.archlinux.org/packages/dsnet
2. I've tried modifying ufw.service:
Before=sysinit.target -> #Before=sysinit.target
Requires=dsnet.service
Arch Linux aarch64 (ARM instance)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 02:00:17:00:fd:34 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.43/24 metric 1024 brd 10.0.0.255 scope global dynamic enp0s3
valid_lft 85933sec preferred_lft 85933sec
inet6 fe80::17ff:fe00:fd34/64 scope link
valid_lft forever preferred_lft forever
3: dsnet: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.57.66.1/24 brd 10.57.66.255 scope global dsnet
valid_lft forever preferred_lft forever
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere ALLOW IN 10.57.66.0/24
$ sudo systemctl cat ufw.service dsnet.service
# /etc/systemd/system/ufw.service
[Unit]
Description=CLI Netfilter Manager
DefaultDependencies=no
After=systemd-sysctl.service
Requires=dsnet.service
#Before=sysinit.target
ConditionPathExists=|/etc/ufw/ufw.conf
ConditionDirectoryNotEmpty=|/usr/lib/ufw
[Service]
Type=oneshot
ExecStart=/usr/lib/ufw/ufw-init start
ExecStop=/usr/lib/ufw/ufw-init stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
# /usr/lib/systemd/system/dsnet.service
# Copy this service file to /etc/systemd/system/ to start dsnet on boot,
# assuming dsnet is installed to /usr/local/bin
[Unit]
Description=dsnet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dsnet up
ExecStop=/usr/bin/dsnet down
RemainAfterExit=yes
ExecReload=/usr/bin/dsnet sync
$ sudo systemctl status ufw.service dsnet.service
* ufw.service - CLI Netfilter Manager
Loaded: loaded (/etc/systemd/system/ufw.service; enabled; preset: disabled)
Active: active (exited) since Sun 2022-10-09 21:04:17 UTC; 20min ago
Process: 292 ExecStart=/usr/lib/ufw/ufw-init start (code=exited, status=0/SUCCESS)
Main PID: 292 (code=exited, status=0/SUCCESS)
CPU: 67ms
Oct 09 21:04:17 alarm systemd[1]: Finished CLI Netfilter Manager.
Notice: journal has been rotated since unit was started, output may be incomplete.
* dsnet.service - dsnet
Loaded: loaded (/usr/lib/systemd/system/dsnet.service; enabled; preset: disabled)
Active: active (exited) since Sun 2022-10-09 21:04:18 UTC; 20min ago
Process: 478 ExecStart=/usr/bin/dsnet up (code=exited, status=0/SUCCESS)
Main PID: 478 (code=exited, status=0/SUCCESS)
CPU: 30ms
Oct 09 21:04:18 alarm systemd[1]: Starting dsnet...
Oct 09 21:04:18 alarm systemd[1]: Finished dsnet.
$ sudo systemctl status iptables.service ip6tables.service
* iptables.service - IPv4 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
Active: inactive (dead)
* ip6tables.service - IPv6 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; preset: disabled)
Active: inactive (dead)
EDIT:
sudo ufw allow 51820/udp
solved the problem. 51820 is your WireGuard interface's listening port.
ufw.service was reverted to the original version.
Last edited by YCH (2022-10-10 08:55:24)
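The rule in the status output above ("Anywhere ALLOW IN 10.57.66.0/24") only admits packets that already arrive from the tunnel subnet; the encrypted WireGuard handshake arrives on enp0s3 as UDP to the listen port, so with "Default: deny (incoming)" it is dropped until that port is allowed. The script below, added here as an example and not code from the original post or from the dsnet project, checks that before a reboot: it reads ListenPort from a WireGuard-style config (falling back to WireGuard's default 51820), parses the rule table printed by "ufw status [verbose]", and reports the exact "ufw allow" command when the port is closed. The config path /etc/wireguard/wg0.conf and the script name wg-ufw-check.sh are assumptions.

```shell
#!/bin/sh
# wg-ufw-check.sh: verify that ufw admits the WireGuard listen port.
# Added example for this thread, not code from the original post or from dsnet.
# Assumes a WireGuard-style config containing "ListenPort = N" and the rule
# table layout printed by "ufw status" / "ufw status verbose".

# Print the ListenPort from a WireGuard-style config read on stdin.
# WireGuard defaults to 51820 when ListenPort is absent, so fall back to that.
wg_listen_port() {
    port=$(sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${port:-51820}"
}

# Read "ufw status" output on stdin; exit 0 only if a rule allows inbound UDP on
# port $1 from anywhere. Non-verbose output prints "ALLOW", verbose prints
# "ALLOW IN"; both are accepted. A rule that only names the tunnel subnet
# (e.g. "Anywhere ALLOW IN 10.57.66.0/24") does not count, because the
# encrypted handshake arrives on the public interface, not from the tunnel.
ufw_allows_udp_port() {
    grep -E "^$1/udp[[:space:]]+ALLOW( IN)?[[:space:]]+Anywhere" >/dev/null
}

# Combine both: exit 0 if the port from config file $1 is allowed by the
# ufw status text saved in file $2.
wg_port_is_open() {
    port=$(wg_listen_port < "$1")
    ufw_allows_udp_port "$port" < "$2"
}

# When run directly (not sourced), check the live system.
# /etc/wireguard/wg0.conf is an assumed path; pass a different one as $1.
if [ "${0##*/}" = "wg-ufw-check.sh" ]; then
    cfg="${1:-/etc/wireguard/wg0.conf}"
    port=$(wg_listen_port < "$cfg")
    if sudo ufw status verbose | ufw_allows_udp_port "$port"; then
        echo "ufw allows UDP/$port: WireGuard peers can still reach this host after a reboot"
    else
        echo "ufw does NOT allow UDP/$port; fix with: sudo ufw allow $port/udp" >&2
        exit 1
    fi
fi
```

Run it as "sh wg-ufw-check.sh /path/to/wg.conf" before rebooting a remote box that is only reachable over the tunnel. If ufw is inactive, "ufw status" prints no rule table, so the check fails closed and reports the port as not allowed, which is the safe answer.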