diff --git a/installation/firewall.sh b/installation/firewall.sh
index a1e6c9e..93de9e3 100644
--- a/installation/firewall.sh
+++ b/installation/firewall.sh
@@ -11,4 +11,11 @@ modprobe -v iptable_nat #if NAT is used
 rc-update add iptables
 rc-update add ip6tables
 rc-service iptables start
-rc-service ip6tables start
\ No newline at end of file
+rc-service ip6tables start
+
+# In the global policy, LAN rules are omitted, as we are behind a NAT router.
+# If not, add this to global.policy.json:
+# "LAN": { "iface": "eth1" },
+# ...
+# { "in": "LAN", "action": "accept" },
+# { "out": "LAN", "action": "accept" },
\ No newline at end of file
diff --git a/installation/podman.sh b/installation/podman.sh
index 9ec117d..4c82aad 100644
--- a/installation/podman.sh
+++ b/installation/podman.sh
@@ -11,7 +11,7 @@ modprobe tun
 echo tun >> /etc/modules
 echo podman:100000:65536 > /etc/subuid
 echo podman:100000:65536 > /etc/subgid
-doas su -c "podman system migrate" podman
+su -c "podman system migrate" podman
 
 # Get rid of podman compose docker warning
 touch /etc/containers/nodocker
diff --git a/services/basic/global.policy.json b/services/basic/global.policy.json
index a58c8a6..8a06e2c 100644
--- a/services/basic/global.policy.json
+++ b/services/basic/global.policy.json
@@ -2,14 +2,11 @@
 "description": "Restrict all internet access",
 "zone": {
 "WAN": { "iface": "eth0" },
- "LAN": { "iface": "eth1" },
- "VPN": { "iface": "tun+" }
+ "VPN": { "iface": "wg0" }
 },
 "policy": [
 { "in": "VPN", "action": "accept" },
 { "out": "VPN", "action": "accept" },
- { "in": "LAN", "action": "accept" },
- { "out": "LAN", "action": "accept" },
 { "in": "WAN", "action": "drop" },
 { "action": "reject" }
 ]
diff --git a/services/openvpn/config/openvpn.conf b/services/openvpn/config/openvpn.conf
deleted file mode 100644
index e1846ef..0000000
--- a/services/openvpn/config/openvpn.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-port 1194
-proto udp
-dev tun
-
-topology subnet
-
-# TODO
\ No newline at end of file
diff --git a/services/openvpn/install.sh b/services/openvpn/install.sh
deleted file mode 100644
index 236f2ee..0000000
--- a/services/openvpn/install.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-echo "Setting up OpenVPN..."
-apk add openvpn
-
-rc-update add openvpn
-modprobe tun
-echo tun >> /etc/modules-load.d/tun.conf
-
-# Enable IP forwarding, persistent
-echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
-sysctl -p /etc/sysctl.d/ip_forward.conf
diff --git a/services/openvpn/openvpn.policy.json b/services/openvpn/openvpn.policy.json
deleted file mode 100644
index c11f732..0000000
--- a/services/openvpn/openvpn.policy.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "description": "Allow OpenVPN server access from the internet",
- "service": {
- "openvpn": { "port": 1194, "proto": "udp" }
- },
- "filter": [
- {
- "in": "WAN",
- "out": "_fw",
- "service": "openvpn",
- "action": "accept"
- }
- ]
-}
diff --git a/services/openvpn/update.sh b/services/openvpn/update.sh
deleted file mode 100644
index c2862a7..0000000
--- a/services/openvpn/update.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf
\ No newline at end of file
diff --git a/services/wireguard/add_client.sh b/services/wireguard/add_client.sh
new file mode 100644
index 0000000..d1c560d
--- /dev/null
+++ b/services/wireguard/add_client.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+mkdir -p /etc/wireguard/clients/keys
+
+# Count existing clients to assign next IP, starting from 10.0.0.2
+CLIENT_COUNT=$(ls /etc/wireguard/clients | wc -l)
+NEXT_IP="10.0.0.$((CLIENT_COUNT + 1))"
+CLIENT_NAME=$1
+SERVER_ADDRESS="goofjes.nl"
+
+# Generate public and private keys for the client
+wg genkey | tee /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key | wg pubkey > /etc/wireguard/clients/keys/$CLIENT_NAME.pub.key
+
+# Generate PSK for the client
+wg genpsk | tee /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key
+
+cat <> /etc/wireguard/wg0.conf
+
+[Peer]
+PublicKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.pub.key)
+PresharedKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key)
+AllowedIPs = $NEXT_IP/32
+EOF
+
+cat < /etc/wireguard/clients/$CLIENT_NAME.conf
+[Interface]
+Address = $NEXT_IP/24
+PrivateKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key)
+
+# $CLIENT_NAME configuration
+[Peer]
+PublicKey = $(cat /etc/wireguard/server_pub.key)
+PresharedKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key)
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = $SERVER_ADDRESS:51820
+EOF
+
+rc-service wg-quick.wg0 restart
\ No newline at end of file
diff --git a/services/wireguard/install.sh b/services/wireguard/install.sh
new file mode 100644
index 0000000..0a2a615
--- /dev/null
+++ b/services/wireguard/install.sh
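Review bot: The client private key, the PSK and the generated `$CLIENT_NAME.conf` (which embeds the private key) are written by `tee` and the heredoc redirect with the inherited umask, so under the common 022 default they end up world-readable; put `umask 077` before `mkdir -p /etc/wireguard/clients/keys` (the same applies to `server_priv.key` and `wg0.conf` in install.sh in the next hunk), and redirect `wg genpsk` straight to its file rather than through `tee`, which also echoes the PSK to the terminal. `CLIENT_NAME=$1` is used unquoted and unvalidated in every path, so a name containing `/`, whitespace or glob characters escapes `/etc/wireguard/clients` or splits the command; reject anything outside a safe charset up front, e.g. `case "$1" in *[!A-Za-z0-9_.-]*) echo "invalid client name" >&2; exit 1;; esac`, and quote every expansion. Re-running with an existing name silently overwrites that client's keys and appends a second `[Peer]` to wg0.conf; a guard such as `[ -e "/etc/wireguard/clients/$CLIENT_NAME.conf" ] && exit 1` prevents that. The `ls | wc -l` address scheme also breaks as soon as any client is removed, because the next count-derived address collides with a peer still present in wg0.conf. The heredoc operators show up here as `cat <>` and `cat <`, which looks like a rendering artifact of `<<EOF`; worth confirming against the committed file.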
@@ -0,0 +1,27 @@
+#!/bin/sh
+echo "Setting up Wireguard ..."
+apk add wireguard-tools
+
+# Generate server private and public keys
+mkdir -p /etc/wireguard
+wg genkey | tee /etc/wireguard/server_priv.key | wg pubkey > /etc/wireguard/server_pub.key
+
+# Generate configuration
+cat < /etc/wireguard/wg0.conf
+[Interface]
+PrivateKey = $(cat /etc/wireguard/server_priv.key)
+Address = 10.0.0.1/24 # Server has IP in the wg network
+ListenPort = 51820
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+EOF
+
+# Enable IP forwarding, persistent
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+sysctl -p /etc/sysctl.d/ip_forward.conf
+
+# Auto-start Wireguard on boot
+apk add wireguard-tools-openrc
+ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
+rc-update add wg-quick.wg0
+rc-service wg-quick.wg0 start
\ No newline at end of file
diff --git a/services/wireguard/wireguard.policy.json b/services/wireguard/wireguard.policy.json
new file mode 100644
index 0000000..d976937
--- /dev/null
+++ b/services/wireguard/wireguard.policy.json
@@ -0,0 +1,14 @@
+{
+ "description": "Allow Wireguard server access from the internet",
+ "service": {
+ "wireguard": { "port": 51820, "proto": "udp" }
+ },
+ "filter": [
+ {
+ "in": "WAN",
+ "out": "_fw",
+ "service": "wireguard",
+ "action": "accept"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/update.sh b/update.sh
index 9a17586..1c2f910 100644
--- a/update.sh
+++ b/update.sh
@@ -11,6 +11,7 @@ for service in "./services"/*/; do
 # Run install.sh if installing for the first time (if $1 is "install")
 if [ "$1" = "install" ] && [ -f "install.sh" ]; then
+read -n 1 -s -r -p "Press any key to install $service..."
 source ./install.sh
 fi
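Review bot: Re-running this script rotates the server key pair, because `wg genkey | tee /etc/wireguard/server_priv.key | wg pubkey > /etc/wireguard/server_pub.key` runs unconditionally while every client config already issued by add_client.sh embeds the old `server_pub.key`; guard it with `[ -f /etc/wireguard/server_priv.key ] || wg genkey | tee /etc/wireguard/server_priv.key | wg pubkey > /etc/wireguard/server_pub.key`. If a `umask 077` is added to protect `server_priv.key` and `wg0.conf` (which carries `PrivateKey` in clear text), keep in mind that update.sh runs this file via `source ./install.sh` (last hunk), so the umask persists for the services installed afterwards unless it is restored or the script body runs in a subshell. The remaining steps are not idempotent either: `echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf` appends a duplicate line on each run and `ln -s` fails once the link exists, where `ln -sf` would do. The `-o eth0` in the PostUp/PostDown MASQUERADE rules hard-codes the same WAN interface that global.policy.json names as `eth0`; a one-line comment above the heredoc noting that coupling would help whoever renames either.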