Wireguard to go

Maurice
2025-09-24 13:29:25 +02:00
parent c49ffa1769
commit 12681bd7e2
11 changed files with 94 additions and 40 deletions


@@ -11,4 +11,11 @@ modprobe -v iptable_nat #if NAT is used
rc-update add iptables rc-update add iptables
rc-update add ip6tables rc-update add ip6tables
rc-service iptables start rc-service iptables start
rc-service ip6tables start rc-service ip6tables start
# In the global policy, LAN rules are omitted, as we are behind a NAT router.
# If not, add this to global.policy.json:
# "LAN": { "iface": "eth1" },
# ...
# { "in": "LAN", "action": "accept" },
# { "out": "LAN", "action": "accept" },


@@ -11,7 +11,7 @@ modprobe tun
echo tun >> /etc/modules echo tun >> /etc/modules
echo podman:100000:65536 > /etc/subuid echo podman:100000:65536 > /etc/subuid
echo podman:100000:65536 > /etc/subgid echo podman:100000:65536 > /etc/subgid
doas su -c "podman system migrate" podman su -c "podman system migrate" podman
# Get rid of podman compose docker warning # Get rid of podman compose docker warning
touch /etc/containers/nodocker touch /etc/containers/nodocker
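Review bot: Dropping `doas` makes root a hard precondition of the `su -c "podman system migrate" podman` line, since `su` only switches to the podman user without a password prompt when the caller is already root. The neighbouring `echo … > /etc/subuid` writes already require that, so the change is consistent, but the script would fail in a less obvious place if run unprivileged; a guard at the top such as `[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }` makes it explicit. The enclosing script starts outside the hunk.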


@@ -2,14 +2,11 @@
"description": "Restrict all internet access", "description": "Restrict all internet access",
"zone": { "zone": {
"WAN": { "iface": "eth0" }, "WAN": { "iface": "eth0" },
"LAN": { "iface": "eth1" }, "VPN": { "iface": "wg0" }
"VPN": { "iface": "tun+" }
}, },
"policy": [ "policy": [
{ "in": "VPN", "action": "accept" }, { "in": "VPN", "action": "accept" },
{ "out": "VPN", "action": "accept" }, { "out": "VPN", "action": "accept" },
{ "in": "LAN", "action": "accept" },
{ "out": "LAN", "action": "accept" },
{ "in": "WAN", "action": "drop" }, { "in": "WAN", "action": "drop" },
{ "action": "reject" } { "action": "reject" }
] ]
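Review bot: `{ "in": "VPN", "action": "accept" }` carries no `out`, so every WireGuard peer is granted unrestricted access to services on the firewall host itself (`_fw`) as well as forwarding out to WAN. If the tunnel is only meant as an internet gateway, `{ "in": "VPN", "out": "WAN", "action": "accept" }` narrows it, with a separate `"out": "_fw"` rule for whatever the host must actually serve peers (DNS, for instance). Note also that the policy has no `snat` entry, so NAT for VPN clients presumably depends entirely on the MASQUERADE rule in wg0.conf's PostUp rather than on awall.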


@@ -1,7 +0,0 @@
port 1194
proto udp
dev tun
topology subnet
# TODO


@@ -1,11 +0,0 @@
#!/bin/sh
echo "Setting up OpenVPN..."
apk add openvpn
rc-update add openvpn
modprobe tun
echo tun >> /etc/modules-load.d/tun.conf
# Enable IP forwarding, persistent
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf


@@ -1,14 +0,0 @@
{
"description": "Allow OpenVPN server access from the internet",
"service": {
"openvpn": { "port": 1194, "proto": "udp" }
},
"filter": [
{
"in": "WAN",
"out": "_fw",
"service": "openvpn",
"action": "accept"
}
]
}


@@ -1,2 +0,0 @@
#!/bin/sh
ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf


@@ -0,0 +1,42 @@
#!/bin/sh
if [ -z "$1" ]; then
echo "Usage: $0 <client-name>"
exit 1
fi
mkdir -p /etc/wireguard/clients/keys
# Count existing clients to assign next IP, starting from 10.0.0.2
CLIENT_COUNT=$(ls /etc/wireguard/clients | wc -l)
NEXT_IP="10.0.0.$((CLIENT_COUNT + 1))"
CLIENT_NAME=$1
SERVER_ADDRESS="goofjes.nl"
# Generate public and private keys for the client
wg genkey | tee /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key | wg pubkey > /etc/wireguard/clients/keys/$CLIENT_NAME.pub.key
# Generate PSK for the client
wg genpsk | tee /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key
cat <<EOF >> /etc/wireguard/wg0.conf
[Peer]
PublicKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.pub.key)
PresharedKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key)
AllowedIPs = $NEXT_IP/32
EOF
cat <<EOF > /etc/wireguard/clients/$CLIENT_NAME.conf
[Interface]
Address = $NEXT_IP/24
PrivateKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key)
# $CLIENT_NAME configuration
[Peer]
PublicKey = $(cat /etc/wireguard/server_pub.key)
PresharedKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_ADDRESS:51820
EOF
rc-service wg-quick.wg0 restart
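Review bot: The client private key, PSK and the generated `$CLIENT_NAME.conf` are all written under the default umask, and `wg genpsk | tee …` additionally echoes the PSK to the terminal, so the secrets land world-readable in /etc/wireguard/clients and in scrollback or logs. Add `umask 077` right after the argument check and write the PSK silently: `wg genpsk > /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key`. `$1` is also used unvalidated and unquoted in file paths and in the heredocs, so a name containing `/`, spaces or `..` escapes the clients directory; reject anything not matching `[A-Za-z0-9_-]+` and refuse a name whose key files already exist, because a repeat run silently overwrites the keys and appends a second `[Peer]` block to wg0.conf. The IP derived from `ls … | wc -l` counts the `keys` directory as well, which is what yields 10.0.0.2 for the first peer, but it will hand out a duplicate address as soon as any client is ever deleted. Finally, `rc-service wg-quick.wg0 restart` tears down every existing session to add one peer; `wg-quick strip wg0 | wg syncconf wg0 /dev/stdin` applies the new peer without interrupting the others.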


@@ -0,0 +1,27 @@
#!/bin/sh
echo "Setting up Wireguard ..."
apk add wireguard-tools
# Generate server private and public keys
mkdir -p /etc/wireguard
wg genkey | tee /etc/wireguard/server_priv.key | wg pubkey > /etc/wireguard/server_pub.key
# Generate configuration
cat <<EOF > /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $(cat /etc/wireguard/server_priv.key)
Address = 10.0.0.1/24 # Server has IP in the wg network
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
# Enable IP forwarding, persistent
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf
# Auto-start Wireguard on boot
apk add wireguard-tools-openrc
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
rc-update add wg-quick.wg0
rc-service wg-quick.wg0 start
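Review bot: `wg genkey | tee /etc/wireguard/server_priv.key` and the heredoc that embeds that key into wg0.conf both run under the default umask, so the server private key is created world-readable; put `umask 077` before `mkdir -p /etc/wireguard` (wg-quick also warns at startup when the config is not mode 600). The PostUp/PostDown lines add FORWARD and MASQUERADE rules directly with iptables, but the firewall is managed by awall (global.policy.json defines the VPN zone on wg0), so a later `awall activate` will presumably regenerate the ruleset and drop them — consider expressing the forward/snat in an awall policy instead and keeping only PrivateKey/Address/ListenPort here. The script is also not idempotent: a re-run regenerates the server key pair, invalidating every issued client config, and the plain `ln -s` fails once the symlink exists; guard with `[ -f /etc/wireguard/server_priv.key ] || wg genkey …` and use `ln -sf`.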


@@ -0,0 +1,14 @@
{
"description": "Allow Wireguard server access from the internet",
"service": {
"wireguard": { "port": 51820, "proto": "udp" }
},
"filter": [
{
"in": "WAN",
"out": "_fw",
"service": "wireguard",
"action": "accept"
}
]
}


@@ -11,6 +11,7 @@ for service in "./services"/*/; do
# Run install.sh if installing for the first time (if $1 is "install") # Run install.sh if installing for the first time (if $1 is "install")
if [ "$1" = "install" ] && [ -f "install.sh" ]; then if [ "$1" = "install" ] && [ -f "install.sh" ]; then
read -n 1 -s -r -p "Press any key to install $service..."
source ./install.sh source ./install.sh
fi fi