WIP: openvpn

2025-09-23 20:55:46 +02:00
parent edf4b2c03f
commit c49ffa1769
14 changed files with 59 additions and 12 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/SETUP-WORKSTATION.md
+++ b/SETUP-WORKSTATION.md
@@ -2,4 +2,5 @@

 chronyd takes care of keeping the system clock in sync. When the system boots, chronyd will block start-up until it has resolved the time. This is useful on systems without a hardware clock (to avoid the system booting as 1970-01-01), but annoying for this setup.

-This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes.
+This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes.
+
--- a/install.sh
+++ b/install.sh
@@ -18,5 +18,5 @@ source ./firewall.sh

 cd "$base_dir"

-# Run update script
-source ./update.sh
+# Run update script with install argument to set up services
+source ./update.sh install
--- a/installation/podman.sh
+++ b/installation/podman.sh
@@ -24,5 +24,6 @@ EOF

 chmod +x /etc/local.d/mount-rshared.start

-# Allow ports >= 53 to be rootless bound
-sysctl net.ipv4.ip_unprivileged_port_start=53
+# Allow ports >= 53 to be rootless bound, persistent
+echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf
+sysctl -p /etc/sysctl.d/podman.conf
--- a/services/basic/global.policy.json
+++ b/services/basic/global.policy.json
@@ -1,11 +1,16 @@
 {
    "description": "Restrict all internet access",
-    "variable": { "internet_if": "eth0" },
    "zone": {
-        "internet": { "iface": "$internet_if" }
+        "WAN": { "iface": "eth0" },
+        "LAN": { "iface": "eth1" },
+        "VPN": { "iface": "tun+" }
    },
    "policy": [
-        { "in": "internet", "action": "drop" },
+        { "in": "VPN", "action": "accept" },
+        { "out": "VPN", "action": "accept" },
+        { "in": "LAN", "action": "accept" },
+        { "out": "LAN", "action": "accept" },
+        { "in": "WAN", "action": "drop" },
        { "action": "reject" }
    ]
 }
--- a/services/basic/icmp.policy.json
+++ b/services/basic/icmp.policy.json
@@ -2,7 +2,8 @@
    "description": "Allow ping-pong",
    "filter": [
        {
-            "in": "internet",
+            "in": "WAN",
+            "out": "_fw",
            "service": "ping",
            "action": "accept",
            "flow-limit": { "count": 10, "interval": 6 }
--- a/services/basic/outgoing.policy.json
+++ b/services/basic/outgoing.policy.json
@@ -3,7 +3,7 @@
    "filter": [
        {
            "in": "_fw",
-            "out": "internet",
+            "out": "WAN",
            "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
            "action": "accept"
        }
--- a/services/caddy/http.policy.json
+++ b/services/caddy/http.policy.json
@@ -2,7 +2,7 @@
    "description": "Allow incoming http (TCP 80 & 443) ports",
    "filter": [
        {
-            "in": "internet",
+            "in": "WAN",
            "out": "_fw",
            "service": ["http", "https"],
            "action": "accept"
--- a/services/openvpn/config/openvpn.conf
+++ b/services/openvpn/config/openvpn.conf
@@ -0,0 +1,7 @@
+port 1194
+proto udp
+dev tun
+
+topology subnet
+
+# TODO
--- a/services/openvpn/install.sh
+++ b/services/openvpn/install.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo "Setting up OpenVPN..."
+apk add openvpn
+
+rc-update add openvpn
+modprobe tun
+echo tun >> /etc/modules-load.d/tun.conf
+
+# Enable IP forwarding, persistent
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+sysctl -p /etc/sysctl.d/ip_forward.conf
--- a/services/openvpn/openvpn.policy.json
+++ b/services/openvpn/openvpn.policy.json
@@ -0,0 +1,14 @@
+{
+    "description": "Allow OpenVPN server access from the internet",
+    "service": {
+        "openvpn": { "port": 1194, "proto": "udp" }
+    },
+    "filter": [
+        {
+            "in": "WAN",
+            "out": "_fw",
+            "service": "openvpn",
+            "action": "accept"
+        }
+    ]
+}
--- a/services/openvpn/update.sh
+++ b/services/openvpn/update.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf
--- a/services/ssh/ssh.policy.json
+++ b/services/ssh/ssh.policy.json
@@ -2,7 +2,7 @@
    "description": "Allow limited incoming SSH access (TCP/22)",
    "filter": [
        {
-            "in": "internet",
+            "in": "WAN",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
--- a/update.sh
+++ b/update.sh
@@ -9,6 +9,11 @@ for service in "./services"/*/; do
  [ -d "$service" ] || continue
  cd "$service" || continue

+  # Run install.sh if installing for the first time (if $1 is "install")
+  if [ "$1" = "install" ] && [ -f "install.sh" ]; then
+    source ./install.sh
+  fi
+
  # Run update.sh if present
  if [ -f "update.sh" ]; then
    source ./update.sh