From c49ffa176921102627a79f6189c38a42473142ab Mon Sep 17 00:00:00 2001
From: Maurice
Date: Tue, 23 Sep 2025 20:55:46 +0200
Subject: [PATCH] WIP: openvpn

---
 .DS_Store | Bin 0 -> 6148 bytes
 SETUP-WORKSTATION.md | 3 ++-
 install.sh | 4 ++--
 installation/podman.sh | 5 +++--
 services/basic/global.policy.json | 11 ++++++++---
 services/basic/icmp.policy.json | 3 ++-
 services/basic/outgoing.policy.json | 2 +-
 services/caddy/http.policy.json | 2 +-
 services/openvpn/config/openvpn.conf | 7 +++++++
 services/openvpn/install.sh | 11 +++++++++++
 services/openvpn/openvpn.policy.json | 14 ++++++++++++++
 services/openvpn/update.sh | 2 ++
 services/ssh/ssh.policy.json | 2 +-
 update.sh | 5 +++++
 14 files changed, 59 insertions(+), 12 deletions(-)
 create mode 100644 .DS_Store
 create mode 100644 services/openvpn/config/openvpn.conf
 create mode 100644 services/openvpn/install.sh
 create mode 100644 services/openvpn/openvpn.policy.json
 create mode 100644 services/openvpn/update.sh

diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..879acf08f9c497a74806edd83bd5be524b5c07f7
GIT binary patch
literal 6148 zcmeHKOHRWu5FNK!1kpv7z{)#V0lfeURX9N}Kz}Ng(k7yXb(XM0LgE}80+l;(2@ogX zjcv8D(neh&gk~!HIpZ1o<)zKkM5H=*!!}VwL?IeuV-MX1<9TisYdB8}sCbQZ-0lvt zX#W#ixhSgfg1>Jc7@<*fOv0mwdTAHoUg3Je1F!FfctbPu)z zjOISyh<_KAm@?0g;NsBn+z_|sR~P5=dSzZ>qJStM3hb%?YBpQAZ&7+tKok%KRtoU@ zL8CFo4hxIs)q&0&0e}JA#xRa}0Mrg+hlNGVz?4k|+EnF^7|N!@uU%a1u&`*;NtvCo zj@wze6N)ms!>>&^so0|QqJSviE6}u;5!e5#?dN|#Nv=czQQ%)Gpn{~EbZ|?qwpMPA uYpq7RMq}f+!s03g15=6-%cb}L%^3We2f)~2VG$mf{1GrRNGA&XsscafqI9VM literal 0 HcmV?d00001

diff --git a/SETUP-WORKSTATION.md b/SETUP-WORKSTATION.md
index d8a369b..c6613a6 100644
--- a/SETUP-WORKSTATION.md
+++ b/SETUP-WORKSTATION.md
@@ -2,4 +2,5 @@ chronyd takes care of keeping the system clock in sync. When the system boots, chronyd will block start-up until it has resolved the time. This is useful on systems without a hardware clock (to avoid the system booting as 1970-01-01), but annoying for this setup.
-This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes.
\ No newline at end of file
+This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes.
+
diff --git a/install.sh b/install.sh
index 7dae1a3..69078f9 100755
--- a/install.sh
+++ b/install.sh
@@ -18,5 +18,5 @@ source ./firewall.sh
 cd "$base_dir"
-# Run update script
-source ./update.sh
\ No newline at end of file
+# Run update script with install argument to set up services
+source ./update.sh install
\ No newline at end of file
diff --git a/installation/podman.sh b/installation/podman.sh
index 6a16ee0..9ec117d 100644
--- a/installation/podman.sh
+++ b/installation/podman.sh
@@ -24,5 +24,6 @@ EOF
 chmod +x /etc/local.d/mount-rshared.start
-# Allow ports >= 53 to be rootless bound
-sysctl net.ipv4.ip_unprivileged_port_start=53
\ No newline at end of file
+# Allow ports >= 53 to be rootless bound, persistent
+echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf
+sysctl -p /etc/sysctl.d/podman.conf
\ No newline at end of file
diff --git a/services/basic/global.policy.json b/services/basic/global.policy.json
index 2198fe0..a58c8a6 100644
--- a/services/basic/global.policy.json
+++ b/services/basic/global.policy.json
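Review bot: The `>>` in the new `echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf` line appends another copy of the setting every time the installer is re-run, so the file grows on each run and `sysctl -p` re-applies every copy; the same append pattern appears twice in the new services/openvpn/install.sh (tun.conf and ip_forward.conf). Each of these files holds exactly one setting, so overwriting is the idempotent form: `echo "net.ipv4.ip_unprivileged_port_start=53" > /etc/sysctl.d/podman.conf`. The enclosing script starts outside the hunk, so I cannot tell whether the status of `sysctl -p` is checked anywhere.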
@@ -1,11 +1,16 @@
 {
 "description": "Restrict all internet access",
- "variable": { "internet_if": "eth0" },
 "zone": {
- "internet": { "iface": "$internet_if" }
+ "WAN": { "iface": "eth0" },
+ "LAN": { "iface": "eth1" },
+ "VPN": { "iface": "tun+" }
 },
 "policy": [
- { "in": "internet", "action": "drop" },
+ { "in": "VPN", "action": "accept" },
+ { "out": "VPN", "action": "accept" },
+ { "in": "LAN", "action": "accept" },
+ { "out": "LAN", "action": "accept" },
+ { "in": "WAN", "action": "drop" },
 { "action": "reject" }
 ]
 }
\ No newline at end of file
diff --git a/services/basic/icmp.policy.json b/services/basic/icmp.policy.json
index 3d3370c..1436f7e 100644
--- a/services/basic/icmp.policy.json
+++ b/services/basic/icmp.policy.json
@@ -2,7 +2,8 @@
 "description": "Allow ping-pong",
 "filter": [
 {
- "in": "internet",
+ "in": "WAN",
+ "out": "_fw",
 "service": "ping",
 "action": "accept",
 "flow-limit": { "count": 10, "interval": 6 }
diff --git a/services/basic/outgoing.policy.json b/services/basic/outgoing.policy.json
index 82cd1e3..1e45c66 100644
--- a/services/basic/outgoing.policy.json
+++ b/services/basic/outgoing.policy.json
@@ -3,7 +3,7 @@
 "filter": [
 {
 "in": "_fw",
- "out": "internet",
+ "out": "WAN",
 "service": ["http", "https", "dns", "ssh", "ntp", "ping"],
 "action": "accept"
 }
diff --git a/services/caddy/http.policy.json b/services/caddy/http.policy.json
index 24ffb7f..0e6626d 100644
--- a/services/caddy/http.policy.json
+++ b/services/caddy/http.policy.json
@@ -2,7 +2,7 @@
 "description": "Allow incoming http (TCP 80 & 443) ports",
 "filter": [
 {
- "in": "internet",
+ "in": "WAN",
 "out": "_fw",
 "service": ["http", "https"],
 "action": "accept"
diff --git a/services/openvpn/config/openvpn.conf b/services/openvpn/config/openvpn.conf
new file mode 100644
index 0000000..e1846ef
--- /dev/null
+++ b/services/openvpn/config/openvpn.conf
@@ -0,0 +1,7 @@
+port 1194
+proto udp
+dev tun
+
+topology subnet
+
+# TODO
\ No newline at end of file
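Review bot: The new policy entries `{ "in": "VPN", "action": "accept" }` and `{ "in": "LAN", "action": "accept" }` in global.policy.json name no `out` zone, so — assuming this is awall policy syntax, which the `_fw` zone and `flow-limit` keys suggest — everything arriving on `tun+` or eth1 is accepted towards every zone, including the firewall host itself and forwarding out to WAN, with no service restriction at all. Combined with the `net.ipv4.ip_forward=1` that services/openvpn/install.sh now sets, this makes each VPN client a fully trusted host, which is far wider than the file's own description "Restrict all internet access". I would scope the grants to the zone pairs actually needed, e.g. `{ "in": "VPN", "out": "LAN", "action": "accept" }`, and let the existing ssh/http service filters decide what a VPN client may reach on `_fw`, keeping `{ "action": "reject" }` as the default. Note also that `tun+` matches any future tun device on the box, not only the OpenVPN one.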
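Review bot: services/openvpn/config/openvpn.conf stops at `# TODO` with only `port`, `proto`, `dev` and `topology` set, yet services/openvpn/install.sh already runs `rc-update add openvpn` and openvpn.policy.json opens UDP 1194 from WAN, so at the next boot a service is enabled with a config that has no `server`, `ca`/`cert`/`key`/`dh` or `tls-crypt` directive. I would either leave the firewall rule and the `rc-update add` out of this commit until the config is complete, or at least add `tls-crypt <key>`, `user nobody`, `group nobody`, `persist-key` and `persist-tun` here so that packets without the pre-shared key are ignored and the daemon does not keep root after start-up. Because this file is symlinked into /etc/openvpn by services/openvpn/update.sh, any key paths added later relative to it will be read from the repository checkout, so its permissions will matter.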
diff --git a/services/openvpn/install.sh b/services/openvpn/install.sh
new file mode 100644
index 0000000..236f2ee
--- /dev/null
+++ b/services/openvpn/install.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo "Setting up OpenVPN..."
+apk add openvpn
+
+rc-update add openvpn
+modprobe tun
+echo tun >> /etc/modules-load.d/tun.conf
+
+# Enable IP forwarding, persistent
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+sysctl -p /etc/sysctl.d/ip_forward.conf
diff --git a/services/openvpn/openvpn.policy.json b/services/openvpn/openvpn.policy.json
new file mode 100644
index 0000000..c11f732
--- /dev/null
+++ b/services/openvpn/openvpn.policy.json
@@ -0,0 +1,14 @@
+{
+ "description": "Allow OpenVPN server access from the internet",
+ "service": {
+ "openvpn": { "port": 1194, "proto": "udp" }
+ },
+ "filter": [
+ {
+ "in": "WAN",
+ "out": "_fw",
+ "service": "openvpn",
+ "action": "accept"
+ }
+ ]
+}
diff --git a/services/openvpn/update.sh b/services/openvpn/update.sh
new file mode 100644
index 0000000..c2862a7
--- /dev/null
+++ b/services/openvpn/update.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf
\ No newline at end of file
diff --git a/services/ssh/ssh.policy.json b/services/ssh/ssh.policy.json
index d5c2238..98092a3 100644
--- a/services/ssh/ssh.policy.json
+++ b/services/ssh/ssh.policy.json
@@ -2,7 +2,7 @@
 "description": "Allow limited incoming SSH access (TCP/22)",
 "filter": [
 {
- "in": "internet",
+ "in": "WAN",
 "out": "_fw",
 "service": "ssh",
 "action": "accept",
diff --git a/update.sh b/update.sh
index 0f3d84d..9a17586 100644
--- a/update.sh
+++ b/update.sh
@@ -9,6 +9,11 @@ for service in "./services"/*/; do
 [ -d "$service" ] || continue
 cd "$service" || continue
+ # Run install.sh if installing for the first time (if $1 is "install")
+ if [ "$1" = "install" ] && [ -f "install.sh" ]; then
+ source ./install.sh
+ fi
+
 # Run update.sh if present
 if [ -f "update.sh" ]; then
 source ./update.sh
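Review bot: `apk add openvpn` in the new services/openvpn/install.sh is not checked, so if the package cannot be installed (no network, repository not configured) `rc-update add openvpn` and `modprobe tun` still run and the script ends as if it had succeeded. This file is sourced from update.sh rather than executed, so its `#!/bin/sh` line is never consulted and a local `set -e` would leak into the caller; check the call explicitly instead: `apk add openvpn || return 1`.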
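Review bot: `ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf` in the new services/openvpn/update.sh stores the relative path literally in the link, and a relative symlink target is resolved against the link's own directory, so the link points at /etc/openvpn/config/openvpn.conf, which does not exist, and OpenVPN cannot read its config. The update.sh hunk shows `cd "$service"` running before this file is sourced, so the absolute path is at hand: `ln -sf "$PWD/config/openvpn.conf" /etc/openvpn/openvpn.conf`. Whether /etc/openvpn exists at this point depends on the package having installed it, which the `apk add openvpn` call does not verify.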
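Review bot: The new `source ./install.sh` in update.sh runs each service's installer inside the caller's shell and loop, so an `exit` in any install.sh terminates the whole update run, and a failing installer goes unnoticed because the status of the `source` is never examined; the same applies to the existing `source ./update.sh` below it. I would run the installer in a subshell and report the failure per service: `( source ./install.sh ) || printf 'install.sh failed for %s\n' "$service" >&2`. The `for service` loop that encloses this block starts and ends outside the hunk, so I cannot see whether it returns to the base directory afterwards.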