diff --git a/.env b/.env
new file mode 100644
index 0000000..a4c0efb
--- /dev/null
+++ b/.env
@@ -0,0 +1,11 @@
+## Common configuration
+WG_GATEWAY_IP=10.254.0.1/16, df99:23eb:1682:fe::1/64
+WG_CLIENT_IP=10.254.0.2/16, df99:23eb:1682:fe::2/64
+
+## Keys (for gateway)
+WG_GATEWAY_PRIVATE_KEY=
+WG_CLIENT_PUBLIC_KEY=
+
+## Keys (for client)
+# WG_GATEWAY_PUBLIC_KEY=
+# WG_CLIENT_PRIVATE_KEY=
diff --git a/.gitignore b/.gitignore
index 1d484f1..6770382 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-# gitsecret
-.gitsecret/keys/random_seed
-!*.secret
-
-# gitsecret hidden files
-infra/root/wg-cloud.conf
-.env
-
 # data
 data/
diff --git a/docker-compose.yml b/docker-compose.yml
index 108cfab..7766b75 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,4 +9,12 @@
 volumes:
 - ./data/infra:/data:rw
+ environment:
+ ## Common configuration
+ - WG_GATEWAY_IP=${WG_GATEWAY_IP}
+ - WG_CLIENT_IP=${WG_CLIENT_IP}
+ ## Keys (for gateway)
+ - WG_GATEWAY_PRIVATE_KEY=${WG_GATEWAY_PRIVATE_KEY}
+ - WG_CLIENT_PUBLIC_KEY=${WG_CLIENT_PUBLIC_KEY}
+
 restart: unless-stopped
diff --git a/infra/root/setup.sh b/infra/root/setup.sh
index 7020aae..3f78285 100755
--- a/infra/root/setup.sh
+++ b/infra/root/setup.sh
@@ -11,7 +11,7 @@
 ####################################################################
 # vpn --> outbound
-VPN_INTERFACE=wg-cloud
+WG_INTERFACE=wg-cloud
 OUTBOUND_INTERFACE=wgcf
 ####################################################################
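Review bot: `.env` becomes a tracked file with an empty `WG_GATEWAY_PRIVATE_KEY=` slot, and the `.gitignore` hunk in this same commit drops the `.env` and `infra/root/wg-cloud.conf` entries that previously protected the gitsecret-managed copies, so the first time someone fills that slot in a working copy the WireGuard private key is one `git add` away from the history. Commit this template as `.env.example` with the empty slots and keep a `.env` line in `.gitignore`; compose still reads `.env` by default, so the deployment flow is just `cp .env.example .env`. The `infra/root/wg-cloud.conf` ignore entry is also worth keeping, since a generated config containing the key should never be committable even if it ends up in the tree.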
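Review bot: `WG_GATEWAY_PRIVATE_KEY` is handed to the container through `environment:`, which makes the key visible in `docker inspect` and `docker compose config` output and to every process in the container via its environment, not only to `setup.sh`. A compose `secrets:` entry or a file under the already-mounted `./data/infra:/data` volume limits exposure to one file that `setup.sh` reads when it writes the config, e.g. `PrivateKey = $(cat /run/secrets/wg_gateway_private_key)`; only the two address values need to stay as environment variables. Independently, `${WG_GATEWAY_PRIVATE_KEY}` expands to an empty string when the variable is missing from `.env`, so the `${WG_GATEWAY_PRIVATE_KEY:?}` form would make compose fail early instead of starting a gateway with a blank key.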
@@ -26,16 +26,26 @@
 echo_info "Set up wireguard..."
-wg-quick down /$VPN_INTERFACE.conf
-wg-quick up /$VPN_INTERFACE.conf
+echo "[Interface]
+PrivateKey = ${WG_GATEWAY_PRIVATE_KEY}
+Address = ${WG_GATEWAY_IP}
+ListenPort = 47390
+
+[Peer]
+PublicKey = ${WG_CLIENT_PUBLIC_KEY}
+AllowedIPs = ${WG_CLIENT_IP}
+" > /${WG_INTERFACE}.conf
+
+wg-quick down /${WG_INTERFACE}.conf
+wg-quick up /${WG_INTERFACE}.conf
 # default drop forward
 iptables-nft -P FORWARD DROP
 ip6tables-nft -P FORWARD DROP
 # allow establishing connection from vpn
-iptables-nft -A FORWARD -i $VPN_INTERFACE -j ACCEPT
-ip6tables-nft -A FORWARD -i $VPN_INTERFACE -j ACCEPT
+iptables-nft -A FORWARD -i $WG_INTERFACE -j ACCEPT
+ip6tables-nft -A FORWARD -i $WG_INTERFACE -j ACCEPT
 # allow only established connection from outside
 iptables-nft -A FORWARD -i $OUTBOUND_INTERFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables-nft -A FORWARD -i $OUTBOUND_INTERFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
@@ -45,8 +55,8 @@
 ip6tables-nft -t nat -A POSTROUTING -o $OUTBOUND_INTERFACE -j MASQUERADE
 # clamp tcp MSS of packets out all tunnels
-iptables-nft -t mangle -A POSTROUTING -o $VPN_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-ip6tables-nft -t mangle -A POSTROUTING -o $VPN_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+iptables-nft -t mangle -A POSTROUTING -o $WG_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ip6tables-nft -t mangle -A POSTROUTING -o $WG_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 iptables-nft -t mangle -A POSTROUTING -o $OUTBOUND_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 ip6tables-nft -t mangle -A POSTROUTING -o $OUTBOUND_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
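Review bot: The generated `/${WG_INTERFACE}.conf` contains the private key but is created under the shell's default umask, so it will normally come out mode 0644; `wg-quick` warns about a world-accessible config yet still brings the interface up. Put `umask 077` before the write (or wrap it as `( umask 077; echo "..." > /${WG_INTERFACE}.conf )`) and assert the inputs first with `: "${WG_GATEWAY_PRIVATE_KEY:?}" "${WG_CLIENT_PUBLIC_KEY:?}" "${WG_GATEWAY_IP:?}" "${WG_CLIENT_IP:?}"`, otherwise an unset variable produces a config with `PrivateKey = ` and an unhelpful `wg-quick up` failure. `AllowedIPs = ${WG_CLIENT_IP}` inherits the /16 and /64 prefixes from `.env`, which lets this single peer source traffic from any address in both subnets; if one client is intended, the peer's AllowedIPs should be the host routes (/32 and /128) and only the interface `Address` should carry the subnet. Whether `set -e`/`set -u` is active cannot be seen here because the script header is outside the hunk; the `$VPN_INTERFACE` to `$WG_INTERFACE` renames in this and the later hunks are fine.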
@@ -56,15 +66,15 @@
 ip r flush table 100
 ip r add table 100 default dev $OUTBOUND_INTERFACE
-ip ru add iif $VPN_INTERFACE priority 99 lookup main suppress_prefixlength 0
-ip ru add iif $VPN_INTERFACE priority 100 lookup 100
+ip ru add iif $WG_INTERFACE priority 99 lookup main suppress_prefixlength 0
+ip ru add iif $WG_INTERFACE priority 100 lookup 100
 # v6
 ip -6 r flush table 100
 ip -6 r add table 100 default dev $OUTBOUND_INTERFACE
-ip -6 ru add iif $VPN_INTERFACE priority 99 lookup main suppress_prefixlength 0
-ip -6 ru add iif $VPN_INTERFACE priority 100 lookup 100
+ip -6 ru add iif $WG_INTERFACE priority 99 lookup main suppress_prefixlength 0
+ip -6 ru add iif $WG_INTERFACE priority 100 lookup 100
 ####################################################################
 # iptables de-duplicate
diff --git a/public b/public
index e8b66ef..a526a10 160000
--- a/public
+++ b/public
@@ -1 +1 @@
-Subproject commit e8b66ef38084de151af8bd47155d789062adba83
+Subproject commit a526a1094be51fd9a8bb2977cb0f66d800db4ed9