[crux-commits] ports/contrib (refs/remotes/origin/3.6): wireguard-tools: new port (Manage WireGuard VPNs)

crux at crux.nu crux at crux.nu
Sat Apr 10 19:05:43 UTC 2021


commit 948f38dd84d3a598f7bb04830398aa86d104779e
Author: Steffen Nurpmeso <steffen at sdaoden.eu>
Date:   Tue Mar 16 00:05:30 2021 +0100

    wireguard-tools: new port (Manage WireGuard VPNs)

diff --git a/wireguard-tools/.footprint b/wireguard-tools/.footprint
new file mode 100644
index 000000000..9a0145661
--- /dev/null
+++ b/wireguard-tools/.footprint
@@ -0,0 +1,7 @@
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/bin/
+-rwxr-xr-x	root/root	usr/bin/wg
+drwxr-xr-x	root/root	usr/share/
+drwxr-xr-x	root/root	usr/share/man/
+drwxr-xr-x	root/root	usr/share/man/man8/
+-rw-r--r--	root/root	usr/share/man/man8/wg.8.gz
diff --git a/wireguard-tools/.signature b/wireguard-tools/.signature
new file mode 100644
index 000000000..d33c6fbd9
--- /dev/null
+++ b/wireguard-tools/.signature
@@ -0,0 +1,5 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF343vnmjiPrkZ7iWKeFJsyHE0rvuXrzfQqUBYsS4TqeF6a35aT/tHUvDZ/Zj3mz3gfyhna0jee2nKLidBAVGeLA0=
+SHA256 (Pkgfile) = 17f2aac6980be43a7ed2ef760cd8e810a2de2b7caad19af0849be55daf450830
+SHA256 (.footprint) = d283d75961bbb0a088b71aba318def5a86976ed952b2f3cb9f6542b061b89a47
+SHA256 (wireguard-tools-1.0.20210315.tar.xz) = af001d5492be6bf58ef0bebe04b446b6f50eb53e1226fab679cc34af40733a22
diff --git a/wireguard-tools/Pkgfile b/wireguard-tools/Pkgfile
new file mode 100644
index 000000000..2e5f57790
--- /dev/null
+++ b/wireguard-tools/Pkgfile
@@ -0,0 +1,25 @@
+# Description: Tools for configuring WireGuard
+# URL:         https://git.zx2c4.com/wireguard-tools/
+# Maintainer:  Steffen Nurpmeso, steffen at sdaoden dot eu
+
+name=wireguard-tools
+version=1.0.20210315
+release=1
+source=(https://git.zx2c4.com/wireguard-tools/snapshot/\
+wireguard-tools-${version}.tar.xz)
+
+build() {
+   cd ${name}-${version}
+
+   cd src
+   make
+   make install \
+      DESTDIR="${PKG}" \
+      PREFIX=/usr \
+      RUNSTATEDIR=/run \
+      WITH_BASHCOMPLETION=no \
+      WITH_SYSTEMDUNITS=no \
+      WITH_WGQUICK=no
+}
+
+# s-sh-mode
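Review bot: The plain `make` on the first line of the build step is run without the variables that the following `make install` passes, so if the project's Makefile bakes RUNSTATEDIR or PREFIX into the compiled binary (I believe it does, as a preprocessor define, but that is not visible here), wg is built with the upstream default and the install-time value only affects where files land; pass the same values to both, e.g. `make PREFIX=/usr RUNSTATEDIR=/run`. A smaller consistency point: the source array spells out `wireguard-tools-${version}.tar.xz` while `build()` uses `${name}-${version}`; using `${name}` in both keeps a rename or version bump in one place. The three `WITH_*=no` switches deserve a one-line why-comment so the next maintainer does not "fix" the missing wg-quick, since the README's manual `ip`/`iptables` setup and the footprint (only `usr/bin/wg` and its man page) both rely on it, e.g. `# only wg(8) is shipped; wg-quick, bash completion and systemd units are intentionally left out`.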
diff --git a/wireguard-tools/README b/wireguard-tools/README
new file mode 100644
index 000000000..36f9bfc1a
--- /dev/null
+++ b/wireguard-tools/README
@@ -0,0 +1,221 @@
+README for WireGuard
+
+  WireGuard is a thrilling VirtualPrivateNetwork option.
+
+  It uses stateless UDP connections, and looks like a server socket,
+  for example in output of "ss -l", but also "iptables -nvL".
+  It uses today's state-of-the-art algorithms, is extremely simple to
+  setup and maintain, and has really nifty properties.
+  As an example, you can load /dev/null as the key to make the VPN
+  unusable, just put back the correct key and it functions again.
+  You can also create a VPN with a single command line (plus firewall).
+
+  It is possible to create point-to-point connections where the
+  endpoints can communicate with each other, but dedicated "servers" can
+  be used forward all traffic to the internet, so that laptops and other
+  end-devices can be boxed in a totally detached environment, having
+  internet access only through (the) VPN(s).
+
+  In all cases you need the kernel option
+
+    CONFIG_WIREGUARD=y
+
+  and generate keys:
+
+    # wg genkey | tee private.key | wg pubkey > public.key
+
+  You should also create a preshared key (may not work otherwise with
+  software before 2021-03-15):
+
+    # wg genpsk
+
+  Nothing magic about the keys, base64 encoded random of the correct
+  length (should do; and except for pubkey, which applies algorithms).
+
+Simple point-to-point VPN
+
+  To create a simple point-to-point VPN place on the server.
+  Say this is a VPN of two boxes plus broadcast, server on 10.0.0.2,
+  laptop on 10.0.0.1.  The laptop has no fixed IP:
+
+  Server.conf:
+    [Interface]
+    PrivateKey = PRIKEY
+    ListenPort = PORT
+
+    [Peer]
+    PublicKey = PUBKEY
+    AllowedIPs = 10.0.0.0/30
+
+  Laptop.conf:
+    [Interface]
+    PrivateKey = PRIKEY
+    ListenPort = PORT
+
+    [Peer]
+    PublicKey = PUBKEY
+    Endpoint = IP-OF-SERVER:PORT-OF-SERVER
+    AllowedIPs = 10.0.0.2/32
+
+  We assume these are the first interfaces and end up as wg0:
+
+    # wg setconf Server.conf
+
+  We need some firewall rules.  For this case as shown here no
+  forwarding or masquerading is required, it is _never_ but on the
+  server side!
+  The Laptop should get away with
+
+    # ip link add dev wg0 type wireguard
+    # ip address add 10.0.0.1/30 dev wg0
+    # iptables -A OUTPUT -o wg0 -j ACCEPT
+    # # not even iptables -A INPUT -i wg0 -j ACCEPT
+    # iptables -A OUTPUT -p udp --dst SRV-IP --dport SRV-PORT -j ACCEPT
+    # ip link set wg0 up
+    # ip route add 10.0.0.1 dev wg0
+
+  That is it (beat me if i am wrong)!
+  Different iptables on the server:
+
+    # iptables -I INPUT -i wg0 -j ACCEPT
+    # # not even iptables -A OUTPUT -o wg0 -j ACCEPT
+    # iptables -A INPUT -p udp --dport SRV-PORT -j ACCEPT
+
+  Finished.  Of course you can track the endpoint as they show up, and
+  update the rules with the exact address of the endpoint(s).
+  Like this the last rule of the server can apply blacklisting rules.
+  This works easily because once a handshake is completed this entire
+  NETFILTER is bypassed (at filter level), and only fewest packets
+  actually show up on --dport SRV-PORT.  A working watchdog below. 
+
+End-user having access only via VPN
+
+  In fact this is easy.  Of course you can create a wg, then a network
+  namespace, then move the wg to that namespace, then add the default
+  route via "dev DEVNAME", and be done with it.  Linux even seems to
+  allow to move the physical hardware to a network namespace, then go
+  the different way with the new wg.
+  Really important differences are:
+
+    - The laptop must change the AllowedIPs of the server [Peer] to
+
+        AllowedIPs = 0.0.0.0/0
+
+      Only like this all the traffic is forwarded to the server.
+
+    - The server now needs forwarding and masquerading enabled:
+
+      # sysctl -w net.ipv4.conf.ETH0.forwarding=1
+      # sysctl -w net.ipv4.conf.WG0.forwarding=1
+      # iptables -A FORWARD -i WG0 -o ETH0 -j ACCEPT
+      # iptables -A FORWARD -o WG0 -i ETH0 -j ACCEPT
+      # iptables -t nat -A POSTROUTING -o ETH0 -j MASQUERADE
+
+A watchdog
+
+  Driven by cron one can selectively whitelist endpoints without fixed
+  IP addresses, in order to apply strict black listing on those
+
+    # iptables -A INPUT -p udp --dport PORT -j ACCEPT
+
+  rules that are needed.  Here is one idea, it is pretty fresh but
+  working for some time here.  Imagine a configuration
+
+    : ${RUNDIR:=/run}
+
+    # (y/empty) Wireguard VPN (ie: look for WG_digit_ADDR settings)?
+    : ${WG:=}
+       #     If empty
+       : ${WG_WATCHDOG:=${RUNDIR}/.net-qos-wg-watch}
+       #  For wg_watchdog() (aka "$0 watchdog-wg"): persistance data file.
+       #  Watchdog only works if non-empty.
+       # -> WG_digit_ADDR='any wg(8) address:LISTEN-PORT'
+       #     Ie address+CIDR netmask plus listen port.  Whether we create it.
+    ....
+
+  Then this:
+
+wg_watchdog() {
+   [ -n "${WG_WATCHDOG}" ] || {
+      echo >&2 '$WG_WATCHDOG is not set'
+      return 0
+   }
+
+   touch "${WG_WATCHDOG}" "${WG_WATCHDOG}".new "${WG_WATCHDOG}".lck
+   chown root:root "${WG_WATCHDOG}" "${WG_WATCHDOG}".new "${WG_WATCHDOG}".lck
+   chmod 0600 "${WG_WATCHDOG}" "${WG_WATCHDOG}".new "${WG_WATCHDOG}".lck
+
+   if exec 7>"${WG_WATCHDOG}.lck" && flock 7; then :; else
+      echo >&2 'Cannot aquire lock file '${WG_WATCHDOG}.lck
+      return 1
+   fi
+
+   # New list of peers
+   printf '' > "${WG_WATCHDOG}".new
+   wl=
+
+   id=0
+   while :; do
+      eval x=\$WG_${id}_ADDR
+      [ -z "${x}" ] && break
+
+      wg__splita "${x}"
+      dport=${port}
+
+      x=`${wg} show wg${id} endpoints 2>/dev/null`
+      if [ ${?} -eq 0 ]; then
+         x=`echo ${x} | cut -f2 -d' '`
+         if [ "${x}" != '(none)' ]; then
+            wg__splita "${x}"
+            wl=${wl}' '${addr}
+            printf -- "-p udp --src %s --dport %s -j f_m1\n" \
+               "${addr}" "${dport}" >> "${WG_WATCHDOG}".new
+            #--sport ${port}
+         fi
+      fi
+
+      id=$((id + 1))
+   done
+
+   # ..if different to old one, recreate firewall rules
+   if cmp "${WG_WATCHDOG}".new "${WG_WATCHDOG}" >/dev/null 2>&1; then :; else
+      if [ -s "${WG_WATCHDOG}" ]; then
+         while read l; do
+            iptables_rule filter i_good -D ${l}
+         done < "${WG_WATCHDOG}"
+      fi
+
+      # Add new list of peers
+      if [ -n "${wl}" ]; then
+         while read l; do
+            iptables_rule filter i_good -I 1 ${l}
+         done < "${WG_WATCHDOG}".new
+         logger -t /root/bin/net-qos.sh/WG 'whitelist: '${wl}
+      fi
+
+      cp -f "${WG_WATCHDOG}".new "${WG_WATCHDOG}"
+   fi
+
+   exec 7>&-
+}
+
+wg__splita() {
+   addr=${1%:*}
+   port=${1##*:}
+   ip6=0
+
+   if [ "${addr}" != "${addr%]*}" ]; then
+      ip6=1
+      addr=${addr%]*}
+      addr=${addr#[*}
+   fi
+
+   if [ "${addr}" != "${addr%/*}" ]; then
+      mask=/${addr#*/}
+      addr=${addr%/*}
+   else
+      mask=/32
+   fi
+}
+
+# s-ts-mode

