sync
86
README.md
Normal file
@@ -0,0 +1,86 @@
```
██████ ██ ▄█▀▒███████▒ █ █░ ▄████
▒██ ▒ ██▄█▒ ▒ ▒ ▒ ▄▀░ ▓█░ █ ░█░ ██▒ ▀█▒
░ ▓██▄ ▓███▄░ ░ ▒ ▄▀▒░ ░█▒░ █ ▒█░ █░█ ▒ ██░▄▄▄░
▒ ██▒▓██ █▄ ▄▀▒ ░ ░█░ █ ░█ ░▓█ ██▓
▒██████▒▒▒██▒ █▄▒███████▒ ░░██▒██▓ ░▒▓███▀▒
▒ ▒▓▒ ▒ ░▒ ▒▒ ▓▒░▒▒ ▓░▒░▒ ░ ▓░▒ ▒ ░▒ ▒
░ ░▒ ░ https://git.sk4.nz/sk4nz/skz-wg ░ ░
░ ░ ░ ░ ░ ░
```
*Samuel 'sk4nz' AUBERTIN*

**skz-wg** is a VPN (WireGuard) + DNS (Unbound) + Firewall (Packet Filter) automated setup for [OpenBSD](https://www.openbsd.org/) with client configuration management.

**WARNING: The VPN clients _outgoing_ packets are filtered, and the DNS resolver _lies_ for adverting related hosts.**

## Howto

tl;dr: ```make```

### Install, configure and runs WireGuard for client FOO and BAR

```CLIENTS="FOO BAR" make```

### Show informations about the running WireGuard instance

```make info```

## Details

### WireGuard
[WireGuard website](https://www.wireguard.com)

Is configured to listen on ```WG_PORT```, spawning the ```WG_LAN``` private network.
It uses PSK authentication and keep-alives.

#### Server

Optionally declare the server _IP_ address with ```SERVER= IP``` in the _./Makefile_ or using ```SERVER=IP make```.

#### Clients

Declare clients _a_, _b_ and _c_ with ```CLIENTS= a b c``` in the _./Makefile_ or using ```CLIENTS="a b c" make```.

Client management is additive, meaning you can add more with ```CLIENTS="new" make```.

#### Configuration files

Each client has a configuration folder in _./_ named after its name:

```# ls -1 sk4nz/
sk4nz.conf # The client configuration file
sk4nz.key # The client secret key
sk4nz.pub # The client public key
sk4nz.pub # The client PSK
sk4nz.qr # QRcode configuration
```

You can use the ```.conf``` or it's encoded version ```.qr``` to configure clients.

### Unbound
[Unbound website](https://www.nlnetlabs.nl/projects/unbound/)

Lies on ads (used list are declared in ```ADS_URLS```) and validates DNSSEC when available.

### Packet Filter
[OpenBSD PF website](https://www.openbsd.org/faq/pf/)

NATs ```WG_LAN``` and filters both **ingress** _and_ **egress** ports.

To allow more ports, please edit ```IN_TCP```, ```OUT_TCP```, ```IN_UDP```, ```OUT_UDP``` and ```VPN_TCP``` in the _./Makefile_.

#### Ingress: ```IN_TCP```, ```IN_UDP```

- ```IN_TCP```: Allowed ports for the _incoming_ TCP packets _to_ the server WAN interface.
- ```IN_UDP```: Allowed ports for the _incoming_ UDP packets _to_ the server WAN interface.

#### Egress: ```OUT_TCP```, ```OUT_UDP```

- ```OUT_TCP```: Allowed destination ports for the _outgoing_ TCP packets _from_ the server WAN interface.
- ```OUT_UDP```: Allowed destination ports for the _outgoing_ UDP packets _from_ the server WAN interface.

#### NAT: ```VPN_TCP```

Allowed destination ports for packets coming _from_ the ```WG_LAN``` before going throug the NAT.

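Review bot: the file listing under "Configuration files" names `sk4nz.pub` twice, once as "The client public key" and once as "The client PSK", so the real filename of the pre-shared key is never documented; the second entry should carry whatever extension the Makefile actually writes for the PSK. Since that same per-client folder under `./` holds the client's private key (`sk4nz.key`) and its PSK, this section should also state the expected ownership and mode of the client directories and that they must be kept out of version control, otherwise a `git add .` next to the Makefile would commit live key material. Minor wording in the same hunk: "Install, configure and runs WireGuard" should read "run WireGuard", "Show informations" should be "Show information", "it's encoded version" should be "its encoded version", "adverting related hosts" should be "advertising-related hosts", "used list are declared" should be "used lists are declared", and "throug the NAT" should be "through the NAT".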