2026 cleanup

This commit is contained in:
Samuel Aubertin
2026-06-02 11:19:52 +02:00
parent 8a6a84e247
commit 9f331e40b2


@@ -27,14 +27,15 @@ WG_LAN= 10.10.10.1/24
WAN!= route -n show -inet | grep default | awk '{print $$NF}' WAN!= route -n show -inet | grep default | awk '{print $$NF}'
# Packet Filter configuration for allowed ports # Packet Filter configuration for allowed ports
OUT_TCP= http ftp whois https ssh OUT_TCP?= http ftp whois https ssh
IN_TCP= http https ssh IN_TCP?= http https ssh
OUT_UDP= domain ntp $(WG_PORT) OUT_UDP?= domain ntp $(WG_PORT)
IN_UDP= $(WG_PORT) IN_UDP?= $(WG_PORT)
VPN_TCP= $(IN_TCP) VPN_TCP?= $(IN_TCP)
VPN_UDP?= domain ntp https
# Server private key # Server private key
WG_KEY!= cat server.key 2> /dev/null || wg genkey WG_KEY!= cat server.key 2> /dev/null || wg genkey
.poison empty $(WG_KEY) .poison empty $(WG_KEY)
# Ads lists # Ads lists
@@ -88,34 +89,37 @@ restart:
/etc/pf.header: /etc/pf.header:
# The original pf header # The original pf header
printf 'set skip on lo\nblock return\npass\ printf 'set skip on lo\nblock return\n#pass\
\nblock return in on ! lo0 proto tcp to port 6000:6010\ \nblock return in on ! lo0 proto tcp to port 6000:6010\
\nblock return out log proto {tcp udp} user _pbuild\n' > $@ \nblock return out log proto {tcp udp} user _pbuild\n' > $@
/etc/pf.wg: /etc/pf.bogons /etc/pf.abuse_ssh /etc/pf.abuse_tcp /etc/pf.header /etc/pf.conf.orig /etc/pf.wg: /etc/pf.bogons /etc/pf.abuse_ssh /etc/pf.abuse_tcp /etc/pf.header /etc/pf.conf.orig
# Define allowed PF ports # Define allowed PF ports
printf 'out_tcp_ports = "{ $(OUT_TCP) }"\ printf '# PF.WG\
\n### Allowed Ports\
\nout_tcp_ports = "{ $(OUT_TCP) }"\
\nout_udp_ports = "{ $(OUT_UDP) }"\ \nout_udp_ports = "{ $(OUT_UDP) }"\
\nvpn_tcp_ports = "{ $(VPN_TCP) }"\ \nvpn_tcp_ports = "{ $(VPN_TCP) }"\
\nvpn_udp_ports = "{ $(VPN_UDP) }"\
\nin_tcp_ports = "{ $(IN_TCP) }"\ \nin_tcp_ports = "{ $(IN_TCP) }"\
\nin_udp_ports = "{ $(IN_UDP) }"\n' > $@ \nin_udp_ports = "{ $(IN_UDP) }"\n' > $@
# Rules # Rules
printf '# BEGIN PF.WG\ printf '### Macros \
\n### Macros \
\n# statefull tracking options - sto\ \n# statefull tracking options - sto\
\n# SSH is considered under abuse when there are more than 6 connections per minute \ \n# SSH is considered under abuse when there are more than 10 simultaneous connections or 1 connections per 2 second \
\nssh_sto = "(max-src-conn-rate 6/60, overload <t_abuse_ssh> flush global)"\ \nssh_sto = "(max-src-conn 100, max-src-conn-rate 6/60, overload <t_abuse_ssh> flush global)"\
\n# TCP is considered under abuse when there are more than 300 simultaneous connections or 600 per minute\ \n# TCP is considered under abuse when there are more than 300 simultaneous connections or 600 per minute\
\ntcp_sto = "(max-src-conn 300, max-src-conn-rate 600/60, overload <t_abuse_tcp> flush global)"\ \ntcp_sto = "(max-src-conn 300, max-src-conn-rate 600/60, overload <t_abuse_tcp> flush global)"\
\n# TCP flags \ \n# TCP flags \
\nflag_syn = "flags S/SA modulate state"\ \nflag_syn = "flags S/SA modulate state"\
\n# define e (egress) and i (ingress) macros\ \n# define e (egress) and i (ingress) macros\
\nedropin = "block drop in quick on egress from"\ \nedropin = "block drop in quick on egress from"\
\nedropout = "block drop out log quick on egress from"\ \nedropout = "block drop out quick on egress from"\
\nepassout = "pass out log on egress proto tcp to any port"\ \nepassout = "pass out on egress proto tcp to any port"\
\ninblocktcp = "block in log quick proto tcp from"\ \ninblocktcp = "block in quick proto tcp from"\
\ninpasstcp = "pass in on egress proto tcp to any port"\ \ninpasstcp = "pass in on egress proto tcp to any port"\
\ninvpntcp = "pass in log on wg0 proto tcp to any port"\ \ninvpntcp = "pass in on wg0 proto tcp to any port"\
\ninvpnudp = "pass in on wg0 proto udp to any port"\
\n# Persitent tables\ \n# Persitent tables\
\ntable <t_bogons> persist file "/etc/pf.bogons"\ \ntable <t_bogons> persist file "/etc/pf.bogons"\
\ntable <t_abuse_tcp> persist file "/etc/pf.abuse_tcp"\ \ntable <t_abuse_tcp> persist file "/etc/pf.abuse_tcp"\
@@ -125,41 +129,42 @@ restart:
\nset optimization conservative\ \nset optimization conservative\
\nset reassemble yes\ \nset reassemble yes\
\nset syncookies adaptive (start 25%%, end 12%%)\ \nset syncookies adaptive (start 25%%, end 12%%)\
\nset ruleset-optimization profile\ \nset ruleset-optimization basic\
\nset skip on lo\ \nset skip on lo\
\nantispoof for { lo, egress }\ \nantispoof for { lo, egress }\
\nmatch in all scrub (max-mss 1440 no-df random-id reassemble tcp)\ \nmatch in all scrub (max-mss 1440 no-df random-id reassemble tcp)\
\n### Rules \ \n### Rules \
\n# Prevent dns leaks \ \n# Prevent dns leaks \
\nblock in log on egress inet proto { tcp udp } from any to ! egress port 53\ \n#block in log quick on egress inet proto { tcp udp } from any to ! egress port 53\
\n# Block bogons - DEACTIVATED \ \n# Block bogons - DEACTIVATED \
\n# TODO : change pf.bogons to allow LAN\ \n# TODO : change pf.bogons to allow LAN\
\n#$edropin { <t_bogons> } to any\ \n#$$edropin { <t_bogons> } to any\
\n#$edropout any to { <t_bogons> }\ \n#$$edropout any to { <t_bogons> }\
\n# block abusers\ \n# block abusers\
\n$inblocktcp <t_abuse_ssh> to any port ssh\ \n$$inblocktcp <t_abuse_ssh> to any port ssh\
\n$inblocktcp <t_abuse_tcp> to any port $in_tcp_ports\ \n$$inblocktcp <t_abuse_tcp> to any port $$in_tcp_ports\
\n# Default rule : block stateless traffic\ \n# Default rule : block stateless traffic\
\nblock\ \n# block\
\n# Enable ICMP echo request, reply, unreach\ \n# Enable ICMP echo request, reply, unreach\
\npass quick inet proto icmp all icmp-type { echoreq, echorep, unreach }\ \npass quick inet proto icmp all icmp-type { echoreq, echorep, unreach }\
\n# Enable IPv4 traceroute\ \n# Enable IPv4 traceroute\
\npass out on egress proto udp to port 33433:33626\ \npass out on egress proto udp to port 33433:33626\
\n# Pass ingress \ \n# Pass ingress \
\n$inpasstcp ssh $$flag_syn $$ssh_sto\ \n$$inpasstcp ssh $$flag_syn $$ssh_sto\
\n$inpasstcp http $$flag_syn $$tcp_sto\ \n$$inpasstcp http $$flag_syn $$tcp_sto\
\n$inpasstcp https $$flag_syn $$tcp_sto\ \n$$inpasstcp https $$flag_syn $$tcp_sto\
\n$invpntcp $$vpn_tcp_ports $$flag_syn $$tcp_sto\ \n$$invpntcp $$vpn_tcp_ports\
\n$$invpnudp $$vpn_udp_ports\
\npass in on egress proto udp to any port $$in_udp_ports\ \npass in on egress proto udp to any port $$in_udp_ports\
\n# Pass egress\ \n# Pass egress\
\n$epassout $$out_tcp_ports $$flag_syn\ \n$$epassout $$out_tcp_ports $$flag_syn\
\npass out on egress proto udp to any port $$out_udp_ports allow-opts\ \npass out quick on egress proto udp to any port $$out_udp_ports allow-opts\
\n# Pass Wireguard-LAN\ \n# Pass Wireguard-LAN\
\npass out log on wg0 proto tcp to any port $$vpn_tcp_ports\ \npass out on wg0 proto tcp to any port $$vpn_tcp_ports\
\npass in on wg0 proto udp to any port $$out_udp_ports allow-opts\ \npass out on wg0 proto udp to any port $$vpn_udp_ports\
\n# END PF.WG\n' >> $@ \npass in on wg0 proto udp to any port $$out_udp_ports allow-opts\n' >> $@
# NAT the WireGuard interface to WAN # NAT the WireGuard interface to WAN
printf 'pass out on $(WAN) inet from wg0:network to any nat-to ($(WAN))' >> $@ printf 'pass out on $(WAN) inet from wg0:network to any nat-to ($(WAN)) static-port\n' >> $@
ad-blacklist: ad-blacklist:
rm -rf /var/unbound/ad-blacklist.conf rm -rf /var/unbound/ad-blacklist.conf
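Review bot: The catch-all `block` on the `# block` line is now commented out at the same time as the header's `pass` becomes `#pass`, so the generated /etc/pf.wg no longer carries any default-deny rule of its own and fails open if it is ever loaded without /etc/pf.header in front of it; how the fragments are concatenated into pf.conf is not visible in this hunk, so this is inferred. Restoring the line as `\nblock\` (or `block drop`, which is quieter than the header's `block return`) keeps pf.wg safe regardless of assembly order. The only rule that constrained port-53 traffic is also now `#block in log quick on egress ... port 53`; if the intent is still to pin clients to the local unbound, an equivalent rule on wg0 should replace it rather than leaving the comment `# Prevent dns leaks` above dead text. On the NAT line, `static-port` switches off pf's source-port randomisation for tunnel clients, so a comment naming the protocol that needs it would help the next reader decide whether to keep it.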
@@ -245,8 +250,8 @@ $(CLIENTS): server.conf
wg genpsk > $@/$@.psk wg genpsk > $@/$@.psk
# Append to server.conf (deprecated) and the client configuration # Append to server.conf (deprecated) and the client configuration
PSK=$$(cat $@/$@.psk); PUB=$$(cat $@/$@.pub); N=$$(sha256 -qs $@ | cut -b 1-2);\ PSK=$$(cat $@/$@.psk); PUB=$$(cat $@/$@.pub); N=$$(sha256 -qs $@ | cut -b 1-2);\
echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/32\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\ echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/24\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\
echo -e '[Interface] # Local tunnel address: $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N))) router: $(WG_LAN:H)'\nAddress = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))/32'\nPrivateKey = '$$(cat $@/$@.key)'\nDNS = $(WG_LAN:H)\n[Peer] # Tunnel endpoint: $(SERVER)\nEndpoint = $(SERVER):$(WG_PORT)\nPublicKey = '$$(cat server.pub)'\nPresharedKey = '$$PSK'\nAllowedIPs = 0.0.0.0/0' > $@/$@.conf echo -e '[Interface] # Local tunnel address: $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N))) router: $(WG_LAN:H)'\nAddress = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))/24'\nPrivateKey = '$$(cat $@/$@.key)'\nDNS = $(WG_LAN:H)\n[Peer] # Tunnel endpoint: $(SERVER)\nEndpoint = $(SERVER):$(WG_PORT)\nPublicKey = '$$(cat server.pub)'\nPresharedKey = '$$PSK'\nAllowedIPs = 0.0.0.0/0' > $@/$@.conf
cat $@/$@.conf | qrencode -t ansiutf8 -o $@/$@.qr cat $@/$@.conf | qrencode -t ansiutf8 -o $@/$@.qr
chmod -R 600 $@ chmod -R 600 $@