# skz-wg

https://git.sk4.nz/sk4nz/skz-wg

*Samuel 'sk4nz' AUBERTIN*

**skz-wg** is a VPN (WireGuard) + DNS (Unbound) + Firewall (Packet Filter) automated setup for [OpenBSD](https://www.openbsd.org/) with client configuration management.

**WARNING: The VPN clients' _outgoing_ packets are filtered, and the DNS resolver _lies_ for advertising-related hosts.**

## Howto

tl;dr:

```
make
```

### Install, configure and run WireGuard for clients FOO and BAR

```
CLIENTS="FOO BAR" make
```

### Show information about the running WireGuard instance

```
make info
```

## Details

### WireGuard

[WireGuard website](https://www.wireguard.com)

WireGuard is configured to listen on `WG_PORT`, spawning the `WG_LAN` private network. It uses PSK authentication and keep-alives.

#### Server

Optionally declare the server _IP_ address with `SERVER=IP` in the _./Makefile_ or using `SERVER=IP make`.

#### Clients

Declare clients _a_, _b_ and _c_ with `CLIENTS=a b c` in the _./Makefile_ or using `CLIENTS="a b c" make`. Client management is additive, meaning you can add more later with `CLIENTS="new" make`.

#### Configuration files

Each client has its configuration files created in `./CLIENT_NAME`:

```
# ls -1 sk4nz/
sk4nz.conf  # The client configuration file
sk4nz.key   # The client secret key
sk4nz.pub   # The client public key
sk4nz.psk   # The client PSK
sk4nz.qr    # QR code configuration
```

You can use the `.conf` file or its QR-code-encoded version `.qr` to configure clients.

### Unbound

[Unbound website](https://www.nlnetlabs.nl/projects/unbound/)

Unbound lies for ad-related hosts (the block lists used are declared in `ADS_URLS`) and validates DNSSEC when available.
### Packet Filter

[OpenBSD PF website](https://www.openbsd.org/faq/pf/)

PF NATs `WG_LAN` and filters both **ingress** _and_ **egress** ports. To allow more ports, edit `IN_TCP`, `OUT_TCP`, `IN_UDP`, `OUT_UDP` and `VPN_TCP` in the _./Makefile_.

#### Ingress: `IN_TCP`, `IN_UDP`

- `IN_TCP`: Allowed ports for _incoming_ TCP packets _to_ the server WAN interface.
- `IN_UDP`: Allowed ports for _incoming_ UDP packets _to_ the server WAN interface.

#### Egress: `OUT_TCP`, `OUT_UDP`

- `OUT_TCP`: Allowed destination ports for _outgoing_ TCP packets _from_ the server WAN interface.
- `OUT_UDP`: Allowed destination ports for _outgoing_ UDP packets _from_ the server WAN interface.

#### NAT: `VPN_TCP`

Allowed destination ports for packets coming _from_ `WG_LAN` before going through the NAT.
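To make the three port lists concrete, here is a constructed `pf.conf` that expresses the same default-deny policy by hand: ingress limited to `IN_TCP`/`IN_UDP`, the server's own egress limited to `OUT_TCP`/`OUT_UDP`, and NATed `WG_LAN` traffic limited to `VPN_TCP`. It is an added illustration, not the ruleset the Makefile generates; the interface names, the `WG_LAN` prefix and every port value are assumptions.

```pf
# Constructed illustration of the skz-wg filtering policy (not the project's
# generated ruleset). Interfaces, WG_LAN and the port lists are assumptions.
ext_if  = "em0"            # WAN interface
wg_if   = "wg0"            # WireGuard interface carrying WG_LAN
wg_lan  = "10.10.0.0/24"   # WG_LAN
wg_port = "51820"          # WG_PORT

in_tcp  = "{ 22 }"                 # IN_TCP: reachable on the server from the WAN
in_udp  = "{ " $wg_port " }"       # IN_UDP: WireGuard itself must be reachable
out_tcp = "{ 53 80 443 }"          # OUT_TCP: where the server itself may connect
out_udp = "{ 53 123 }"             # OUT_UDP
vpn_tcp = "{ 22 80 443 }"          # VPN_TCP: where VPN clients may connect after NAT

set skip on lo
block drop all                     # default deny both ways; state tracking admits replies
block in quick from urpf-failed    # drop packets with spoofed source addresses

# NAT WG_LAN behind the WAN address. Translation happens before filtering, so the
# egress rules would otherwise see VPN traffic with the server's own source
# address; the tag lets them tell the two apart and apply VPN_TCP, not OUT_TCP.
match out on $ext_if inet from $wg_lan to any nat-to ($ext_if) tag VPN

# Ingress on the WAN interface: only IN_TCP / IN_UDP
pass in on $ext_if inet proto tcp from any to ($ext_if) port $in_tcp
pass in on $ext_if inet proto udp from any to ($ext_if) port $in_udp

# Egress of the server's own traffic: only OUT_TCP / OUT_UDP
pass out on $ext_if inet proto tcp from ($ext_if) to any port $out_tcp ! tagged VPN
pass out on $ext_if inet proto udp from ($ext_if) to any port $out_udp ! tagged VPN

# VPN clients: DNS goes to the local Unbound on wg0, everything else to VPN_TCP
pass in on $wg_if inet proto { tcp udp } from $wg_lan to ($wg_if) port 53
pass in on $wg_if inet proto tcp from $wg_lan to any port $vpn_tcp
pass out on $ext_if inet proto tcp from any to any port $vpn_tcp tagged VPN
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the expanded port lists so you can confirm which ports actually got through the macros.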