```
██████ ██ ▄█▀▒███████▒ █ █░ ▄████
▒██ ▒ ██▄█▒ ▒ ▒ ▒ ▄▀░ ▓█░ █ ░█░ ██▒ ▀█▒
░ ▓██▄ ▓███▄░ ░ ▒ ▄▀▒░ ░█▒░ █ ▒█░ █░█ ▒ ██░▄▄▄░
▒ ██▒▓██ █▄ ▄▀▒ ░ ░█░ █ ░█ ░▓█ ██▓
▒██████▒▒▒██▒ █▄▒███████▒ ░░██▒██▓ ░▒▓███▀▒
▒ ▒▓▒ ▒ ░▒ ▒▒ ▓▒░▒▒ ▓░▒░▒ ░ ▓░▒ ▒ ░▒ ▒
░ ░▒ ░ https://git.sk4.nz/sk4nz/skz-wg ░ ░
░ ░ ░ ░ ░ ░
```
*Samuel 'sk4nz' AUBERTIN*

**skz-wg** is a VPN (WireGuard) + DNS (Unbound) + Firewall (Packet Filter) automated setup for [OpenBSD](https://www.openbsd.org/) with client configuration management.

**WARNING: The VPN clients' _outgoing_ packets are filtered, and the DNS resolver _lies_ for advertising-related hosts.**
## Howto
tl;dr: ```make```
### Install, configure and run WireGuard for clients FOO and BAR
```CLIENTS="FOO BAR" make```
### Show information about the running WireGuard instance
```make info```
## Details
### WireGuard
[WireGuard website](https://www.wireguard.com)

WireGuard is configured to listen on ```WG_PORT``` and spawns the ```WG_LAN``` private network.

It uses PSK authentication and keep-alives.
#### Server
Optionally declare the server _IP_ address with ```SERVER=IP``` in the _./Makefile_ or using ```SERVER=IP make```.
#### Clients
Declare clients _a_, _b_ and _c_ with ```CLIENTS=a b c``` in the _./Makefile_ or using ```CLIENTS="a b c" make```.

Client management is additive, meaning you can add more with ```CLIENTS="new" make```.
#### Configuration files
Each client has configuration files created in ```./CLIENT_NAME```:
```
# ls -1 sk4nz/
sk4nz.conf # The client configuration file
sk4nz.key  # The client secret key
sk4nz.pub  # The client public key
sk4nz.psk  # The client PSK
sk4nz.qr   # QR code configuration
```
You can use the ```.conf``` file or its QR-code encoded version ```.qr``` to configure clients.
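What the client ```.conf``` and the matching server-side peer entry look like for a setup with PSK authentication and keep-alives, rendered by a small POSIX sh function. This is an added example, not skz-wg's own code: the variable names mirror the Makefile's ```WG_PORT```, ```WG_LAN``` and ```SERVER```, every key below is a constructed placeholder (real ones come from ```wg genkey```, ```wg pubkey``` and ```wg genpsk```), and pointing the client's ```DNS``` at the first host address of ```WG_LAN``` assumes the resolver listens there.

```shell
#!/bin/sh
# Added example (not skz-wg code): render a WireGuard client config and the
# server-side [Peer] stanza for that client from pre-generated key material.
# Variable names mirror the Makefile; all values here are CONSTRUCTED.

WG_PORT=51820
WG_LAN=10.7.0.0/24
SERVER=198.51.100.10                          # documentation address, constructed
SERVER_PUB='SERVER_PUBLIC_KEY_PLACEHOLDER='   # placeholder, not a real key

# render_client_conf NAME CLIENT_PRIVKEY CLIENT_PSK CLIENT_ADDR
# Full-tunnel client config: PSK on top of the Curve25519 handshake,
# DNS forced to the VPN-side resolver (assumed to sit on the first host
# address of WG_LAN), and a keepalive so the client's NAT mapping stays open.
render_client_conf() {
    name=$1 privkey=$2 psk=$3 addr=$4
    net=${WG_LAN%/*}              # 10.7.0.0
    server_vpn_ip=${net%.*}.1     # 10.7.0.1 (assumption: server takes .1)
    printf '[Interface]\n# client: %s\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' \
        "$name" "$privkey" "$addr" "$server_vpn_ip"
    printf '[Peer]\n# server\nPublicKey = %s\nPresharedKey = %s\n' \
        "$SERVER_PUB" "$psk"
    printf 'Endpoint = %s:%s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' \
        "$SERVER" "$WG_PORT"
}

# render_server_peer NAME CLIENT_PUBKEY CLIENT_PSK CLIENT_ADDR
# Stanza appended to the server's interface config for this client.
# AllowedIPs is pinned to the client's single /32 so one client cannot
# source packets with another client's VPN address.
render_server_peer() {
    name=$1 pubkey=$2 psk=$3 addr=$4
    printf '[Peer]\n# %s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s\n' \
        "$name" "$pubkey" "$psk" "${addr%/*}/32"
}

# Usage with constructed placeholder keys:
render_client_conf sk4nz 'CLIENT_PRIVATE_KEY_PLACEHOLDER=' 'CLIENT_PSK_PLACEHOLDER=' 10.7.0.2/24
```

The rendered text is what ends up in ```sk4nz.conf``` (and, QR-encoded, in ```sk4nz.qr```); the ```.key``` and ```.psk``` files hold the two secrets, so they deserve ```0600``` permissions on whatever box renders them.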
### Unbound
[Unbound website](https://www.nlnetlabs.nl/projects/unbound/)

Lies about advertising hosts (the block lists used are declared in ```ADS_URLS```) and validates DNSSEC when available.
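How a "lying" resolver is expressed in Unbound terms, as an added example that is not part of skz-wg: a POSIX sh function converts a block list in hosts-file format (the format most ad lists of the ```ADS_URLS``` kind use; the sample below is constructed) into ```local-zone``` entries that make Unbound answer NXDOMAIN for every listed host. The function also refuses names outside the hostname alphabet, so a tampered list cannot smuggle extra configuration into the file; the include path named in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not skz-wg code): turn a hosts-file style ad list into
# Unbound local-zone entries so the resolver answers NXDOMAIN for them.

# Constructed sample list; real lists come from the URLs in ADS_URLS.
ADS_LIST_SAMPLE='# constructed sample in hosts-file format
0.0.0.0 0.0.0.0
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # inline comment, mixed case
0.0.0.0 ads.example.com
bare-list.example.org
0.0.0.0 bad_host.example
'

# hosts_to_unbound: reads a list on stdin, writes local-zone lines on stdout.
# Accepts "ADDR HOST" and bare "HOST" lines; drops comments, loopback names,
# pure IP addresses, names with characters outside the hostname alphabet
# (so a poisoned list cannot inject config syntax), and duplicates.
hosts_to_unbound() {
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        {
            h = (NF >= 2) ? $2 : $1
            h = tolower(h)
            sub(/\.$/, "", h)
            if (h == "localhost" || h == "localhost.localdomain" ||
                h == "broadcasthost" || h == "ip6-localhost") next
            if (h ~ /^[0-9.]+$/) next
            if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
            if (seen[h]++) next
            printf "local-zone: \"%s.\" always_nxdomain\n", h
        }'
}

# Usage: write the entries to a file that the server: clause of unbound.conf
# pulls in with an include: line, e.g.
#   include: /var/unbound/etc/ads.conf      (path is an assumption)
printf '%s' "$ADS_LIST_SAMPLE" | hosts_to_unbound
```

Answering NXDOMAIN rather than a bogus address keeps clients from opening connections to 0.0.0.0, and because the entries are local data they are served before validation, so the DNSSEC setting for everything else is unaffected.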
### Packet Filter
[OpenBSD PF website](https://www.openbsd.org/faq/pf/)

NATs ```WG_LAN``` and filters both **ingress** _and_ **egress** ports.

To allow more ports, please edit ```IN_TCP```, ```OUT_TCP```, ```IN_UDP```, ```OUT_UDP``` and ```VPN_TCP``` in the _./Makefile_.
#### Ingress: ```IN_TCP```, ```IN_UDP```
- ```IN_TCP```: Allowed ports for the _incoming_ TCP packets _to_ the server WAN interface.
- ```IN_UDP```: Allowed ports for the _incoming_ UDP packets _to_ the server WAN interface.
#### Egress: ```OUT_TCP```, ```OUT_UDP```
- ```OUT_TCP```: Allowed destination ports for the _outgoing_ TCP packets _from_ the server WAN interface.
- ```OUT_UDP```: Allowed destination ports for the _outgoing_ UDP packets _from_ the server WAN interface.
#### NAT: ```VPN_TCP```
Allowed destination ports for packets coming _from_ the ```WG_LAN``` before they go through the NAT.
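The ingress/egress/NAT split described in this section, written out as a generated ```pf.conf```. This is an added example rather than skz-wg's own rule set: it reads the Makefile variables (```IN_TCP```, ```IN_UDP```, ```OUT_TCP```, ```OUT_UDP```, ```VPN_TCP```, ```WG_LAN```, ```WG_PORT```; the values are constructed), refuses anything that is not a port number so a typo cannot silently widen a rule, and assumes the WireGuard interface is ```wg0```. The rule letting clients reach the resolver on the ```wg0``` address, and the use of a tag to carry the "came from the VPN" decision across the NAT, are design choices of this example, not something the page states.

```shell
#!/bin/sh
# Added example (not skz-wg code): generate pf.conf from Makefile-style
# variables. Values below are CONSTRUCTED; interface wg0 is an assumption.

WG_PORT=51820
WG_LAN=10.7.0.0/24
IN_TCP="22"            # to the WAN interface: ssh
IN_UDP="$WG_PORT"      # to the WAN interface: WireGuard
OUT_TCP="53 80 443"    # from the server itself (resolver, packages)
OUT_UDP="53 123"       # from the server itself (resolver, ntp)
VPN_TCP="80 443"       # what VPN clients may reach before the NAT

# valid_ports "22 443": succeeds only if every token is a port 1..65535,
# so a stray word in the Makefile fails closed instead of becoming a macro.
valid_ports() {
    for p in $1; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# pf_list "22 443" -> "{ 22 443 }"
pf_list() { printf '{ %s }' "$1"; }

# render_pf_conf: prints the rule set; default-deny, then the four port
# lists, then the VPN path (clients are tagged on wg0 and the tag, not the
# pre-NAT address, is what the egress rules key on).
render_pf_conf() {
    for v in IN_TCP IN_UDP OUT_TCP OUT_UDP VPN_TCP; do
        eval "val=\$$v"
        valid_ports "$val" || { echo "bad port list in $v: '$val'" >&2; return 1; }
    done
    cat <<EOF
wg_lan = "$WG_LAN"
set skip on lo
block drop log all
# ingress: only IN_TCP / IN_UDP reach the WAN interface (group egress)
pass in on egress inet proto tcp to (egress) port $(pf_list "$IN_TCP")
pass in on egress inet proto udp to (egress) port $(pf_list "$IN_UDP")
# egress: the server's own traffic is limited to OUT_TCP / OUT_UDP
pass out on egress inet proto tcp from (egress) to any port $(pf_list "$OUT_TCP")
pass out on egress inet proto udp from (egress) to any port $(pf_list "$OUT_UDP")
# VPN clients: DNS only to the resolver on wg0 (assumption), VPN_TCP elsewhere
pass in on wg0 inet proto { tcp udp } from \$wg_lan to (wg0) port 53
pass in on wg0 inet proto tcp from \$wg_lan to !(wg0:network) port $(pf_list "$VPN_TCP") tag VPN_OUT
# NAT the tagged client traffic to the WAN address and let it out
match out on egress inet tagged VPN_OUT nat-to (egress)
pass out on egress inet tagged VPN_OUT
EOF
}

# Usage: render_pf_conf | pfctl -nf -   (parse only, before loading for real)
render_pf_conf
```

Because ```pass in on wg0``` carries ```tag VPN_OUT```, the outbound rules do not have to reason about whether they see the pre- or post-translation source address; adding a port to ```VPN_TCP``` widens exactly one rule and nothing else.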