Hardened Wireguard setup for OpenBSD
Samuel Aubertin 469b3f09ec sync
2023-12-21 15:05:52 +01:00

  ██████  ██ ▄█▀▒███████▒     █     █░  ▄████ 
▒██    ▒  ██▄█▒ ▒ ▒ ▒ ▄▀░    ▓█░ █ ░█░ ██▒ ▀█▒
░ ▓██▄   ▓███▄░ ░ ▒ ▄▀▒░ ░█▒░ █ ▒█░ █░█ ▒ ██░▄▄▄░
  ▒   ██▒▓██ █▄   ▄▀▒   ░    ░█░ █ ░█ ░▓█  ██▓
▒██████▒▒▒██▒ █▄▒███████▒    ░░██▒██▓ ░▒▓███▀▒
▒ ▒▓▒ ▒ ░▒ ▒▒ ▓▒░▒▒ ▓░▒░▒    ░ ▓░▒ ▒   ░▒   ▒ 
░ ░▒  ░ https://git.sk4.nz/sk4nz/skz-wg ░   ░ 
      ░  ░        ░ ░            ░          ░ 

Samuel 'sk4nz' AUBERTIN

skz-wg is an automated VPN (WireGuard) + DNS (Unbound) + firewall (Packet Filter) setup for OpenBSD, with client configuration management.

WARNING: The VPN clients' outgoing packets are filtered, and the DNS resolver lies about advertising-related hosts.

Howto

tl;dr: make

Install, configure and run WireGuard for the clients FOO and BAR

CLIENTS="FOO BAR" make

Show information about the running WireGuard instance

make info

Details

WireGuard

WireGuard website

Is configured to listen on UDP port WG_PORT and serves the WG_LAN private network. Every peer is authenticated by its key pair and additionally carries a pre-shared key (PSK, mixed into the handshake as a second secret), and persistent keep-alives are enabled so that clients behind NAT keep their mapping open.

Server

Optionally declare the server IP address with SERVER=IP in the ./Makefile or using SERVER=IP make.

Clients

Declare clients a, b and c with CLIENTS= a b c in the ./Makefile or using CLIENTS="a b c" make.

Client management is additive: running CLIENTS="new" make adds the client new without touching the existing ones.

Configuration files

Each client gets a folder in ./ named after it, containing (shown here for a client named sk4nz):

sk4nz.conf # The client configuration file (wg-quick format)
sk4nz.key  # The client private key
sk4nz.pub  # The client public key
sk4nz.pub  # The client PSK (listed with the same suffix as the public key above; check the Makefile for the file the PSK is actually written to)
sk4nz.qr   # The same configuration encoded as a QR code

You can use the .conf or its QR-encoded version .qr to configure clients. The .conf, .key and PSK files contain secrets, and the .qr embeds the whole .conf: keep the folder readable only by root and remove or move these copies once the client has been provisioned.
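For reference, this is what a wg-quick client configuration carrying the PSK and keep-alive described above looks like. It is an added illustration, not the file skz-wg writes: the WG_LAN addresses (10.7.0.0/24), the hostname and the port are placeholders, and the key fields hold placeholders rather than real keys.

```ini
[Interface]
# Contents of sk4nz.key (placeholder, not a real key)
PrivateKey = <contents of sk4nz.key>
# An address inside WG_LAN (assumed 10.7.0.0/24)
Address = 10.7.0.2/24
# The server's WG_LAN address: resolve through the server's Unbound, not a public resolver
DNS = 10.7.0.1

[Peer]
PublicKey = <server public key>
# Contents of the client PSK file (placeholder)
PresharedKey = <contents of the client PSK file>
# SERVER:WG_PORT (placeholder hostname and port)
Endpoint = vpn.example.org:51820
# Send all IPv4 traffic into the tunnel
AllowedIPs = 0.0.0.0/0
# Keep the NAT mapping open; 25 seconds is the value WireGuard documents
PersistentKeepalive = 25
```

Two settings decide whether the server-side controls apply at all: AllowedIPs = 0.0.0.0/0 is what routes the client's traffic through the tunnel where the egress filter sees it, and DNS pointed at the server's WG_LAN address is what makes the client use the lying resolver. A client that narrows AllowedIPs to WG_LAN only, or keeps a public DNS server, bypasses both.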

Unbound

Unbound website

Lies about advertising hosts (the blocklists it loads are declared in ADS_URLS) and validates DNSSEC where the queried zone is signed.
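How the lists in ADS_URLS are turned into Unbound configuration is not shown in this README. The following is an added example, not skz-wg's own code, that assumes the lists are in hosts format ("0.0.0.0 host" per line, which is what most ad blocklists publish) and converts them into Unbound local-zone statements that answer NXDOMAIN for every listed host. The sample lines at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of skz-wg): hosts-format blocklist -> Unbound local-zone lines.
# Assumption: ADS_URLS point at hosts-style lists; the project's own conversion is not shown.

# hosts_to_unbound: read hosts lines on stdin, print one
#   local-zone: "<host>." always_nxdomain
# per unique hostname. Skips comments, blank lines, non-sinkhole entries
# (anything not mapped to 0.0.0.0 or 127.0.0.1), loopback names that hosts
# files always carry, and anything that is not a plain hostname.
hosts_to_unbound() {
    awk '
        { sub(/\r$/, "") }                                  # tolerate CRLF lists
        /^[ \t]*#/ || NF < 2 { next }                       # comment, blank or bare line
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }       # keep sinkhole entries only
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h ~ /^#/) break                         # trailing comment starts
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "local" || h == "broadcasthost" || h == "ip6-localhost") continue
                if (h !~ /^[a-z0-9.-]+$/) continue          # reject junk that is not a hostname
                if (!(h in seen)) {                          # dedupe across all lists
                    seen[h] = 1
                    printf "local-zone: \"%s.\" always_nxdomain\n", h
                }
            }
        }'
}

# Constructed sample input standing in for what one ADS_URLS entry would return.
sample_hosts() {
    printf '%s\n' \
        '# comment line' \
        '127.0.0.1 localhost' \
        '0.0.0.0 ads.example.net' \
        '0.0.0.0 Tracker.Example.org # trailing comment' \
        '0.0.0.0 ads.example.net' \
        '' \
        '1.2.3.4 not.a.sinkhole.entry' \
        '0.0.0.0 bad_host!'
}

# On OpenBSD the real thing would be fed from ftp(1), which speaks https:
#   ftp -o - "$url" | hosts_to_unbound > /var/unbound/etc/adblock.conf
sample_hosts | hosts_to_unbound
```

The generated file belongs inside the server: section of unbound.conf (via an include: line), and always_nxdomain is the right zone type when the goal is to lie: the client gets a clean NXDOMAIN instead of a connection attempt to a sinkhole address. Check the result with unbound-checkconf before rcctl reload unbound, and remember that the DNSSEC validation mentioned above is unaffected by these zones only because local data is answered before resolution starts.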

Packet Filter

OpenBSD PF website

NATs WG_LAN behind the WAN address and filters ports in both directions: what may reach the server, what the server may reach, and what the VPN clients may reach.

To allow more ports, edit IN_TCP, OUT_TCP, IN_UDP, OUT_UDP and VPN_TCP in the ./Makefile.

Ingress: IN_TCP, IN_UDP

  • IN_TCP: Allowed destination ports for incoming TCP packets on the server WAN interface.
  • IN_UDP: Allowed destination ports for incoming UDP packets on the server WAN interface. WireGuard handshakes arrive as UDP on WG_PORT of this interface, so WG_PORT has to stay reachable here.

Egress: OUT_TCP, OUT_UDP

  • OUT_TCP: Allowed destination ports for outgoing TCP packets leaving the server WAN interface.
  • OUT_UDP: Allowed destination ports for outgoing UDP packets leaving the server WAN interface.

NAT: VPN_TCP

Allowed destination TCP ports for packets coming from WG_LAN, checked before they go through the NAT.
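To make the three groups of variables concrete, here is a minimal pf.conf written for this section as an added illustration. It is not the ruleset skz-wg generates; the tunnel interface name wg0, the WG_LAN prefix and every port value are assumptions.

```conf
# Added illustration (not the ruleset skz-wg generates) of how IN_*, OUT_*,
# VPN_TCP and the NAT fit together. Interface name wg0 and all values assumed.
wg_if   = "wg0"
wg_lan  = "10.7.0.0/24"        # WG_LAN
in_tcp  = "{ 22 }"             # IN_TCP
in_udp  = "{ 51820 }"          # IN_UDP: must contain WG_PORT
out_tcp = "{ 80 443 }"         # OUT_TCP
out_udp = "{ 53 123 }"         # OUT_UDP
vpn_tcp = "{ 80 443 }"         # VPN_TCP

set skip on lo
block drop log all             # default deny in both directions, logged to pflog0

# NAT: rewrite WG_LAN source addresses to the WAN address on the way out
match out on egress inet from $wg_lan to any nat-to (egress)

# Ingress on the WAN interface
pass in on egress inet proto tcp to (egress) port $in_tcp
pass in on egress inet proto udp to (egress) port $in_udp

# Egress from the WAN interface
pass out on egress inet proto tcp to any port $out_tcp
pass out on egress inet proto udp to any port $out_udp

# VPN clients: checked on the tunnel interface, i.e. before the NAT above
pass in on $wg_if inet proto tcp from $wg_lan to any port $vpn_tcp
pass in on $wg_if inet proto udp from $wg_lan to ($wg_if) port 53   # DNS only to the local Unbound
pass in on $wg_if inet proto icmp from $wg_lan
```

The udp port 53 rule is deliberately restricted to the tunnel interface's own address: letting clients send DNS to any host would let them walk around the lying resolver. Validate a ruleset with pfctl -nf /etc/pf.conf before loading it, and watch what the default block catches with tcpdump -n -e -ttt -i pflog0; that is the quickest way to find a port missing from one of the five lists.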