init

.env

@@ -0,0 +1,9 @@
+# container
+CONTAINER_NAME=wg_docker_container
+IPV4_ADDRESS=172.20.0.10
+WG_PORT=58120
+WG0_CONF="/etc/wireguard/mullvad/mullvad-au1.conf"
+
+# ssh
+SSH_PUBKEY="$HOME/.ssh/id_rsa.pub"
+SOCKS_PORT=9999

.gitignore

@@ -0,0 +1 @@
+authorized_keys

.wg-docker_bash-completion

@@ -0,0 +1,28 @@
+#/usr/bin/env bash
+
+WG_DOCKER_PROFILE_PATH="/opt/wg-docker/profiles"
+
+_wg-docker_completions()
+{
+      local cur prev opts
+      COMPREPLY=()
+      cur="${COMP_WORDS[COMP_CWORD]}"
+      prev="${COMP_WORDS[COMP_CWORD-1]}"
+      opts="firefox shell thunderbird up"
+
+      if [[ ${cur} == * ]] ; then
+          COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+
+          local sub_opts="$(ls $WG_DOCKER_PROFILE_PATH)"
+          case "$prev" in
+            firefox|shell|thunderbird|up)
+              COMPREPLY=( $(compgen -W "${sub_opts}" -- ${cur}) )
+              return 0
+            ;;
+            version)
+          esac
+      fi
+
+}
+
+complete -F _wg-docker_completions wg-docker

Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.16.3
+# Released Nov 11, 2022
+
+RUN apk add --no-cache \
+      openresolv iptables ip6tables iproute2 wireguard-tools openssh
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

Makefile

@@ -0,0 +1,30 @@
+## Load profile env variables
+include .env
+init:
+	@bash docker/message.sh "Start"
+	make start
+up:
+	@bash docker/message.sh "Start"
+	make start PROFILE=$(PROFILE)
+firefox:
+	@bash docker/message.sh "Starting Firefox"
+	make start PROFILE=$(PROFILE)
+	@bash docker/message.sh "started"
+	@bash docker/firefox.sh "$(PROFILE)"
+	make ssh PROFILE=$(PROFILE)
+ssh:
+	@bash docker/message.sh "Creating Socks"
+	@bash docker/inspect.sh "$(CONTAINER_NAME)" "$(SOCKS_PORT)"
+	@bash docker/message.sh "Created"
+logs:
+	docker-compose logs -f
+start: stop
+	@bash docker/message.sh "Starting Wireguard with Docker"
+	@bash docker/message.sh "Loading Profile.."
+	docker-compose -f docker-compose.env.yml up -d
+	@bash docker/message.sh "Docker server started"
+stop:
+	@bash docker/message.sh "Stopping WireGuard with Docker"
+	docker-compose down
+	@bash docker/message.sh "WireGuard with Docker is stopped"
+target: init

README.md

@@ -0,0 +1,108 @@
+# wg-docker [wip]
+
+This repository contain a simple docker setup for wireguard.
+
+requirements: debian|alpine, docker, wireguard, firefox, thunderbird, proxychains
+space requirements:
+
+alpine, docker images:
+- alpine:3.16.3: 5.54MB
+- wg-docker/alpine:0.0.1: 19.1MB
+
+debian, docker images:
+- debian:stable: 124MB
+- wg-docker/debian:0.0.1: 270MB
+
+## Build the image
+
+```
+docker build . -t wg-docker/alpine:0.0.1
+docker build . -f Dockerfile.debian -t wg-docker/debian:0.0.1
+```
+
+## Usage
+The usage would be similar to `wg-quick`
+
+usage: wg-docker [up|shell|firefox|thunderbird] [profile_name]
+
+### start the container with profile 'lattuga'
+```
+wg-docker up lattuga
+```
+### start the container and the firefox profile, proxied to container with profile lattuga
+```
+wg-docker firefox lattuga
+```
+
+### [wip] start the container and the thunderbird profile, proxied to container with profile lattuga
+
+### [wip] start a shell proxied
+```
+wg-docker shell lattuga
+```
+
+for now start the container and then proxychains every command
+```
+wg-docker up lattuga
+proxychains git clone ...
+```
+
+## ssh to container
+
+```
+ssh -ND 9999 root@172.20.0.10
+
+-N :   Do not execute a remote command. This is useful for just forwarding ports.
+-D :   Specifies a local “dynamic” application-level port forwarding.
+       This works by allocating a socket to listen to port on the local
+       side, optionally bound to the specified bind_address.  Whenever a
+       connection is made to this port, the connection is forwarded over
+       the secure channel, and the application protocol is then used to
+       determine where to connect to from the remote machine.  Currently
+       the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
+       as a SOCKS server.
+```
+
+## Create a profile in firefox
+In Firefox in [about:profiles]([about:profiles]) create a new profile and then go to 'settings', 'network settings' to manually setup the proxy to your choosen socks_port.
+
+## Tips
+
+### Vpn rotations
+Use of healthcheck as scheduler to avoid installing crontab, and change configuration file every while (better would be a change of vpn-endpoint every firefox profile restart)
+
+
+###
+Paste your public ssh key in ./authorized_keys
+or alternatively PermitRootLogin with password and initialize a password
+```
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+echo 'test' | chpasswd
+service ssh restart
+```
+
+
+## Why
+Often I'm browsing some sites through torbrowser and I need at the same time to visit other sites, related to different contexts, and I prefer to open those pages with another network profile, es. via vpn.
+
+I'm currently using mullvad as vpn provider so in this repository there are names of files related to mullvad, but it can be applied easily to other vpns providers that offer wireguard.
+
+## Consulted Links
+- [from ubuntu] https://github.com/linuxserver/docker-wireguard
+- [from alpine] https://github.com/jordanpotter/docker-wireguard
+- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN
+- https://gitlab.tails.boum.org/tails/blueprints/-/wikis/vpn_support/
+- https://tails.boum.org/support/faq/index.en.html#index20h2
+- https://www.whonix.org/wiki/FAQ#How_does_Whonix_work?
+- https://www.qubes-os.org/intro/
+- https://www.whonix.org/wiki/Qubes
+- https://packages.debian.org/bullseye/proxychains
+- https://manpages.debian.org/bullseye/tsocks/tsocks.8.en.html
+
+## Other similar needings
+Common ways to visit a site that doesn't allow traffic from tor:
+
+- web.archive.org, check if archive as a copy
+paste the link after the / in the archive url https://web.archive.org/https://tor-blocking.website/path-to-resource
+
+1.3G Whoonix size

TODO.md

@@ -0,0 +1,2 @@
+[ ] implement killswitch via iptables
+[ ] firefox needs to be restarted the first time for apply network proxy configs

docker-compose.env.yml

@@ -0,0 +1,28 @@
+version: "3.0"
+
+networks:
+  network:
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.20.0.0/12
+
+services:
+  wireguard:
+    build: .
+    image: wg-docker/alpine:0.0.1
+    container_name: ${CONTAINER_NAME}
+    hostname: ${CONTAINER_NAME}
+    restart: unless-stopped
+    ports:
+      - ${WG_PORT}:${WG_PORT}/udp
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv4.conf.all.src_valid_mark=1
+    volumes:
+      - /lib/modules:/lib/modules
+      - ../../authorized_keys:/root/.ssh/authorized_keys
+      - ${WG0_CONF}:/etc/wireguard/wg0.conf

docker-compose.yml

@@ -0,0 +1,28 @@
+version: "3.0"
+
+networks:
+  network:
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.20.0.0/12
+
+services:
+  wireguard:
+    build: .
+    image: wg-docker/alpine:0.0.1
+    container_name: wg_docker_container
+    hostname: wg_docker_container
+    restart: unless-stopped
+    ports:
+      - 51820:51820/udp
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv4.conf.all.src_valid_mark=1
+    volumes:
+      - /lib/modules:/lib/modules
+      - ./authorized_keys:/root/.ssh/authorized_keys
+      - /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf

docker/firefox.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -o allexport
+source .env
+set -o allexport
+
+profile_path="$HOME/.mozilla/firefox"
+env_path="$(echo $(ls $profile_path | grep $1))"
+
+# ($env_path) && \
+firefox -CreateProfile $1 ; firefox -P $1 &
+
+cat << EOF >> $profile_path/$env_path/prefs.js
+user_pref("network.proxy.socks", "localhost");
+user_pref("network.proxy.socks_port", $SOCKS_PORT);
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.type", 1);
+user_pref("network.trr.mode", 2);
+user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
+EOF

docker/inspect.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+IPV4_ADDRESS=$(docker inspect $1 \
+   | grep \"IPAddress\" \
+   | tail -1 \
+   | awk '{ print $2 }' \
+   | sed -e 's/\"\(.*\)\"\,/\1/')
+
+ssh -o StrictHostKeyChecking=no -ND $2 root@$IPV4_ADDRESS &

docker/message.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+	GREEN='\033[0;32m'
+	NC='\033[0m' # No Color
+	echo -e "${GREEN}########################${NC}"
+	echo -e "${GREEN}  ${1} ${NC}"
+	echo -e "${GREEN}########################${NC}"

entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+sed -ie 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config;
+sed -ie 's/#MaxSessions 10/MaxSessions 15/' /etc/ssh/sshd_config;
+
+[ -n /root/.ssh/authorized_keys ] && chown root:root /root/.ssh/authorized_keys
+ssh-keygen -A;
+/usr/sbin/sshd -D;
+
+
+for local_subnet in ${LOCAL_SUBNETS//,/$IFS}
+do
+    echo "Allowing traffic to local subnet ${local_subnet}" >&2
+    ip route add $local_subnet via $default_route_ip
+    iptables -I OUTPUT -d $local_subnet -j ACCEPT
+done
+
+shutdown () {
+    wg-quick down $interface
+    exit 0
+}
+
+# missing documentation
+trap shutdown SIGTERM SIGINT SIGQUIT
+
+sleep infinity &
+wait $!

install.sh

@@ -0,0 +1,11 @@
+#!/bin/su root
+
+WG_DOCKER_PATH="/opt/wg-docker"
+
+cp .wg-docker_bash-completion /usr/share/bash-completion/completions/wg-docker
+
+cp wg-docker /usr/bin/
+
+cp -rp ./ $WG_DOCKER_PATH
+
+chown $USER:$USER $WG_DOCKER_PATH

resources/Dockerfile.alpine

@@ -0,0 +1,9 @@
+FROM alpine:3.16.3
+# Released Nov 11, 2022
+
+RUN apk add --no-cache \
+      openresolv iptables ip6tables iproute2 wireguard-tools openssh
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

resources/Dockerfile.debian

@@ -0,0 +1,24 @@
+FROM debian:stable
+
+RUN \
+  echo "**** install dependencies ****" && \
+  apt update -y && \
+  apt install -y --no-install-recommends \
+  iproute2 \
+  iputils-ping \
+  iptables \
+  ifupdown \
+  net-tools \
+  openresolv \
+  mtr \
+  ssh \
+  wireguard-tools && \
+  echo "**** clean up ****" && \
+  rm -rf \
+    /tmp/* \
+    /var/lib/apt/lists/* \
+    /var/tmp/*
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

resources/README.md

@@ -0,0 +1,34 @@
+
+
+thanks
+https://unix.stackexchange.com/questions/14160/ssh-tunneling-error-channel-1-open-failed-administratively-prohibited-open
+
+
+example usage
+
+wg-docker up framagit
+wg-docker up framagit --browser
+wg-docker shell framagit
+
+create profile
+
+
+firefox -CreateProfile wg_$PROFILE_NAME_$SOCKS_PORT
+firefox -P wg_$PROFILE_NAME_$SOCKS_PORT
+
+
+edit profile network proxy section via sed
+avoid if possible other dependencies https://firefox-source-docs.mozilla.org/mozbase/mozprofile.html
+
+<!--
+user_pref("network.proxy.socks", "localhost");
+user_pref("network.proxy.socks_port", $SOCKS_PORT);
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.type", 1);
+-->
+
+FIREFOX_PROFILE_PATH=framagit
+sed -i -e 's/\(network.proxy.socks\"\, \)\(.*\)/\1\"localhost\"/g' $FIREFOX_PROFILE_PATH
+sed -i -e 's/\(network.proxy.socks_port\"\, \)\(.*\)/\1\"${SOCKS_PORT}\"/g' $FIREFOX_PROFILE_PATH
+sed -i -e 's/\(network.proxy.socks_remote_dns\"\, \)\(.*\)/\1\"true\"/g' $FIREFOX_PROFILE_PATH
+sed -i -e 's/\(network.proxy.socks_remote_dns\"\, \)\(.*\)/\1\"true\"/g' $FIREFOX_PROFILE_PATH

resources/docker-compose.rotate.yml

@@ -0,0 +1,41 @@
+version: "3.0"
+
+networks:
+  network:
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.20.0.0/24
+
+services:
+  wireguard:
+    build: .
+    image: wg-docker/alpine:0.0.1
+    container_name: wg_docker_container
+    hostname: wg_docker_container
+    restart: unless-stopped
+    networks:
+      network:
+        ipv4_address: 172.20.0.10
+    ports:
+      - 51820:51820/udp
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/London 
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv4.conf.all.src_valid_mark=1
+    volumes:
+      - /lib/modules:/lib/modules
+      - /run/sshd:/run/sshd
+      - ./authorized_keys:/root/.ssh/authorized_keys
+      - /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf
+      - /etc/wireguard/mullvad:/etc/wireguard/mullvad
+      - ./rotate.sh:/usr/bin/rotate.sh
+    healthcheck:
+      test: [ "CMD", "/usr/bin/rotate.sh" ]
+      interval: 24h

resources/entrypoint.alpine.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+sed -ie 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config;
+sed -ie 's/#MaxSessions 10/MaxSessions 15/' /etc/ssh/sshd_config;
+
+[ -n /root/.ssh/authorized_keys ] && chown root:root /root/.ssh/authorized_keys
+ssh-keygen -A;
+/usr/sbin/sshd -D;
+
+for local_subnet in ${LOCAL_SUBNETS//,/$IFS}
+do
+    echo "Allowing traffic to local subnet ${local_subnet}" >&2
+    ip route add $local_subnet via $default_route_ip
+    iptables -I OUTPUT -d $local_subnet -j ACCEPT
+done
+
+shutdown () {
+    wg-quick down $interface
+    exit 0
+}
+
+# missing documentation
+trap shutdown SIGTERM SIGINT SIGQUIT
+
+sleep infinity &
+wait $!

resources/entrypoint.debian.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+[ -n /root/.ssh/authorized_keys ] && chown root:root /root/.ssh/authorized_keys
+/usr/sbin/sshd -D;

resources/entrypoint.password.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+echo '${ROOT_PASSWORD}' | chpasswd
+ssh-keygen -A;
+/usr/sbin/sshd -D;
+
+# missing docs
+trap shutdown SIGTERM SIGINT SIGQUIT
+
+sleep infinity &
+wait $!

resources/killswitch

@@ -0,0 +1,13 @@
+# IPv4 kill switch: traffic must be either (1) to the WireGuard interface, (2) marked as a WireGuard packet, (3) to a local address, or (4) to the Docker network
+docker_network="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')"
+docker_network_rule=$([ ! -z "$docker_network" ] && echo "! -d $docker_network" || echo "")
+iptables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker_network_rule -j REJECT
+
+# IPv6 kill switch: traffic must be either (1) to the WireGuard interface, (2) marked as a WireGuard packet, (3) to a local address, or (4) to the Docker network
+docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')"
+if [[ "$docker6_network" ]]; then
+    docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "")
+    ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
+else
+    echo "Skipping IPv6 kill switch setup since IPv6 interface was not found" >&2
+fi

resources/rotate.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+iface="$(ip l | grep mullvad | awk '{print $2}' | sed 's/://')";
+# Delete entry-iface
+[ -z $iface ] \
+	&& iface="$(ip l | grep wg | awk '{print $2}' | sed 's/://')" \
+	&& /usr/bin/wg-quick down $iface;
+
+# Select a random config file
+new_iface="$(ls /etc/wireguard/mullvad/ | sort -R | tail -1)";
+
+/usr/bin/wg-quick down /etc/wireguard/mullvad/$iface.conf;
+/usr/bin/wg-quick up /etc/wireguard/mullvad/$new_iface;

wg-docker

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+WG_DOCKER_PATH="/opt/wg-docker"
+
+cd $WG_DOCKER_PATH
+ls ./profiles || mkdir ./profiles
+
+# create profile
+[ -n $1 ] && [ -n $2 ] && \
+  (ls ./profiles | grep $2) &&
+  (ls ./profiles/$2/ || mkdir ./profiles/$2/) &&
+  cp docker-compose.env.yml ./profiles/$2/ &&
+  cp Makefile ./profiles/$2/ &&
+  cp -r docker/ ./profiles/$2/ &&
+  cd ./profiles/$2/ &&
+  make $1 PROFILE="$2" ||
+(
+profile_name="test"
+wg_conf_path="/etc/wireguard/mullvad/mullvad-au1.conf"
+ssh_pubkey="$HOME/.ssh/id_rsa.pub"
+wg_port=52016
+socks_port=1116
+
+echo "
+usage: wg-docker [up|shell|firefox|thunderbird] [profile_name]
+Provide a profile name, and a valid WireGuard configuration file, and a public ssh key
+
+profile_name: Work
+wg_conf_path: /etc/wireguard/mullvad/mullvad-au1.conf
+ssh_pubkey: $HOME/.ssh/id_rsa.pub
+wg_port: 52000 [default]
+socks_port: 1100 [default]
+######################
+"
+
+# comment out if manually entered
+read -p "profile_name  :  " profile_name
+read -p "wg_conf_path  :  " wg_conf_path
+read -p "ssh_pubkey  :  " ssh_pubkey
+read -p "wg_port  :  " wg_port
+read -p "socks_port  :  " socks_port
+
+profile_path="./profiles/${profile_name}_wg_${wg_port}_socks_${socks_port}"
+
+# Create a profile from template
+[ ! -d $profile_path ] && mkdir $profile_path || \
+touch $profile_path/.env
+
+# fill template
+cat << EOF >> $profile_path/.env
+# container wg
+CONTAINER_NAME=wg_${profile_name}
+WG_PORT=${wg_port}
+WG0_CONF=${wg_conf_path}
+
+# ssh socks
+SSH_PUBKEY=${ssh_pubkey}
+SOCKS_PORT=${socks_port}
+EOF
+
+echo "Profile enviroment created at $profile_path/.env"
+)