init
commit
2a309d4704
24 changed files with 573 additions and 0 deletions
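--- a/.env
+++ b/.env
@@ -0,0 +1,9 @@
+# container
+CONTAINER_NAME=wg_docker_container
+IPV4_ADDRESS=172.20.0.10
+WG_PORT=58120
+WG0_CONF="/etc/wireguard/mullvad/mullvad-au1.conf"
+
+# ssh
+SSH_PUBKEY="$HOME/.ssh/id_rsa.pub"
+SOCKS_PORT=9999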
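Review bot: `SSH_PUBKEY="$HOME/.ssh/id_rsa.pub"` is read by two consumers that do not expand it the same way: the Makefile's `include .env` treats `$H` as a Make variable reference, so inside Make the value becomes `"OME/.ssh/id_rsa.pub"`, while only `source .env` in docker/firefox.sh sees `$HOME` as a shell variable. Store an absolute path here, or resolve the path in the script that needs it. As far as this commit shows, nothing actually reads `SSH_PUBKEY` (the container gets its key from the mounted `authorized_keys` file), so the entry could also be dropped. The double quotes around `WG0_CONF` are kept literally by Make, and whether docker-compose strips them when it substitutes `${WG0_CONF}` depends on the compose version, so unquoted values are the safer form in this file.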
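--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+authorized_keys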
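--- a/.wg-docker_bash-completion
+++ b/.wg-docker_bash-completion
@@ -0,0 +1,28 @@
+#/usr/bin/env bash
+
+WG_DOCKER_PROFILE_PATH="/opt/wg-docker/profiles"
+
+_wg-docker_completions()
+{
+local cur prev opts
+COMPREPLY=()
+cur="${COMP_WORDS[COMP_CWORD]}"
+prev="${COMP_WORDS[COMP_CWORD-1]}"
+opts="firefox shell thunderbird up"
+
+if [[ ${cur} == * ]] ; then
+COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+
+local sub_opts="$(ls $WG_DOCKER_PROFILE_PATH)"
+case "$prev" in
+firefox|shell|thunderbird|up)
+COMPREPLY=( $(compgen -W "${sub_opts}" -- ${cur}) )
+return 0
+;;
+version)
+esac
+fi
+
+}
+
+complete -F _wg-docker_completions wg-docker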
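Review bot: The first line `#/usr/bin/env bash` is missing the `!`, so it is an ordinary comment rather than a shebang; that is harmless for a file bash-completion sources, but misleading, so either write `#!/usr/bin/env bash` or drop the line. `if [[ ${cur} == * ]]` is always true because `*` is an unquoted glob pattern, so the guard adds nothing and the body can stand on its own. `local sub_opts="$(ls $WG_DOCKER_PROFILE_PATH)"` prints an error into the completion output when the directory does not exist yet (wg-docker creates it on first run); `$(ls -- "$WG_DOCKER_PROFILE_PATH" 2>/dev/null)` keeps it quiet. The empty `version)` arm before `esac` does nothing and could be removed.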
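--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.16.3
+# Released Nov 11, 2022
+
+RUN apk add --no-cache \
+openresolv iptables ip6tables iproute2 wireguard-tools openssh
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]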
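Review bot: The `apk add` line installs `openresolv iptables ip6tables iproute2 wireguard-tools openssh` but not `bash`, while the copied entrypoint.sh begins with `#!/bin/bash`; the alpine base image ships only busybox `sh`, so unless something else provides `/bin/bash` the container fails at `ENTRYPOINT ["/entrypoint.sh"]` before WireGuard or sshd start. Either add `bash` to the package list or write the entrypoint for `/bin/sh`. resources/Dockerfile.alpine duplicates this file line for line and has the same gap; keeping one copy would avoid the two drifting apart.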
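--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,30 @@
+## Load profile env variables
+include .env
+init:
+@bash docker/message.sh "Start"
+make start
+up:
+@bash docker/message.sh "Start"
+make start PROFILE=$(PROFILE)
+firefox:
+@bash docker/message.sh "Starting Firefox"
+make start PROFILE=$(PROFILE)
+@bash docker/message.sh "started"
+@bash docker/firefox.sh "$(PROFILE)"
+make ssh PROFILE=$(PROFILE)
+ssh:
+@bash docker/message.sh "Creating Socks"
+@bash docker/inspect.sh "$(CONTAINER_NAME)" "$(SOCKS_PORT)"
+@bash docker/message.sh "Created"
+logs:
+docker-compose logs -f
+start: stop
+@bash docker/message.sh "Starting Wireguard with Docker"
+@bash docker/message.sh "Loading Profile.."
+docker-compose -f docker-compose.env.yml up -d
+@bash docker/message.sh "Docker server started"
+stop:
+@bash docker/message.sh "Stopping WireGuard with Docker"
+docker-compose down
+@bash docker/message.sh "WireGuard with Docker is stopped"
+target: init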
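Review bot: The recipes invoke `make start` and `make ssh PROFILE=$(PROFILE)` literally; inside a Makefile these should be `$(MAKE) start` and `$(MAKE) ssh PROFILE=$(PROFILE)` so that `-n`, `-j` and the jobserver propagate (with a literal `make`, a dry run skips the nested invocation entirely). `init`, `up`, `firefox`, `ssh`, `logs`, `start`, `stop` and `target` are commands rather than files and need `.PHONY: init up firefox ssh logs start stop target`, otherwise a stray file named `ssh` or `logs` in the profile directory makes that target silently "up to date". `include .env` also expands `$HOME` in `SSH_PUBKEY` as Make's `$H` variable, so values in `.env` cannot rely on shell expansion. `init` and `up` differ only by the `PROFILE=` argument, and `target: init` at the bottom is a recipe-less rule whose purpose is not documented; a `## ...` comment on it, or its removal, would help the next reader.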
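--- a/README.md
+++ b/README.md
@@ -0,0 +1,108 @@
+# wg-docker [wip]
+
+This repository contain a simple docker setup for wireguard.
+
+requirements: debian|alpine, docker, wireguard, firefox, thunderbird, proxychains
+space requirements:
+
+alpine, docker images:
+- alpine:3.16.3: 5.54MB
+- wg-docker/alpine:0.0.1: 19.1MB
+
+debian, docker images:
+- debian:stable: 124MB
+- wg-docker/debian:0.0.1: 270MB
+
+## Build the image
+
+```
+docker build . -t wg-docker/alpine:0.0.1
+docker build . -f Dockerfile.debian -t wg-docker/debian:0.0.1
+```
+
+## Usage
+The usage would be similar to `wg-quick`
+
+usage: wg-docker [up|shell|firefox|thunderbird] [profile_name]
+
+### start the container with profile 'lattuga'
+```
+wg-docker up lattuga
+```
+### start the container and the firefox profile, proxied to container with profile lattuga
+```
+wg-docker firefox lattuga
+```
+
+### [wip] start the container and the thunderbird profile, proxied to container with profile lattuga
+
+### [wip] start a shell proxied
+```
+wg-docker shell lattuga
+```
+
+for now start the container and then proxychains every command
+```
+wg-docker up lattuga
+proxychains git clone ...
+```
+
+## ssh to container
+
+```
+ssh -ND 9999 root@172.20.0.10
+
+-N : Do not execute a remote command. This is useful for just forwarding ports.
+-D : Specifies a local “dynamic” application-level port forwarding.
+This works by allocating a socket to listen to port on the local
+side, optionally bound to the specified bind_address. Whenever a
+connection is made to this port, the connection is forwarded over
+the secure channel, and the application protocol is then used to
+determine where to connect to from the remote machine. Currently
+the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
+as a SOCKS server.
+```
+
+## Create a profile in firefox
+In Firefox in [about:profiles]([about:profiles]) create a new profile and then go to 'settings', 'network settings' to manually setup the proxy to your choosen socks_port.
+
+## Tips
+
+### Vpn rotations
+Use of healthcheck as scheduler to avoid installing crontab, and change configuration file every while (better would be a change of vpn-endpoint every firefox profile restart)
+
+
+###
+Paste your public ssh key in ./authorized_keys
+or alternatively PermitRootLogin with password and initialize a password
+```
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+echo 'test' | chpasswd
+service ssh restart
+```
+
+
+## Why
+Often I'm browsing some sites through torbrowser and I need at the same time to visit other sites, related to different contexts, and I prefer to open those pages with another network profile, es. via vpn.
+
+I'm currently using mullvad as vpn provider so in this repository there are names of files related to mullvad, but it can be applied easily to other vpns providers that offer wireguard.
+
+## Consulted Links
+- [from ubuntu] https://github.com/linuxserver/docker-wireguard
+- [from alpine] https://github.com/jordanpotter/docker-wireguard
+- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN
+- https://gitlab.tails.boum.org/tails/blueprints/-/wikis/vpn_support/
+- https://tails.boum.org/support/faq/index.en.html#index20h2
+- https://www.whonix.org/wiki/FAQ#How_does_Whonix_work?
+- https://www.qubes-os.org/intro/
+- https://www.whonix.org/wiki/Qubes
+- https://packages.debian.org/bullseye/proxychains
+- https://manpages.debian.org/bullseye/tsocks/tsocks.8.en.html
+
+## Other similar needings
+Common ways to visit a site that doesn't allow traffic from tor:
+
+- web.archive.org, check if archive as a copy
+paste the link after the / in the archive url https://web.archive.org/https://tor-blocking.website/path-to-resource
+
+1.3G Whoonix size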
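--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,2 @@
+[ ] implement killswitch via iptables
+[ ] firefox needs to be restarted the first time for apply network proxy configs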
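--- a/docker-compose.env.yml
+++ b/docker-compose.env.yml
@@ -0,0 +1,28 @@
+version: "3.0"
+
+networks:
+network:
+driver: bridge
+ipam:
+config:
+- subnet: 172.20.0.0/12
+
+services:
+wireguard:
+build: .
+image: wg-docker/alpine:0.0.1
+container_name: ${CONTAINER_NAME}
+hostname: ${CONTAINER_NAME}
+restart: unless-stopped
+ports:
+- ${WG_PORT}:${WG_PORT}/udp
+cap_add:
+- NET_ADMIN
+- SYS_MODULE
+sysctls:
+- net.ipv6.conf.all.disable_ipv6=0
+- net.ipv4.conf.all.src_valid_mark=1
+volumes:
+- /lib/modules:/lib/modules
+- ../../authorized_keys:/root/.ssh/authorized_keys
+- ${WG0_CONF}:/etc/wireguard/wg0.conf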
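Review bot: `subnet: 172.20.0.0/12` is not an aligned prefix — a /12 containing 172.20.0.0 is the entire 172.16.0.0/12 private block, far more than one container needs and likely to overlap other Docker networks or a LAN in that range; resources/docker-compose.rotate.yml uses `172.20.0.0/24`, which is the plausible intent. The `network` declared under `networks:` is also never attached to the `wireguard` service, so the container ends up on the default bridge and the fixed `IPV4_ADDRESS=172.20.0.10` in `.env` is not guaranteed; add a `networks:` entry with `ipv4_address:` on the service, as the rotate file does, if a stable address is relied on. `cap_add: SYS_MODULE` together with the `/lib/modules:/lib/modules` mount lets the container load arbitrary host kernel modules; on a host whose kernel already provides wireguard, `NET_ADMIN` alone is usually enough and both can be dropped. docker-compose.yml carries the same subnet and the same missing attachment.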
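--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,28 @@
+version: "3.0"
+
+networks:
+network:
+driver: bridge
+ipam:
+config:
+- subnet: 172.20.0.0/12
+
+services:
+wireguard:
+build: .
+image: wg-docker/alpine:0.0.1
+container_name: wg_docker_container
+hostname: wg_docker_container
+restart: unless-stopped
+ports:
+- 51820:51820/udp
+cap_add:
+- NET_ADMIN
+- SYS_MODULE
+sysctls:
+- net.ipv6.conf.all.disable_ipv6=0
+- net.ipv4.conf.all.src_valid_mark=1
+volumes:
+- /lib/modules:/lib/modules
+- ./authorized_keys:/root/.ssh/authorized_keys
+- /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf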
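--- a/docker/firefox.sh
+++ b/docker/firefox.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -o allexport
+source .env
+set -o allexport
+
+profile_path="$HOME/.mozilla/firefox"
+env_path="$(echo $(ls $profile_path | grep $1))"
+
+# ($env_path) && \
+firefox -CreateProfile $1 ; firefox -P $1 &
+
+cat << EOF >> $profile_path/$env_path/prefs.js
+user_pref("network.proxy.socks", "localhost");
+user_pref("network.proxy.socks_port", $SOCKS_PORT);
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.type", 1);
+user_pref("network.trr.mode", 2);
+user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
+EOF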
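Review bot: The second `set -o allexport` after `source .env` repeats the first instead of switching it off; it should be `set +o allexport`, otherwise every later assignment in the script is exported as well. `env_path` is looked up with `ls $profile_path | grep $1` before `firefox -CreateProfile $1` runs, so on the first use of a profile it is empty and the heredoc appends to `$HOME/.mozilla/firefox//prefs.js` rather than to the new profile — which is consistent with the TODO entry about restarting Firefox once; resolve the directory after the profile exists, and quote `"$1"` and `"$profile_path"` (the unquoted `grep $1` also matches any directory containing the name as a substring). Appending to prefs.js while `firefox -P $1 &` already has that profile open is racy as well, since Firefox rewrites prefs.js itself; a `user.js` in the profile directory, which Firefox reads at startup, is the usual place for pinned preferences like these.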
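--- a/docker/inspect.sh
+++ b/docker/inspect.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+IPV4_ADDRESS=$(docker inspect $1 \
+| grep \"IPAddress\" \
+| tail -1 \
+| awk '{ print $2 }' \
+| sed -e 's/\"\(.*\)\"\,/\1/')
+
+ssh -o StrictHostKeyChecking=no -ND $2 root@$IPV4_ADDRESS &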
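Review bot: `ssh -o StrictHostKeyChecking=no` downgrades a host-key mismatch to a warning that the backgrounded ssh then ignores; because the Makefile's `start: stop` recreates the container on every start and entrypoint.sh runs `ssh-keygen -A` in the fresh container, the key changes each time, so this option will hide every mismatch on the one SOCKS endpoint that carries the browser's traffic. Persist the container's `/etc/ssh/ssh_host_*` keys in a volume so the known_hosts entry stays valid, then drop the option. The five-line `grep | tail | awk | sed` pipeline can be replaced by `docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"`, and the script should refuse to start ssh when `$IPV4_ADDRESS` is empty rather than backgrounding `ssh ... root@`. `$1` and `$2` are unquoted throughout.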
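--- a/docker/message.sh
+++ b/docker/message.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+echo -e "${GREEN}########################${NC}"
+echo -e "${GREEN} ${1} ${NC}"
+echo -e "${GREEN}########################${NC}"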
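--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+sed -ie 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config;
+sed -ie 's/#MaxSessions 10/MaxSessions 15/' /etc/ssh/sshd_config;
+
+[ -n /root/.ssh/authorized_keys ] && chown root:root /root/.ssh/authorized_keys
+ssh-keygen -A;
+/usr/sbin/sshd -D;
+
+
+for local_subnet in ${LOCAL_SUBNETS//,/$IFS}
+do
+echo "Allowing traffic to local subnet ${local_subnet}" >&2
+ip route add $local_subnet via $default_route_ip
+iptables -I OUTPUT -d $local_subnet -j ACCEPT
+done
+
+shutdown () {
+wg-quick down $interface
+exit 0
+}
+
+# missing documentation
+trap shutdown SIGTERM SIGINT SIGQUIT
+
+sleep infinity &
+wait $!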
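Review bot: `/usr/sbin/sshd -D;` keeps sshd in the foreground, so nothing below it — the `LOCAL_SUBNETS` route loop, `shutdown`, `trap shutdown SIGTERM SIGINT SIGQUIT` and `sleep infinity & wait $!` — runs until sshd exits, and the trap meant to run `wg-quick down` on container stop is never installed; start sshd without `-D` (or with `&`) and keep the trap/wait pair as the foreground process. `[ -n /root/.ssh/authorized_keys ]` tests a non-empty string and is always true; `[ -s /root/.ssh/authorized_keys ]` is what was intended. `sed -ie` is `-i` with backup suffix `e`, so each call leaves an `/etc/ssh/sshd_confige` copy behind — use `sed -i -e '...' -e '...' -e '...' /etc/ssh/sshd_config` once. `$interface` (used by `shutdown`, where `wg0` is the name brought up above), `$default_route_ip` and `$LOCAL_SUBNETS` are never assigned in this file. resources/entrypoint.alpine.sh is a copy with the same problems, and resources/entrypoint.debian.sh repeats the `-n` test and `sed -ie`.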
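--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,11 @@
+#!/bin/su root
+
+WG_DOCKER_PATH="/opt/wg-docker"
+
+cp .wg-docker_bash-completion /usr/share/bash-completion/completions/wg-docker
+
+cp wg-docker /usr/bin/
+
+cp -rp ./ $WG_DOCKER_PATH
+
+chown $USER:$USER $WG_DOCKER_PATH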
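Review bot: `cp -rp ./ $WG_DOCKER_PATH` copies the whole working tree into /opt/wg-docker — `.git`, the committed `.env`, and any `authorized_keys` present — and `chown $USER:$USER $WG_DOCKER_PATH` is not recursive, so with `-p` the copied files keep their original ownership; wg-docker only ever copies docker-compose.env.yml, Makefile and docker/ into a profile, so copying just those (plus the compose and Dockerfile inputs) would be enough. `#!/bin/su root` is not a conventional interpreter line and relies on root's login shell accepting the script path as its first argument; `#!/bin/bash` with `[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }` is more predictable. Under `su`, `$USER` is presumably reset to `root`, in which case the final chown does not hand the directory back to the invoking user as the line suggests.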
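--- a/resources/Dockerfile.alpine
+++ b/resources/Dockerfile.alpine
@@ -0,0 +1,9 @@
+FROM alpine:3.16.3
+# Released Nov 11, 2022
+
+RUN apk add --no-cache \
+openresolv iptables ip6tables iproute2 wireguard-tools openssh
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]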
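--- a/resources/Dockerfile.debian
+++ b/resources/Dockerfile.debian
@@ -0,0 +1,24 @@
+FROM debian:stable
+
+RUN \
+echo "**** install dependencies ****" && \
+apt update -y && \
+apt install -y --no-install-recommends \
+iproute2 \
+iputils-ping \
+iptables \
+ifupdown \
+net-tools \
+openresolv \
+mtr \
+ssh \
+wireguard-tools && \
+echo "**** clean up ****" && \
+rm -rf \
+/tmp/* \
+/var/lib/apt/lists/* \
+/var/tmp/*
+
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]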
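Review bot: `FROM debian:stable` is a moving tag, so the image silently changes content whenever Debian promotes a new release, unlike the pinned `alpine:3.16.3` used by the other Dockerfiles; pin a release codename or a digest (for example `debian:<codename>-slim`, codename to be chosen) so rebuilds are reproducible. `apt update -y` / `apt install` use the interactive front end, which warns that its CLI is not stable for scripts; `apt-get update && apt-get install -y --no-install-recommends ...` is the conventional form inside a `RUN`. The `rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/*` cleanup is in the same layer as the install, which is the right place for it.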
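--- a/resources/README.md
+++ b/resources/README.md
@@ -0,0 +1,34 @@
+
+
+thanks
+https://unix.stackexchange.com/questions/14160/ssh-tunneling-error-channel-1-open-failed-administratively-prohibited-open
+
+
+example usage
+
+wg-docker up framagit
+wg-docker up framagit --browser
+wg-docker shell framagit
+
+create profile
+
+
+firefox -CreateProfile wg_$PROFILE_NAME_$SOCKS_PORT
+firefox -P wg_$PROFILE_NAME_$SOCKS_PORT
+
+
+edit profile network proxy section via sed
+avoid if possible other dependencies https://firefox-source-docs.mozilla.org/mozbase/mozprofile.html
+
+<!--
+user_pref("network.proxy.socks", "localhost");
+user_pref("network.proxy.socks_port", $SOCKS_PORT);
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.type", 1);
+-->
+
+FIREFOX_PROFILE_PATH=framagit
+sed -i -e 's/\(network.proxy.socks\"\, \)\(.*\)/\1\"localhost\"/g' $FIREFOX_PROFILE_PATH
+sed -i -e 's/\(network.proxy.socks_port\"\, \)\(.*\)/\1\"${SOCKS_PORT}\"/g' $FIREFOX_PROFILE_PATH
+sed -i -e 's/\(network.proxy.socks_remote_dns\"\, \)\(.*\)/\1\"true\"/g' $FIREFOX_PROFILE_PATH
+sed -i -e 's/\(network.proxy.socks_remote_dns\"\, \)\(.*\)/\1\"true\"/g' $FIREFOX_PROFILE_PATH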
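--- a/resources/docker-compose.rotate.yml
+++ b/resources/docker-compose.rotate.yml
@@ -0,0 +1,41 @@
+version: "3.0"
+
+networks:
+network:
+driver: bridge
+ipam:
+config:
+- subnet: 172.20.0.0/24
+
+services:
+wireguard:
+build: .
+image: wg-docker/alpine:0.0.1
+container_name: wg_docker_container
+hostname: wg_docker_container
+restart: unless-stopped
+networks:
+network:
+ipv4_address: 172.20.0.10
+ports:
+- 51820:51820/udp
+environment:
+- PUID=1000
+- PGID=1000
+- TZ=Europe/London
+cap_add:
+- NET_ADMIN
+- SYS_MODULE
+sysctls:
+- net.ipv6.conf.all.disable_ipv6=0
+- net.ipv4.conf.all.src_valid_mark=1
+volumes:
+- /lib/modules:/lib/modules
+- /run/sshd:/run/sshd
+- ./authorized_keys:/root/.ssh/authorized_keys
+- /etc/wireguard/wg0.conf:/etc/wireguard/wg0.conf
+- /etc/wireguard/mullvad:/etc/wireguard/mullvad
+- ./rotate.sh:/usr/bin/rotate.sh
+healthcheck:
+test: [ "CMD", "/usr/bin/rotate.sh" ]
+interval: 24h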
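Review bot: Running `/usr/bin/rotate.sh` from `healthcheck:` makes the endpoint switch subject to the health check's `timeout` (30s unless set) — if `wg-quick down`/`up` takes longer the script is killed between the two calls and the container is left with no tunnel — and a failing rotation only marks the container `unhealthy`, which `restart: unless-stopped` does not act on. A loop in the entrypoint (or a dedicated scheduler) that checks the result and restores the previous config on failure is the safer place for this; if the health check stays, set `timeout:` explicitly and make rotate.sh idempotent. The `/etc/wireguard/mullvad:/etc/wireguard/mullvad` mount exposes every provider config, each holding a private key, to the container and should at least be `:ro`. `PUID`, `PGID` and `TZ` are not read by any script in this commit.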
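--- a/resources/entrypoint.alpine.sh
+++ b/resources/entrypoint.alpine.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+sed -ie 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config;
+sed -ie 's/#MaxSessions 10/MaxSessions 15/' /etc/ssh/sshd_config;
+
+[ -n /root/.ssh/authorized_keys ] && chown root:root /root/.ssh/authorized_keys
+ssh-keygen -A;
+/usr/sbin/sshd -D;
+
+for local_subnet in ${LOCAL_SUBNETS//,/$IFS}
+do
+echo "Allowing traffic to local subnet ${local_subnet}" >&2
+ip route add $local_subnet via $default_route_ip
+iptables -I OUTPUT -d $local_subnet -j ACCEPT
+done
+
+shutdown () {
+wg-quick down $interface
+exit 0
+}
+
+# missing documentation
+trap shutdown SIGTERM SIGINT SIGQUIT
+
+sleep infinity &
+wait $!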
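--- a/resources/entrypoint.debian.sh
+++ b/resources/entrypoint.debian.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+[ -n /root/.ssh/authorized_keys ] && chown root:root /root/.ssh/authorized_keys
+/usr/sbin/sshd -D;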
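--- a/resources/entrypoint.password.sh
+++ b/resources/entrypoint.password.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
+sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick
+/usr/bin/wg-quick up wg0;
+
+sed -ie 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config;
+echo '${ROOT_PASSWORD}' | chpasswd
+ssh-keygen -A;
+/usr/sbin/sshd -D;
+
+# missing docs
+trap shutdown SIGTERM SIGINT SIGQUIT
+
+sleep infinity &
+wait $!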
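Review bot: `echo '${ROOT_PASSWORD}' | chpasswd` does not set the intended password: the single quotes keep `${ROOT_PASSWORD}` literal, and `chpasswd` expects `user:password` lines, so the command fails or sets nothing useful while `PermitRootLogin yes` has just been enabled. If password login is really wanted, `[ -n "$ROOT_PASSWORD" ] && echo "root:${ROOT_PASSWORD}" | chpasswd` is the working form, with the guard so an unset variable cannot produce an empty root password; the key-based `authorized_keys` flow used by entrypoint.sh avoids the problem altogether. As in entrypoint.sh, `/usr/sbin/sshd -D;` blocks before `trap shutdown SIGTERM SIGINT SIGQUIT` is reached, and `shutdown` is not defined anywhere in this file.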
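--- a/resources/killswitch
+++ b/resources/killswitch
@@ -0,0 +1,13 @@
+# IPv4 kill switch: traffic must be either (1) to the WireGuard interface, (2) marked as a WireGuard packet, (3) to a local address, or (4) to the Docker network
+docker_network="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')"
+docker_network_rule=$([ ! -z "$docker_network" ] && echo "! -d $docker_network" || echo "")
+iptables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker_network_rule -j REJECT
+
+# IPv6 kill switch: traffic must be either (1) to the WireGuard interface, (2) marked as a WireGuard packet, (3) to a local address, or (4) to the Docker network
+docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')"
+if [[ "$docker6_network" ]]; then
+docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "")
+ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
+else
+echo "Skipping IPv6 kill switch setup since IPv6 interface was not found" >&2
+fi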
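Review bot: `$interface` is used in `! -o $interface` and `wg show $interface fwmark` on both rule lines but is never assigned in this file, and the entrypoints that would source it bring the tunnel up as `wg0` without exporting a name; with it empty the iptables invocations are malformed and no kill switch is installed. Since the file has no shebang and is not executable it is presumably meant to be sourced, so a leading `interface="${interface:-wg0}"` (or `: "${interface:?interface not set}"`) would make the dependency explicit. The `$(wg show ... fwmark)` substitution has the same failure mode — an empty result leaves `! --mark` without an argument — so capture it first and abort if it is empty. `$docker_network_rule` and `$docker6_network_rule` are intentionally unquoted so that `! -d <net>` splits into separate arguments; a one-line comment saying so would keep a future quoting cleanup from breaking the rules.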
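--- a/resources/rotate.sh
+++ b/resources/rotate.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+iface="$(ip l | grep mullvad | awk '{print $2}' | sed 's/://')";
+# Delete entry-iface
+[ -z $iface ] \
+&& iface="$(ip l | grep wg | awk '{print $2}' | sed 's/://')" \
+&& /usr/bin/wg-quick down $iface;
+
+# Select a random config file
+new_iface="$(ls /etc/wireguard/mullvad/ | sort -R | tail -1)";
+
+/usr/bin/wg-quick down /etc/wireguard/mullvad/$iface.conf;
+/usr/bin/wg-quick up /etc/wireguard/mullvad/$new_iface;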
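Review bot: The script tears the current tunnel down before it knows the replacement works: `wg-quick down /etc/wireguard/mullvad/$iface.conf` runs unconditionally and is followed by `wg-quick up .../$new_iface` with no check, so if the up fails the container is left with no WireGuard interface, and with the kill switch still listed as unimplemented in TODO.md the container's traffic would then leave via the Docker bridge. Run with `set -e`, and either bring the new interface up before removing the old one or re-run `wg-quick up` on the previous config when the new one fails. The naming is also inconsistent: `$iface` from `grep mullvad` is an interface name while `$new_iface` from `ls` carries the `.conf` suffix, the fallback branch already downs `$iface` once before the second `down` on the config path, `sort -R | tail -1` can pick the config that is currently up, and `[ -z $iface ]` should be `[ -z "$iface" ]` so an empty value is tested rather than collapsing to `[ -z ]`.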
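--- a/wg-docker
+++ b/wg-docker
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+WG_DOCKER_PATH="/opt/wg-docker"
+
+cd $WG_DOCKER_PATH
+ls ./profiles || mkdir ./profiles
+
+# create profile
+[ -n $1 ] && [ -n $2 ] && \
+(ls ./profiles | grep $2) &&
+(ls ./profiles/$2/ || mkdir ./profiles/$2/) &&
+cp docker-compose.env.yml ./profiles/$2/ &&
+cp Makefile ./profiles/$2/ &&
+cp -r docker/ ./profiles/$2/ &&
+cd ./profiles/$2/ &&
+make $1 PROFILE="$2" ||
+(
+profile_name="test"
+wg_conf_path="/etc/wireguard/mullvad/mullvad-au1.conf"
+ssh_pubkey="$HOME/.ssh/id_rsa.pub"
+wg_port=52016
+socks_port=1116
+
+echo "
+usage: wg-docker [up|shell|firefox|thunderbird] [profile_name]
+Provide a profile name, and a valid WireGuard configuration file, and a public ssh key
+
+profile_name: Work
+wg_conf_path: /etc/wireguard/mullvad/mullvad-au1.conf
+ssh_pubkey: $HOME/.ssh/id_rsa.pub
+wg_port: 52000 [default]
+socks_port: 1100 [default]
+######################
+"
+
+# comment out if manually entered
+read -p "profile_name : " profile_name
+read -p "wg_conf_path : " wg_conf_path
+read -p "ssh_pubkey : " ssh_pubkey
+read -p "wg_port : " wg_port
+read -p "socks_port : " socks_port
+
+profile_path="./profiles/${profile_name}_wg_${wg_port}_socks_${socks_port}"
+
+# Create a profile from template
+[ ! -d $profile_path ] && mkdir $profile_path || \
+touch $profile_path/.env
+
+# fill template
+cat << EOF >> $profile_path/.env
+# container wg
+CONTAINER_NAME=wg_${profile_name}
+WG_PORT=${wg_port}
+WG0_CONF=${wg_conf_path}
+
+# ssh socks
+SSH_PUBKEY=${ssh_pubkey}
+SOCKS_PORT=${socks_port}
+EOF
+
+echo "Profile enviroment created at $profile_path/.env"
+)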
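Review bot: The `&&` chain that ends in `make $1 PROFILE="$2" ||` sends every failure into the interactive profile-creation subshell, including `make` failing for a profile that does exist; by then `cd ./profiles/$2/` has already run, so the new profile is written under `./profiles/$2/profiles/...` instead of `./profiles/`. Separate the two paths with an explicit `if [ -d "./profiles/$2" ]; then ... else ... fi`, and do the `cd` in a subshell so the fallback keeps the original directory. `[ -n $1 ] && [ -n $2 ]` is always true for empty arguments because the unquoted expansion leaves `[ -n ]`; quote both, and note that `grep $2` accepts any profile directory containing the name as a substring. `cat << EOF >> $profile_path/.env` appends, so re-creating a profile accumulates duplicate assignments — write with `>` instead and drop the `touch`. `cd $WG_DOCKER_PATH` is unchecked; `cd "$WG_DOCKER_PATH" || exit 1` keeps the later `mkdir`/`cp` calls out of the caller's working directory.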