Merge pull request #3 from Manevolent/wireguard

Wireguard

Dockerfile.bird

@@ -1,4 +1,4 @@
-FROM debian:stable
+FROM debian:oldstable
 
 MAINTAINER Pier Carlo Chiodi <pierky@pierky.com>
 

README.md

@@ -39,6 +39,16 @@ For GitHub, at this time the contents would be:
 
 Don't take my word for it, see: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
 
+**Optional: Generate a WireGuard key**
+
+You only need to do this if you are setting `wg_enabled`=1, for example when you want to service VPN clients from a "master" node. See **Wireguard Options** for more information on how to do that.
+
+See: https://www.wireguard.com/quickstart/
+```
+apk add -U wireguard-tools
+wg genkey | tee privatekey | wg pubkey > publickey
+```
+
 #### Install/Update:
 
 1. Read and follow the prerequisites above and make sure you are ready to install.
@@ -174,11 +184,23 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
  * `bgp_rpki_expire`: How long to keep any records locally cached before they are deleted.  Defaults to `172800` (2 days).
  * `bgp_rpki_known_hosts`: The file path for the SSH key `known_hosts` file to use when validating remote RPKI hosts.  Defaults to `/etc/bird/rpki/known_hosts` (provided by Lixonet; don't change this unless you need to!).
  * `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`).  If not specified, no password is used for the host.
- * `bgp_routes`: A comma-delimited list of routes to advertise over BGP.  If not specified, no routes are propagated.
+ * `bgp_routes`: A comma-delimited list of route prefixes (CIDR) to advertise to other BGP peers.  If not specified, no routes are propagated.
 
 #### BIND options
 
 These settings are optional, and are already defaulted to general network common practices.
 
+ * `bind_forward_enable`: Enable BIND DNS forwarding when DNS queries are received from other nodes Lixonet for a domain that you control (i.e. lkwco.mane.lixo on that Lixonet box).  `1`/enabled, `0`/disabled. Defaults to `1`.
  * `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to.  Defaults to the value of `internal_gateway`, which is proper in most if not all cases.  Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
  * `tld`: The network-wide TLD to use.  Defaults to `lixo`.
+ 
+ #### Wireguard options
+
+Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.  If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set so BIRD can export peer addresses into the BGP routing framework.
+
+ * `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
+ * `wg_key`: Required if `wg_enabled`=1. The private key to use for the Wireguard peering point.
+ * `wg_address`: Required if `wg_enabled`=1. The address to assign to the Wireguard interface. Should be unique.
+ * `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.
+ * `wg_port`: Port for WireGuard to listen to connections on (UDP). Defaults to 51820.
+ * `wg_routes`: A comma-delimited list of WireGuard route prefixes (CIDR) to advertise to other BGP peers.  If not specified, no routes are propagated.  If specified, only specific connected WireGuard peers added to the kernel routing table are advertised.

bind/named.conf.tmpl

@@ -61,13 +61,15 @@ view "lixonet" {
     };
 
     # Local reverse zone forwarders
+{{ if eq "1" "${bind_forward_enable:-1}" }}
     {{ if len "${local_reverse_zones:-}" }}{{ range "$local_reverse_zones" | split "," }}zone "{{ . }}" {
         type forward;
         forward only;
         forwarders { ${bind_forward_address-"${internal_gateway}"}; };
     };
     {{ end }}{{ end }}
-    
+{{ end }}
+	
     # Peer forwarding zones
     {{ range files "bind/peers" }} {{ if ne . "${tinc_peer_name}" }}
     zone "{{ . | replace "_" "." }}" {

bird/bird.conf.tmpl

@@ -91,6 +91,13 @@ function is_own_route_v4()
     return false;
 }
 
+function is_wireguard_route_v4()
+{
+    {{ if len "${wg_routes:-}" }}{{ range "$wg_routes" | split "," }}if net ~ [ {{.}}+ ] then return true;
+    {{ end }}{{ end }}
+    return false;
+}
+
 filter bgp_import_filter_v4
 {
     if source ~ [RTS_STATIC] then reject; # Reject our own routes
@@ -109,6 +116,17 @@ filter bgp_export_filter_v4
     reject; # Reject anything else (non-Lixonet)
 }
 
+# In some cases, like WireGuard, we can be a peer to a client which is
+# available over another "adjacent" VPN layer.  In these cases, allow
+# importing routes that are added to the kernel which fall under the
+# Wireguard layer
+filter kernel_import_filter_v4
+{
+    if is_own_route_v4() then reject; # Reject unexpected routes
+    if is_wireguard_route_v4() then accept; # Accept WireGuard routes
+    reject; # Reject anything else
+}
+
 filter kernel_export_filter_v4
 {
     #if is_own_route_v4() then reject; # Reject poisons
@@ -163,7 +181,7 @@ protocol kernel {               # Primary routing table
     scan time 10;           # Scan kernel routing table every 10 seconds
     ipv4 {
         table ${netname:-lixonet}_v4;
-        import none;                        # Don't try to import any routes from the kernel
+        import filter kernel_import_filter_v4; # Import anything we allow from the kernel
         export filter kernel_export_filter_v4; # Export everything we are told to the kernel
     };
 };

build.sh

@@ -46,27 +46,32 @@ do
     echo "Variables: $sigil_vars"
 
     # Clone and copy the repository
-    rm -rf "$(basename "$git" .git)"
+    rm -rfv "$(basename "$git" .git)"
     GIT_SSH_COMMAND="ssh -i /etc/lixonet/${netname}/id_rsa -o IdentitiesOnly=yes" git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
     echo "Creating work directory..."
-    rm -rf work
+    rm -rfv work
     mkdir --verbose work
-    cp -r "$(basename "$git" .git)"/* work/ && cd work
+    cp -rv "$(basename "$git" .git)"/* work/ && cd work
 
     # Copy default files
-    cp -r ../tinc/* tinc/
-    cp -r ../bird/* bird/
-    cp -r ../bind/* bind/
+    mkdir --verbose tinc; cp -rv ../tinc/* tinc/
+    mkdir --verbose bird; cp -rv ../bird/* bird/
+    mkdir --verbose bind; cp -rv ../bind/* bind/
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		mkdir --verbose wireguard; cp -rv ../wireguard/* wireguard/
+	fi
 
     # Copy system-local custom files (if they even exist)
-    cp -r $dir/tinc/* tinc/
-    cp -r $dir/bird/* bird/
-    cp -r $dir/bind/* bind/
+    cp -rv $dir/tinc/* tinc/
+    cp -rv $dir/bird/* bird/
+    cp -rv $dir/bind/* bind/
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		cp -rv $dir/wireguard/* wireguard/
+	fi
 
     # Tinc
     #  Remove existing configuration
     rm -v -rf /etc/tinc/$netname/*
-	
     #  Copy all tinc default files to /etc/(tinc)
     find tinc -type d | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
     find tinc -type f | sed -e "s@tinc/@@g" | xargs -I '{}' cp --verbose tinc/{} /etc/tinc/$netname/{}
@@ -76,7 +81,7 @@ do
     #  Fill out templates and remove them after
     process_templates "/etc/tinc/$netname/" "$sigil_vars"
     #  Copy private key
-    cp /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
+    cp -v /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
     #  Set permissions for tinc scripts
     chmod +x /etc/tinc/$netname/tinc-up /etc/tinc/$netname/tinc-down /etc/tinc/$netname/subnet-up /etc/tinc/$netname/subnet-down
 
@@ -97,14 +102,29 @@ do
     find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{}
     #  Fill out templates and remove them after
     process_templates "/etc/bind/$netname/" "$sigil_vars"
+	
+	# Wireguard
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		#  Remove existing configuration
+		rm -v -rf /etc/wireguard/$netname/*
+		#  Copy all wireguard default files to /etc/(wireguard)
+		find wireguard -type d | sed -e "s@wireguard@wireguard/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
+		find wireguard -type f | sed -e "s@wireguard/@@g" | xargs -I '{}' cp --verbose wireguard/{} /etc/wireguard/$netname/{}
+		#  Fill out templates and remove them after
+		process_templates "/etc/wireguard/$netname/" "$sigil_vars"
+	fi
     
     # Docker
     #  Copy templates and dependencies to directory
     mkdir docker/
-    cp -r ../docker/* docker/
-    cp -r $dir/docker/* docker/
-    cp ./../docker-compose.yml.tmpl .
-    cp ../Dockerfile.* .
+    cp -rv ../docker/* docker/
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		cp docker/services.opt/wireguard docker/services/wireguard
+	fi
+	
+    cp -rv $dir/docker/* docker/
+    cp -v ./../docker-compose.yml.tmpl .
+    cp -v ../Dockerfile.* .
     process_templates "." "$sigil_vars"
 
     echo $sigil_vars | tr ' ' '\n' > .env
@@ -115,7 +135,7 @@ do
     docker-compose -p $netname up -d --build --remove-orphans
 	set +e
 	
-    rm .env
+    rm -v .env
 
     # Pop directory
     cd $topdir

docker-compose.yml.tmpl

@@ -1,4 +1,4 @@
-version: "2"
+version: "2.1"
 services:
 {{ range files "docker/services" }}  {{ . }}:
 {{ include (print "docker/services/" .) }}{{ end }}

docker/services.opt/wireguard

@@ -0,0 +1,22 @@
+    image: ghcr.io/linuxserver/wireguard
+    volumes:
+      - /etc/wireguard/${netname}:/config
+      - /lib/modules:/lib/modules
+      - /usr/src:/usr/src
+    environment:
+      - RUNMODE=server
+      - NETNAME=${netname}
+      - TZ=${TZ:-GMT}
+      - SERVERPORT=${wg_port:-51820}
+      - ALLOWEDIPS=${network_address}/${global_prefix:-16}
+      - PUID=431
+      - PGID=431
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    restart: always
+    depends_on:
+      - tinc
+    network_mode: 'service:tinc'
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1

docker/services/tinc

@@ -15,3 +15,5 @@
     networks:
       internal:
         ipv4_address: ${internal_address}
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=1

force_update.txt

@@ -0,0 +1 @@
+1

install.sh

@@ -31,6 +31,11 @@ chown -R $UID:$GID /etc/tinc/
 chmod -R 660 /etc/tinc/
 chmod -R a+X /etc/tinc/
 
+mkdir /etc/wireguard
+chown -R $UID:$GID /etc/wireguard/
+chmod -R 660 /etc/wireguard/
+chmod -R a+X /etc/wireguard/
+
 echo "Setting exclusive read access to SSH keys."
 chmod -v 400 /etc/lixonet/id_rsa
 chmod -v 400 /etc/lixonet/*/id_rsa
@@ -44,4 +49,9 @@ touch /etc/lixonet/version
 chmod 660 /etc/lixonet/version
 stat /etc/lixonet/version
 
-docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
+if [ "$1" == "force" ]; then
+   echo 0 > /etc/lixonet/version
+fi
+
+docker rm -f lixonet-ee
+docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/wireguard:/etc/wireguard -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee

wireguard/wg0.conf.tmpl

@@ -0,0 +1,8 @@
+[Interface]
+PrivateKey = ${wg_key}
+Address = ${wg_address}/${wg_prefix:-32}
+
+{{ range files "wireguard/peers" }} {{ if ne . "${tinc_peer_name}" }}
+[Peer]
+{{ include (print "wireguard/peers/" .) }}
+{{ end }}{{ end }}