From 6d864e2e70789d28b1b4979a192888e15da7a0a0 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 14:01:51 -0600
Subject: [PATCH 01/26] Add initial support for WG

---
 build.sh                  | 11 +++++++++++
 docker/services/wireguard | 20 ++++++++++++++++++++
 install.sh                |  7 ++++++-
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 docker/services/wireguard

diff --git a/build.sh b/build.sh
index b0c65dd..4be5dde 100644
--- a/build.sh
+++ b/build.sh
@@ -57,11 +57,13 @@ do
     cp -r ../tinc/* tinc/
     cp -r ../bird/* bird/
     cp -r ../bind/* bind/
+    cp -r ../wireguard/* wireguard/
 
     # Copy system-local custom files (if they even exist)
     cp -r $dir/tinc/* tinc/
     cp -r $dir/bird/* bird/
     cp -r $dir/bind/* bind/
+	cp -r $dir/wireguard/* wireguard/
 
     # Tinc
     #  Remove existing configuration
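Review bot: The added `cp -r $dir/wireguard/* wireguard/` line is indented with a tab while its siblings use four spaces, and `$dir` is unquoted on it (as on the three lines above it), so a path containing whitespace splits into several arguments. Quote it and realign it: `    cp -r "$dir"/wireguard/* wireguard/`. Both new copies also assume a `wireguard/` directory already exists inside the cloned work tree; if the cloned repository has none, `cp` fails with a missing-target error. The enclosing `do` loop starts and ends outside the hunk.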
@@ -97,6 +99,15 @@ do
     find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{}
     #  Fill out templates and remove them after
     process_templates "/etc/bind/$netname/" "$sigil_vars"
+	
+	# Wireguard
+    #  Remove existing configuration
+    rm -v -rf /etc/wireguard/$netname/*
+    #  Copy all bind default files to /etc/(bind)
+    find wireguard -type d | sed -e "s@wireguard@wireguard/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
+    find wireguard -type f | sed -e "s@wireguard/@@g" | xargs -I '{}' cp --verbose wireguard/{} /etc/wireguard/$netname/{}
+    #  Fill out templates and remove them after
+    process_templates "/etc/wireguard/$netname/" "$sigil_vars"
     
     # Docker
     #  Copy templates and dependencies to directory
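Review bot: `rm -v -rf /etc/wireguard/$netname/*` on the new side has no guard against an empty `netname`; the glob then becomes `/etc/wireguard//*` and removes every network's configuration, rendered private keys included. Use the abort-if-unset form `rm -v -rf /etc/wireguard/"${netname:?}"/*` — the tinc and bind removals above use the same unguarded pattern and would benefit from the same change. The comment `#  Copy all bind default files to /etc/(bind)` is a copy-paste leftover and should read `#  Copy all wireguard default files to /etc/(wireguard)`. The enclosing loop body starts and ends outside the hunk.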
diff --git a/docker/services/wireguard b/docker/services/wireguard
new file mode 100644
index 0000000..52a77c8
--- /dev/null
+++ b/docker/services/wireguard
@@ -0,0 +1,20 @@
+    image: ghcr.io/linuxserver/wireguard
+    container_name: wireguard
+    volumes:
+      - /etc/wireguard/${netname}:/config
+      - /lib/modules:/lib/modules
+    environment:
+      - RUNMODE=server
+      - NETNAME=${netname}
+	  - TZ=America/Denver
+	  - SERVERPORT=${wg_port:-51820}
+	  - INTERNAL_SUBNET=${wg_subnet}
+	  - ALLOWEDIPS=${network_address}/${global_prefix:-16}
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    restart: always
+    depends_on:
+      - tinc
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
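Review bot: Lines 9–12 of the new file (`TZ`, `SERVERPORT`, `INTERNAL_SUBNET`, `ALLOWEDIPS`) are indented with a tab, and YAML does not allow tabs in indentation, so once this fragment is spliced into docker-compose.yml the file fails to parse. Re-indent them with six spaces like the `RUNMODE` and `NETNAME` entries. `INTERNAL_SUBNET=${wg_subnet}` also references a variable that the README in this series never documents (it lists `wg_key`, `wg_address`, `wg_prefix`, `wg_port`), so it is likely to expand to an empty string; either document `wg_subnet` or derive the value from `wg_address`/`wg_prefix`.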
diff --git a/install.sh b/install.sh
index 19bb802..a378ef6 100644
--- a/install.sh
+++ b/install.sh
@@ -31,6 +31,11 @@ chown -R $UID:$GID /etc/tinc/
 chmod -R 660 /etc/tinc/
 chmod -R a+X /etc/tinc/
 
+mkdir /etc/wireguard
+chown -R $UID:$GID /etc/wireguard/
+chmod -R 660 /etc/wireguard/
+chmod -R a+X /etc/wireguard/
+
 echo "Setting exclusive read access to SSH keys."
 chmod -v 400 /etc/lixonet/id_rsa
 chmod -v 400 /etc/lixonet/*/id_rsa
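Review bot: `mkdir /etc/wireguard` has no `-p`, so re-running install.sh on a node that already has the directory fails at that line (and aborts the script if it runs under `set -e`, which this hunk does not show); use `mkdir -p /etc/wireguard`. This directory will hold the WireGuard private key rendered from `wg_key`, and `chmod -R 660` plus `a+X` leaves it group-readable; whether that is acceptable depends on what `$GID` resolves to, which is not visible here — a comment stating the intended owner group would help the next reader.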
@@ -42,4 +47,4 @@ touch /etc/lixonet/version
 chmod 660 /etc/lixonet/version
 stat /etc/lixonet/version
 
-docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
\ No newline at end of file
+docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/wireguard:/etc/wireguard/ -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
\ No newline at end of file
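Review bot: The new `docker run` line pins the container name with `--name lixonet-ee`, but nothing removes a previous container of that name, so the second run of install.sh fails at `docker run` with a name conflict after the image build has already succeeded. Remove the old container once the build is known good, e.g. `docker build -t lixonet-ee . && docker rm -f lixonet-ee; docker run ...` (tolerating the first-run case where no container exists). The new `-v /etc/wireguard:/etc/wireguard/` bind mount is read-write and exposes the rendered private keys to the build container; that is needed because build.sh writes there, but `$ORIGIN` on the same line remains unquoted.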

From 85841e45cce5e21de1ef5c07b5f6ce6d41154c5c Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 15:08:09 -0600
Subject: [PATCH 02/26] Version changes before going to master

---
 README.md          | 8 +++++---
 wireguard/wg0.conf | 8 ++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 wireguard/wg0.conf

diff --git a/README.md b/README.md
index d7ab31e..059e0b5 100644
--- a/README.md
+++ b/README.md
@@ -185,8 +185,10 @@ These settings are optional, and are already defaulted to general network common
  
  #### Wireguard options
 
-Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.
+Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.y.z) where `y` is your first network number, i.e. `8` or `16` and `z` is an unused address and setting that to `wg_address`.
 
- * `wg_key`: The private key to use for the Wireguard peering point
- * `wg_address`: The address to assign to Wireguard, should be unique.
+ * `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
+ * `wg_key`: Required. The private key to use for the Wireguard peering point.
+ * `wg_address`: Required. The address to assign to the Wireguard interface. Should be unique.
  * `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.
+ * `wg_port`: Port for WireGuard to listen to connections on (UDP). Defaults to 51820.
diff --git a/wireguard/wg0.conf b/wireguard/wg0.conf
new file mode 100644
index 0000000..5e060d1
--- /dev/null
+++ b/wireguard/wg0.conf
@@ -0,0 +1,8 @@
+[Interface]
+PrivateKey = ${wg_key}
+Address = ${wg_address}/${wg_prefix:-32}
+
+{{ range files "wireguard/peers" }} {{ if ne . "${tinc_peer_name}" }}
+[Peer]
+{{ include (print "wireguard/peers" .) }}
+{{ end }}{{ end }}
\ No newline at end of file
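Review bot: `{{ include (print "wireguard/peers" .) }}` joins the directory and the file name without a separator, producing paths like `wireguard/peersNAME`, so no peer file will ever be found; compare `{{ include (print "docker/services/" .) }}` in docker-compose.yml.tmpl, which carries the trailing slash. Change it to `{{ include (print "wireguard/peers/" .) }}`. The rendered file embeds `${wg_key}` in clear, so the permissions install.sh applies to `/etc/wireguard` are what protects the private key.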

From f4329c810df1d43771c2eaa51ab9ab6415b416e8 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 15:17:59 -0600
Subject: [PATCH 03/26] Finish up first pass at WG

---
 build.sh                  | 16 +++++++++-------
 docker/services/wireguard |  4 ++--
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/build.sh b/build.sh
index 4be5dde..54abb12 100644
--- a/build.sh
+++ b/build.sh
@@ -101,13 +101,15 @@ do
     process_templates "/etc/bind/$netname/" "$sigil_vars"
 	
 	# Wireguard
-    #  Remove existing configuration
-    rm -v -rf /etc/wireguard/$netname/*
-    #  Copy all bind default files to /etc/(bind)
-    find wireguard -type d | sed -e "s@wireguard@wireguard/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
-    find wireguard -type f | sed -e "s@wireguard/@@g" | xargs -I '{}' cp --verbose wireguard/{} /etc/wireguard/$netname/{}
-    #  Fill out templates and remove them after
-    process_templates "/etc/wireguard/$netname/" "$sigil_vars"
+	if [ $wg_enabled -eq "1" ]; then
+		#  Remove existing configuration
+		rm -v -rf /etc/wireguard/$netname/*
+		#  Copy all bind default files to /etc/(bind)
+		find wireguard -type d | sed -e "s@wireguard@wireguard/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
+		find wireguard -type f | sed -e "s@wireguard/@@g" | xargs -I '{}' cp --verbose wireguard/{} /etc/wireguard/$netname/{}
+		#  Fill out templates and remove them after
+		process_templates "/etc/wireguard/$netname/" "$sigil_vars"
+	fi
     
     # Docker
     #  Copy templates and dependencies to directory
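Review bot: `if [ $wg_enabled -eq "1" ]` misbehaves when `wg_enabled` is unset, which the README describes as the default: the expansion is empty, `[` sees only `-eq 1` and reports a unary-operator error, so the block is skipped for the wrong reason. Quote it and give it a default, `if [ "${wg_enabled:-0}" = "1" ]; then`; a string comparison also avoids the `integer expression expected` error that `-eq` raises for values such as `yes`. The new block is tab-indented inside a loop body that otherwise uses spaces. The enclosing `do` loop starts and ends outside the hunk.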
diff --git a/docker/services/wireguard b/docker/services/wireguard
index ad8e7d9..c526be0 100644
--- a/docker/services/wireguard
+++ b/docker/services/wireguard
@@ -1,4 +1,4 @@
-    image: ghcr.io/linuxserver/wireguard
+{{ if eq "1" "${wg_enabled:-0}" }}    image: ghcr.io/linuxserver/wireguard
     container_name: wireguard
     volumes:
       - /etc/wireguard/${netname}:/config
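Review bot: Wrapping the body in `{{ if eq "1" "${wg_enabled:-0}" }}` leaves the enclosing service key in place when WireGuard is disabled: docker-compose.yml.tmpl emits `  wireguard:` for every file under `docker/services` before including its body, so the disabled case produces a service with an empty definition, which compose rejects. The enable check belongs where the file is selected for inclusion (in build.sh, or by keeping optional fragments outside `docker/services`) rather than inside the fragment; the same applies to the closing `{{ end }}` in the second hunk of this file.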
@@ -16,4 +16,4 @@
     depends_on:
       - tinc
     sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
+      - net.ipv4.conf.all.src_valid_mark=1{{ end }}
\ No newline at end of file

From e22f5ee4941ebe8bdda6f97b6b021dbacf6cb09d Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 15:34:17 -0600
Subject: [PATCH 04/26] Force update

---
 force_update.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/force_update.txt b/force_update.txt
index e69de29..56a6051 100644
--- a/force_update.txt
+++ b/force_update.txt
@@ -0,0 +1 @@
+1
\ No newline at end of file

From d142397330c75a1b1ff103bc21cdabd0c28bb4f0 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 15:36:31 -0600
Subject: [PATCH 05/26] Fix if

---
 build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.sh b/build.sh
index 54abb12..5389602 100644
--- a/build.sh
+++ b/build.sh
@@ -101,7 +101,7 @@ do
     process_templates "/etc/bind/$netname/" "$sigil_vars"
 	
 	# Wireguard
-	if [ $wg_enabled -eq "1" ]; then
+	if [ "$wg_enabled" -eq "1" ]; then
 		#  Remove existing configuration
 		rm -v -rf /etc/wireguard/$netname/*
 		#  Copy all bind default files to /etc/(bind)

From aa05a2d45bc2993d881aa9ffcad7271daf3a503d Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 15:50:44 -0600
Subject: [PATCH 06/26] Default wg_enabled=0

---
 build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.sh b/build.sh
index 5389602..09cca49 100644
--- a/build.sh
+++ b/build.sh
@@ -101,10 +101,10 @@ do
     process_templates "/etc/bind/$netname/" "$sigil_vars"
 	
 	# Wireguard
-	if [ "$wg_enabled" -eq "1" ]; then
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
 		#  Remove existing configuration
 		rm -v -rf /etc/wireguard/$netname/*
-		#  Copy all bind default files to /etc/(bind)
+		#  Copy all wireguard default files to /etc/(wireguard)
 		find wireguard -type d | sed -e "s@wireguard@wireguard/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
 		find wireguard -type f | sed -e "s@wireguard/@@g" | xargs -I '{}' cp --verbose wireguard/{} /etc/wireguard/$netname/{}
 		#  Fill out templates and remove them after
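Review bot: `[ "${wg_enabled:-0}" -eq "1" ]` still uses an arithmetic test, so any non-numeric value (for example `true` or `yes`) makes `[` print `integer expression expected` and the block is skipped with a confusing diagnostic. `[ "${wg_enabled:-0}" = "1" ]` matches the string comparison the compose fragment uses (`{{ if eq "1" "${wg_enabled:-0}" }}`) and fails closed for every value other than `1`. The enclosing loop body starts and ends outside the hunk.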

From 3a2d30419f8b33d52fe978cbc4f8f84eebdc744f Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 15:54:46 -0600
Subject: [PATCH 07/26] Make WireGuard optional

---
 build.sh                                    | 4 ++++
 docker/{services => services.opt}/wireguard | 4 ++--
 install.sh                                  | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
 rename docker/{services => services.opt}/wireguard (76%)

diff --git a/build.sh b/build.sh
index 09cca49..3411417 100644
--- a/build.sh
+++ b/build.sh
@@ -115,6 +115,10 @@ do
     #  Copy templates and dependencies to directory
     mkdir docker/
     cp -r ../docker/* docker/
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		cp docker/services.opt/wireguard docker/services/wireguard
+	fi
+	
     cp -r $dir/docker/* docker/
     cp ./../docker-compose.yml.tmpl .
     cp ../Dockerfile.* .
diff --git a/docker/services/wireguard b/docker/services.opt/wireguard
similarity index 76%
rename from docker/services/wireguard
rename to docker/services.opt/wireguard
index c526be0..6be4866 100644
--- a/docker/services/wireguard
+++ b/docker/services.opt/wireguard
@@ -1,4 +1,4 @@
-{{ if eq "1" "${wg_enabled:-0}" }}    image: ghcr.io/linuxserver/wireguard
+    image: ghcr.io/linuxserver/wireguard
     container_name: wireguard
     volumes:
       - /etc/wireguard/${netname}:/config
@@ -16,4 +16,4 @@
     depends_on:
       - tinc
     sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1{{ end }}
\ No newline at end of file
+      - net.ipv4.conf.all.src_valid_mark=1
\ No newline at end of file
diff --git a/install.sh b/install.sh
index d17e3ec..2f6bd7e 100644
--- a/install.sh
+++ b/install.sh
@@ -49,4 +49,4 @@ touch /etc/lixonet/version
 chmod 660 /etc/lixonet/version
 stat /etc/lixonet/version
 
-docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
+docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
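Review bot: The new `docker run` line has no `-v /etc/wireguard:/etc/wireguard/` mount, yet build.sh in this same series writes the rendered configuration to `/etc/wireguard/$netname` and the compose fragment mounts `/etc/wireguard/${netname}` from the host into the wireguard container. The old side of this hunk already lacks the mount, so it was dropped by a commit between patch 01 and patch 07 that is not on this page; unless that was deliberate, the wireguard container will see an empty `/config`. Adding `-v /etc/wireguard:/etc/wireguard/` back next to the other `/etc` mounts restores the flow.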

From 8e2b57d6157702b40424ed620db765da460b89b6 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 16:20:28 -0600
Subject: [PATCH 08/26] oldstable

---
 Dockerfile.bird | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.bird b/Dockerfile.bird
index 884116e..59d832b 100644
--- a/Dockerfile.bird
+++ b/Dockerfile.bird
@@ -1,4 +1,4 @@
-FROM debian:stable
+FROM debian:oldstable
 
 MAINTAINER Pier Carlo Chiodi <pierky@pierky.com>
 

From 12ce80e3814d5b5485ccc15656b1ba3f27fda302 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 17:28:39 -0600
Subject: [PATCH 09/26] Update docs

---
 README.md            | 3 ++-
 bind/named.conf.tmpl | 4 +++-
 install.sh           | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 059e0b5..9b725f4 100644
--- a/README.md
+++ b/README.md
@@ -180,12 +180,13 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
 
 These settings are optional, and are already defaulted to general network common practices.
 
+ * `bind_forward_enable`: Enable BIND DNS forwarding when DNS queries are received from other nodes Lixonet for a domain that you control (i.e. lkwco.mane.lixo on that Lixonet box).  `1`/enabled, `0`/disabled. Defaults to `1`.
  * `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to.  Defaults to the value of `internal_gateway`, which is proper in most if not all cases.  Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
  * `tld`: The network-wide TLD to use.  Defaults to `lixo`.
  
  #### Wireguard options
 
-Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.y.z) where `y` is your first network number, i.e. `8` or `16` and `z` is an unused address and setting that to `wg_address`.
+Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.y.z) where `y` is your first network number, i.e. `8` or `16` and `z` is an unused address and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.
 
  * `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
  * `wg_key`: Required. The private key to use for the Wireguard peering point.
diff --git a/bind/named.conf.tmpl b/bind/named.conf.tmpl
index d5d5c87..b00e344 100644
--- a/bind/named.conf.tmpl
+++ b/bind/named.conf.tmpl
@@ -61,13 +61,15 @@ view "lixonet" {
     };
 
     # Local reverse zone forwarders
+{{ if eq "1" "${bind_forward_enable:-1}" }}
     {{ if len "${local_reverse_zones:-}" }}{{ range "$local_reverse_zones" | split "," }}zone "{{ . }}" {
         type forward;
         forward only;
         forwarders { ${bind_forward_address-"${internal_gateway}"}; };
     };
     {{ end }}{{ end }}
-    
+{{ end }}
+	
     # Peer forwarding zones
     {{ range files "bind/peers" }} {{ if ne . "${tinc_peer_name}" }}
     zone "{{ . | replace "_" "." }}" {
diff --git a/install.sh b/install.sh
index 2f6bd7e..d4fb993 100644
--- a/install.sh
+++ b/install.sh
@@ -49,4 +49,5 @@ touch /etc/lixonet/version
 chmod 660 /etc/lixonet/version
 stat /etc/lixonet/version
 
+docker rm -f lixonet-ee
 docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
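Review bot: `docker rm -f lixonet-ee` runs before `docker build`, so a failed build leaves the node with no orchestrator container at all, and on a first install removing a non-existent container returns non-zero (which aborts the script if it runs under `set -e`, not visible here). Build first and only then replace the running container: `docker build -t lixonet-ee . && { docker rm -f lixonet-ee 2>/dev/null || true; } && docker run ...` keeps the old container until a new image exists and tolerates the first-run case.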

From 3fabf8c73ebbc92d364929e6778a0b4eaa4e4ab6 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 17:59:41 -0600
Subject: [PATCH 10/26] update documentation and configure BIRD better for WG

---
 README.md           |  9 +++++----
 bird/bird.conf.tmpl | 20 +++++++++++++++++++-
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 9b725f4..05e83e7 100644
--- a/README.md
+++ b/README.md
@@ -174,7 +174,7 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
  * `bgp_rpki_expire`: How long to keep any records locally cached before they are deleted.  Defaults to `172800` (2 days).
  * `bgp_rpki_known_hosts`: The file path for the SSH key `known_hosts` file to use when validating remote RPKI hosts.  Defaults to `/etc/bird/rpki/known_hosts` (provided by Lixonet; don't change this unless you need to!).
  * `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`).  If not specified, no password is used for the host.
- * `bgp_routes`: A comma-delimited list of routes to advertise over BGP.  If not specified, no routes are propagated.
+ * `bgp_routes`: A comma-delimited list of route prefixes (CIDR) to advertise to other BGP peers.  If not specified, no routes are propagated.
 
 #### BIND options
 
@@ -186,10 +186,11 @@ These settings are optional, and are already defaulted to general network common
  
  #### Wireguard options
 
-Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.y.z) where `y` is your first network number, i.e. `8` or `16` and `z` is an unused address and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.
+Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.  If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set correctly so BIRD can export peer addresses into the BGP routing framework.
 
  * `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
- * `wg_key`: Required. The private key to use for the Wireguard peering point.
- * `wg_address`: Required. The address to assign to the Wireguard interface. Should be unique.
+ * `wg_key`: Required if `wg_enabled`=1. The private key to use for the Wireguard peering point.
+ * `wg_address`: Required if `wg_enabled`=1. The address to assign to the Wireguard interface. Should be unique.
  * `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.
  * `wg_port`: Port for WireGuard to listen to connections on (UDP). Defaults to 51820.
+ * `wg_routes`: A comma-delimited list of WireGuard route prefixes (CIDR) to advertise to other BGP peers.  If not specified, no routes are propagated.  If specified, only specific connected WireGuard peers added to the kernel routing table are advertised.
diff --git a/bird/bird.conf.tmpl b/bird/bird.conf.tmpl
index 1344c0f..e52ea19 100644
--- a/bird/bird.conf.tmpl
+++ b/bird/bird.conf.tmpl
@@ -91,6 +91,13 @@ function is_own_route_v4()
     return false;
 }
 
+function is_wireguard_route_v4()
+{
+    {{ if len "${wg_routes:-}" }}{{ range "$wg_routes" | split "," }}if net ~ [ {{.}}+ ] then return true;
+    {{ end }}{{ end }}
+    return false;
+}
+
 filter bgp_import_filter_v4
 {
     if source ~ [RTS_STATIC] then reject; # Reject our own routes
@@ -109,6 +116,17 @@ filter bgp_export_filter_v4
     reject; # Reject anything else (non-Lixonet)
 }
 
+# In some cases, like WireGuard, we can be a peer to a client which is
+# available over another "adjacent" VPN layer.  In these cases, allow
+# importing routes that are added to the kernel which fall under the
+# Wireguard layer
+filter kernel_import_filter_v4
+{
+    if is_own_route_v4() then reject; # Reject unexpected routes
+    if is_wireguard_route_v4() then accept; # Accept WireGuard routes
+    reject; # Reject anything else
+}
+
 filter kernel_export_filter_v4
 {
     #if is_own_route_v4() then reject; # Reject poisons
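Review bot: `kernel_import_filter_v4` accepts any kernel route that falls inside a `wg_routes` prefix without checking which protocol or interface installed it, so a route added to the kernel by anything else inside that range is imported and, via the export filters, advertised to every BGP peer. If the intent is only WireGuard peer routes, narrow the accept to routes leaving on the WireGuard interface, e.g. `if is_wireguard_route_v4() && ifname = "wg0" then accept;` — BIRD 2 exposes `ifname` in filters, but confirm against the BIRD version Dockerfile.bird installs. Each `wg_routes` entry is also spliced unvalidated into the filter in the first hunk, so one malformed entry breaks the whole BIRD configuration rather than just that route.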
@@ -163,7 +181,7 @@ protocol kernel {               # Primary routing table
     scan time 10;           # Scan kernel routing table every 10 seconds
     ipv4 {
         table ${netname:-lixonet}_v4;
-        import none;                        # Don't try to import any routes from the kernel
+        import filter kernel_import_filter_v4; # Import anything we allow from the kernel
         export filter kernel_export_filter_v4; # Export everything we are told to the kernel
     };
 };

From 45b9cfc49e69d0ecba94b2dff486c62b359aea93 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:06:00 -0600
Subject: [PATCH 11/26] Update README

---
 README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 05e83e7..f894e3b 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,16 @@ For GitHub, at this time the contents would be:
 
 Don't take my word for it, see: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
 
+**Optional: Generate a WireGuard key**
+
+You only need to do this if you are setting `wg_enabled`=1, for example when you want to service VPN clients from a "master" node. See **Wireguard Options** for more information on how to do that.
+
+See: https://www.wireguard.com/quickstart/
+```
+apk add -U wireguard-tools
+wg genkey | tee privatekey | wg pubkey > publickey
+```
+
 #### Install/Update:
 
 1. Read and follow the prerequisites above and make sure you are ready to install.
@@ -186,7 +196,7 @@ These settings are optional, and are already defaulted to general network common
  
  #### Wireguard options
 
-Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.  If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set correctly so BIRD can export peer addresses into the BGP routing framework.
+Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG.  Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.  If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set so BIRD can export peer addresses into the BGP routing framework.
 
  * `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
  * `wg_key`: Required if `wg_enabled`=1. The private key to use for the Wireguard peering point.

From c3575ce3623df74ef00a2f1cac8f2304a3665f9c Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:09:13 -0600
Subject: [PATCH 12/26] Fix tabulation and support timezone control

---
 docker/services.opt/wireguard | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker/services.opt/wireguard b/docker/services.opt/wireguard
index 6be4866..3e2d960 100644
--- a/docker/services.opt/wireguard
+++ b/docker/services.opt/wireguard
@@ -6,9 +6,9 @@
     environment:
       - RUNMODE=server
       - NETNAME=${netname}
-	  - TZ=America/Denver
-	  - SERVERPORT=${wg_port:-51820}
-	  - ALLOWEDIPS=${network_address}/${global_prefix:-16}
+      - TZ=${TZ:-GMT}
+      - SERVERPORT=${wg_port:-51820}
+      - ALLOWEDIPS=${network_address}/${global_prefix:-16}
     cap_add:
       - NET_ADMIN
       - SYS_MODULE

From 092a2a912232daf263265f5d2e79013f16b03a4b Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:10:37 -0600
Subject: [PATCH 13/26] The Compose file './docker-compose.yml' is invalid
 because: Unsupported config option for services.wireguard: 'sysctls'

---
 docker-compose.yml.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml.tmpl b/docker-compose.yml.tmpl
index 975f71a..16205ab 100644
--- a/docker-compose.yml.tmpl
+++ b/docker-compose.yml.tmpl
@@ -1,4 +1,4 @@
-version: "2"
+version: "2.1"
 services:
 {{ range files "docker/services" }}  {{ . }}:
 {{ include (print "docker/services/" .) }}{{ end }}

From 4197cec3255158a59912aa1492984cca30679f54 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:24:32 -0600
Subject: [PATCH 14/26] Explicitly disable IPv6 in the kernel

---
 docker/services/tinc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/services/tinc b/docker/services/tinc
index 0cf3f53..90aa190 100644
--- a/docker/services/tinc
+++ b/docker/services/tinc
@@ -15,3 +15,5 @@
     networks:
       internal:
         ipv4_address: ${internal_address}
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=1
\ No newline at end of file

From a4b6c19cb3c91d310867741d4e388f7ff7a58ad2 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:29:35 -0600
Subject: [PATCH 15/26] Mount /usr/src

---
 docker/services.opt/wireguard | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/services.opt/wireguard b/docker/services.opt/wireguard
index 3e2d960..e57ff1b 100644
--- a/docker/services.opt/wireguard
+++ b/docker/services.opt/wireguard
@@ -3,6 +3,7 @@
     volumes:
       - /etc/wireguard/${netname}:/config
       - /lib/modules:/lib/modules
+      - /usr/src:/usr/src
     environment:
       - RUNMODE=server
       - NETNAME=${netname}
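Review bot: Mounting `/usr/src` read-write, together with the `SYS_MODULE` capability and the `/lib/modules` mount from the earlier fragment, lets the wireguard container compile and load a kernel module on the host, which amounts to host-root for that container. On hosts whose kernel already ships WireGuard (5.6 and later) the mount and `SYS_MODULE` can be dropped entirely; where the out-of-tree build is really needed, mount the headers read-only, `- /usr/src:/usr/src:ro`, if the image only reads them — confirm against the image's module build step.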

From 7867005dfc96a550513e0bae8beead72402a421b Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:33:00 -0600
Subject: [PATCH 16/26] Improper newline

---
 docker/services/tinc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/services/tinc b/docker/services/tinc
index 90aa190..295801f 100644
--- a/docker/services/tinc
+++ b/docker/services/tinc
@@ -16,4 +16,4 @@
       internal:
         ipv4_address: ${internal_address}
     sysctls:
-      - net.ipv6.conf.all.disable_ipv6=1
\ No newline at end of file
+      - net.ipv6.conf.all.disable_ipv6=1

From f042cdf8249b2be86e8fbd12294f0c19c3cd2a1d Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 18:58:14 -0600
Subject: [PATCH 17/26] MAke configuration a tmpl

---
 wireguard/{wg0.conf => wg0.conf.tmpl} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename wireguard/{wg0.conf => wg0.conf.tmpl} (100%)

diff --git a/wireguard/wg0.conf b/wireguard/wg0.conf.tmpl
similarity index 100%
rename from wireguard/wg0.conf
rename to wireguard/wg0.conf.tmpl

From 85dd4b33f3d3584bbce912e9285ed09004f43536 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:10:25 -0600
Subject: [PATCH 18/26] Force directory creation, increase verbosity

---
 build.sh | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/build.sh b/build.sh
index 3411417..8a2b9d6 100644
--- a/build.sh
+++ b/build.sh
@@ -46,29 +46,28 @@ do
     echo "Variables: $sigil_vars"
 
     # Clone and copy the repository
-    rm -rf "$(basename "$git" .git)"
+    rm -rfv "$(basename "$git" .git)"
     GIT_SSH_COMMAND="ssh -i /etc/lixonet/${netname}/id_rsa -o IdentitiesOnly=yes" git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
     echo "Creating work directory..."
-    rm -rf work
+    rm -rfv work
     mkdir --verbose work
-    cp -r "$(basename "$git" .git)"/* work/ && cd work
+    cp -rv "$(basename "$git" .git)"/* work/ && cd work
 
     # Copy default files
-    cp -r ../tinc/* tinc/
-    cp -r ../bird/* bird/
-    cp -r ../bind/* bind/
-    cp -r ../wireguard/* wireguard/
+    mkdir --verbose tinc && cp -rv ../tinc/* tinc/
+    mkdir --verbose bird && cp -rv ../bird/* bird/
+    mkdir --verbose bind && cp -rv ../bind/* bind/
+    mkdir --verbose wireguard && cp -rv ../wireguard/* wireguard/
 
     # Copy system-local custom files (if they even exist)
-    cp -r $dir/tinc/* tinc/
-    cp -r $dir/bird/* bird/
-    cp -r $dir/bind/* bind/
-	cp -r $dir/wireguard/* wireguard/
+    cp -rv $dir/tinc/* tinc/
+    cp -rv $dir/bird/* bird/
+    cp -rv $dir/bind/* bind/
+	cp -rv $dir/wireguard/* wireguard/
 
     # Tinc
     #  Remove existing configuration
     rm -v -rf /etc/tinc/$netname/*
-	
     #  Copy all tinc default files to /etc/(tinc)
     find tinc -type d | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
     find tinc -type f | sed -e "s@tinc/@@g" | xargs -I '{}' cp --verbose tinc/{} /etc/tinc/$netname/{}
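Review bot: `mkdir --verbose tinc && cp -rv ../tinc/* tinc/` skips the copy entirely when the clone already contains a `tinc/` directory, because `mkdir` then fails and `&&` short-circuits; the bird, bind and wireguard lines have the same problem. `mkdir -pv tinc && cp -rv ../tinc/* tinc/` makes the directory step idempotent while still stopping on a real failure. The enclosing loop body starts and ends outside the hunk.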
@@ -78,7 +77,7 @@ do
     #  Fill out templates and remove them after
     process_templates "/etc/tinc/$netname/" "$sigil_vars"
     #  Copy private key
-    cp /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
+    cp -v /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
     #  Set permissions for tinc scripts
     chmod +x /etc/tinc/$netname/tinc-up /etc/tinc/$netname/tinc-down /etc/tinc/$netname/subnet-up /etc/tinc/$netname/subnet-down
 
@@ -114,14 +113,14 @@ do
     # Docker
     #  Copy templates and dependencies to directory
     mkdir docker/
-    cp -r ../docker/* docker/
+    cp -rv ../docker/* docker/
 	if [ "${wg_enabled:-0}" -eq "1" ]; then
 		cp docker/services.opt/wireguard docker/services/wireguard
 	fi
 	
-    cp -r $dir/docker/* docker/
-    cp ./../docker-compose.yml.tmpl .
-    cp ../Dockerfile.* .
+    cp -rv $dir/docker/* docker/
+    cp -v ./../docker-compose.yml.tmpl .
+    cp -v ../Dockerfile.* .
     process_templates "." "$sigil_vars"
 
     echo $sigil_vars | tr ' ' '\n' > .env
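Review bot: The added `-v` flags make the build log more complete, and that log already receives `echo "Variables: $sigil_vars"` near the top of this loop, while `echo $sigil_vars | tr ' ' '\n' > .env` (context here) writes the same set into a `.env` created with the default umask; since `wg0.conf.tmpl` renders `${wg_key}`, `sigil_vars` presumably now carries the WireGuard private key, so both the log and `.env` contain it. Consider redacting `wg_key` from the log line and creating `.env` with a restrictive mode (`umask 077` before the redirect). The later `rm -v .env` appears to run only on the normal path, so a failure in between leaves the key on disk. The enclosing loop body starts and ends outside the hunk.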
@@ -132,7 +131,7 @@ do
     docker-compose -p $netname up -d --build --remove-orphans
 	set +e
 	
-    rm .env
+    rm -v .env
 
     # Pop directory
     cd $topdir

From 4c64b5bad6114b45c3a10e0a281dd366bd5529db Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:20:12 -0600
Subject: [PATCH 19/26] More ignores

---
 build.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/build.sh b/build.sh
index 8a2b9d6..627bd90 100644
--- a/build.sh
+++ b/build.sh
@@ -57,13 +57,17 @@ do
     mkdir --verbose tinc && cp -rv ../tinc/* tinc/
     mkdir --verbose bird && cp -rv ../bird/* bird/
     mkdir --verbose bind && cp -rv ../bind/* bind/
-    mkdir --verbose wireguard && cp -rv ../wireguard/* wireguard/
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		mkdir --verbose wireguard && cp -rv ../wireguard/* wireguard/
+	fi
 
     # Copy system-local custom files (if they even exist)
     cp -rv $dir/tinc/* tinc/
     cp -rv $dir/bird/* bird/
     cp -rv $dir/bind/* bind/
-	cp -rv $dir/wireguard/* wireguard/
+	if [ "${wg_enabled:-0}" -eq "1" ]; then
+		cp -rv $dir/wireguard/* wireguard/
+	fi
 
     # Tinc
     #  Remove existing configuration
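Review bot: The guarded copy at L777 inherits the failure mode of the line it replaces: when `$dir/wireguard` is absent or empty, the unmatched glob is passed literally and `cp` fails with "No such file or directory", contradicting the "if they even exist" comment at L771. Nesting a directory test keeps the guard honest: `if [ -d "$dir/wireguard" ]; then cp -rv "$dir/wireguard"/* wireguard/; fi`. The tinc/bird/bind copies at L772-L774 have the same issue but are unchanged here. Whether the failing `cp` aborts the script depends on `set -e`, which is not visible in this hunk.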

From e8115f0cf2fd59e4a957ecdf248bc9c9b59e77da Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:26:12 -0600
Subject: [PATCH 20/26] Stacked commands breaking stuff

---
 build.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/build.sh b/build.sh
index 627bd90..04fa048 100644
--- a/build.sh
+++ b/build.sh
@@ -54,11 +54,11 @@ do
     cp -rv "$(basename "$git" .git)"/* work/ && cd work
 
     # Copy default files
-    mkdir --verbose tinc && cp -rv ../tinc/* tinc/
-    mkdir --verbose bird && cp -rv ../bird/* bird/
-    mkdir --verbose bind && cp -rv ../bind/* bind/
+    mkdir --verbose tinc; cp -rv ../tinc/* tinc/
+    mkdir --verbose bird; cp -rv ../bird/* bird/
+    mkdir --verbose bind; cp -rv ../bind/* bind/
 	if [ "${wg_enabled:-0}" -eq "1" ]; then
-		mkdir --verbose wireguard && cp -rv ../wireguard/* wireguard/
+		mkdir --verbose wireguard; cp -rv ../wireguard/* wireguard/
 	fi
 
     # Copy system-local custom files (if they even exist)
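Review bot: Replacing `&&` with `;` at L803-L808 makes every `cp` run even when its `mkdir` failed, so a permission or disk error on the directory creation is now ignored along with the "already exists" case this commit was presumably working around. `mkdir --verbose -p tinc && cp -rv ../tinc/* tinc/` expresses the idempotent intent while still skipping the copy on a real failure; the same one-line change applies to the bird, bind and wireguard lines.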

From 8ee65af4b5e23c08709769ee5bbc6fdb10c7704c Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:27:32 -0600
Subject: [PATCH 21/26] Get rid of wireguard container name because it would
 otherwise clash

---
 docker/services.opt/wireguard | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker/services.opt/wireguard b/docker/services.opt/wireguard
index e57ff1b..115fc48 100644
--- a/docker/services.opt/wireguard
+++ b/docker/services.opt/wireguard
@@ -1,5 +1,4 @@
     image: ghcr.io/linuxserver/wireguard
-    container_name: wireguard
     volumes:
       - /etc/wireguard/${netname}:/config
       - /lib/modules:/lib/modules

From 083a259e9d1a2048c4b0334a0e152239f45d317d Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:32:44 -0600
Subject: [PATCH 22/26] Change user and group IDs

---
 docker/services.opt/wireguard | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/services.opt/wireguard b/docker/services.opt/wireguard
index 115fc48..eb6823d 100644
--- a/docker/services.opt/wireguard
+++ b/docker/services.opt/wireguard
@@ -9,6 +9,8 @@
       - TZ=${TZ:-GMT}
       - SERVERPORT=${wg_port:-51820}
       - ALLOWEDIPS=${network_address}/${global_prefix:-16}
+	  - PUID=431
+	  - PGID=431
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
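Review bot: The two added lines at L851-L852 are indented with a tab followed by two spaces, whereas the neighbouring list items use six spaces; YAML does not allow tabs in indentation, so a compose file generated from this fragment will fail to parse until they are re-indented with spaces to match `- ALLOWEDIPS=...` above. The hard-coded `431` also deserves a comment so the next reader knows where the number comes from, for example `# 431: unprivileged uid/gid the wireguard process runs as (linuxserver PUID/PGID)`, assuming that is indeed its purpose.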

From 9acf479b39d32e39d130573fc8a7f8ce74e77c78 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:40:32 -0600
Subject: [PATCH 23/26] Support forced reinstall

---
 docker/services.opt/wireguard | 4 ++--
 install.sh                    | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/docker/services.opt/wireguard b/docker/services.opt/wireguard
index eb6823d..3e9651c 100644
--- a/docker/services.opt/wireguard
+++ b/docker/services.opt/wireguard
@@ -9,8 +9,8 @@
       - TZ=${TZ:-GMT}
       - SERVERPORT=${wg_port:-51820}
       - ALLOWEDIPS=${network_address}/${global_prefix:-16}
-	  - PUID=431
-	  - PGID=431
+      - PUID=431
+      - PGID=431
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
diff --git a/install.sh b/install.sh
index d4fb993..0e9b368 100644
--- a/install.sh
+++ b/install.sh
@@ -49,5 +49,9 @@ touch /etc/lixonet/version
 chmod 660 /etc/lixonet/version
 stat /etc/lixonet/version
 
+if [ "$1" == "force" ]; then
+   echo 0 > /etc/lixonet/version
+fi
+
 docker rm -f lixonet-ee
 docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
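Review bot: `[ "$1" == "force" ]` at L890 relies on the bash extension `==` inside `[ ]`, and `"$1"` is an unbound-variable error under `set -u` when the script is run without arguments; install.sh's shebang and `set` options are not visible here, so whether either bites depends on them. `if [ "${1:-}" = "force" ]; then` works under both bash and POSIX sh and tolerates a missing argument. The three-space indent of the body at L891 also differs from the rest of the file as far as it is visible.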

From 647acf4b8297fe2c5da31f917a9557296364dda1 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:46:00 -0600
Subject: [PATCH 24/26] Mount /etc/wireguard

---
 install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install.sh b/install.sh
index 0e9b368..b4e95f0 100644
--- a/install.sh
+++ b/install.sh
@@ -54,4 +54,4 @@ if [ "$1" == "force" ]; then
 fi
 
 docker rm -f lixonet-ee
-docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
+docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/wireguard:/etc/wireguard -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa --name lixonet-ee lixonet-ee
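Review bot: The `docker run` invocation at L915 is now a single line of roughly 450 characters, which is why this one-mount change shows up as a whole-line diff that is hard to review; breaking it across `\`-continued lines with one `-e`/`-v` per line would make each mount stand out and keep future additions reviewable. `$ORIGIN` in `-e GIT_URL=$ORIGIN` is also unquoted and should be `"$ORIGIN"`. The new bind mount is read-write over all of `/etc/wireguard`, consistent with the other `/etc` mounts; since the container already receives the Docker socket this does not widen its effective privilege, but it does mean any host WireGuard configuration outside this tool's control is writable from inside as well.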

From de804af1b26bd87423da0cbf52f60e8914bdbcb9 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 19:55:17 -0600
Subject: [PATCH 25/26] Add wireguard network mode

---
 docker/services.opt/wireguard | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/services.opt/wireguard b/docker/services.opt/wireguard
index 3e9651c..efb2280 100644
--- a/docker/services.opt/wireguard
+++ b/docker/services.opt/wireguard
@@ -17,5 +17,6 @@
     restart: always
     depends_on:
       - tinc
+    network_mode: 'service:tinc'
     sysctls:
       - net.ipv4.conf.all.src_valid_mark=1
\ No newline at end of file
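Review bot: With `network_mode: 'service:tinc'` at L934 the wireguard container no longer owns a network namespace, which has two consequences the hunk does not address. Any `ports:` mapping for the `SERVERPORT` set elsewhere in this file must now be declared on the tinc service, and I believe Docker rejects namespaced `net.*` sysctls such as the `src_valid_mark` entry at L936 for containers that join another container's namespace — worth verifying on a test deployment, and if confirmed the sysctl moves to tinc as well. If the tinc container is ever recreated, this container also keeps a reference to the old namespace until it is recreated too; `depends_on` alone does not handle that.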

From 8a85ae8aeada70e2575a8d68f9ca7db107021591 Mon Sep 17 00:00:00 2001
From: Manevolent <manevolent@team.lixo>
Date: Tue, 21 Sep 2021 20:00:50 -0600
Subject: [PATCH 26/26] Missing /

---
 wireguard/wg0.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wireguard/wg0.conf.tmpl b/wireguard/wg0.conf.tmpl
index 5e060d1..4ce90b4 100644
--- a/wireguard/wg0.conf.tmpl
+++ b/wireguard/wg0.conf.tmpl
@@ -4,5 +4,5 @@ Address = ${wg_address}/${wg_prefix:-32}
 
 {{ range files "wireguard/peers" }} {{ if ne . "${tinc_peer_name}" }}
 [Peer]
-{{ include (print "wireguard/peers" .) }}
+{{ include (print "wireguard/peers/" .) }}
 {{ end }}{{ end }}
\ No newline at end of file
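Review bot: The corrected `include` at L957 now resolves each entry of `wireguard/peers`, but nothing in the template states what those files must contain; from the surrounding lines each file is presumably the body of one `[Peer]` section without its own header, since the header is emitted at L955. A comment above the `range`, e.g. `# each file in wireguard/peers holds the body of one [Peer] section and is named after the peer`, would make that contract explicit, and `#` lines are legal in wg-quick configs so it can live in the rendered file. The `ne . "${tinc_peer_name}"` test at L954 likewise presumes the peer file names match tinc peer names exactly — worth stating if that is intended.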