1 1 # wireguard-initramfs 2 2 Use dropbear over wireguard. 3 - Start wireguard network during kernel init; enabling dropbear use over wireguard! 4 3 5 4 Enables wireguard networking during kernel boot, before encrypted partitions 6 5 are mounted. Combined with [dropbear](https://github.com/mkj/dropbear) this 7 6 can enable FULLY ENCRYPTED remote booting without storing key material or 8 7 exposing ports on the remote network. An Internet connection simply needs to 9 - exist that can reach the wireguard endpoint. 8 + exist that can reach the wireguard server endpoint. 10 9 11 - Normal dropbear connections can still be used, as well as DNS resolution to 12 - find wireguard endpoints. This essentially enables the creation of a fully13 - encrypted remote managed node, with the ability to prevent all local access. 10 + Normal dropbear connections and DNS resolution can be used to find wireguard 11 + endpoints. This essentially enables the creation of a fully encrypted remote 12 + managed node, with the ability to prevent all local access. 14 13 15 14 ## Requirements 16 - Working knowledge of Linux. Understanding of networking and how Dropbear , 17 - Wireguard work. 15 + Working knowledge of Linux. Understanding of networking and Wireguard . 18 16 19 - 1. [Debian Bullseye](debian.org) (any version with wireguard support should work , but untested ) . 20 - 1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a "known working" state. 21 - 1. [Wireguard](https://www.wireguard.com/) installed, configured and in a " known working " state . 17 + 1. [Debian Bullseye](debian.org) (any version with wireguard support should 18 + work, but untested). 19 + 1. [Wireguard](https://www.wireguard.com/) installed, configured and in a 20 + "known working" state. 22 21 23 22 ## Install 24 23 Installation is automated via make. 
Download, extract contents, and install on skipped 6 lines 31 30 cd wireguard-initramfs-2021-07-03; make install 32 31 ``` 33 32 34 - ## Configure 35 - Configuration is explained within `/etc/wireguard-initramfs/config`. Be sure to36 - set the private key as well.37 - 38 - Restricting dropbear connections to **only** wireguard: 39 - > Confirm wireguard/dropbear work without restriction first. 40 - > 41 - > Set dropbear listen address to only wireguard client interface address. 42 - > Using example configuration: 43 - > 44 - > /etc/dropbear-initramfs/config 45 - > ```bash 46 - > DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...' 47 - > ``` 33 + ### Configure 34 + See comments in `/etc/wireguard-initramfs/config`. Be sure to set the private 35 + key as well. 48 36 49 37 Refer to [wg set man page](https://man7.org/linux/man-pages/man8/wg.8.html) for 50 38 additional information. 51 39 52 40 :warning: 53 - Most installs do not currently encrypt `/boot`; and therefore the client' s 41 + Most installs do not currently encrypt `/boot`; and therefore the client 54 42 private key should be considered **untrusted/compromised**. It is highly 55 - recommended that a separate wireguard network is used to for remote unlocking . 43 + recommended that a separate point - to - point wireguard network with proper port 44 + blocking is used for remote unlocking. 56 45 57 46 Rebuild initramfs to use: 58 47 ```bash skipped 2 lines 61 50 reboot 62 51 ``` 63 52 64 - Any static errors will abort the build. Mis-configurations will not be caught; 65 - test this where you can easily get physical access to the machine if something 66 - goes wrong. 53 + Any static errors will abort the build. Mis-configurations will not be caught. 54 + Be sure to test while you still have physical access to the machine. 
67 55 68 - ## FAQ 69 - Q: **I want to use this, but without dropbear** 56 + ## Dropbear 57 + `wireguard-initramfs` can be combined with dropbear to enable remote system 58 + unlocking without needing control over the remote network, or knowing what the 59 + public IP of that system is. It also creates an encrypted no-trust tunnel 60 + before SSH connections are attempted. 70 61 71 - > A: Supported; just remove the pre-requisite dependency for `init-bottom`: 72 - > 73 - > `/usr/share/initramfs-tools/init-bottom/wireguard` 74 - > ```bash 75 - > #PREREQ="dropbear" 76 - > PREREQ="" 77 - > ``` 78 - > 79 - > and rebuild the initramfs image. 62 + ### Requirements 80 63 81 - Q: **I want to restrict dropbear to only wireguard** 64 + 1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a "known working" state. 82 65 83 - > A: Supported. Confirm wireguard works before restricting normal networks. 84 - > 85 - > Restricting dropbear connections to **only** wireguard: 86 - > > Confirm wireguard/dropbear work without restriction first. 87 - > > 88 - > > Set dropbear listen address to only wireguard client interface address. 89 - > > Using example configuration: 90 - > > 91 - > > /etc/dropbear-initramfs/config 92 - > > ```bash 93 - > > DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...' 94 - > > ``` 66 + ### Configure 67 + Set dropbear to use *all* network interfaces to ensure remote unlocks work over 68 + wireguard first. Then restrict to the wireguard network once it is working: 69 + 70 + `/etc/dropbear-initramfs/config` 71 + ```bash 72 + DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...' 73 + ``` 95 74 96 75 ## Bug / Patches / Contributions? 97 76 All are welcome, please submit a pull request or open a bug! skipped 3 lines
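Review bot: the reworded intro paragraph changes its meaning. `Normal dropbear connections and DNS resolution can be used to find wireguard endpoints` now reads as if dropbear connections are a way to locate endpoints, whereas the removed text made two separate points (dropbear still works over the normal network, and DNS can resolve the wireguard endpoint). Suggest splitting it back into two sentences, e.g. "Normal dropbear connections still work. DNS resolution can be used to find wireguard endpoints." Also, the unchanged `[Debian Bullseye](debian.org)` is a scheme-less link that renders as a relative path; use `https://www.debian.org/`.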
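Review bot: the rewritten warning in the Configure hunk is the central security statement of the README and is now less precise than before. `the client private key should be considered **untrusted/compromised**` lost its possessive (`client's`), and `with proper port blocking` does not say which side blocks what; suggest stating that the key stored in the unencrypted initramfs should be a dedicated key used only for unlocking, and that the unlock peer should only be able to reach the unlock host's ssh port. The spacing in `point - to - point` looks like a rendering artefact and should be `point-to-point`.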
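Review bot: dropping the FAQ entry removes the only documented way to run without dropbear (changing `PREREQ="dropbear"` to `PREREQ=""` in `/usr/share/initramfs-tools/init-bottom/wireguard`), but nothing in the new Dropbear section says whether that hard dependency was removed from the hook; either restore the instruction or state that the init-bottom script no longer requires dropbear. Also the new Configure text says `Then restrict to the wireguard network once it is working`, while the removed text explained that `172.31.255.10` is the wireguard client interface address from the example configuration; one sentence making that explicit keeps the `-p 172.31.255.10:22` example understandable for readers with a different address plan.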