  • Remove dropbear dependency.

    * Remove PREREQ dropbear dependency in init-bottom; this is not needed for
      dropbear to work correctly.
    * Move initramfs scripts to `/etc/initramfs-tools` since there is no longer
      a dependency on the dropbear system package.
    * Update Makefile to handle new location and automatically remove the old
      location.
    * Added IPv6 DNS support if IPv6 use is detected.
    * Standardized and clarified code & documentation.
  • Robert Pufky committed 3 years ago
    ccd38316
    1 parent 75e75677
    Makefile
    skipped 2 lines
    3 3  # You can set these variables from the command line, and also
    4 4  # from the environment for the first two.
    5 5  TARGETDIR = /etc/wireguard-initramfs
    6  -INITRAMFS = /usr/share/initramfs-tools
     6 +INITRAMFS = /etc/initramfs-tools
    7 7   
    8 8  help:
    9 9   @echo "USAGE:"
    skipped 8 lines
    18 18   
    19 19  .PHONY: help Makefile
    20 20   
    21  -install:
     21 +install: remove_legacy
    22 22   @if ! [ "$(shell id -u)" = 0 ]; then echo "You must be root to perform this action."; exit 1; fi
    23 23   @echo "Installing wireguard-initramfs ..."
    24 24   @apt update && apt install initramfs-tools
    25 25   @mkdir -p "$(TARGETDIR)"
    26 26   @touch "$(TARGETDIR)/private_key"
    27  - @chmod 0400 "$(TARGETDIR)/private_key"
     27 + @chmod 0600 "$(TARGETDIR)/private_key"
    28 28   @cp -v config "$(TARGETDIR)/config"
    29 29   @chmod 0644 "$(TARGETDIR)/config"
    30 30   @cp -v hooks "$(INITRAMFS)/hooks/wireguard"
     31 + @chmod 0755 hooks "$(INITRAMFS)/hooks/wireguard"
    31 32   @cp -v init-premount "$(INITRAMFS)/scripts/init-premount/wireguard"
     33 + @chmod 0755 init-premount "$(INITRAMFS)/scripts/init-premount/wireguard"
    32 34   @cp -v init-bottom "$(INITRAMFS)/scripts/init-bottom/wireguard"
     35 + @chmod 0755 init-bottom "$(INITRAMFS)/scripts/init-bottom/wireguard"
    33 36   @echo "Done."
    34 37   @echo
    35 38   @echo "Setup $(TARGETDIR)/config and run:"
    36 39   @echo
    37 40   @echo " update-initramfs -u && update-grub"
     41 + @echo
    38 42   @echo "Done."
    39 43   
    40  -uninstall:
     44 +uninstall: remove_legacy
    41 45   @if ! [ "$(shell id -u)" = 0 ]; then echo "You must be root to perform this action."; exit 1; fi
    42 46   @echo "Uninstalling wireguard-initramfs ..."
    43 47   @rm -f "$(INITRAMFS)/hooks/wireguard"
    44 48   @rm -f "$(INITRAMFS)/scripts/init-premount/wireguard"
    45 49   @rm -f "$(INITRAMFS)/scripts/init-bottom/wireguard"
     50 + @echo
    46 51   @echo "Done."
    47  - @echo
     52 + 
     53 +remove_legacy:
     54 + @rm -f "/usr/share/initramfs-tools/hooks/wireguard"
     55 + @rm -f "/usr/share/initramfs-tools/scripts/init-premount/wireguard"
     56 + @rm -f "/usr/share/initramfs-tools/scripts/init-bottom/wireguard"
    48 57   
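Review bot: each new `@chmod 0755 hooks "$(INITRAMFS)/hooks/wireguard"` line (and the `init-premount` / `init-bottom` equivalents) passes two paths to chmod, so `make install` also changes the mode of the source files in the checkout as a side effect; replace each `cp` + `chmod` pair with `install -m 0755 hooks "$(INITRAMFS)/hooks/wireguard"`, which copies and sets the mode in one step without touching the source tree. The same applies to the key file: `touch` creates it with the umask default before `chmod 0600` runs, so `install -m 0600 /dev/null "$(TARGETDIR)/private_key"` avoids the window (the file is empty at that point, so this is tidiness rather than a leak). Note that `0600` relaxes the previous `0400`; that is reasonable because root has to write the key into the file, but the commit message should say so. Finally, `install`, `uninstall` and the new `remove_legacy` are not listed in `.PHONY: help Makefile`, so a file of that name in the working directory would silently satisfy the target.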
    README.md
    1 1  # wireguard-initramfs
    2 2  Use dropbear over wireguard.
    3  -Start wireguard network during kernel init; enabling dropbear use over wireguard!
    4 3   
    5 4  Enables wireguard networking during kernel boot, before encrypted partitions
    6 5  are mounted. Combined with [dropbear](https://github.com/mkj/dropbear) this
    7 6  can enable FULLY ENCRYPTED remote booting without storing key material or
    8 7  exposing ports on the remote network. An Internet connection simply needs to
    9  -exist that can reach the wireguard endpoint.
     8 +exist that can reach the wireguard server endpoint.
    10 9   
    11  -Normal dropbear connections can still be used, as well as DNS resolution to
    12  -find wireguard endpoints. This essentially enables the creation of a fully
    13  -encrypted remote managed node, with the ability to prevent all local access.
     10 +Normal dropbear connections and DNS resolution can be used to find wireguard
     11 +endpoints. This essentially enables the creation of a fully encrypted remote
     12 +managed node, with the ability to prevent all local access.
    14 13   
    15 14  ## Requirements
    16  -Working knowledge of Linux. Understanding of networking and how Dropbear,
    17  -Wireguard work.
     15 +Working knowledge of Linux. Understanding of networking and Wireguard.
    18 16   
    19  -1. [Debian Bullseye](debian.org) (any version with wireguard support should work, but untested).
    20  -1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a "known working" state.
    21  -1. [Wireguard](https://www.wireguard.com/) installed, configured and in a "known working" state.
     17 +1. [Debian Bullseye](debian.org) (any version with wireguard support should
     18 + work, but untested).
     19 +1. [Wireguard](https://www.wireguard.com/) installed, configured and in a
     20 + "known working" state.
    22 21   
    23 22  ## Install
    24 23  Installation is automated via make. Download, extract contents, and install on
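Review bot: `[Debian Bullseye](debian.org)` has no URL scheme, so it renders as a relative link to a `debian.org` path inside the repository; use `https://www.debian.org/`. Since the point of this commit is that dropbear is now optional, the first line `Use dropbear over wireguard.` still reads as the project's one-line description; consider rewording it to say that the wireguard tunnel is started from the initramfs and dropbear is an optional add-on, which is what the new `## Dropbear` section further down explains.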
    skipped 6 lines
    31 30  cd wireguard-initramfs-2021-07-03; make install
    32 31  ```
    33 32   
    34  -## Configure
    35  -Configuration is explained within `/etc/wireguard-initramfs/config`. Be sure to
    36  -set the private key as well.
    37  - 
    38  -Restricting dropbear connections to **only** wireguard:
    39  -> Confirm wireguard/dropbear work without restriction first.
    40  ->
    41  -> Set dropbear listen address to only wireguard client interface address.
    42  -> Using example configuration:
    43  ->
    44  -> /etc/dropbear-initramfs/config
    45  -> ```bash
    46  -> DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
    47  -> ```
     33 +### Configure
     34 +See comments in `/etc/wireguard-initramfs/config`. Be sure to set the private
     35 +key as well.
    48 36   
    49 37  Refer to [wg set man page](https://man7.org/linux/man-pages/man8/wg.8.html) for
    50 38  additional information.
    51 39   
    52 40  :warning:
    53  -Most installs do not currently encrypt `/boot`; and therefore the client's
     41 +Most installs do not currently encrypt `/boot`; and therefore the client
    54 42  private key should be considered **untrusted/compromised**. It is highly
    55  -recommended that a separate wireguard network is used to for remote unlocking.
     43 +recommended that a separate point-to-point wireguard network with proper port
     44 +blocking is used for remote unlocking.
    56 45   
    57 46  Rebuild initramfs to use:
    58 47  ```bash
    skipped 2 lines
    61 50  reboot
    62 51  ```
    63 52   
    64  -Any static errors will abort the build. Mis-configurations will not be caught;
    65  -test this where you can easily get physical access to the machine if something
    66  -goes wrong.
     53 +Any static errors will abort the build. Mis-configurations will not be caught.
     54 +Be sure to test while you still have physical access to the machine.
    67 55   
    68  -## FAQ
    69  -Q: **I want to use this, but without dropbear**
     56 +## Dropbear
     57 +`wireguard-initramfs` can be combined with dropbear to enable remote system
     58 +unlocking without needing control over the remote network, or knowing what the
     59 +public IP of that system is. It also creates an encrypted no-trust tunnel
     60 +before SSH connections are attempted.
    70 61   
    71  -> A: Supported; just remove the pre-requisite dependency for `init-bottom`:
    72  ->
    73  -> `/usr/share/initramfs-tools/init-bottom/wireguard`
    74  -> ```bash
    75  -> #PREREQ="dropbear"
    76  -> PREREQ=""
    77  -> ```
    78  ->
    79  -> and rebuild the initramfs image.
     62 +### Requirements
    80 63   
    81  -Q: **I want to restrict dropbear to only wireguard**
     64 +1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a "known working" state.
    82 65   
    83  -> A: Supported. Confirm wireguard works before restricting normal networks.
    84  ->
    85  -> Restricting dropbear connections to **only** wireguard:
    86  -> > Confirm wireguard/dropbear work without restriction first.
    87  -> >
    88  -> > Set dropbear listen address to only wireguard client interface address.
    89  -> > Using example configuration:
    90  -> >
    91  -> > /etc/dropbear-initramfs/config
    92  -> > ```bash
    93  -> > DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
    94  -> > ```
     66 +### Configure
     67 +Set dropbear to use *all* network interfaces to ensure remote unlocks work over
     68 +wireguard first. Then restrict to the wireguard network once it is working:
     69 + 
     70 +`/etc/dropbear-initramfs/config`
     71 +```bash
     72 +DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
     73 +```
    95 74   
    96 75  ## Bug / Patches / Contributions?
    97 76  All are welcome, please submit a pull request or open a bug!
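Review bot: the new `### Configure` text under `## Dropbear` says to let dropbear listen on all interfaces first and restrict afterwards, but the only configuration shown is the restricted form `DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'`; show the unrestricted form beside it (a plain `-p 22`, or no `-p` at all) so both steps are concrete, and state that the address must match `INTERFACE_ADDR` in `/etc/wireguard-initramfs/config`. In the warning block, `a separate point-to-point wireguard network with proper port blocking` would be clearer if it named what to block: on the wireguard server, allow the boot peer to reach only the unlock SSH port and nothing else, because the client key sitting in an unencrypted `/boot` has to be treated as compromised. `encrypted no-trust tunnel` in the Dropbear intro is ambiguous for the same reason; `a tunnel whose client key is untrusted` is what the warning block means.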
    skipped 3 lines
    config
    skipped 1 lines
    2 2  #
    3 3  # NOTE: As most systems do not encrypt /boot, private key material is exposed
    4 4  # and compromised/untrusted. Boot wireguard network should be
    5  -# **different** & untrusted, versus the network used after booting.
     5 +# **different** & untrusted; versus the network used after booting.
     6 +# Always restrict ports and access on the wireguard server.
    6 7  #
    7 8  # Be sure to test wireguard config with a running system before setting
    8 9  # options. See: https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html
    9 10  #
    10 11  # Restricting dropbear connections to **only** wireguard:
    11  -# Confirm wireguard/dropbear work without restriction first.
    12  -#
    13  -# Set dropbear listen address to only wireguard client interface address.
    14  -# Using example configuration:
     12 +# * Confirm wireguard/dropbear work without restriction first.
     13 +# * Set dropbear listen address to only wireguard client interface address.
    15 14  #
    16 15  # /etc/dropbear-initramfs/config
    17  -# ...
    18 16  # DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
    19 17  #
    20 18   
    skipped 3 lines
    24 22  # CIDR wireguard interface address.
    25 23  INTERFACE_ADDR=172.31.255.10/32
    26 24   
    27  -# Peer public key (server's public key)
     25 +# Peer public key (server's public key).
    28 26  PEER_PUBLIC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    29 27   
    30 28  # IP:PORT of the peer (server); any reachable IP/DNS.
    skipped 2 lines
    33 31  # Client Private key. Specify location of file containing only the private key.
    34 32  CLIENT_PRIVATE_KEYFILE=/etc/wireguard-initramfs/private_key
    35 33   
    36  -# Keepalives. Required to ensure connection for non-exposed ports.
     34 +# Persistent Keepalive. Required to ensure connection for non-exposed ports.
    37 35  PERSISTENT_KEEPALIVES=25
    38 36   
    39  -# CIDR IP's allowed on wireguard connection, typically the peer (server)
     37 +# Allowed IP's (CIDR) on wireguard; for boot this should be the peer (server).
    40 38  ALLOWED_IPS=172.31.255.254/32
    41 39   
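Review bot: `# Allowed IP's (CIDR) on wireguard; ...` uses a possessive apostrophe for a plural; it should read `IPs`, as the init-premount message `Allowed IPs is not defined` already does. The rest of the comment change is the right one: keeping `ALLOWED_IPS` at the server's single `/32` means the boot-time tunnel routes traffic only to the unlock peer, which is the restriction the README warning asks for, and it would be worth adding to the comment that widening it to a whole subnet undoes that.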
    hooks
    skipped 2 lines
    3 3  PREREQ=""
    4 4   
    5 5  prereqs() {
    6  - echo "${PREREQ}"
     6 + echo "${PREREQ}"
    7 7  }
    8 8   
    9 9  case "${1}" in
    10  - prereqs)
    11  - prereqs
    12  - exit 0
    13  - ;;
     10 + prereqs)
     11 + prereqs
     12 + exit 0
     13 + ;;
    14 14  esac
    15 15   
    16 16  . /usr/share/initramfs-tools/hook-functions
    skipped 31 lines
    init-bottom
    1 1  #!/bin/sh
    2 2   
    3  -PREREQ="dropbear"
     3 +PREREQ=""
    4 4   
    5 5  prereqs() {
    6  - echo "${PREREQ}"
     6 + echo "${PREREQ}"
    7 7  }
    8 8   
    9 9  case "${1}" in
    10  - prereqs)
    11  - prereqs
    12  - exit 0
    13  - ;;
     10 + prereqs)
     11 + prereqs
     12 + exit 0
     13 + ;;
    14 14  esac
    15 15   
    16 16  . /scripts/functions
    17 17   
    18 18  . /etc/wireguard/config
     19 + 
    19 20  log_begin_msg 'Stopping wireguard boot network'
    20 21  ip link delete dev ${INTERFACE}
    21 22  log_end_msg
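Review bot: with `PREREQ="dropbear"` changed to `PREREQ=""`, the order in which this script and dropbear's own init-bottom handling run is no longer fixed; if this one goes first, `ip link delete dev ${INTERFACE}` drops any unlock session still open over the tunnel before dropbear gets to close it. That is harmless for the boot itself, but the commit message's "not needed for dropbear to work correctly" should say that the ordering is now unspecified. Separately, `. /etc/wireguard/config` is sourced unconditionally, while init-premount exits early when the config, the `wg` binary or the keyfile is missing; mirror that here (`[ -e /etc/wireguard/config ] || exit 0`, and `ip link show dev "${INTERFACE}" >/dev/null 2>&1 || exit 0` before the delete) so a system where init-premount skipped the start does not error out at every boot. Quote the variable as well: `ip link delete dev "${INTERFACE}"`.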
    skipped 1 lines
    init-premount
    skipped 2 lines
    3 3  PREREQ="udev"
    4 4   
    5 5  prereqs() {
    6  - echo "${PREREQ}"
     6 + echo "${PREREQ}"
    7 7  }
    8 8   
    9 9  case "${1}" in
    10  - prereqs)
    11  - prereqs
    12  - exit 0
    13  - ;;
     10 + prereqs)
     11 + prereqs
     12 + exit 0
     13 + ;;
    14 14  esac
    15 15   
    16 16  . /scripts/functions
    17 17   
    18 18  if [ ! -e /sbin/wg ]; then
    19  - log_failure_msg 'Wireguard binary not found, skipping setup'
     19 + log_failure_msg 'Wireguard binary not found; skipping start'
    20 20   exit 0
    21 21  fi
    22 22  if [ ! -e /etc/wireguard/config ]; then
    23  - log_failure_msg 'Wireguard config not found, skipping setup'
     23 + log_failure_msg 'Wireguard config not found; skipping start'
    24 24   exit 0
    25 25  fi
    26 26  if [ ! -e /etc/wireguard/private_key ]; then
    27  - log_failure_msg 'Wireguard client private key not found, skipping setup'
     27 + log_failure_msg 'Wireguard client private keyfile not found, skipping start'
    28 28   exit 0
    29 29  fi
    30 30   
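Review bot: the third message, `'Wireguard client private keyfile not found, skipping start'`, keeps a comma where the two above it were changed to a semicolon (`'... not found; skipping start'`); make all three consistent. Since these three checks `exit 0` (the boot continues as if wireguard were simply not configured) while the variable checks further down the script signal failure, a one-line comment saying that a missing binary, config or key is treated as "not configured" rather than as an error would make the intent explicit.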
    skipped 1 lines
    32 32  . /etc/wireguard/config
    33 33   
    34 34  if [ -z ${INTERFACE} ]; then
    35  - log_failure_msg 'Interface name is not defined!'
     35 + log_failure_msg 'Interface name is not defined'
    36 36   return 1
    37 37  fi
    38 38   
    39 39  if [ -z ${INTERFACE_ADDR} ]; then
    40  - log_failure_msg 'Interface address is not defined!'
     40 + log_failure_msg 'Interface address is not defined'
    41 41   return 1
    42 42  fi
    43 43   
    44 44  if [ -z ${PEER_PUBLIC_KEY} ]; then
    45  - log_failure_msg 'Peer Public Key is not defined!'
     45 + log_failure_msg 'Peer public key is not defined'
    46 46   return 1
    47 47  fi
    48 48   
    49 49  if [ -z ${PEER_ENDPOINT} ]; then
    50  - log_failure_msg 'Peer endpoint is not defined!'
     50 + log_failure_msg 'Peer endpoint is not defined'
    51 51   return 1
    52 52  fi
    53 53   
    54 54  if [ -z ${PERSISTENT_KEEPALIVES} ]; then
    55  - log_failure_msg 'Persistent Keep Alives is not defined!'
     55 + log_failure_msg 'Persistent keepalive is not defined'
    56 56   return 1
    57 57  fi
    58 58   
    59 59  if [ -z ${ALLOWED_IPS} ]; then
    60  - log_failure_msg 'Allowed IPs is not defined!'
     60 + log_failure_msg 'Allowed IPs is not defined'
    61 61   return 1
    62 62  fi
    63 63  log_end_msg
    64 64   
    65 65  log_begin_ms 'Starting wireguard'
    66  - 
    67 66  # Ensure networking is started (idempotent) and setup DNS.
    68 67  configure_networking
    69 68  touch /etc/resolv.conf
    70 69  for adapter in /run/net-*.conf; do
    71  - source "${adapter}"
    72  - echo nameserver "${IPV4DNS0}" >> /etc/resolv.conf
    73  - echo nameserver "${IPV4DNS1}" >> /etc/resolv.conf
     70 + . "${adapter}"
     71 + if [ ! -z "${IPV4DNS0}" ]; then
     72 + echo nameserver "${IPV4DNS0}" >> /etc/resolv.conf
     73 + echo nameserver "${IPV4DNS1}" >> /etc/resolv.conf
     74 + fi
     75 + if [ ! -z "${IPV6DNS0}" ]; then
     76 + echo nameserver "${IPV6DNS0}" >> /etc/resolv.conf
     77 + fi
    74 78  done
    75 79   
    76 80  ip link add dev ${INTERFACE} type wireguard
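Review bot: the unchanged context line `log_begin_ms 'Starting wireguard'` is a typo for `log_begin_msg` and will fail with a "not found" error in the initramfs shell; fix it in this commit since the hunk already touches the surrounding lines. Each `return 1` after a `log_failure_msg` sits outside any function, and init-premount scripts are executed rather than sourced, so a top-level `return` is shell-dependent; `exit 1` (or the initramfs `panic` helper) states the intent unambiguously. The `[ -z ${INTERFACE} ]` family of tests should quote the expansion (`[ -z "${INTERFACE}" ]`) so a value containing whitespace does not break the test. In the DNS loop, `IPV4DNS1` is guarded only by the `IPV4DNS0` check and can still be empty, which appends a bare `nameserver` line to `/etc/resolv.conf`; guard each variable separately, and handle `IPV6DNS1` the same way as `IPV6DNS0` if the IPv6 path is meant to be symmetric. Replacing `source` with `.` is the right fix for the initramfs `sh`.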
    skipped 11 lines