1 | 1 | | # wireguard-initramfs |
2 | 2 | | Use dropbear over wireguard. |
| 3 | + | Start wireguard network during kernel init; enabling dropbear use over wireguard! |
| 4 | + | |
| 5 | + | Enables wireguard networking during kernel boot, before encrypted partitions |
| 6 | + | are mounted. Combined with [dropbear](https://github.com/mkj/dropbear) this |
| 7 | + | can enable FULLY ENCRYPTED remote booting without storing key material or |
| 8 | + | exposing ports on the remote network. An Internet connection simply needs to |
| 9 | + | exist that can reach the wireguard endpoint. |
| 10 | + | |
| 11 | + | Normal dropbear connections can still be used, as well as DNS resolution to |
| 12 | + | find wireguard endpoints. This essentially enables the creation of a fully |
| 13 | + | encrypted remote managed node, with the ability to prevent all local access. |
| 14 | + | |
| 15 | + | ## Requirements |
| 16 | + | Working knowledge of Linux. Understanding of networking and how Dropbear, |
| 17 | + | Wireguard work. |
| 18 | + | |
| 19 | + | 1. [Debian Bullseye](debian.org) (any version with wireguard support should work, but untested). |
| 20 | + | 1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a "known working" state. |
| 21 | + | 1. [Wireguard](https://www.wireguard.com/) installed, configured and in a "known working" state. |
| 22 | + | |
| 23 | + | ## Install |
| 24 | + | Installation is automated via make. Download, extract contents, and install on |
| 25 | + | target machine. |
| 26 | + | |
| 27 | + | Grab the latest release, untarball, and install. |
| 28 | + | ```bash |
| 29 | + | wget https://github.com/r-pufky/wireguard-initramfs/archive/refs/tags/2021-07-03.tar.gz |
| 30 | + | tar xvf 2021-07-03.tar.gz |
| 31 | + | cd wireguard-initramfs-2021-07-03; make install |
| 32 | + | ``` |
| 33 | + | |
| 34 | + | ## Configure |
| 35 | + | Configuration is explained within `/etc/wireguard-initramfs/config`. Be sure to |
| 36 | + | set the private key as well. |
| 37 | + | |
| 38 | + | Restricting dropbear connections to **only** wireguard: |
| 39 | + | Confirm wireguard/dropbear work without restriction first. |
| 40 | + | |
| 41 | + | Set dropbear listen address to only wireguard client interface address. |
| 42 | + | Using example configuration: |
| 43 | + | |
| 44 | + | /etc/dropbear-initramfs/config |
| 45 | + | ```bash |
| 46 | + | DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...' |
| 47 | + | ``` |
| 48 | + | |
| 49 | + | Refer to [wg set man page](https://man7.org/linux/man-pages/man8/wg.8.html) for |
| 50 | + | additional information. |
| 51 | + | |
| 52 | + | :warning: |
| 53 | + | Most installs do not currently encrypt `/boot`; and therefore the client's |
| 54 | + | private key should be considered **untrusted/compromised**. It is highly |
| 55 | + | recommended that a separate wireguard network is used to for remote unlocking. |
| 56 | + | |
| 57 | + | Rebuild initramfs to use: |
| 58 | + | ```bash |
| 59 | + | update-initramfs -u |
| 60 | + | update-grub |
| 61 | + | reboot |
| 62 | + | ``` |
| 63 | + | |
| 64 | + | Any static errors will abort the build. Mis-configurations will not be caught; |
| 65 | + | test this where you can easily get physical access to the machine if something |
| 66 | + | goes wrong. |
| 67 | + | |
| 68 | + | ## FAQ |
| 69 | + | Q: **I want to use this, but without dropbear** |
| 70 | + | |
| 71 | + | > A: Supported; just remove the pre-requisite dependency for `init-bottom`: |
| 72 | + | > |
| 73 | + | > `/usr/share/initramfs-tools/init-bottom/wireguard` |
| 74 | + | > ```bash |
| 75 | + | > #PREREQ="dropbear" |
| 76 | + | > PREREQ="" |
| 77 | + | > ``` |
| 78 | + | > |
| 79 | + | > and rebuild the initramfs image. |
| 80 | + | |
| 81 | + | Q: **I want to restrict dropbear to only wireguard** |
| 82 | + | |
| 83 | + | > A: Supported. Confirm wireguard works before restricting normal networks. |
| 84 | + | > |
| 85 | + | > Restricting dropbear connections to **only** wireguard: |
| 86 | + | > Confirm wireguard/dropbear work without restriction first. |
| 87 | + | > |
| 88 | + | > Set dropbear listen address to only wireguard client interface address. |
| 89 | + | > Using example configuration: |
| 90 | + | > |
| 91 | + | > /etc/dropbear-initramfs/config |
| 92 | + | > ```bash |
| 93 | + | > DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...' |
| 94 | + | > ``` |
| 95 | + | |
| 96 | + | ## Bug / Patches / Contributions? |
| 97 | + | All are welcome, please submit a pull request or open a bug! |
| 98 | + | |
| 99 | + | Know debian packaging? Create a .deb package for this! |
3 | 100 | | |
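Review bot: the "Restricting dropbear connections to **only** wireguard" block under `## Configure` (the lines from "Restricting dropbear connections" through the `DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'` fence) is repeated verbatim as the second FAQ answer; keep one copy, preferably the FAQ entry, and have the Configure section point at it. The requirements link `[Debian Bullseye](debian.org)` has no scheme, so it renders as a relative link on GitHub; use `https://www.debian.org/`. In the `:warning:` paragraph, "used to for remote unlocking" should read "used for remote unlocking", and the semicolon in "do not currently encrypt `/boot`; and therefore" should be a comma; it would also help to say plainly why the key is untrusted, namely that the initramfs containing the wireguard private key lives on the unencrypted `/boot`, which is the reason the README already recommends a separate wireguard network for unlocking. Finally, the `-p 172.31.255.10:22` example binds dropbear to the wireguard client address but nothing in the text says the address must match the interface address set in `/etc/wireguard-initramfs/config`; one sentence tying the two together would prevent a lockout, which the "test where you have physical access" note already warns about.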