STRLCPY/wireguard-initramfs

Initial wireguard-initramfs commit.
Robert Pufky committed 3 years ago

d291098e

1 parent 567facf9

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

Makefile

1	+	# Makefile for wireguard initramfs boot.
2	+
3	+	# You can set these variables from the command line, and also
4	+	# from the environment for the first two.
5	+	TARGETDIR = /etc/wireguard-initramfs
6	+	INITRAMFS = /usr/share/initramfs-tools
7	+
8	+	help:
9	+	@echo "USAGE:"
10	+	@echo " make install"
11	+	@echo " Install wireguard-initramfs and default configuration files."
12	+	@echo " Requires additional configuration!"
13	+	@echo
14	+	@echo " make uninstall"
15	+	@echo " Remove wireguard-initramfs from initramfs, leaves "
16	+	@echo " $(TARGETDIR). Does not need to be installed."
17	+	@echo
18	+
19	+	.PHONY: help Makefile
20	+
21	+	install:
22	+	@if ! [ "$(shell id -u)" = 0 ]; then echo "You must be root to perform this action."; exit 1; fi
23	+	@echo "Installing wireguard-initramfs ..."
24	+	@apt update && apt install initramfs-tools
25	+	@mkdir -p "$(TARGETDIR)"
26	+	@touch "$(TARGETDIR)/private_key"
27	+	@chmod 0400 "$(TARGETDIR)/private_key"
28	+	@cp -v config "$(TARGETDIR)/config"
29	+	@chmod 0644 "$(TARGETDIR)/config"
30	+	@cp -v hooks "$(INITRAMFS)/hooks/wireguard"
31	+	@cp -v init-premount "$(INITRAMFS)/scripts/init-premount/wireguard"
32	+	@cp -v init-bottom "$(INITRAMFS)/scripts/init-bottom/wireguard"
33	+	@echo "Done."
34	+	@echo
35	+	@echo "Setup $(TARGETDIR)/config and run:"
36	+	@echo
37	+	@echo " update-initramfs -u && update-grub"
38	+	@echo "Done."
39	+
40	+	uninstall:
41	+	@if ! [ "$(shell id -u)" = 0 ]; then echo "You must be root to perform this action."; exit 1; fi
42	+	@echo "Uninstalling wireguard-initramfs ..."
43	+	@rm -f "$(INITRAMFS)/hooks/wireguard"
44	+	@rm -f "$(INITRAMFS)/scripts/init-premount/wireguard"
45	+	@rm -f "$(INITRAMFS)/scripts/init-bottom/wireguard"
46	+	@echo "Done."
47	+	@echo
48	+

■ ■ ■ ■ ■ ■

README.md

1	1		# wireguard-initramfs
2	2		Use dropbear over wireguard.
	3	+	Start wireguard network during kernel init; enabling dropbear use over wireguard!
	4	+
	5	+	Enables wireguard networking during kernel boot, before encrypted partitions
	6	+	are mounted. Combined with [dropbear](https://github.com/mkj/dropbear) this
	7	+	can enable FULLY ENCRYPTED remote booting without storing key material or
	8	+	exposing ports on the remote network. An Internet connection simply needs to
	9	+	exist that can reach the wireguard endpoint.
	10	+
	11	+	Normal dropbear connections can still be used, as well as DNS resolution to
	12	+	find wireguard endpoints. This essentially enables the creation of a fully
	13	+	encrypted remote managed node, with the ability to prevent all local access.
	14	+
	15	+	## Requirements
	16	+	Working knowledge of Linux. Understanding of networking and how Dropbear,
	17	+	Wireguard work.
	18	+
	19	+	1. [Debian Bullseye](debian.org) (any version with wireguard support should work, but untested).
	20	+	1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a "known working" state.
	21	+	1. [Wireguard](https://www.wireguard.com/) installed, configured and in a "known working" state.
	22	+
	23	+	## Install
	24	+	Installation is automated via make. Download, extract contents, and install on
	25	+	target machine.
	26	+
	27	+	Grab the latest release, untarball, and install.
	28	+	```bash
	29	+	wget https://github.com/r-pufky/wireguard-initramfs/archive/refs/tags/2021-07-03.tar.gz
	30	+	tar xvf 2021-07-03.tar.gz
	31	+	cd wireguard-initramfs-2021-07-03; make install
	32	+	```
	33	+
	34	+	## Configure
	35	+	Configuration is explained within `/etc/wireguard-initramfs/config`. Be sure to
	36	+	set the private key as well.
	37	+
	38	+	Restricting dropbear connections to only wireguard:
	39	+	Confirm wireguard/dropbear work without restriction first.
	40	+
	41	+	Set dropbear listen address to only wireguard client interface address.
	42	+	Using example configuration:
	43	+
	44	+	/etc/dropbear-initramfs/config
	45	+	```bash
	46	+	DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
	47	+	```
	48	+
	49	+	Refer to [wg set man page](https://man7.org/linux/man-pages/man8/wg.8.html) for
	50	+	additional information.
	51	+
	52	+	:warning:
	53	+	Most installs do not currently encrypt `/boot`; and therefore the client's
	54	+	private key should be considered untrusted/compromised. It is highly
	55	+	recommended that a separate wireguard network is used to for remote unlocking.
	56	+
	57	+	Rebuild initramfs to use:
	58	+	```bash
	59	+	update-initramfs -u
	60	+	update-grub
	61	+	reboot
	62	+	```
	63	+
	64	+	Any static errors will abort the build. Mis-configurations will not be caught;
	65	+	test this where you can easily get physical access to the machine if something
	66	+	goes wrong.
	67	+
	68	+	## FAQ
	69	+	Q: I want to use this, but without dropbear
	70	+
	71	+	> A: Supported; just remove the pre-requisite dependency for `init-bottom`:
	72	+	>
	73	+	> `/usr/share/initramfs-tools/init-bottom/wireguard`
	74	+	> ```bash
	75	+	> #PREREQ="dropbear"
	76	+	> PREREQ=""
	77	+	> ```
	78	+	>
	79	+	> and rebuild the initramfs image.
	80	+
	81	+	Q: I want to restrict dropbear to only wireguard
	82	+
	83	+	> A: Supported. Confirm wireguard works before restricting normal networks.
	84	+	>
	85	+	> Restricting dropbear connections to only wireguard:
	86	+	> Confirm wireguard/dropbear work without restriction first.
	87	+	>
	88	+	> Set dropbear listen address to only wireguard client interface address.
	89	+	> Using example configuration:
	90	+	>
	91	+	> /etc/dropbear-initramfs/config
	92	+	> ```bash
	93	+	> DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
	94	+	> ```
	95	+
	96	+	## Bug / Patches / Contributions?
	97	+	All are welcome, please submit a pull request or open a bug!
	98	+
	99	+	Know debian packaging? Create a .deb package for this!
3	100

■ ■ ■ ■ ■ ■

config

1	+	# Wireguard initramfs configuration.
2	+	#
3	+	# NOTE: As most systems do not encrypt /boot, private key material is exposed
4	+	# and compromised/untrusted. Boot wireguard network should be
5	+	# different & untrusted, versus the network used after booting.
6	+	#
7	+	# Be sure to test wireguard config with a running system before setting
8	+	# options. See: https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html
9	+	#
10	+	# Restricting dropbear connections to only wireguard:
11	+	# Confirm wireguard/dropbear work without restriction first.
12	+	#
13	+	# Set dropbear listen address to only wireguard client interface address.
14	+	# Using example configuration:
15	+	#
16	+	# /etc/dropbear-initramfs/config
17	+	# ...
18	+	# DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
19	+	#
20	+
21	+	# Wireguard interface name.
22	+	INTERFACE=example_vpn
23	+
24	+	# CIDR wireguard interface address.
25	+	INTERFACE_ADDR=172.31.255.10/32
26	+
27	+	# Peer public key (server's public key)
28	+	PEER_PUBLIC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
29	+
30	+	# IP:PORT of the peer (server); any reachable IP/DNS.
31	+	PEER_ENDPOINT=wg.example.com:51820
32	+
33	+	# Client Private key. Specify location of file containing only the private key.
34	+	CLIENT_PRIVATE_KEYFILE=/etc/wireguard-initramfs/private_key
35	+
36	+	# Keepalives. Required to ensure connection for non-exposed ports.
37	+	PERSISTENT_KEEPALIVES=25
38	+
39	+	# CIDR IP's allowed on wireguard connection, typically the peer (server)
40	+	ALLOWED_IPS=172.31.255.254/32
41	+

■ ■ ■ ■ ■ ■

hooks

1	+	#!/bin/sh
2	+
3	+	PREREQ=""
4	+
5	+	prereqs() {
6	+	echo "${PREREQ}"
7	+	}
8	+
9	+	case "${1}" in
10	+	prereqs)
11	+	prereqs
12	+	exit 0
13	+	;;
14	+	esac
15	+
16	+	. /usr/share/initramfs-tools/hook-functions
17	+
18	+	CONFIG='/etc/wireguard-initramfs/config'
19	+
20	+	# Validate and copy configuration to initramfs
21	+	if [ ! -s "${CONFIG}" ]; then
22	+	echo "Wireguard initramfs config required. Missing: ${CONFIG}"
23	+	return 1
24	+	fi
25	+	. "${CONFIG}"
26	+	if [ ! -s "${CLIENT_PRIVATE_KEYFILE}" ]; then
27	+	echo "Wireguard client private key required. Missing: ${CLIENT_PRIVATE_KEYFILE}"
28	+	return 1
29	+	fi
30	+
31	+	# Copy latest versions of shared objects needed for DNS resolution
32	+	for so in $(ldconfig -p \| sed -nr 's/^\slibnss_files\.so\.[0-9]+\s.=>\s*//p'); do
33	+	copy_exec "${so}"
34	+	done
35	+	for so in $(ldconfig -p \| sed -nr 's/^\slibnss_dns\.so\.[0-9]+\s.=>\s*//p'); do
36	+	copy_exec "${so}"
37	+	done
38	+
39	+	# Copy config and host keys
40	+	mkdir -p -- "${DESTDIR}/etc/wireguard"
41	+	cp -p "${CONFIG}" "${DESTDIR}/etc/wireguard"
42	+	cp -p "${CLIENT_PRIVATE_KEYFILE}" "${DESTDIR}/etc/wireguard/private_key"
43	+
44	+	# Add modules and wireguard exec
45	+	manual_add_modules wireguard
46	+	copy_exec /usr/bin/wg /sbin
47	+

■ ■ ■ ■ ■ ■

init-bottom

1	+	#!/bin/sh
2	+
3	+	PREREQ="dropbear"
4	+
5	+	prereqs() {
6	+	echo "${PREREQ}"
7	+	}
8	+
9	+	case "${1}" in
10	+	prereqs)
11	+	prereqs
12	+	exit 0
13	+	;;
14	+	esac
15	+
16	+	. /scripts/functions
17	+
18	+	. /etc/wireguard/config
19	+	log_begin_msg 'Stopping wireguard boot network'
20	+	ip link delete dev ${INTERFACE}
21	+	log_end_msg
22	+

■ ■ ■ ■ ■ ■

init-premount

1	+	#!/bin/sh
2	+
3	+	PREREQ="udev"
4	+
5	+	prereqs() {
6	+	echo "${PREREQ}"
7	+	}
8	+
9	+	case "${1}" in
10	+	prereqs)
11	+	prereqs
12	+	exit 0
13	+	;;
14	+	esac
15	+
16	+	. /scripts/functions
17	+
18	+	if [ ! -e /sbin/wg ]; then
19	+	log_failure_msg 'Wireguard binary not found, skipping setup'
20	+	exit 0
21	+	fi
22	+	if [ ! -e /etc/wireguard/config ]; then
23	+	log_failure_msg 'Wireguard config not found, skipping setup'
24	+	exit 0
25	+	fi
26	+	if [ ! -e /etc/wireguard/private_key ]; then
27	+	log_failure_msg 'Wireguard client private key not found, skipping setup'
28	+	exit 0
29	+	fi
30	+
31	+	log_begin_msg 'Loading wireguard config'
32	+	. /etc/wireguard/config
33	+
34	+	if [ -z ${INTERFACE} ]; then
35	+	log_failure_msg 'Interface name is not defined!'
36	+	return 1
37	+	fi
38	+
39	+	if [ -z ${INTERFACE_ADDR} ]; then
40	+	log_failure_msg 'Interface address is not defined!'
41	+	return 1
42	+	fi
43	+
44	+	if [ -z ${PEER_PUBLIC_KEY} ]; then
45	+	log_failure_msg 'Peer Public Key is not defined!'
46	+	return 1
47	+	fi
48	+
49	+	if [ -z ${PEER_ENDPOINT} ]; then
50	+	log_failure_msg 'Peer endpoint is not defined!'
51	+	return 1
52	+	fi
53	+
54	+	if [ -z ${PERSISTENT_KEEPALIVES} ]; then
55	+	log_failure_msg 'Persistent Keep Alives is not defined!'
56	+	return 1
57	+	fi
58	+
59	+	if [ -z ${ALLOWED_IPS} ]; then
60	+	log_failure_msg 'Allowed IPs is not defined!'
61	+	return 1
62	+	fi
63	+	log_end_msg
64	+
65	+	log_begin_ms 'Starting wireguard'
66	+
67	+	# Ensure networking is started (idempotent) and setup DNS.
68	+	configure_networking
69	+	touch /etc/resolv.conf
70	+	for adapter in /run/net-*.conf; do
71	+	source "${adapter}"
72	+	echo nameserver "${IPV4DNS0}" >> /etc/resolv.conf
73	+	echo nameserver "${IPV4DNS1}" >> /etc/resolv.conf
74	+	done
75	+
76	+	ip link add dev ${INTERFACE} type wireguard
77	+	/sbin/wg set ${INTERFACE} \
78	+	private-key /etc/wireguard/private_key \
79	+	peer ${PEER_PUBLIC_KEY} \
80	+	endpoint ${PEER_ENDPOINT} \
81	+	persistent-keepalive ${PERSISTENT_KEEPALIVES} \
82	+	allowed-ips ${ALLOWED_IPS}
83	+	ip addr add ${INTERFACE_ADDR} dev ${INTERFACE}
84	+	ip link set ${INTERFACE} up
85	+	ip route add ${ALLOWED_IPS} dev ${INTERFACE}
86	+	log_end_msg
87	+

Initial wireguard-initramfs commit.