commit d6a8182d4191fd587d897c558e5f020099747df9
Author: ale
Date: Tue Feb 4 20:35:21 2025 +0100
initial commit
Signed-off-by: ale
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..ff79280
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,2 @@
+FROM lscr.io/linuxserver/wireguard:latest
+RUN apk add nmap-ncat knock iptables
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..78c4f36
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+# Wireknock
+
+### Wireguard VPN + Port Knocking
+
+## Build
+
+ docker-compose -f compose-client.yml build
+
+## Start
+
+ docker-compose -f compose-client.yml up -d
+
+## Stop
+
+ docker-compose -f compose-client.yml down
+
+## License
+
+ MIT
diff --git a/compose-client.yml b/compose-client.yml
new file mode 100644
index 0000000..6e5d905
--- /dev/null
+++ b/compose-client.yml
@@ -0,0 +1,31 @@
+services:
+ wireknock-client:
+ image: wireknock
+ build: .
+ container_name: wireknock-client
+ hostname: wireknock-client
+ restart: always
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Madrid
+ - INTERNAL_SUBNET=192.168.9.0
+ - ALLOWEDIPS=192.168.9.0/24,0.0.0.0/0
+ - SERVERURL=wireknock-server
+ - SERVERPORT=51820
+ - PERSISTENTKEEPALIVE_PEERS=all
+ - LOG_CONFS=false
+ - USE_COREDNS=false
+ volumes:
+ - ./config-client:/config
+ - /lib/modules:/lib/modules:ro
+ - ./open-sesame.sh:/custom-cont-init.d/open-sesame.sh:ro
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ healthcheck:
+ test: ncat -4 -z -u $SERVERURL $SERVERPORT || kill 1
+ interval: 1m
+ retries: 2
+ start_period: 1m
+ network_mode: host
diff --git a/compose-server.yml b/compose-server.yml
new file mode 100644
index 0000000..5ac8817
--- /dev/null
+++ b/compose-server.yml
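Review bot: `FROM lscr.io/linuxserver/wireguard:latest` plus an unpinned `apk add` makes the build non-reproducible — two builds of this same commit can contain different WireGuard, knockd and iptables versions, which matters for an image that runs with NET_ADMIN in the host network namespace. Pin the base tag (a digest is better still) and the packages, and keep the apk index out of the layer: `FROM lscr.io/linuxserver/wireguard:<pinned-tag>` and `RUN apk add --no-cache nmap-ncat=<ver> knock=<ver> iptables=<ver>` (placeholders to fill from the registry/repo). Since both compose files build this one image, a comment such as `# single image for both roles: knock/ncat for the client side, knockd/iptables for the server side` would tell the next reader why client and server tooling are bundled together.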
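Review bot: The healthcheck `test: ncat -4 -z -u $SERVERURL $SERVERPORT || kill 1` is interpolated by Compose from the host shell environment (or `.env`), not from the service's `environment:` list, so unless SERVERURL and SERVERPORT also happen to be set on the host the probe runs with empty arguments, fails, and `kill 1` restarts the container every interval once the start period is over. Escape the variables so the shell inside the container expands them: `test: ncat -4 -z -u $$SERVERURL $$SERVERPORT || kill 1`. `kill 1` as remediation also deserves a comment stating that it is deliberate (forcing `restart: always` to re-run open-sesame.sh after the knock hole has closed), because a reader will otherwise take it for a mistake. Separately, `ALLOWEDIPS=192.168.9.0/24,0.0.0.0/0` together with `network_mode: host` presumably routes all of the host's traffic through the tunnel once it is up — if that full-tunnel behaviour is intended, say so in a comment.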
@@ -0,0 +1,30 @@
+services:
+ wireknock-server:
+ image: wireknock
+ build: .
+ container_name: wireknock-server
+ hostname: wireknock-server
+ restart: always
+ environment:
+ - IFACE=eth0
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Madrid
+ - SERVERURL=wireknock-server
+ - SERVERPORT=51820
+ - PEERS=3
+ - PEERDNS=auto
+ - INTERNAL_SUBNET=192.168.9.0
+ - ALLOWEDIPS=192.168.9.0/24,192.168.1.0/24
+ - PERSISTENTKEEPALIVE_PEERS=all
+ - LOG_CONFS=false
+ - USE_COREDNS=false
+ volumes:
+ - ./config-server:/config
+ - /lib/modules:/lib/modules:ro
+ - ./init.sh:/custom-cont-init.d/init.sh:ro
+ - ./knockd.conf:/etc/knockd.conf:ro
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ network_mode: host
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..977fcff
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j REJECT
+/usr/sbin/iptables -I INPUT -p tcp --dport 51820 -j REJECT
+/usr/sbin/knockd -d -i $IFACE
diff --git a/knockd.conf b/knockd.conf
new file mode 100644
index 0000000..e999928
--- /dev/null
+++ b/knockd.conf
@@ -0,0 +1,12 @@
+[options]
+ UseSyslog
+
+[openVPN]
+ sequence = 51830:udp,51833:udp,51831:udp
+ seq_timeout = 10
+ command = /usr/sbin/iptables -I INPUT -s %IP% -p udp --dport 51820 -j ACCEPT
+
+[closeVPN]
+ sequence = 51831:udp,51833:udp,51830:udp
+ seq_timeout = 10
+ command = /usr/sbin/iptables -D INPUT -s %IP% -p udp --dport 51820 -j ACCEPT
diff --git a/open-sesame.sh b/open-sesame.sh
new file mode 100755
index 0000000..9145fd9
--- /dev/null
+++ b/open-sesame.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+while :; do ncat -4 -z -u -w 10 $SERVERURL $SERVERPORT && \
+knock -4 -d1000 $SERVERURL 51831:udp 51833:udp 51830:udp || break; done
+knock -4 -d1000 $SERVERURL 51830:udp 51833:udp 51831:udp
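Review bot: `IFACE=eth0` is passed straight to `knockd -d -i $IFACE` in init.sh, and with `network_mode: host` that has to be the name of a host interface; on a host whose uplink is not `eth0` (predictable names such as `enp0s3`, or a bridge) knockd will presumably fail to start while the REJECT rules from init.sh still leave port 51820 closed, with nothing reporting why. A comment on the variable saying it names the host interface that peers reach the server on — or deriving it from the default route in init.sh — would prevent that. `SERVERURL=wireknock-server` is also what ends up as the Endpoint in the generated peer configs, and with host networking there is no Compose DNS for that name, so the clients' hosts must resolve it themselves; that assumption is worth a comment too. The client file defines a healthcheck and this one does not, which reads as an inconsistency rather than a choice.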
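Review bot: The two `iptables -I INPUT ... -j REJECT` lines run on every container start and, because the service uses `network_mode: host` in compose-server.yml, they edit the host's own INPUT chain and are never removed — each restart stacks another copy of each rule on the host. Guard them with a check first, e.g. `/usr/sbin/iptables -C INPUT -p udp --dport 51820 -j REJECT || /usr/sbin/iptables -I INPUT -p udp --dport 51820 -j REJECT` (same pattern for the tcp line, which is belt-and-braces anyway since WireGuard only listens on UDP). `$IFACE` is unquoted and unchecked; add `: "${IFACE:?IFACE must be set}"` before the knockd line so a missing value fails loudly instead of starting knockd with a dangling `-i`. `knockd -d` daemonises outside whatever supervision the base image applies to custom-cont-init.d scripts, so if it dies the port stays closed until the container restarts — I cannot see that mechanism from here, so a comment stating the trade-off is the minimum.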
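Review bot: `[openVPN]` inserts an ACCEPT rule for `%IP%` and only `[closeVPN]` removes it, so a client that crashes, changes address, or simply never sends the close sequence leaves the hole open indefinitely (and each extra open stacks another ACCEPT on the host's INPUT chain). knockd can bound this itself: in `[openVPN]` replace `command` with `start_command = /usr/sbin/iptables -I INPUT -s %IP% -p udp --dport 51820 -j ACCEPT`, `cmd_timeout = <seconds>`, `stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p udp --dport 51820 -j ACCEPT`, keeping `[closeVPN]` for early teardown; if I read compose-client.yml correctly, its healthcheck/restart loop would then re-knock on demand after a timeout. A fixed three-port sequence also offers no replay protection, and knockd's `one_time_sequences` option is the built-in mitigation if the threat model calls for it. `UseSyslog` only produces a record if a syslog daemon runs inside the container; if the base image has none, `LogFile = <path under /config>` (illustrative) would keep the knock log visible on the mounted config volume.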
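Review bot: The `while :` loop on line 2 only exits when the UDP probe fails or a close-knock fails, so if the server filters with DROP rather than REJECT, is unreachable, or an ACCEPT rule keeps being re-added, `ncat -w 10` keeps succeeding (or timing out without an ICMP error, as far as I can tell from ncat's zero-I/O UDP behaviour) and the script never reaches the open knock — stalling the container's init stage forever. Bound the number of close rounds, quote `$SERVERURL`/`$SERVERPORT`, and fail early when they are unset; the limit below is illustrative. The design itself — a successful probe means an ACCEPT rule for this IP already exists, so close until the probe is rejected and then open exactly once, which only works if the server REJECTs rather than DROPs — needs to be written into the script, because the two reversed knock sequences are opaque without it.
```shell
#!/bin/bash
: "${SERVERURL:?SERVERURL must be set}" "${SERVERPORT:?SERVERPORT must be set}"
max_rounds=5   # illustrative bound on close attempts
rounds=0
# A successful zero-I/O UDP probe means the server currently accepts this IP
# (an ACCEPT rule is in place). Send the close sequence until the probe is
# rejected, then open once. Relies on the server REJECTing, not DROPping,
# closed ports so that the probe actually fails.
while ncat -4 -z -u -w 10 "$SERVERURL" "$SERVERPORT"; do
    rounds=$((rounds + 1))
    if [ "$rounds" -gt "$max_rounds" ]; then
        echo "open-sesame: port still open after $max_rounds close attempts, giving up" >&2
        break
    fi
    knock -4 -d1000 "$SERVERURL" 51831:udp 51833:udp 51830:udp || break
done
knock -4 -d1000 "$SERVERURL" 51830:udp 51833:udp 51831:udp
```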