From d6a8182d4191fd587d897c558e5f020099747df9 Mon Sep 17 00:00:00 2001
From: ale
Date: Tue, 4 Feb 2025 20:35:21 +0100
Subject: [PATCH] initial commit

Signed-off-by: ale
---
 Dockerfile | 2 ++
 README.md | 19 +++++++++++++++++++
 compose-client.yml | 31 +++++++++++++++++++++++++++++++
 compose-server.yml | 30 ++++++++++++++++++++++++++++++
 init.sh | 4 ++++
 knockd.conf | 12 ++++++++++++
 open-sesame.sh | 4 ++++
 7 files changed, 102 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100644 compose-client.yml
 create mode 100644 compose-server.yml
 create mode 100755 init.sh
 create mode 100644 knockd.conf
 create mode 100755 open-sesame.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..ff79280
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,2 @@
+FROM lscr.io/linuxserver/wireguard:latest
+RUN apk add nmap-ncat knock iptables
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..78c4f36
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+# Wireknock
+
+### Wireguard VPN + Port Knocking
+
+## Build
+
+ docker-compose -f compose-client.yml build
+
+## Start
+
+ docker-compose -f compose-client.yml up -d
+
+## Stop
+
+ docker-compose -f compose-client.yml down
+
+## License
+
+ MIT
diff --git a/compose-client.yml b/compose-client.yml
new file mode 100644
index 0000000..6e5d905
--- /dev/null
+++ b/compose-client.yml
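Review bot: The base image is pulled as `:latest` and the `RUN apk add nmap-ncat knock iptables` line pins no package versions and omits `--no-cache`, so two builds of this Dockerfile can produce different images and the apk index is left in the layer. Pin the linuxserver tag (by digest where possible), e.g. `FROM lscr.io/linuxserver/wireguard:<pinned-tag>`, and install with `RUN apk add --no-cache nmap-ncat knock iptables`. Since both compose files build this same image, a header comment would help the next reader: `# Shared image for client and server: ncat/knock are used by the cont-init scripts, iptables by knockd and init.sh`.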
@@ -0,0 +1,31 @@
+services:
+ wireknock-client:
+ image: wireknock
+ build: .
+ container_name: wireknock-client
+ hostname: wireknock-client
+ restart: always
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Madrid
+ - INTERNAL_SUBNET=192.168.9.0
+ - ALLOWEDIPS=192.168.9.0/24,0.0.0.0/0
+ - SERVERURL=wireknock-server
+ - SERVERPORT=51820
+ - PERSISTENTKEEPALIVE_PEERS=all
+ - LOG_CONFS=false
+ - USE_COREDNS=false
+ volumes:
+ - ./config-client:/config
+ - /lib/modules:/lib/modules:ro
+ - ./open-sesame.sh:/custom-cont-init.d/open-sesame.sh:ro
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ healthcheck:
+ test: ncat -4 -z -u $SERVERURL $SERVERPORT || kill 1
+ interval: 1m
+ retries: 2
+ start_period: 1m
+ network_mode: host
diff --git a/compose-server.yml b/compose-server.yml
new file mode 100644
index 0000000..5ac8817
--- /dev/null
+++ b/compose-server.yml
@@ -0,0 +1,30 @@
+services:
+ wireknock-server:
+ image: wireknock
+ build: .
+ container_name: wireknock-server
+ hostname: wireknock-server
+ restart: always
+ environment:
+ - IFACE=eth0
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Madrid
+ - SERVERURL=wireknock-server
+ - SERVERPORT=51820
+ - PEERS=3
+ - PEERDNS=auto
+ - INTERNAL_SUBNET=192.168.9.0
+ - ALLOWEDIPS=192.168.9.0/24,192.168.1.0/24
+ - PERSISTENTKEEPALIVE_PEERS=all
+ - LOG_CONFS=false
+ - USE_COREDNS=false
+ volumes:
+ - ./config-server:/config
+ - /lib/modules:/lib/modules:ro
+ - ./init.sh:/custom-cont-init.d/init.sh:ro
+ - ./knockd.conf:/etc/knockd.conf:ro
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ network_mode: host
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..977fcff
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j REJECT
+/usr/sbin/iptables -I INPUT -p tcp --dport 51820 -j REJECT
+/usr/sbin/knockd -d -i $IFACE
diff --git a/knockd.conf b/knockd.conf
new file mode 100644
index 0000000..e999928
--- /dev/null
+++ b/knockd.conf
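Review bot: The healthcheck `test: ncat -4 -z -u $SERVERURL $SERVERPORT || kill 1` has two non-obvious dependencies that the file does not state: a UDP zero-I/O probe can only fail when the peer answers with ICMP port-unreachable, so it is meaningful solely because the server side uses `REJECT` rather than `DROP`, and `kill 1` terminates the container's init process so that `restart: always` recreates the container (and, presumably, re-runs the cont-init knock script). A comment above `healthcheck:` would capture this, e.g. `# UDP probe: fails only on ICMP port-unreachable (server REJECT); after 2 failures kill init so restart: always recreates the container`. Separately, `ALLOWEDIPS=192.168.9.0/24,0.0.0.0/0` together with `network_mode: host` sends all of the host's traffic through the tunnel once it is up; a one-line comment would make clear that a full tunnel on the host is the intended deployment.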
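Review bot: `IFACE=eth0` is the interface passed to `knockd -i` in init.sh, and because this service runs with `network_mode: host` it must name the host's external NIC rather than any container interface, which will silently differ on hosts using `ens*`/`enp*` names; a comment on that line, `# host NIC knockd listens on (network_mode: host), must match the real interface name`, would prevent that. Unlike compose-client.yml this service has no `healthcheck:`, so if knockd exits the REJECT rules from init.sh keep 51820 closed and nothing restarts the container; a cheap process check on knockd (e.g. `pgrep knockd`, if the image provides it) would mirror the client side.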
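Review bot: The two `iptables -I INPUT ... -j REJECT` lines are not idempotent: with `network_mode: host` the rules live in the host's network namespace and survive the container, so every restart under `restart: always` inserts another duplicate pair into INPUT. Guard each insert with `iptables -C` first, quote `$IFACE` and fail loudly when it is unset (an unset `-i` argument would make knockd listen on an unintended interface or fail to start without the REJECT rules being visible as the cause), and add `set -eu` so a failed iptables call does not still launch knockd. The TCP rule is harmless but inert, since WireGuard only uses UDP; a comment saying so avoids later confusion. Rewritten body below.
```bash
#!/bin/bash
set -eu
# Idempotent: with network_mode: host these rules live in the host netns and
# would otherwise be duplicated on every container restart (restart: always).
# REJECT (not DROP) is deliberate: the client healthcheck relies on the ICMP reply.
for proto in udp tcp; do
  /usr/sbin/iptables -C INPUT -p "$proto" --dport 51820 -j REJECT 2>/dev/null \
    || /usr/sbin/iptables -I INPUT -p "$proto" --dport 51820 -j REJECT
done
/usr/sbin/knockd -d -i "${IFACE:?IFACE must name the host interface knockd listens on}"
```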
@@ -0,0 +1,12 @@
+[options]
+ UseSyslog
+
+[openVPN]
+ sequence = 51830:udp,51833:udp,51831:udp
+ seq_timeout = 10
+ command = /usr/sbin/iptables -I INPUT -s %IP% -p udp --dport 51820 -j ACCEPT
+
+[closeVPN]
+ sequence = 51831:udp,51833:udp,51830:udp
+ seq_timeout = 10
+ command = /usr/sbin/iptables -D INPUT -s %IP% -p udp --dport 51820 -j ACCEPT
diff --git a/open-sesame.sh b/open-sesame.sh
new file mode 100755
index 0000000..9145fd9
--- /dev/null
+++ b/open-sesame.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+while :; do ncat -4 -z -u -w 10 $SERVERURL $SERVERPORT && \
+knock -4 -d1000 $SERVERURL 51831:udp 51833:udp 51830:udp || break; done
+knock -4 -d1000 $SERVERURL 51830:udp 51833:udp 51831:udp
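Review bot: The `[openVPN]` rule never expires: its `command` inserts a per-IP ACCEPT that stays in INPUT until the same client sends the `[closeVPN]` sequence, so a client that crashes or changes address leaves 51820 open for that source indefinitely. knockd supports timed rules directly; replace the `command =` line in `[openVPN]` with `start_command = /usr/sbin/iptables -I INPUT -s %IP% -p udp --dport 51820 -j ACCEPT`, `cmd_timeout = 3600`, `stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p udp --dport 51820 -j ACCEPT`, after which `[closeVPN]` becomes an optional early-close. Note also that `iptables -D` removes only the first matching rule, so two open knocks followed by one close still leave one ACCEPT in place; a comment above `[closeVPN]` should say so. Finally, the sequence is sent in clear text, so it is an obscurity layer rather than authentication (WireGuard's own keys remain the real control); knockd's `one_time_sequences` option exists if replay of the sequence is a concern, and a comment in `[options]` stating this intent would help.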
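Review bot: The `while :; do ... || break; done` loop has no upper bound: it keeps sending the close sequence for as long as `ncat -z -u` reports the port reachable, and because this file runs from `/custom-cont-init.d/` it blocks the rest of container startup, so a server that never closes the port (REJECT missing, a stray ACCEPT, or a DROP-style firewall in between that makes the UDP probe always "succeed") stalls WireGuard forever. Bound the retries, quote `$SERVERURL`/`$SERVERPORT`, and log when giving up; the final open knock should run regardless. The loop's purpose (flushing a stale ACCEPT left by a previous run) is only inferable from the order close-then-open and deserves a comment. Rewritten body below.
```bash
#!/bin/bash
set -u
# While the server still answers on SERVERPORT, send the close sequence to drop
# any stale per-IP ACCEPT left from a previous run; bound it so a server that
# never closes cannot stall container init (this runs from custom-cont-init.d).
tries=0
while ncat -4 -z -u -w 10 "$SERVERURL" "$SERVERPORT"; do
  tries=$((tries + 1))
  if [ "$tries" -gt 5 ]; then
    echo "open-sesame: port still open after $tries close knocks, continuing" >&2
    break
  fi
  knock -4 -d1000 "$SERVERURL" 51831:udp 51833:udp 51830:udp || break
done
knock -4 -d1000 "$SERVERURL" 51830:udp 51833:udp 51831:udp
```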