initial commit

Signed-off-by: ale <ale@manalejandro.com>

Dockerfile

@@ -0,0 +1,2 @@
+FROM lscr.io/linuxserver/wireguard:latest
+RUN apk add nmap-ncat knock iptables

README.md

@@ -0,0 +1,19 @@
+# Wireknock
+
+### Wireguard VPN + Port Knocking
+
+## Build
+
+	docker-compose -f compose-client.yml build
+
+## Start
+
+	docker-compose -f compose-client.yml up -d
+
+## Stop
+
+	docker-compose -f compose-client.yml down
+
+## License
+
+	MIT

compose-client.yml

@@ -0,0 +1,31 @@
+services:
+  wireknock-client:
+    image: wireknock
+    build: .
+    container_name: wireknock-client
+    hostname: wireknock-client
+    restart: always
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Madrid
+      - INTERNAL_SUBNET=192.168.9.0
+      - ALLOWEDIPS=192.168.9.0/24,0.0.0.0/0
+      - SERVERURL=wireknock-server
+      - SERVERPORT=51820
+      - PERSISTENTKEEPALIVE_PEERS=all
+      - LOG_CONFS=false
+      - USE_COREDNS=false
+    volumes:
+      - ./config-client:/config
+      - /lib/modules:/lib/modules:ro
+      - ./open-sesame.sh:/custom-cont-init.d/open-sesame.sh:ro
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    healthcheck:
+        test: ncat -4 -z -u $SERVERURL $SERVERPORT || kill 1
+        interval: 1m
+        retries: 2
+        start_period: 1m
+    network_mode: host

compose-server.yml

@@ -0,0 +1,30 @@
+services:
+  wireknock-server:
+    image: wireknock
+    build: .
+    container_name: wireknock-server
+    hostname: wireknock-server
+    restart: always
+    environment:
+      - IFACE=eth0
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Madrid
+      - SERVERURL=wireknock-server
+      - SERVERPORT=51820
+      - PEERS=3
+      - PEERDNS=auto
+      - INTERNAL_SUBNET=192.168.9.0
+      - ALLOWEDIPS=192.168.9.0/24,192.168.1.0/24
+      - PERSISTENTKEEPALIVE_PEERS=all
+      - LOG_CONFS=false
+      - USE_COREDNS=false
+    volumes:
+      - ./config-server:/config
+      - /lib/modules:/lib/modules:ro
+      - ./init.sh:/custom-cont-init.d/init.sh:ro
+      - ./knockd.conf:/etc/knockd.conf:ro
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: host

init.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j REJECT
+/usr/sbin/iptables -I INPUT -p tcp --dport 51820 -j REJECT
+/usr/sbin/knockd -d -i $IFACE

knockd.conf

@@ -0,0 +1,12 @@
+[options]
+	UseSyslog
+
+[openVPN]
+	sequence    = 51830:udp,51833:udp,51831:udp
+	seq_timeout = 10
+	command     = /usr/sbin/iptables -I INPUT -s %IP% -p udp --dport 51820 -j ACCEPT
+
+[closeVPN]
+	sequence    = 51831:udp,51833:udp,51830:udp
+	seq_timeout = 10
+	command     = /usr/sbin/iptables -D INPUT -s %IP% -p udp --dport 51820 -j ACCEPT

open-sesame.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+while :; do ncat -4 -z -u -w 10 $SERVERURL $SERVERPORT && \
+knock -4 -d1000 $SERVERURL 51831:udp 51833:udp 51830:udp || break; done
+knock -4 -d1000 $SERVERURL 51830:udp 51833:udp 51831:udp