diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2020-12-13 10:23:13 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2020-12-13 10:23:13 -0300 |
| commit | 0c1141e3ec4611e52e0876bb9dfaf14135862414 (patch) | |
| tree | 032cb4204a6912c4e89fe6a9d1bbeb7ab3ac011e | |
| parent | 299719becdf9e6e1f7889d61ead45b7023811d43 (diff) | |
| download | trashman-0c1141e3ec4611e52e0876bb9dfaf14135862414.tar.gz trashman-0c1141e3ec4611e52e0876bb9dfaf14135862414.tar.bz2 | |
Feat: adds njalla-openvpn, njalla-wireguard and riseup-vpn systemd service
12 files changed, 551 insertions, 0 deletions
diff --git a/share/trashman/njalla-openvpn/info b/share/trashman/njalla-openvpn/info new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/share/trashman/njalla-openvpn/info diff --git a/share/trashman/njalla-openvpn/unix/linux/debian/files/etc/ferm/ferm.conf b/share/trashman/njalla-openvpn/unix/linux/debian/files/etc/ferm/ferm.conf new file mode 100644 index 0000000..a25a3d2 --- /dev/null +++ b/share/trashman/njalla-openvpn/unix/linux/debian/files/etc/ferm/ferm.conf @@ -0,0 +1,181 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# +# V: 0.1 +# +# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html +# Blog post: https://blog.ipredator.se/linux-firewall-howto.html +# + +# Really make sure that these modules exist and are loaded. +@hook pre "/sbin/modprobe nf_conntrack_ftp"; +@hook pre "/sbin/modprobe nfnetlink_log"; + +# Network interfaces. +#@def $DEV_LAN = eth0; +@def $DEV_LAN = ens3; +@def $DEV_LOOPBACK = lo0; +@def $DEV_VPN = tun0; + +# Network definition for the loopback device. This is needed to allow +# DNS resolution on Ubuntu Linux where the local resolver is bound +# to 127.0.1.1 - as opposed to the default 127.0.0.1. +@def $NET_LOOPBACK = 127.0.0.0/8; + +# Common application ports. +@def $PORT_DNS = 53; +@def $PORT_FTP = ( 20 21 ); +@def $PORT_NTP = 123; +@def $PORT_SSH = 22; +@def $PORT_WEB = ( 80 443 ); + +# The ports we allow OpenVPN to connect to. IPredator allows you +# to connect on _any_ port. Simply add more ports if desired but +# stick to only those that you really need. +@def $PORT_OPENVPN = (1194 1234 1337 2342 5060); + +# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html +# Ports Transmission is allowed to use. +@def $PORT_TRANSMISSION = 16384:65535; + +# Public DNS servers and those that are only reachable via VPN. +# DNS servers are specified in the outbound DNS rules to prevent DNS leaks +# (https://www.dnsleaktest.com/). The public DNS servers configured on your +# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), +# but you need to verify this. +# +@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); + +# Add your ISP name server to this object if you want to restrict +# which DNS servers can be queried. +@def $IP_DNS_PUBLIC = 0.0.0.0/0; + +# DNS server available within the VPN. +@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); + +# Make sure to use the proper VPN interface (e.g. tun0 in this case). +# Note: You cannot reference $DEV_VPN here, substition does not take +# place for commands passed to a sub shell. +@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; + +# VPN interface conditional. If true the following rules are loaded. +@if $VPN_ACTIVE { + domain ip { + table filter { + chain INPUT { + interface $DEV_VPN { + proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; + } + } + chain OUTPUT { + # Default allowed outbound services on the VPN interface. + # If you need more simply add your rules here. + outerface $DEV_VPN { + proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; + proto tcp dport $PORT_FTP ACCEPT; + proto udp dport $PORT_NTP ACCEPT; + proto tcp dport $PORT_SSH ACCEPT; + proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; + proto tcp dport $PORT_WEB ACCEPT; + } + } + } + } +} + +# The main IPv4 rule set. +domain ip { + table filter { + chain INPUT { + # The default policy for the chain. Usually ACCEPT or DROP or REJECT. + policy DROP; + + # Connection tracking. + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # Allow local traffic to loopback interface. + daddr $NET_LOOPBACK ACCEPT; + + # Allow inbound SSH on your LAN interface _only_. + interface $DEV_LAN { + proto tcp dport $PORT_SSH ACCEPT; + } + + # Respond to ping ... makes debugging easier. + proto icmp icmp-type echo-request ACCEPT; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + + chain OUTPUT { + policy DROP; + + # Connection tracking. + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # Allow local traffic from the loopback interface. + saddr $NET_LOOPBACK ACCEPT; + + # Respond to ping. + proto icmp icmp-type echo-request ACCEPT; + + # Allowed services on the LAN interface. + outerface $DEV_LAN { + proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; + proto udp dport $PORT_NTP ACCEPT; + proto (tcp udp) dport $PORT_OPENVPN ACCEPT; + proto tcp dport $PORT_SSH ACCEPT; + } + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + + chain FORWARD { + policy DROP; + + # If you use your machine to route traffic eg. + # from a VM you have to add rules here! + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + } +} + +# IPv6 is generally disabled, communication on the loopback device is allowed. +domain ip6 { + table filter { + chain INPUT { + policy DROP; + + # Allow local traffic. + interface $DEV_LOOPBACK ACCEPT; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + chain OUTPUT { + policy DROP; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + chain FORWARD { + policy DROP; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + } +} diff --git a/share/trashman/njalla-openvpn/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules b/share/trashman/njalla-openvpn/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules new file mode 100644 index 0000000..64d8bd1 --- /dev/null +++ b/share/trashman/njalla-openvpn/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules @@ -0,0 +1,2 @@ +KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" +KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/trashman/njalla-openvpn/unix/linux/debian/files/usr/local/bin/fermreload.sh b/share/trashman/njalla-openvpn/unix/linux/debian/files/usr/local/bin/fermreload.sh new file mode 100755 index 0000000..cebf7cc --- /dev/null +++ b/share/trashman/njalla-openvpn/unix/linux/debian/files/usr/local/bin/fermreload.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# +# fermreload.sh +# V: 0.1 +# +# Reloads the ferm firewall ruleset and is invoked by +# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. +# +# IPredator 2014 +# Released under the Kopimi license. +# +# Blog post: https://blog.ipredator.se/linux-firewall-howto.html +# + +LOGGER=/usr/bin/logger +LOGGER_TAG=$0 + +UDEV_ACTION=$1 + +FERM=/usr/sbin/ferm +FERM_CONF=/etc/ferm/ferm.conf + +MSG_FW_RULE_ADD="Adding VPN firewall rules." +MSG_FW_RULE_REMOVE="Removing VPN firewall rules." +MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." + +case "$UDEV_ACTION" in + add) + $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD + $FERM $FERM_CONF + ;; + remove) + $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE + $FERM $FERM_CONF + ;; + *) + $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN + exit 1 +esac diff --git a/share/trashman/njalla-openvpn/unix/linux/debian/install b/share/trashman/njalla-openvpn/unix/linux/debian/install new file mode 100755 index 0000000..e3f235a --- /dev/null +++ b/share/trashman/njalla-openvpn/unix/linux/debian/install @@ -0,0 +1,49 @@ +#!/usr/bin/env bash +# +# Full desktop provision example +# +# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published +# by the Free Software Foundation, either version 3 of the License, +# or any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +# Parameters +SHARE="$1" +LIB="$2" + +# Include basic functions +. $LIB/trashman/functions || exit 1 +. $LIB/trashman/debian || exit 1 + +# Requirements +trashman_apt_install openvpn resolvconf dnsutils curl + +# Firewall +trashman_apt_install ferm ulogd2 ulogd2-pcap +cp $SHARE/njalla-openvpn/unix/linux/debian/files/etc/ferm/ferm.conf /etc/ferm +cp $SHARE/njalla-openvpn/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d +cp $SHARE/njalla-openvpn/unix/linux/debian/files/usr/local/bin/fermreload.sh /usr/local/bin +chmod 555 /usr/local/bin/fermreload.sh +sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm +service ferm restart + +# Njalla +#sudo cp $DIRNAME/files/njalla/etc/openvpn/njalla.conf /etc/openvpn +#sudo touch /etc/openvpn/njalla.auth +#sudo chown root:root /etc/openvpn/njalla.conf +#sudo chown root:root /etc/openvpn/njalla.auth +#sudo chmod 400 /etc/openvpn/njalla.conf +#sudo chmod 400 /etc/openvpn/njalla.auth +#echo "Please set user/password at /etc/openvpn/njalla.auth" +echo "Please configure /etc/openvpn/njalla.conf" diff --git a/share/trashman/njalla-wireguard/info b/share/trashman/njalla-wireguard/info new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/share/trashman/njalla-wireguard/info diff --git a/share/trashman/njalla-wireguard/unix/linux/debian/files/etc/ferm/ferm.conf b/share/trashman/njalla-wireguard/unix/linux/debian/files/etc/ferm/ferm.conf new file mode 100644 index 0000000..9ef8208 --- /dev/null +++ b/share/trashman/njalla-wireguard/unix/linux/debian/files/etc/ferm/ferm.conf @@ -0,0 +1,179 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# +# V: 0.1 +# +# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html +# Blog post: https://blog.ipredator.se/linux-firewall-howto.html +# + +# Really make sure that these modules exist and are loaded. +@hook pre "/sbin/modprobe nf_conntrack_ftp"; +@hook pre "/sbin/modprobe nfnetlink_log"; + +# Network interfaces. +#@def $DEV_LAN = eth0; +@def $DEV_LAN = ens3; +@def $DEV_LOOPBACK = lo0; +@def $DEV_VPN = wg0; + +# Network definition for the loopback device. This is needed to allow +# DNS resolution on Ubuntu Linux where the local resolver is bound +# to 127.0.1.1 - as opposed to the default 127.0.0.1. +@def $NET_LOOPBACK = 127.0.0.0/8; + +# Common application ports. +@def $PORT_DNS = 53; +@def $PORT_FTP = ( 20 21 ); +@def $PORT_NTP = 123; +@def $PORT_SSH = 22; +@def $PORT_WEB = ( 80 443 ); + +# The ports we allow to connect to. +@def $PORT_WIREGUARD = ( 51820 ); + +# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html +# Ports Transmission is allowed to use. +@def $PORT_TRANSMISSION = 16384:65535; + +# Public DNS servers and those that are only reachable via VPN. +# DNS servers are specified in the outbound DNS rules to prevent DNS leaks +# (https://www.dnsleaktest.com/). The public DNS servers configured on your +# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), +# but you need to verify this. +# +@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 ); + +# Add your ISP name server to this object if you want to restrict +# which DNS servers can be queried. +@def $IP_DNS_PUBLIC = 0.0.0.0/0; + +# DNS server available within the VPN. +@def $IP_DNS_VPN = ( 95.215.19.53/32 ); + +# Make sure to use the proper VPN interface (e.g. wg0 in this case). +# Note: You cannot reference $DEV_VPN here, substition does not take +# place for commands passed to a sub shell. +@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`; + +# VPN interface conditional. If true the following rules are loaded. +@if $VPN_ACTIVE { + domain ip { + table filter { + chain INPUT { + interface $DEV_VPN { + proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; + } + } + chain OUTPUT { + # Default allowed outbound services on the VPN interface. + # If you need more simply add your rules here. + outerface $DEV_VPN { + proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; + proto tcp dport $PORT_FTP ACCEPT; + proto udp dport $PORT_NTP ACCEPT; + proto tcp dport $PORT_SSH ACCEPT; + proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; + proto tcp dport $PORT_WEB ACCEPT; + } + } + } + } +} + +# The main IPv4 rule set. +domain ip { + table filter { + chain INPUT { + # The default policy for the chain. Usually ACCEPT or DROP or REJECT. + policy DROP; + + # Connection tracking. + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # Allow local traffic to loopback interface. + daddr $NET_LOOPBACK ACCEPT; + + # Allow inbound SSH on your LAN interface _only_. + interface $DEV_LAN { + proto tcp dport $PORT_SSH ACCEPT; + } + + # Respond to ping ... makes debugging easier. + proto icmp icmp-type echo-request ACCEPT; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + + chain OUTPUT { + policy DROP; + + # Connection tracking. + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # Allow local traffic from the loopback interface. + saddr $NET_LOOPBACK ACCEPT; + + # Respond to ping. + proto icmp icmp-type echo-request ACCEPT; + + # Allowed services on the LAN interface. + outerface $DEV_LAN { + proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; + proto udp dport $PORT_NTP ACCEPT; + proto (tcp udp) dport $PORT_WIREGUARD ACCEPT; + proto tcp dport $PORT_SSH ACCEPT; + } + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + + chain FORWARD { + policy DROP; + + # If you use your machine to route traffic eg. + # from a VM you have to add rules here! + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + } +} + +# IPv6 is generally disabled, communication on the loopback device is allowed. +domain ip6 { + table filter { + chain INPUT { + policy DROP; + + # Allow local traffic. + interface $DEV_LOOPBACK ACCEPT; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + chain OUTPUT { + policy DROP; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + chain FORWARD { + policy DROP; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + } +} diff --git a/share/trashman/njalla-wireguard/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules b/share/trashman/njalla-wireguard/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules new file mode 100644 index 0000000..8c9d744 --- /dev/null +++ b/share/trashman/njalla-wireguard/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules @@ -0,0 +1,2 @@ +KERNEL=="wg0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" +KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/trashman/njalla-wireguard/unix/linux/debian/files/usr/local/bin/fermreload.sh b/share/trashman/njalla-wireguard/unix/linux/debian/files/usr/local/bin/fermreload.sh new file mode 100755 index 0000000..cebf7cc --- /dev/null +++ b/share/trashman/njalla-wireguard/unix/linux/debian/files/usr/local/bin/fermreload.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# +# fermreload.sh +# V: 0.1 +# +# Reloads the ferm firewall ruleset and is invoked by +# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. +# +# IPredator 2014 +# Released under the Kopimi license. +# +# Blog post: https://blog.ipredator.se/linux-firewall-howto.html +# + +LOGGER=/usr/bin/logger +LOGGER_TAG=$0 + +UDEV_ACTION=$1 + +FERM=/usr/sbin/ferm +FERM_CONF=/etc/ferm/ferm.conf + +MSG_FW_RULE_ADD="Adding VPN firewall rules." +MSG_FW_RULE_REMOVE="Removing VPN firewall rules." +MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." + +case "$UDEV_ACTION" in + add) + $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD + $FERM $FERM_CONF + ;; + remove) + $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE + $FERM $FERM_CONF + ;; + *) + $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN + exit 1 +esac diff --git a/share/trashman/njalla-wireguard/unix/linux/debian/install b/share/trashman/njalla-wireguard/unix/linux/debian/install new file mode 100755 index 0000000..4ff6d7d --- /dev/null +++ b/share/trashman/njalla-wireguard/unix/linux/debian/install @@ -0,0 +1,42 @@ +#!/usr/bin/env bash +# +# Full desktop provision example +# +# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published +# by the Free Software Foundation, either version 3 of the License, +# or any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +# Parameters +SHARE="$1" +LIB="$2" + +# Include basic functions +. $LIB/trashman/functions || exit 1 +. $LIB/trashman/debian || exit 1 + +# Requirements +trashman_apt_install wireguard-tools resolvconf dnsutils curl + +# Firewall +$APT_INSTALL ferm ulogd2 ulogd2-pcap +cp $SHARE/njalla-wireguard/unix/linux/debian/files/etc/ferm/ferm.conf /etc/ferm +cp $SHARE/njalla-wireguard/unix/linux/debian/files/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d +cp $SHARE/njalla-wireguard/unix/linux/debian/files/usr/local/bin/fermreload.sh /usr/local/bin +chmod 555 /usr/local/bin/fermreload.sh +sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm +service ferm restart + +# Njalla +echo "Please configure /etc/wireguard/ng0.conf" diff --git a/share/trashman/riseup-vpn/unix/linux/debian/files/etc/systemd/system/riseup-vpn.service b/share/trashman/riseup-vpn/unix/linux/debian/files/etc/systemd/system/riseup-vpn.service new file mode 100644 index 0000000..694d374 --- /dev/null +++ b/share/trashman/riseup-vpn/unix/linux/debian/files/etc/systemd/system/riseup-vpn.service @@ -0,0 +1,11 @@ +[Unit] +Description=riseup-vpn service +After=network.target + +[Service] +Type=simple +Restart=always +ExecStart=/snap/bin/riseup-vpn.launcher + +[Install] +WantedBy=multi-user.target diff --git a/share/trashman/riseup-vpn/unix/linux/debian/install b/share/trashman/riseup-vpn/unix/linux/debian/install index 7303f40..e268548 100755 --- a/share/trashman/riseup-vpn/unix/linux/debian/install +++ b/share/trashman/riseup-vpn/unix/linux/debian/install @@ -21,6 +21,13 @@ trashman_apt_install snapd gnome-software-plugin-snap desktop-file-utils dnsutil # Riseup VPN snap install --classic riseup-vpn +# Systemd service +cp $SHARE/riseup-vpn/files/etc/systemd/system/riseup-vpn.service /etc/systemd/system +chown root. /etc/systemd/system/riseup-vpn.service +systemctl daemon-reload +systemctl enable --now riseup-vpn.service +systemctl start riseup-vpn.service + # To launch manually as a regular user # See https://riseup.net/en/vpn/linux #/snap/bin/riseup-vpn.launcher |