Wireguard protocol + refactoring

2021-06-12 11:59:36 +03:00 · 2021-06-12 11:59:36 +03:00 · 2f6fb0d557
commit 2f6fb0d557
parent 8bdfe1741a
41 changed files with 1245 additions and 152 deletions
--- a/client/server_scripts/openvpn/configure_container.sh
+++ b/client/server_scripts/openvpn/configure_container.sh
@ -7,7 +7,7 @@ ca /opt/amnezia/openvpn/ca.crt \\n\
 cert /opt/amnezia/openvpn/AmneziaReq.crt \\n\
 key /opt/amnezia/openvpn/AmneziaReq.key \\n\
 dh /opt/amnezia/openvpn/dh.pem \\n\
-server $VPN_SUBNET_IP $VPN_SUBNET_MASK \\n\
+server $OPENVPN_SUBNET_IP $OPENVPN_SUBNET_MASK \\n\
 ifconfig-pool-persist ipp.txt \\n\
 duplicate-cn \\n\
 keepalive 10 120 \\n\
--- a/client/server_scripts/openvpn/start.sh
+++ b/client/server_scripts/openvpn/start.sh
@ -3,6 +3,7 @@
 # This scripts copied from Amnezia client to Docker container to /opt/amnezia and launched every time container starts

 echo "Container startup"
+ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up

 if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi

@ -12,10 +13,10 @@ iptables -A FORWARD -i tun0 -j ACCEPT
 iptables -A OUTPUT -o tun0 -j ACCEPT

 # Allow forwarding traffic only from the VPN.
-iptables -A FORWARD -i tun0 -o eth0 -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -j ACCEPT
+iptables -A FORWARD -i tun0 -o eth0 -s $OPENVPN_SUBNET_IP/$OPENVPN_SUBNET_CIDR -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-iptables -t nat -A POSTROUTING -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -o eth0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $OPENVPN_SUBNET_IP/$OPENVPN_SUBNET_CIDR -o eth0 -j MASQUERADE

 # kill daemons in case of restart
 killall -KILL openvpn
--- a/client/server_scripts/openvpn_cloak/configure_container.sh
+++ b/client/server_scripts/openvpn_cloak/configure_container.sh
@ -7,7 +7,7 @@ ca /opt/amnezia/openvpn/ca.crt \\n\
 cert /opt/amnezia/openvpn/AmneziaReq.crt \\n\
 key /opt/amnezia/openvpn/AmneziaReq.key \\n\
 dh /opt/amnezia/openvpn/dh.pem \\n\
-server $VPN_SUBNET_IP $VPN_SUBNET_MASK \\n\
+server $OPENVPN_SUBNET_IP $OPENVPN_SUBNET_MASK \\n\
 ifconfig-pool-persist ipp.txt \\n\
 duplicate-cn \\n\
 keepalive 10 120 \\n\
--- a/client/server_scripts/openvpn_cloak/start.sh
+++ b/client/server_scripts/openvpn_cloak/start.sh
@ -3,6 +3,7 @@
 # This scripts copied from Amnezia client to Docker container to /opt/amnezia and launched every time container starts

 echo "Container startup"
+ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up

 if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi

@ -12,10 +13,10 @@ iptables -A FORWARD -i tun0 -j ACCEPT
 iptables -A OUTPUT -o tun0 -j ACCEPT

 # Allow forwarding traffic only from the VPN.
-iptables -A FORWARD -i tun0 -o eth0 -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -j ACCEPT
+iptables -A FORWARD -i tun0 -o eth0 -s $OPENVPN_SUBNET_IP/$OPENVPN_SUBNET_CIDR -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-iptables -t nat -A POSTROUTING -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -o eth0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $OPENVPN_SUBNET_IP/$OPENVPN_SUBNET_CIDR -o eth0 -j MASQUERADE

 # kill daemons in case of restart
 killall -KILL openvpn
--- a/client/server_scripts/openvpn_shadowsocks/configure_container.sh
+++ b/client/server_scripts/openvpn_shadowsocks/configure_container.sh
@ -7,7 +7,7 @@ ca /opt/amnezia/openvpn/ca.crt \\n\
 cert /opt/amnezia/openvpn/AmneziaReq.crt \\n\
 key /opt/amnezia/openvpn/AmneziaReq.key \\n\
 dh /opt/amnezia/openvpn/dh.pem \\n\
-server $VPN_SUBNET_IP $VPN_SUBNET_MASK \\n\
+server $OPENVPN_SUBNET_IP $OPENVPN_SUBNET_MASK \\n\
 ifconfig-pool-persist ipp.txt \\n\
 duplicate-cn \\n\
 keepalive 10 120 \\n\
--- a/client/server_scripts/openvpn_shadowsocks/start.sh
+++ b/client/server_scripts/openvpn_shadowsocks/start.sh
@ -3,6 +3,7 @@
 # This scripts copied from Amnezia client to Docker container to /opt/amnezia and launched every time container starts

 echo "Container startup"
+ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up

 if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi

@ -12,10 +13,10 @@ iptables -A FORWARD -i tun0 -j ACCEPT
 iptables -A OUTPUT -o tun0 -j ACCEPT

 # Allow forwarding traffic only from the VPN.
-iptables -A FORWARD -i tun0 -o eth0 -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -j ACCEPT
+iptables -A FORWARD -i tun0 -o eth0 -s $OPENVPN_SUBNET_IP/$OPENVPN_SUBNET_CIDR -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-iptables -t nat -A POSTROUTING -s $VPN_SUBNET_IP/$VPN_SUBNET_MASK_VAL -o eth0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $OPENVPN_SUBNET_IP/$OPENVPN_SUBNET_CIDR -o eth0 -j MASQUERADE

 # kill daemons in case of restart
 killall -KILL openvpn
--- a/client/server_scripts/wireguard/Dockerfile
+++ b/client/server_scripts/wireguard/Dockerfile
@ -0,0 +1,47 @@
+#FROM alpine:latest
+FROM itsthenetwork/alpine-tcpdump:latest
+
+LABEL maintainer="AmneziaVPN"
+
+#Install required packages
+RUN apk add --no-cache curl wireguard-tools dumb-init
+RUN apk --update upgrade --no-cache
+
+RUN mkdir -p /opt/amnezia
+RUN echo -e "#!/bin/bash\ntail -f /dev/null" > /opt/amnezia/start.sh
+RUN chmod a+x /opt/amnezia/start.sh
+
+# Tune network  
+RUN echo -e " \n\
+  fs.file-max = 51200 \n\
+  \n\
+  net.core.rmem_max = 67108864 \n\
+  net.core.wmem_max = 67108864 \n\
+  net.core.netdev_max_backlog = 250000 \n\
+  net.core.somaxconn = 4096 \n\
+  \n\
+  net.ipv4.tcp_syncookies = 1 \n\
+  net.ipv4.tcp_tw_reuse = 1 \n\
+  net.ipv4.tcp_tw_recycle = 0 \n\
+  net.ipv4.tcp_fin_timeout = 30 \n\
+  net.ipv4.tcp_keepalive_time = 1200 \n\
+  net.ipv4.ip_local_port_range = 10000 65000 \n\
+  net.ipv4.tcp_max_syn_backlog = 8192 \n\
+  net.ipv4.tcp_max_tw_buckets = 5000 \n\
+  net.ipv4.tcp_fastopen = 3 \n\
+  net.ipv4.tcp_mem = 25600 51200 102400 \n\
+  net.ipv4.tcp_rmem = 4096 87380 67108864 \n\
+  net.ipv4.tcp_wmem = 4096 65536 67108864 \n\
+  net.ipv4.tcp_mtu_probing = 1 \n\
+  net.ipv4.tcp_congestion_control = hybla \n\
+  # for low-latency network, use cubic instead \n\
+  # net.ipv4.tcp_congestion_control = cubic \n\
+  " | sed -e 's/^\s\+//g' | tee -a /etc/sysctl.conf && \
+  mkdir -p /etc/security && \
+  echo -e " \n\
+  * soft nofile 51200 \n\
+  * hard nofile 51200 \n\
+  " | sed -e 's/^\s\+//g' | tee -a /etc/security/limits.conf  
+
+ENTRYPOINT [ "dumb-init", "/opt/amnezia/start.sh" ]
+CMD [ "" ]
--- a/client/server_scripts/wireguard/configure_container.sh
+++ b/client/server_scripts/wireguard/configure_container.sh
@ -0,0 +1,13 @@
+# Wireguard config
+sudo docker exec -i $CONTAINER_NAME bash -c '\
+mkdir -p /opt/amnezia/wireguard; \
+cd /opt/amnezia/wireguard || exit 1; \
+WIREGUARD_SERVER_PRIVATE_KEY=$(wg genkey) && echo $WIREGUARD_SERVER_PRIVATE_KEY > /opt/amnezia/wireguard/wireguard_server_private_key.key; \
+WIREGUARD_SERVER_PUBLIC_KEY=$(echo $WIREGUARD_SERVER_PRIVATE_KEY | wg pubkey) && echo $WIREGUARD_SERVER_PUBLIC_KEY > /opt/amnezia/wireguard/wireguard_server_public_key.key; \
+WIREGUARD_PSK=$(wg genpsk) && echo $WIREGUARD_PSK > /opt/amnezia/wireguard/wireguard_psk.key; \
+echo -e "\
+[Interface]\\n\
+PrivateKey = $WIREGUARD_SERVER_PRIVATE_KEY \\n\
+Address = $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_CIDR \\n\
+ListenPort = $WIREGUARD_SERVER_PORT \\n\
+" >/opt/amnezia/wireguard/wg0.conf'
--- a/client/server_scripts/wireguard/run_container.sh
+++ b/client/server_scripts/wireguard/run_container.sh
@ -0,0 +1,15 @@
+# Run container
+sudo docker run -d \
+--restart always \
+--privileged \
+--cap-add=NET_ADMIN \
+--cap-add=SYS_MODULE \
+-p $WIREGUARD_SERVER_PORT:$WIREGUARD_SERVER_PORT/udp \
+-v /lib/modules:/lib/modules \
+--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
+--name $CONTAINER_NAME \
+$CONTAINER_NAME
+
+# Prevent to route packets outside of the container in case if server behind of the NAT
+#sudo docker exec -i $CONTAINER_NAME sh -c "ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up"
+
--- a/client/server_scripts/wireguard/start.sh
+++ b/client/server_scripts/wireguard/start.sh
@ -0,0 +1,25 @@
+#!/bin/bash
+
+# This scripts copied from Amnezia client to Docker container to /opt/amnezia and launched every time container starts
+
+echo "Container startup"
+#ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
+
+# kill daemons in case of restart
+wg-quick down /opt/amnezia/wireguard/wg0.conf
+
+# start daemons if configured
+if [ -f /opt/amnezia/wireguard/wg0.conf ]; then (wg-quick up /opt/amnezia/wireguard/wg0.conf); fi
+
+# Allow traffic on the TUN interface.
+iptables -A INPUT -i wg0 -j ACCEPT
+iptables -A FORWARD -i wg0 -j ACCEPT
+iptables -A OUTPUT -o wg0 -j ACCEPT
+
+# Allow forwarding traffic only from the VPN.
+iptables -A FORWARD -i wg0 -o eth0 -s $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_MASK_CIDR -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+iptables -t nat -A POSTROUTING -s $WIREGUARD_SUBNET_IP/$OPENVPN_SUBNET_CIDR -o eth0 -j MASQUERADE
+
+tail -f /dev/null
--- a/client/server_scripts/wireguard/template.conf
+++ b/client/server_scripts/wireguard/template.conf
@ -0,0 +1,11 @@
+[Interface]
+Address = 10.8.1.2/32
+DNS = 1.1.1.1, 1.0.0.1
+PrivateKey = $WIREGUARD_CLIENT_PRIVATE_KEY
+
+[Peer]
+PublicKey = $WIREGUARD_SERVER_PUBLIC_KEY
+PresharedKey = $WIREGUARD_PSK
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = $SERVER_IP_ADDRESS:$WIREGUARD_SERVER_PORT
+PersistentKeepalive = 25