fix: clean Wireguard rules

- Remove OpenVPN code comments; - Reorganize rules for easier reading; - Server can connect without having client attached; - Systemd service for easier monitoring of wg-quick; and - Firewall also restarts wg-quick and apply new endpoint rules.
2024-10-01 02:35:49 -04:00 · 2024-06-19 15:08:03 +02:00 · 2024-06-19 15:08:03 +02:00 · 6ec0768f13
commit 6ec0768f13
parent f86e30a6b6
10 changed files with 106 additions and 103 deletions
--- a/salt/sys-wireguard/configure.sls
+++ b/salt/sys-wireguard/configure.sls
@ -8,15 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - dev.home-cleanup

-"{{ slsdotpath }}-rc.local":
-  file.managed:
-    - name: /rw/config/rc.local.d/50-sys-wireguard.rc
-    - source: salt://{{ slsdotpath }}/files/server/rc.local.d/50-sys-wireguard.rc
-    - user: root
-    - group: root
-    - mode: '0755'
-    - makedirs: True
-
 "{{ slsdotpath }}-qubes-firewall":
  file.recurse:
    - name: /rw/config/qubes-firewall.d/
--- a/salt/sys-wireguard/create.sls
+++ b/salt/sys-wireguard/create.sls
@ -50,7 +50,7 @@ features:
 "{{ slsdotpath }}-qvm-wireguard":
  file.managed:
    - name: /usr/local/bin/qvm-wireguard
-    - source: salt://{{ slsdotpath }}/files/admin/qvm-wireguard
+    - source: salt://{{ slsdotpath }}/files/admin/bin/qvm-wireguard
    - user: root
    - group: root
    - mode: '0755'
--- a/salt/sys-wireguard/files/admin/bin/qvm-wireguard
+++ b/salt/sys-wireguard/files/admin/bin/qvm-wireguard
@ -0,0 +1,72 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
+# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+test "$(id -u)" = "0" || exec sudo "$0" "$@"
+
+usage(){
+  echo "Usage: ${0##*/} [QUBE]"
+  exit "${1:-1}"
+}
+
+case "${1-}" in
+  -h|--help) usage 0;;
+  -*) usage 1;;
+  "") qube="sys-wireguard";;
+  *) qube="${1}";;
+esac
+
+if ! qvm-check -q -- "$qube" >/dev/null 2>&1; then
+  echo "Qube '$qube' doesn't exist" >&2
+  usage 1
+fi
+
+user_conf="/home/user/wireguard.conf"
+system_conf="/etc/wireguard/wireguard.conf"
+
+qvm-run "$qube" -- "test -f ${user_conf}" || {
+  echo "File '${user_conf}' was not found" >&2
+  exit 1
+}
+
+qvm-run -u root "$qube" -- "cp ${user_conf} ${system_conf}"
+
+## TOFU
+# shellcheck disable=SC2016
+endpoint="$(qvm-run -p -u root "$qube" -- awk '/Endpoint/{print $3}' "${system_conf}")"
+if echo "${endpoint}" | grep -qF "["; then
+  ip="${ip##[\[]}"
+  ip="${ip%%\]*}"
+  port="${endpoint##*:}"
+else
+  ip="${endpoint%%:*}"
+  port="${endpoint##*:}"
+fi
+
+if test -z "$ip" || test -z "$port";then
+  echo "Endpoint (IP:Port) not found: ${system_conf}" >&2
+  exit 1
+fi
+
+if qvm-check -q --running -- "$qube" >/dev/null 2>&1; then
+  qvm-pause --verbose -- "$qube"
+fi
+
+echo "Firewalling $qube to reach only '$ip:$port'"
+qvm-firewall --verbose -- "$qube" reset
+qvm-firewall --verbose -- "$qube" del --rule-no 0
+qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" proto=udp
+qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" proto=tcp
+qvm-firewall --verbose -- "$qube" add drop
+
+if qvm-check -q --paused -- "$qube" >/dev/null 2>&1; then
+  qvm-unpause --verbose -- "$qube"
+fi
+
+qvm-run -u root "$qube" -- "systemctl restart wg-quick@wireguard"
+qvm-run -u root "$qube" -- "/rw/config/network-hooks.d/50-sys-wireguard"
--- a/salt/sys-wireguard/files/admin/qvm-wireguard
+++ b/salt/sys-wireguard/files/admin/qvm-wireguard
@ -1,46 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
-# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-
-test "$(id -u)" = "0" || exec sudo "$0" "$@"
-qube="${1:-"sys-wireguard"}"
-
-if ! qvm-check -q "$qube" >/dev/null 2>&1; then
-  echo "Qube '$qube' doesn't exist" >&2
-  exit 1
-fi
-
-qvm-run "$qube" -- test -f /home/user/wireguard.conf || {
-  echo "File /home/user/wireguard.conf was not found" >&2
-  exit 1
-}
-
-## TOFU
-# shellcheck disable=SC2016
-endpoint="$(qvm-run -p "$qube" -- awk '/Endpoint/{print $3}' /home/user/wireguard.conf)"
-ip="$(echo "$endpoint" | cut -d ":" -f 1)"
-port="$(echo "$endpoint" | cut -d ":" -f 2)"
-if test -z "$ip" || test -z "$port";then
-  echo "Endpoint (IP:Port) not found in /home/user/wireguard.conf" >&2
-  exit 1
-fi
-
-if qvm-check -q --running "$qube" >/dev/null 2>&1; then
-  qvm-pause --verbose "$qube"
-fi
-
-echo "Firewalling $qube"
-qvm-firewall --verbose "$qube" reset
-qvm-firewall --verbose "$qube" del --rule-no 0
-qvm-firewall --verbose "$qube" add accept dsthost="$ip" dstports="$port" proto=udp
-qvm-firewall --verbose "$qube" add accept dsthost="$ip" dstports="$port" proto=tcp
-qvm-firewall --verbose "$qube" add drop
-
-if qvm-check -q --paused "$qube" >/dev/null 2>&1; then
-  qvm-unpause --verbose "$qube"
-fi
--- a/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var
@ -6,10 +6,10 @@

 set -eu

-wg_conf="/home/user/wireguard.conf"
+wg_conf="/etc/wireguard/wireguard.conf"
 nft_conf="/var/run/wireguard/dnat.nft"

-mkdir -p /var/run/wireguard/
+mkdir -p "${nft_conf%/*}"
 rm -f "${nft_conf}"
 touch "${nft_conf}"

@ -25,6 +25,13 @@ set_nft_dnat(){
 }

 dns="$(grep -s "^\s*DNS\s*=\s*\S\+" "${wg_conf}" | sed "s/.*=//;s/ //g")"
+
+if test -z "${dns}"; then
+  set_nft "insert rule ip  qubes custom-dnat drop"
+  set_nft "insert rule ip6 qubes custom-dnat drop"
+  exit
+fi
+
 dns_primary="$(echo "${dns}" | cut -d "," -f 1)"
 dns_secondary="$(echo "${dns}" | cut -d "," -f 2)"

--- a/salt/sys-wireguard/files/server/qubes-firewall.d/55-sys-wireguard-tunnel
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/55-sys-wireguard-tunnel
@ -10,34 +10,14 @@
 add chain ip  qubes output { type filter hook output priority 0; policy accept; }
 add chain ip6 qubes output { type filter hook output priority 0; policy accept; }

-## Stop leaks between downstream (vif+) and upstream (eth0)
-#chain ip  qubes forward { policy drop; }
-#chain ip  qubes input   { policy drop; }
-#chain ip  qubes output  { policy drop; }
-#chain ip6 qubes forward { policy drop; }
-#chain ip6 qubes input   { policy drop; }
-#chain ip6 qubes output  { policy drop; }
-
-insert rule ip  qubes custom-forward oifgroup 1 drop
+flush chain ip  qubes custom-forward
+flush chain ip6 qubes custom-forward
 insert rule ip  qubes custom-forward iifgroup 1 drop
-insert rule ip6 qubes custom-forward oifgroup 1 drop
 insert rule ip6 qubes custom-forward iifgroup 1 drop
+insert rule ip  qubes custom-forward oifgroup 1 drop
+insert rule ip6 qubes custom-forward oifgroup 1 drop

-## Accept forward traffic between dowstream vif+ (group 2) and VPN (group 9)
-#insert rule ip  qubes custom-forward iifgroup 2 oifgroup 9 accept
-#insert rule ip  qubes custom-forward iifgroup 9 oifgroup 2 accept
-#insert rule ip6 qubes custom-forward iifgroup 2 oifgroup 9 accept
-#insert rule ip6 qubes custom-forward iifgroup 9 oifgroup 2 accept
-
-## Drop ICMP
 insert rule ip  qubes custom-input      meta l4proto icmp drop
 insert rule ip6 qubes custom-input      meta l4proto icmp drop
 insert rule ip  qubes output oifgroup 1 meta l4proto icmp drop
 insert rule ip6 qubes output oifgroup 1 meta l4proto icmp drop
-
-## Allow traffic from the "qvpn" group to the uplink interface (eth0);
-## Our VPN client will run with group "qvpn".
-#insert rule ip  qubes output oifname "lo"            accept
-#insert rule ip  qubes output oifgroup 1 skgid "qvpn" accept
-#insert rule ip6 qubes output oifname "lo"            accept
-#insert rule ip6 qubes output oifgroup 1 skgid "qvpn" accept
--- a/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-nat
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-nat
@ -6,13 +6,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

-flush chain ip  qubes custom-forward
-flush chain ip6 qubes custom-forward
-insert rule ip  qubes custom-forward oifgroup 1 drop
-insert rule ip  qubes custom-forward iifgroup 1 drop
-insert rule ip6 qubes custom-forward oifgroup 1 drop
-insert rule ip6 qubes custom-forward iifgroup 1 drop
-
 add chain ip6 qubes dnat-dns { type nat hook prerouting priority dstnat; policy accept; }
 add chain ip  qubes custom-dnat { type nat hook prerouting priority dstnat; policy accept; }
 add chain ip6 qubes custom-dnat { type nat hook prerouting priority dstnat; policy accept; }
--- a/salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc
+++ b/salt/sys-wireguard/files/server/rc.local.d/50-sys-wireguard.rc
@ -1,7 +0,0 @@
-#!/bin/sh
-# vim: ft=sh
-# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-wg-quick up /home/user/wireguard.conf
--- a/salt/sys-wireguard/files/server/systemd/wg-quick@wireguard.service.d/50_qusal.conf
+++ b/salt/sys-wireguard/files/server/systemd/wg-quick@wireguard.service.d/50_qusal.conf
@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# vim: ft=systemd
+
+[Unit]
+ConditionPathExists=/etc/wireguard/wireguard.conf
--- a/salt/sys-wireguard/install.sls
+++ b/salt/sys-wireguard/install.sls
@ -11,13 +11,6 @@ include:
  - utils.tools.common.update
  - sys-net.install-proxy

-{#
-"{{ slsdotpath }}-qvpn-group":
-  group.present:
-    - name: qvpn
-    - system: True
-#}
-
 "{{ slsdotpath }}-installed":
  pkg.installed:
    - require:
@ -34,4 +27,17 @@ include:
      - curl
      - man-db

+"{{ slsdotpath }}-systemd-service":
+  file.managed:
+    - name: /usr/lib/systemd/system/wg-quick@wireguard.service.d/50_qusal.conf
+    - source: salt://{{ slsdotpath }}/files/server/systemd/wg-quick@wireguard.service.d/50_qusal.conf
+    - user: root
+    - group: root
+    - mode: '0644'
+    - makedirs: True
+
+"{{ slsdotpath }}-enable-wg-quick@wireguard":
+  service.enabled:
+    - name: wg-quick@wireguard
+
 {% endif -%}