Git-Mirrors/shaker
1
0
Fork 0
mirror of https://github.com/unman/shaker.git synced 2025-02-02 09:35:25 -05:00
Code Issues Packages Projects Releases Wiki Activity

Mullvad - full files. Fix typo in install script

Browse Source
This commit is contained in:
unman 2022-11-29 14:03:45 +00:00
parent 97fa742c74
commit 0e1c255aeb
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
6 changed files with 110 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
mullvad.spec
View File

@ -1,5 +1,5 @@
Name: 3isec-qubes-mullvad-vpn Name: 3isec-qubes-mullvad-vpn
Version: 1.0 Version: 1.1
Release: 1%{?dist} Release: 1%{?dist}
Summary: Set up a Mullvad wireguard proxy in Qubes Summary: Set up a Mullvad wireguard proxy in Qubes
@ -44,7 +44,11 @@ You can, of course, use template-mullvad to create other VPN gateways.
%install %install
rm -rf %{buildroot} rm -rf %{buildroot}
mkdir -p %{buildroot}/srv/salt mkdir -p %{buildroot}/srv/salt
mkdir -p %{buildroot}/usr/bin
mkdir -p %{buildroot}/usr/share/applications
cp -rv %{SOURCE0}/ %{buildroot}/srv/salt cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
cp -rv %{SOURCE0}/qubes-setup-MullvadVPN.desktop %{buildroot}/usr/share/applications
cp -rv %{SOURCE0}/setup_MullvadVPN.sh %{buildroot}/usr/bin/setup_MullvadVPN.sh
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
@ -52,9 +56,8 @@ cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
%post %post
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
qubesctl state.apply mullvad.clone
qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
qubesctl state.apply mullvad.create qubesctl state.apply mullvad.create
qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
qubesctl --skip-dom0 --targets=MullvadVPN state.apply mullvad.configure qubesctl --skip-dom0 --targets=MullvadVPN state.apply mullvad.configure
fi fi
@ -66,5 +69,7 @@ if [ $1 -eq 0 ]; then
fi fi
%changelog %changelog
* Mon Nov 28 2022 unman <unman@thirdeyesecurity.org> - 1.1
- Fix wireshark typo
* Mon Aug 08 2022 unman <unman@thirdeyesecurity.org> - 1.0 * Mon Aug 08 2022 unman <unman@thirdeyesecurity.org> - 1.0
- First Build - First Build

11
mullvad/dns_hijack.sh Normal file
View File

@ -0,0 +1,11 @@
virtualif=`ip -o -4 addr show eth0|awk '{ print $4}'`
vpndns1=10.8.0.1
vpndns2=10.14.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2

26
mullvad/firewall.sh Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# Block forwarding of connections through upstream network device
# (in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
# Accept traffic to VPN
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -I OUTPUT -o lo -j ACCEPT
# Add the `qvpn` group to system, if it doesn't already exist
if ! grep -q "^qvpn:" /etc/group ; then
groupadd -rf qvpn
sync
fi
sleep 2s
# Block non-VPN traffic to clearnet
iptables -I OUTPUT -o eth0 -j DROP
# Allow traffic from the `qvpn` group to the uplink interface (eth0);
# Our VPN client will run with group `qvpn`.
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
iptables -I OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

38
mullvad/install.sh Executable file
View File

@ -0,0 +1,38 @@
#!/usr/bin/bash
if [ "`id -u`" -ne 0 ]; then
exec sudo "$0"
exit 99
fi
target_file='/rw/config/wireguard.conf'
cd /rw/config/vpn
zenity --question --text="Do you have a zip file from Mullvad?" --ok-label="Yes" --cancel-label="No"
if [ $? = 0 ] ; then
client_file=`zenity --file-selection`
if [ $(mimetype -b $client_file) == "application/zip" ]; then
unzip -j -d /rw/config/vpn "$client_file"
else
zenity --error --text="That doesn't look like a zip file"
exit
fi
fi
zenity --question --text="Have you copied the wireguard config file to /rw/config/vpn/ ?" --ok-label="Yes" --cancel-label="No"
if [ $? = 0 ] ; then
zenity --question --text="Please select the wireguard configuration file you want to use" --ok-label="OK" --cancel-label="No"
if [ $? = 0 ] ; then
client_file=`zenity --file-selection`
if grep -q '^PrivateKey' "$client_file" ; then
if [ "$client_file" != "$target_file" ]; then
cp $client_file $target_file
fi
zenity --info --text="Restart this qube. The VPN service will start automatically."
else
zenity --error --text="That doesn't look like a client config file"
exit
fi
else
zenity --error --text="You need a config file\nCheck with Mullvad VPN"
exit
fi
else
exit
fi

10
mullvad/qubes-setup-MullvadVPN.desktop Normal file
View File

@ -0,0 +1,10 @@
[Desktop Entry]
Type=Application
Exec=setup_MullvadVPN.sh
Path=/usr/bin
Icon=qubes-manager
Terminal=false
Name=Setup Mullvad VPN
GenericName=Setup Mullvad VPN
StartupNotify=false
Categories=Settings;X-XFCE-SettingsDialog

17
mullvad/setup_MullvadVPN.sh Executable file
View File

@ -0,0 +1,17 @@
#!/usr/bin/bash
qvm-run MullvadVPN /home/user/install.sh
if ! (qvm-firewall MullvadVPN|tail -n1 |grep -q '.*drop.*-.*-'.*-);then
qvm-firewall MullvadVPN add --before 0 drop && qvm-firewall MullvadVPN del --rule-no 1
fi
endpoint=$(qvm-run -p MullvadVPN 'awk "/Endpoint/{print \$3}" /rw/config/wireguard.conf')
IFS=":" read -r server_ip server_port PORT <<< $endpoint
if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*tcp.*53'); then
qvm-firewall MullvadVPN add --before 0 proto=tcp dstports=53 accept
fi
if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*udp.*53'); then
qvm-firewall MullvadVPN add --before 0 proto=udp dstports=53 accept
fi
if ! (qvm-firewall MullvadVPN |grep -q "$server_ip");then
qvm-firewall MullvadVPN add --before 0 dsthost=$server_ip proto=udp dstports=$server_port accept
fi