From c7c6d48fad65a9befc8de00f4d814c6de203462e Mon Sep 17 00:00:00 2001
From: gyurix
Date: Mon, 27 Feb 2023 22:14:47 +0000
Subject: [PATCH] Added dockerfile for build alpine based boringtun wireguard client

---
 Dockerfile | 27 +++++++++++++++++++++++++++
 README.md | 8 ++++++++
 entrypoint.sh | 32 ++++++++++++++++++++++++++++++++
 set_gateway.sh | 4 ++++
 wg_config_sample | 12 ++++++++++++
 5 files changed, 83 insertions(+)
 create mode 100644 Dockerfile
 create mode 100755 entrypoint.sh
 create mode 100755 set_gateway.sh
 create mode 100644 wg_config_sample

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..59e9663
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,27 @@
+FROM alpine:latest
+
+RUN apk add --no-cache alpine-sdk rustup \
+ && rustup-init -y --target x86_64-unknown-linux-musl --default-toolchain beta --profile minimal \
+ #&& curl https://sh.rustup.rs -sSf | sh -s -- -y --default-host x86_64-unknown-linux-musl --profile minimal \
+ && source ~/.cargo/env \
+ && cargo install --target x86_64-unknown-linux-musl boringtun-cli
+
+FROM alpine:latest
+
+COPY --from=0 /root/.cargo/bin/boringtun-cli /usr/bin/boringtun
+
+RUN apk add --no-cache tini wireguard-tools \
+ && apk add --no-cache --virtual .build-deps libcap \
+ && setcap cap_net_admin+ep /usr/bin/boringtun \
+ && apk del --purge .build-deps \
+ && printf '%s\n' '#!/bin/sh' 'mkdir -p /var/run/wireguard && chown "$LOGNAME:" /var/run/wireguard && exec su -s /usr/bin/boringtun -- "$LOGNAME" "$@"' \
+ | tee /usr/local/bin/boringtun \
+ && printf '%s\n' '#!/bin/bash' 'if [[ $# -eq 2 && $1 == up ]]; then' ' eval "$(sed -e "/^# ~~ function override insertion point ~~$/q" /usr/bin/wg-quick)"' ' add_if() { kill -18 $$ && until test -S "/var/run/wireguard/$INTERFACE.sock"; do sleep 1 && kill -0 $$ || return; done; }' ' die() { echo "$PROGRAM: $*" >&2; kill -9 $$; exit 1; }' ' auto_su' ' parse_options "$2"' ' ( cmd_up & )' ' kill -19 $$' ' cmd exec "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" --foreground "$INTERFACE"' 'else' ' exec /usr/bin/wg-quick "$@"' 'fi' \
+ | tee /usr/local/bin/wg-quick \
+ && chmod a+x /usr/local/bin/boringtun /usr/local/bin/wg-quick
+
+VOLUME ["/etc/wireguard"]
+
+ENV WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun LOGNAME=nobody INTERFACE=wg0
+COPY set_gateway.sh /etc/wireguard/
+ENTRYPOINT ["/sbin/tini", "--", "/bin/sh", "-c", "test -f \"/etc/wireguard/$INTERFACE.conf\" || ( umask 077 && printf '%s\\n' '[Interface]' 'Address = 10.8.0.1/24' 'PostUp = iptables --table nat --append POSTROUTING --jump MASQUERADE' 'PostDown = iptables --table nat --delete POSTROUTING --jump MASQUERADE' 'ListenPort = 51820' \"PrivateKey = $(wg genkey)\" | tee \"/etc/wireguard/$INTERFACE.conf\" ) && test -c /dev/net/tun || { mkdir -p /dev/net && mknod -m 666 /dev/net/tun c 10 200; } && exec wg-quick up \"$INTERFACE\"", "--"]
diff --git a/README.md b/README.md
index e69de29..d879bd9 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,8 @@
+Boringtun based wireguard client for linux. Modifyed Dockerfile to correct borintun-cli install and copy. The sample wireguard config uses a set_gateway script to excluding from the default route the wireguard vpn server.
+
+Needed container parameters:
+--cap-add=NET_ADMIN
+--cap-add MKNOD
+--cap-add NET_RAW
+--privileged
+--device=/dev/net/tun
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..eb43fc3
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -e
+
+declare -r WG_INTERFACE=${1:-wg0}
+
+function infinite_loop() {
+ # Handle shutdown behavior
+ trap 'shutdown_wg "$1"' SIGTERM SIGINT SIGQUIT
+
+ sleep infinity &
+ wait $!
+}
+
+function shutdown_wg() {
+ echo "Shutting down Wireguard (boringtun)"
+ wg-quick down "$1"
+ exit 0
+}
+
+function start_wg() {
+ echo "Starting up Wireguard (boringtun)"
+ wg-quick up "$1"
+ infinite_loop "$1"
+}
+
+#if [[ "$1" =~ ^wg.*$ ]]; then
+if [ -f "/etc/wireguard/${WG_INTERFACE}.conf" ]; then
+ start_wg ${WG_INTERFACE}
+else
+ exec "$@"
+fi
diff --git a/set_gateway.sh b/set_gateway.sh
new file mode 100755
index 0000000..eae3c47
--- /dev/null
+++ b/set_gateway.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+IP_GATEWAY=$(route -n | grep 'UG[ \t]' | awk '{print $2}');
+route add -host vps.vizpartingatlan.hu gw $IP_GATEWAY
diff --git a/wg_config_sample b/wg_config_sample
new file mode 100644
index 0000000..9887fab
--- /dev/null
+++ b/wg_config_sample
@@ -0,0 +1,12 @@
+[Interface]
+Address =
+PrivateKey =
+DNS = 1.1.1.1
+PreUp = /etc/wireguard/set_gateway.sh
+
+[Peer]
+PublicKey =
+PresharedKey =
+AllowedIPs = 0.0.0.0/0
+Endpoint =
+PersistentKeepalive = 15
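Review bot: The fallback config the ENTRYPOINT writes when no `/etc/wireguard/$INTERFACE.conf` exists carries `PostUp`/`PostDown` lines that call `iptables`, but the runtime stage only installs `tini wireguard-tools`, so unless iptables arrives as a transitive dependency that path fails at `wg-quick up`; the generated file is also a listening server profile (`ListenPort = 51820`, MASQUERADE) in an image the commit describes as a client, so either add `iptables` to the runtime `apk add` or drop the auto-generation and fail with a clear message instead. Both `FROM alpine:latest`, `--default-toolchain beta` and the unversioned `cargo install … boringtun-cli` make the image non-reproducible; pin them, e.g. `FROM alpine:<pinned tag> AS build` and `cargo install --version <pinned version> --target … boringtun-cli`, and reference the stage by name with `COPY --from=build`. `VOLUME ["/etc/wireguard"]` precedes `COPY set_gateway.sh /etc/wireguard/`, and with the legacy builder writes to a declared volume path are discarded, so move the COPY above the VOLUME line. The `x86_64-unknown-linux-musl` target is hard-coded twice in the build stage, so the image cannot be built for another architecture without editing the file; `ARG TARGETARCH` would let it follow the build platform. The commented-out `#&& curl https://sh.rustup.rs … | sh` line inside the RUN chain is dead text and a pipe-to-shell install pattern the build does not need; remove it rather than leave it as a future shortcut.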
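Review bot: entrypoint.sh is never copied into the image in this commit — the Dockerfile has its own inline `ENTRYPOINT` and no `COPY entrypoint.sh` — so as shipped this script is dead; either COPY it and point ENTRYPOINT at it, or drop it to avoid two diverging startup paths. In `infinite_loop`, `trap 'shutdown_wg "$1"' SIGTERM SIGINT SIGQUIT` is single-quoted, so `$1` is expanded when the signal fires rather than when the trap is installed; it appears to work only because the script is always waiting inside `infinite_loop` at that moment, and `trap 'shutdown_wg "$WG_INTERFACE"' SIGTERM SIGINT SIGQUIT` removes that dependency on the active scope. `start_wg ${WG_INTERFACE}` should be quoted as `start_wg "$WG_INTERFACE"`, matching the other call sites. The commented-out `#if [[ "$1" =~ ^wg.*$ ]]; then` line should be removed or turned into a comment explaining why the config-file test replaced it.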
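Review bot: `IP_GATEWAY` is used unchecked on the last line: if `route -n` lists no `UG` route it is empty and `route add -host … gw` fails with an unrelated usage error, and with two default routes it holds two addresses; add `set -eu` after the shebang, guard with `[ -n "$IP_GATEWAY" ] || { echo "set_gateway: no default gateway found" >&2; exit 1; }`, and quote it as `gw "$IP_GATEWAY"`. Because wg_config_sample runs this from `PreUp`, a silent failure here means the tunnel comes up with the VPN server's own traffic routed into the tunnel. The endpoint host `vps.vizpartingatlan.hu` is hard-coded even though the sample config's `[Peer] Endpoint` is the authoritative source, so the two can drift; passing the host as `$1` from the `PreUp` line keeps one source of truth. The trailing `;` on the assignment line is unnecessary.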