wireguard-tools: adopted port

2022-12-22 09:49:09 +00:00 · 2022-12-22 09:49:09 +00:00 · 281395695e
parent 8392c1b0fa
commit 281395695e
4 changed files with 21 additions and 282 deletions
--- a/wireguard-tools/.footprint
+++ b/wireguard-tools/.footprint
@ -1,7 +1,11 @@
+drwxr-xr-x	root/root	etc/
+drwx------	root/root	etc/wireguard/
 drwxr-xr-x	root/root	usr/
 drwxr-xr-x	root/root	usr/bin/
 -rwxr-xr-x	root/root	usr/bin/wg
+-rwxr-xr-x	root/root	usr/bin/wg-quick
 drwxr-xr-x	root/root	usr/share/
 drwxr-xr-x	root/root	usr/share/man/
 drwxr-xr-x	root/root	usr/share/man/man8/
+-rw-r--r--	root/root	usr/share/man/man8/wg-quick.8.gz
 -rw-r--r--	root/root	usr/share/man/man8/wg.8.gz
--- a/wireguard-tools/.signature
+++ b/wireguard-tools/.signature
@ -1,6 +1,5 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF30cgZpCi5GRLes7cprgiExYaPvWj0kqcLOvFkuDJWUJ2JO/ApYpXIG7PowKVFCC/EvMdpOsC+zikGLPa1/yPygs=
-SHA256 (Pkgfile) = 99c3d0c40ad297f6be4f85a120d9d83a3443828db8e442b5a75ca2e26d1fdde4
-SHA256 (.footprint) = d283d75961bbb0a088b71aba318def5a86976ed952b2f3cb9f6542b061b89a47
+RWSagIOpLGJF328ojqAjzvxOFjbpeNqvL4blCFUE0voxveAsPp4IZvwmRQ6OB/ovhlHuj264tec9ho+N1pI40AtPzboL/mM78AE=
+SHA256 (Pkgfile) = 9a6a8b48d1c9e1374c57b56dd99b4faf09fba393dd0b00561d1c488ee74f5c1e
+SHA256 (.footprint) = b889f453214f56cce90887f0f29782238690ec0135732313253e57c9fe8b42df
 SHA256 (wireguard-tools-1.0.20210914.tar.xz) = 97ff31489217bb265b7ae850d3d0f335ab07d2652ba1feec88b734bc96bd05ac
-SHA256 (README) = 5ca9ee9a84a3d548d4ebf1238a458fda056205aaa19614bfdd85ec6673baef22
--- a/wireguard-tools/Pkgfile
+++ b/wireguard-tools/Pkgfile
@ -1,25 +1,23 @@
 # Description: Tools for configuring WireGuard
-# URL:         https://git.zx2c4.com/wireguard-tools/
-# Maintainer:  Steffen Nurpmeso, steffen at sdaoden dot eu
+# URL: https://git.zx2c4.com/wireguard-tools/
+# Maintainer: Tim Biermann, tbier at posteo dot de

 name=wireguard-tools
 version=1.0.20210914
 release=1
-source=(https://git.zx2c4.com/wireguard-tools/snapshot/\
-wireguard-tools-${version}.tar.xz README)
+source=(https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-$version.tar.xz)

 build() {
-   cd ${name}-${version}
+  cd $name-$version

-   cd src
-   make
-   make install \
-      DESTDIR="${PKG}" \
-      PREFIX=/usr \
-      RUNSTATEDIR=/run \
-      WITH_BASHCOMPLETION=no \
-      WITH_SYSTEMDUNITS=no \
-      WITH_WGQUICK=no
+  prt-get isinst bash-completions && PKGMK_WGTOOLS+=' WITH_BASHCOMPLETION=yes' || PKGMK_WGTOOLS+=' WITH_BASHCOMPLETION=NO'
+
+  cd src
+  make
+  make install $PKGMK_WGTOOLS \
+    DESTDIR=$PKG \
+    PREFIX=/usr \
+    RUNSTATEDIR=/run \
+    WITH_WGQUICK=yes \
+    WITH_SYSTEMDUNITS=no
 }
-
-# s-sh-mode
--- a/wireguard-tools/README
+++ b/wireguard-tools/README
@ -1,262 +0,0 @@
-README for WireGuard
-
-  WireGuard is a thrilling VirtualPrivateNetwork option.
-
-  It uses stateless UDP connections, and looks like a server socket, for
-  example in output of "ss -l", but also "iptables -nvL".  It uses today's
-  state-of-the-art algorithms, is extremely simple to setup and maintain, and
-  has really nifty properties.  For example, you can load /dev/null as the key
-  to make the VPN unusable, then just put back the correct key and it
-  functions again.  You can also create a VPN with a single command line (plus
-  firewall).
-
-  It is possible to create point-to-point connections where the endpoints can
-  communicate only with each other, but on the other hand dedicated "servers"
-  can be used to which all traffic can be forwarded, so that laptops and other
-  end-devices can be boxed into a totally detached environment, having
-  internet access only through (the) VPN(s).
-
-  In all cases you need the kernel option
-
-    CONFIG_WIREGUARD=y
-
-  and generate keys:
-
-    # wg genkey | tee private.key | wg pubkey > public.key
-
-  You should also create a preshared key (may not work otherwise with
-  software before 2021-03-15):
-
-    # wg genpsk
-
-  Nothing magic about the keys, base64 encoded random of the correct
-  length (should do; and except for pubkey, which applies algorithms).
-
-Simple point-to-point VPN
-
-  Say this is a VPN of two boxes plus broadcast, server on 10.0.0.2,
-  laptop on 10.0.0.1.  The laptop has no fixed IP:
-
-  Server.conf:
-    [Interface]
-    PrivateKey = SERVER-PRIKEY
-    ListenPort = SERVER-PORT
-
-    [Peer]
-    PublicKey = LAPTOP-PUBKEY
-    # (Or only 10.0.0.1/32)
-    AllowedIPs = 10.0.0.0/30
-
-  Laptop.conf:
-    [Interface]
-    PrivateKey = LAPTOP-PRIKEY
-    # (Actually unused)
-    ListenPort = LAPTOP-PORT
-
-    [Peer]
-    PublicKey = SERVER-PUBKEY
-    Endpoint = SERVER-IP:SERVER-PORT
-    AllowedIPs = 10.0.0.2/32
-
-  Assuming these are the first interfaces we ever created:
-
-    # wg setconf wg0 Server.conf
-
-  We need some firewall rules.  For the case as shown here no forwarding or
-  masquerading is required -- and it is _never_, but on those peers which play
-  a server rule!  The Laptop should get away with
-
-    # ip link add dev wg0 type wireguard
-    # ip address add 10.0.0.1/30 dev wg0
-    # iptables -A OUTPUT -o wg0 -j ACCEPT
-    # # not even iptables -A INPUT -i wg0 -j ACCEPT
-    # iptables -A OUTPUT -p udp --dst SRV-IP --dport SRV-PORT -j ACCEPT
-    # ip link set wg0 up
-    # ip route add 10.0.0.1 dev wg0
-
-  That is it (beat me if i am wrong)!  Different iptables on the server:
-
-    # iptables -I INPUT -i wg0 -j ACCEPT
-    # # not even iptables -A OUTPUT -o wg0 -j ACCEPT
-    # iptables -A INPUT -p udp --dport SRV-PORT -j ACCEPT
-
-  Finished.  You could track the endpoint as they show up, and update the
-  rules with the exact address of the endpoint(s).  Like this the last shown
-  rule of the server can apply blacklisting rules.  This works easily because
-  once a handshake is completed the defined ListenPort and thus NETFILTER is
-  bypassed (at filter level), and only fewest packets actually show up on
-  --dport SRV-PORT.  A working watchdog below. 
-
-End-user having access only via VPN
-
-  In fact this is easy.  Of course you can create a wg, then a network
-  namespace, then move the wg to that namespace via "ip link set wg0 netns
-  NSNAME", then add the default route there via "ip -n NSNAME route add
-  default dev wg0", and be done with it.  Linux even seems to allow to move
-  the physical hardware to a network namespace, then go the reverse way with
-  the new wg, leaving only wg in the base namespace, and the physical devices
-  boxed somewhere else.  Really important differences are:
-
-    - The laptop must change the AllowedIPs of the server [Peer] to
-
-        AllowedIPs = 0.0.0.0/0
-
-      Only like this all the traffic is forwarded to the server.
-
-    - The server now needs forwarding and masquerading enabled:
-
-        # sysctl -w net.ipv4.conf.ETH0.forwarding=1
-        # sysctl -w net.ipv4.conf.WG0.forwarding=1
-        # iptables -A FORWARD -i WG0 -o ETH0 -j ACCEPT
-        # iptables -A FORWARD -o WG0 -i ETH0 -j ACCEPT
-        # iptables -t nat -A POSTROUTING -o ETH0 -j MASQUERADE
-
-      Exchange WG0/ETH0 with your devices.  You may want to have a final
-      FORWARDING rule like
-
-        # iptables -A FORWARD -j REJECT --reject-with icmp-proto-unreachable
-
-  You may want to create an additional veth pair that links into the
-  namespace, so that a local DNS proxy like dnsmasq could serve the DNS of
-  that VPN network namespace as well as any other namespace ("interface
-  NSNAME" in dnsmasq.conf).  No need to start multiple instances, just share
-  the DNS cache.  Of course that single dnsmasq instance could also have
-  a configured upstream that is reached via VPN, maybe just another channel.
-  Luckily "ip link" and "ip netns" names can coexist, so:
-
-      # Placing this in 10.4.0.8/30
-      ip=ip ns=NSNAME 1=10.4.0.9 2=10.4.0.10 p_domain=53
-      ...
-
-       ${ip} link add ${ns} type veth peer name ${ns}_peer
-       ${ip} link set ${ns}_peer netns ${ns}
-
-       ${ip} addr add ${1}/30 dev ${ns}
-       ${ip} link set ${ns} up
-       #${ip} route add ${1} dev ${ns}
-
-       ${ip} -n ${ns} addr add ${2}/30 dev ${ns}_peer broadcast +
-       ${ip} -n ${ns} link set ${ns}_peer up
-       ${ip} -n ${ns} route add ${1} dev ${ns}_peer
-
-       iptables_rule filter INPUT -A -i ${ns} \
-          -p tcp --dport ${p_domain} -j ${ACC}
-       iptables_rule filter INPUT -A -i ${ns} \
-          -p udp --dport ${p_domain} -j ${ACC}
-       iptables_rule filter INPUT -A -i ${ns} -j REJECT
-
-  So now only DNS is allowed from the network namespace to the base namespace,
-  where dnsmasq is listening on "interface NSNAME" (maybe after a restart).
-  All other traffic generated in NSNAME but to 10.4.0.9 is routed through the
-  WireGuard VPN.
-
-A watchdog
-
-  Driven by cron one can selectively whitelist endpoints without fixed
-  IP addresses, in order to apply strict black listing on those
-
-    # iptables -A INPUT -p udp --dport PORT -j ACCEPT
-
-  rules that are needed (on servers).  Here is one idea, it is pretty fresh
-  but working for some time here.  Imagine a configuration
-
-    : ${RUNDIR:=/run}
-
-    # (y/empty) Wireguard VPN (ie: look for WG_digit_ADDR settings)?
-    : ${WG:=}
-       #     If empty
-       : ${WG_WATCHDOG:=${RUNDIR}/.net-qos-wg-watch}
-       #  For wg_watchdog() (aka "$0 watchdog-wg"): persistance data file.
-       #  Watchdog only works if non-empty.
-       # -> WG_digit_ADDR='any wg(8) address:LISTEN-PORT'
-       #     Ie address+CIDR netmask plus listen port.  Whether we create it.
-    ....
-
-  In the following, please substitute ACCEPT for f_m1, and INPUT for i_good.
-  I currently use primitive CONNMARK jumps for all my traffic, instead of
-  using the "fwmark" feature of WireGuard to shortcut that for the VPN.
-
-wg_watchdog() {
-   [ -n "${WG_WATCHDOG}" ] || {
-      echo >&2 '$WG_WATCHDOG is not set'
-      return 0
-   }
-
-   touch "${WG_WATCHDOG}" "${WG_WATCHDOG}".new "${WG_WATCHDOG}".lck
-   chown root:root "${WG_WATCHDOG}" "${WG_WATCHDOG}".new "${WG_WATCHDOG}".lck
-   chmod 0600 "${WG_WATCHDOG}" "${WG_WATCHDOG}".new "${WG_WATCHDOG}".lck
-
-   if exec 7>"${WG_WATCHDOG}.lck" && flock 7; then :; else
-      echo >&2 'Cannot aquire lock file '${WG_WATCHDOG}.lck
-      return 1
-   fi
-
-   # New list of peers
-   printf '' > "${WG_WATCHDOG}".new
-   wl=
-
-   id=0
-   while :; do
-      eval x=\$WG_${id}_ADDR
-      [ -z "${x}" ] && break
-
-      wg__splita "${x}"
-      dport=${port}
-
-      x=`${wg} show wg${id} endpoints 2>/dev/null`
-      if [ ${?} -eq 0 ]; then
-         x=`echo ${x} | cut -f2 -d' '`
-         if [ "${x}" != '(none)' ]; then
-            wg__splita "${x}"
-            wl=${wl}' '${addr}
-            printf -- "-p udp --src %s --dport %s -j f_m1\n" \
-               "${addr}" "${dport}" >> "${WG_WATCHDOG}".new
-            #--sport ${port}
-         fi
-      fi
-
-      id=$((id + 1))
-   done
-
-   # ..if different to old one, recreate firewall rules
-   if cmp "${WG_WATCHDOG}".new "${WG_WATCHDOG}" >/dev/null 2>&1; then :; else
-      if [ -s "${WG_WATCHDOG}" ]; then
-         while read l; do
-            iptables_rule filter i_good -D ${l}
-         done < "${WG_WATCHDOG}"
-      fi
-
-      # Add new list of peers
-      if [ -n "${wl}" ]; then
-         while read l; do
-            iptables_rule filter i_good -I 1 ${l}
-         done < "${WG_WATCHDOG}".new
-         logger -t /root/bin/net-qos.sh/WG 'whitelist: '${wl}
-      fi
-
-      cp -f "${WG_WATCHDOG}".new "${WG_WATCHDOG}"
-   fi
-
-   exec 7>&-
-}
-
-wg__splita() {
-   addr=${1%:*}
-   port=${1##*:}
-   ip6=0
-
-   if [ "${addr}" != "${addr%]*}" ]; then
-      ip6=1
-      addr=${addr%]*}
-      addr=${addr#[*}
-   fi
-
-   if [ "${addr}" != "${addr%/*}" ]; then
-      mask=/${addr#*/}
-      addr=${addr%/*}
-   else
-      mask=/32
-   fi
-}
-
-# s-ts-mode