r-pufky / wireguard-initramfs

Licence: Unlicense
wireguard-initramfs

Use dropbear over wireguard.

Enables wireguard networking during kernel boot, before encrypted partitions are mounted. Combined with dropbear this can enable FULLY ENCRYPTED remote booting without storing key material or exposing ports on the remote network. An Internet connection simply needs to exist that can reach the wireguard server endpoint.

Normal dropbear connections and DNS resolution can be used to find wireguard endpoints. This essentially enables the creation of a fully encrypted remote managed node, with the ability to prevent all local access.

Requirements

Working knowledge of Linux. Understanding of networking and Wireguard.

  1. Debian Bullseye (any version with wireguard support should work, but this is untested).
  2. Wireguard installed, configured and in a "known working" state.

Install

Installation is automated via make. Download, extract contents, and install on target machine.

Grab the latest release, untarball, and install.

wget https://github.com/r-pufky/wireguard-initramfs/archive/refs/tags/{RELEASE}.tar.gz
tar xvf {RELEASE}.tar.gz
cd wireguard-initramfs-2021-07-04; make install

Configure

See comments in /etc/wireguard-initramfs/config. Be sure to set the private key as well.

Refer to the wg set section of the wg(8) man page for additional information.

⚠️ Most installs do not currently encrypt /boot, and therefore the client private key stored in the initramfs should be considered untrusted/compromised. It is highly recommended that a separate point-to-point wireguard network with proper port blocking is used for remote unlocking.

Rebuild initramfs to use:

update-initramfs -u
update-grub
reboot

Any static errors will abort the build. Misconfigurations will not be caught. Be sure to test while you still have physical access to the machine.

Dropbear

wireguard-initramfs can be combined with dropbear to enable remote system unlocking without needing control over the remote network, or knowing what the public IP of that system is. It also creates an encrypted no-trust tunnel before SSH connections are attempted.

Requirements

  1. Dropbear installed, configured and in a "known working" state.

Configure

Set dropbear to use all network interfaces to ensure remote unlocks work over wireguard first. Then restrict to the wireguard network once it is working:

/etc/dropbear-initramfs/config

DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
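As an added example (not part of the project's own code), a pre-flight check covering both configuration steps above: it validates a wireguard-initramfs style config, prints the ip/wg commands the tunnel would need so they can be reviewed before update-initramfs is run, and confirms DROPBEAR_OPTIONS is pinned to the wireguard address in the -p address:port form. The variable names INTERFACE, ADDRESS, PRIVATE_KEY_FILE, PEER_PUBLIC_KEY, PEER_ENDPOINT and ALLOWED_IPS are assumptions; match them to the comments in /etc/wireguard-initramfs/config.

```shell
#!/bin/sh
# Pre-flight check for a wireguard-initramfs style config (added example; not the
# project's own code).  The variable names INTERFACE, ADDRESS, PRIVATE_KEY_FILE,
# PEER_PUBLIC_KEY, PEER_ENDPOINT and ALLOWED_IPS are assumptions: match them to
# the comments in /etc/wireguard-initramfs/config before using this.

# Source a key=value config file and fail on any required setting that is
# missing or malformed.  Returns 0 only when the config is complete.
wgi_load_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "config not readable: $cfg" >&2; return 1; }
    . "$cfg"
    for v in INTERFACE ADDRESS PRIVATE_KEY_FILE PEER_PUBLIC_KEY PEER_ENDPOINT ALLOWED_IPS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing required setting: $v" >&2; return 1; }
    done
    # Endpoint must be host:port; a DNS name is fine, it is resolved at boot.
    case "$PEER_ENDPOINT" in
        *:[0-9]*) ;;
        *) echo "PEER_ENDPOINT must be host:port, got: $PEER_ENDPOINT" >&2; return 1 ;;
    esac
    # The key ends up inside the (usually unencrypted) initramfs, so at least keep
    # the source file unreadable to other users on the running system.
    [ -f "$PRIVATE_KEY_FILE" ] || { echo "private key not found: $PRIVATE_KEY_FILE" >&2; return 1; }
    [ -n "$(find "$PRIVATE_KEY_FILE" -prune -perm 600)" ] ||
        { echo "private key $PRIVATE_KEY_FILE must be mode 600" >&2; return 1; }
}

# Print, without running, the commands a boot-time hook needs to bring the
# tunnel up, so they can be reviewed before update-initramfs -u is run.
wgi_render_commands() {
    wgi_load_config "$1" || return 1
    cat <<EOF
ip link add dev $INTERFACE type wireguard
wg set $INTERFACE private-key $PRIVATE_KEY_FILE peer $PEER_PUBLIC_KEY endpoint $PEER_ENDPOINT allowed-ips $ALLOWED_IPS persistent-keepalive 25
ip address add $ADDRESS dev $INTERFACE
ip link set up dev $INTERFACE
EOF
}

# Once unlocking works over every interface, confirm dropbear is pinned to the
# wireguard address only (the -p address:port form in /etc/dropbear-initramfs/config).
# $1 is the wireguard ADDRESS (prefix length allowed), $2 the dropbear config file.
wgi_dropbear_bound_to() {
    ip_re=$(printf '%s' "${1%/*}" | sed 's/\./\\./g')
    grep -q "^DROPBEAR_OPTIONS=.*-p $ip_re:[0-9]" "$2"
}
```

Run wgi_render_commands against the real config and review its output while you still have physical access; it deliberately prints the commands rather than executing them.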

Bug / Patches / Contributions?

All are welcome, please submit a pull request or open a bug!

Know Debian packaging? Create a .deb package for this!
