coxmic / wireguard-initramfs

This project forked from r-pufky/wireguard-initramfs

License: The Unlicense

wireguard-initramfs's Introduction

wireguard-initramfs

Use dropbear over wireguard.

Enables wireguard networking during kernel boot, before encrypted partitions are mounted. Combined with dropbear this can enable FULLY ENCRYPTED remote booting without storing key material or exposing ports on the remote network. An Internet connection simply needs to exist that can reach the wireguard server endpoint.

Normal dropbear connections and DNS resolution can be used to find wireguard endpoints. This essentially enables the creation of a fully encrypted remote managed node, with the ability to prevent all local access.

Requirements

Working knowledge of Linux. Understanding of networking and Wireguard.

  1. Debian Bullseye/Bookworm (any version with wireguard support should work, but untested).
  2. Wireguard installed, configured and in a "known working" state.

Install

Installation is automated via make. Download, extract contents, and install on target machine.

Grab the latest release, untarball, and install.

wget https://github.com/r-pufky/wireguard-initramfs/archive/refs/tags/{RELEASE}.tar.gz
tar xvf {RELEASE}.tar.gz
cd wireguard-initramfs-{RELEASE}; make install

Configure

See the comments in /etc/wireguard-initramfs/config. Be sure to set the private key and, optionally, the preshared key as well.

Refer to the wg set section of the wg(8) man page for additional information.

โš ๏ธ Most installs do not currently encrypt /boot; and therefore the client private key should be considered untrusted/compromised. It is highly recommended that a separate point-to-point wireguard network with proper port blocking is used for remote unlocking.

Rebuild initramfs to use:

update-initramfs -u
update-grub
reboot

Static errors will abort the initramfs build; misconfigurations (a wrong key, endpoint or address) will not be caught. Be sure to test while you still have physical access to the machine.

Dropbear

wireguard-initramfs can be combined with dropbear to enable remote system unlocking without needing control over the remote network, or knowing what the public IP of that system is. It also creates an encrypted no-trust tunnel before SSH connections are attempted.

Requirements

  1. Dropbear installed, configured and in a "known working" state.

Configure

First let dropbear listen on all network interfaces so you can confirm that remote unlocks work over wireguard. Once that works, restrict it to the wireguard address:

/etc/dropbear-initramfs/config

DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
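The README warns that the initramfs build only catches static errors, not misconfigurations, and that dropbear should end up bound only to the wireguard address. The script below is an added example (not part of the wireguard-initramfs project) of a preflight check to run before update-initramfs -u: it validates key shape, endpoint syntax and the dropbear -p binding without sourcing the config files. The variable names PRIVATE_KEY, PEER_PUBLIC_KEY, PRESHARED_KEY, ENDPOINT and WG_ADDRESS are assumptions made for this example; the project's real names are in the comments of /etc/wireguard-initramfs/config, and DROPBEAR_OPTIONS is the one named on this page.

```shell
#!/bin/sh
# Preflight checks before `update-initramfs -u` for wireguard-initramfs + dropbear.
# Added example, not project code. Variable names other than DROPBEAR_OPTIONS
# are assumptions for this example; adjust them to the project's config.
set -u

# Pull NAME='value' (or NAME=value) out of a config file without sourcing it,
# so a stray command in the file cannot execute here.
cfg_get() {
    sed -n "s/^$2=['\"]\{0,1\}\([^'\"]*\).*/\1/p" "$1" | head -n 1
}

# A WireGuard key is 32 bytes in base64: 42 base64 chars, one char whose low
# bits are zero, then '='. Anything else is rejected by wg(8) as well.
wg_key_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Endpoint must be host:port (IPv6 as [addr]:port) with a port in 1..65535.
endpoint_valid() {
    host=${1%:*}; port=${1##*:}
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Every `-p` listen option in DROPBEAR_OPTIONS must name the wireguard address.
# A bare port, 0.0.0.0 or :: listens on every interface, which the README says
# to allow only until the tunnel has been proven to work.
dropbear_bound_only_to() {
    addr=$1; found=0
    set -- $2
    while [ $# -gt 0 ]; do
        if [ "$1" = "-p" ]; then
            shift; [ $# -gt 0 ] || return 1
            case $1 in "$addr":[0-9]*) found=1 ;; *) return 1 ;; esac
        fi
        shift
    done
    [ "$found" -eq 1 ]
}

# Run all checks over the two config files. Prints each problem and returns
# the number of problems found, so 0 means it is reasonable to rebuild.
preflight() {
    wgcfg=$1; dbcfg=$2; bad=0
    for name in PRIVATE_KEY PEER_PUBLIC_KEY; do
        wg_key_valid "$(cfg_get "$wgcfg" "$name")" || { echo "bad $name"; bad=$((bad+1)); }
    done
    psk=$(cfg_get "$wgcfg" PRESHARED_KEY)   # optional, but must be well-formed if set
    [ -z "$psk" ] || wg_key_valid "$psk" || { echo "bad PRESHARED_KEY"; bad=$((bad+1)); }
    endpoint_valid "$(cfg_get "$wgcfg" ENDPOINT)" || { echo "bad ENDPOINT"; bad=$((bad+1)); }
    dropbear_bound_only_to "$(cfg_get "$wgcfg" WG_ADDRESS)" "$(cfg_get "$dbcfg" DROPBEAR_OPTIONS)" \
        || { echo "dropbear is not restricted to the wireguard address"; bad=$((bad+1)); }
    return "$bad"
}

# Constructed sample configs for a dry run: an all-zero placeholder key that
# only has the right shape, one restricted and one wide-open dropbear config.
write_samples() {
    key=$(printf '%043d=' 0 | tr 0 A)
    cat > "$1/wg" <<EOF
PRIVATE_KEY='$key'
PEER_PUBLIC_KEY='$key'
PRESHARED_KEY=''
ENDPOINT='vpn.example.org:51820'
WG_ADDRESS='172.31.255.10'
EOF
    printf "DROPBEAR_OPTIONS='-s -p 172.31.255.10:22'\n" > "$1/db-restricted"
    printf "DROPBEAR_OPTIONS='-s -p 22'\n" > "$1/db-open"
}

# `sh preflight.sh demo` runs against the constructed samples;
# `sh preflight.sh WG_CONFIG DROPBEAR_CONFIG` checks real files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    preflight "$d/wg" "$d/db-restricted" && echo "restricted sample: OK"
    preflight "$d/wg" "$d/db-open" || echo "open sample: rejected"
    rm -rf "$d"
elif [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The key check is deliberately a shape check only: it catches a truncated paste or a public key pasted into the private-key slot by length, not a key that belongs to the wrong peer, so the README's advice to test while you still have physical access still applies.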

Bug / Patches / Contributions?

All are welcome, please submit a pull request or open a bug!

Know debian packaging? Create a .deb package for this!

Contributors

r-pufky, rmf1995, a-gave