Added udptunnel to circumvent some firewalls

packer/build.pkr.hcl

@@ -43,12 +43,16 @@ build {
         apt-get purge -y \
           snapd
         apt-get install -y \
+          build-essential \
           dns-root-data \
+          git \
           htop \
           iperf3 \
+          libsystemd-dev \
           nano \
           nftables \
           openresolv \
+          pkgconf \
           qrencode \
           rng-tools \
           ssh-import-id \
@@ -58,6 +62,14 @@ build {
         apt-get autoremove -y
       EOF
       ,
+      <<EOF
+        mkdir /usr/local/src/udptunnel/ && cd /usr/local/src/udptunnel/
+        git clone 'https://github.com/hectorm/udptunnel.git' ./
+        git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f'
+        PREFIX=/usr/local ./udptunnel-installer.sh
+        udptunnel --help
+      EOF
+      ,
       <<EOF
         systemctl disable --now systemd-resolved.service
         unlink /etc/resolv.conf && printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
@@ -67,7 +79,7 @@ build {
       <<EOF
         systemctl enable --now nftables.service rng-tools.service ssh.service
         systemctl enable --now apt-daily-upgrade.timer apt-daily.timer unattended-upgrades.service
-        systemctl enable wg-quick@wg0.service
+        systemctl enable udptunnel.service wg-quick@wg0.service
       EOF
       ,
       <<EOF

packer/qemu/start-vm.sh

@@ -24,11 +24,19 @@ cloud-localds "${USERDATA_DISK:?}" "${USERDATA_YAML:?}"
 ssh-keygen -R '[127.0.0.1]:1122'
 ssh-keygen -R '[localhost]:1122'
 
+# hostfwd helper
+hostfwd() { printf ',hostfwd=%s::%s-:%s' "$@"; }
+
 # Launch VM
 kvm \
 	-smp 1 -m 512 \
 	-nographic -serial mon:stdio \
 	-device e1000,netdev=n0 \
-	-netdev user,id=n0,hostfwd=tcp::1122-:122,hostfwd=udp::51820-:51820 \
+	-netdev user,id=n0"$(hostfwd \
+		tcp 1122    122 \
+		udp 51820 51820 \
+		udp 1053     53 \
+		tcp 1443    443 \
+	)" \
 	-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
 	-drive file="${USERDATA_DISK:?}",if=virtio,format=raw

packer/rootfs/etc/nftables.conf

@@ -29,6 +29,9 @@ table inet filter {
 		# Accept DNS traffic on the WireGuard interface.
 		iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept;
 
+		# Accept udptunnel traffic (to circumvent some firewalls).
+		tcp dport 443 accept;
+
 		# Count dropped packets.
 		counter drop;
 	}

packer/rootfs/etc/systemd/system/udptunnel.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=udptunnel service
+Requires=udptunnel.socket
+ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run
+
+[Service]
+Type=notify
+Restart=on-failure
+ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
+StandardOutput=journal
+StandardError=journal
+DynamicUser=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target

packer/rootfs/etc/systemd/system/udptunnel.socket

@@ -0,0 +1,9 @@
+[Unit]
+Description=udptunnel socket
+
+[Socket]
+ListenStream=443
+BindIPv6Only=both
+
+[Install]
+WantedBy=sockets.target