Added udptunnel to circumvent some firewalls
This commit is contained in:
parent
cc4f0c40f1
commit
de9b62e764
@ -43,12 +43,16 @@ build {
|
||||
apt-get purge -y \
|
||||
snapd
|
||||
apt-get install -y \
|
||||
build-essential \
|
||||
dns-root-data \
|
||||
git \
|
||||
htop \
|
||||
iperf3 \
|
||||
libsystemd-dev \
|
||||
nano \
|
||||
nftables \
|
||||
openresolv \
|
||||
pkgconf \
|
||||
qrencode \
|
||||
rng-tools \
|
||||
ssh-import-id \
|
||||
@ -58,6 +62,14 @@ build {
|
||||
apt-get autoremove -y
|
||||
EOF
|
||||
,
|
||||
<<EOF
|
||||
mkdir /usr/local/src/udptunnel/ && cd /usr/local/src/udptunnel/
|
||||
git clone 'https://github.com/hectorm/udptunnel.git' ./
|
||||
git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f'
|
||||
PREFIX=/usr/local ./udptunnel-installer.sh
|
||||
udptunnel --help
|
||||
EOF
|
||||
,
|
||||
<<EOF
|
||||
systemctl disable --now systemd-resolved.service
|
||||
unlink /etc/resolv.conf && printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
|
||||
@ -67,7 +79,7 @@ build {
|
||||
<<EOF
|
||||
systemctl enable --now nftables.service rng-tools.service ssh.service
|
||||
systemctl enable --now apt-daily-upgrade.timer apt-daily.timer unattended-upgrades.service
|
||||
systemctl enable wg-quick@wg0.service
|
||||
systemctl enable udptunnel.service wg-quick@wg0.service
|
||||
EOF
|
||||
,
|
||||
<<EOF
|
||||
|
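Review bot: The last line enables `udptunnel.service` rather than `udptunnel.socket`, so the relay process is started unconditionally at boot and the socket unit's own `[Install] WantedBy=sockets.target` section (added in this commit) never takes effect; if on-demand socket activation is the goal, `systemctl enable udptunnel.socket wg-quick@wg0.service` is the usual form and the service is then only started when a client connects on 443. Both forms work because the service declares `Requires=udptunnel.socket`, so this is a choice worth stating in a comment rather than a defect. The enclosing `build {}` block and the heredoc continue outside the hunk.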
@ -24,11 +24,19 @@ cloud-localds "${USERDATA_DISK:?}" "${USERDATA_YAML:?}"
|
||||
ssh-keygen -R '[127.0.0.1]:1122'
|
||||
ssh-keygen -R '[localhost]:1122'
|
||||
|
||||
# hostfwd helper
|
||||
hostfwd() { printf ',hostfwd=%s::%s-:%s' "$@"; }
|
||||
|
||||
# Launch VM
|
||||
kvm \
|
||||
-smp 1 -m 512 \
|
||||
-nographic -serial mon:stdio \
|
||||
-device e1000,netdev=n0 \
|
||||
-netdev user,id=n0,hostfwd=tcp::1122-:122,hostfwd=udp::51820-:51820 \
|
||||
-netdev user,id=n0"$(hostfwd \
|
||||
tcp 1122 122 \
|
||||
udp 51820 51820 \
|
||||
udp 1053 53 \
|
||||
tcp 1443 443 \
|
||||
)" \
|
||||
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
|
||||
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw
|
||||
|
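Review bot: The new `hostfwd` helper leaves the host address empty (`%s::%s`), so the added forwards for 1053→53 and 1443→443, like the existing 1122 and 51820 ones, listen on every host interface and expose the VM's resolver and udptunnel endpoint to anything on the host's network while the test VM runs. If the harness is only driven locally, as the `ssh-keygen -R '[127.0.0.1]:1122'` lines above suggest, `hostfwd() { printf ',hostfwd=%s:127.0.0.1:%s-:%s' "$@"; }` limits the listeners to loopback. This may be deliberate for testing from another machine, in which case a one-line comment saying so would help.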
@ -29,6 +29,9 @@ table inet filter {
|
||||
# Accept DNS traffic on the WireGuard interface.
|
||||
iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept;
|
||||
|
||||
# Accept udptunnel traffic (to circumvent some firewalls).
|
||||
tcp dport 443 accept;
|
||||
|
||||
# Count dropped packets.
|
||||
counter drop;
|
||||
}
|
||||
|
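Review bot: The new `tcp dport 443 accept;` rule carries no counter, whereas the sibling drop rule does; since this port now fronts the WireGuard endpoint over TCP, a counter gives operators visibility into how much traffic arrives through the tunnel versus plain UDP 51820: `tcp dport 443 counter accept;`. The comment above it could also say where the port terminates, e.g. `# Accept udptunnel traffic on TCP 443 (socket-activated, relayed to WireGuard on 127.0.0.1:51820).` The enclosing table and chain start outside the hunk.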
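--- a/packer/rootfs/etc/systemd/system/udptunnel.service
+++ b/packer/rootfs/etc/systemd/system/udptunnel.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=udptunnel service
+Requires=udptunnel.socket
+ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run
+
+[Service]
+Type=notify
+Restart=on-failure
+ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
+StandardOutput=journal
+StandardError=journal
+DynamicUser=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target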
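Review bot: The `[Service]` sandbox stops short of a system-call filter and a capability bounding set; since `udptunnel.socket` owns port 443 and the process only relays to `127.0.0.1:51820`, adding `SystemCallFilter=@system-service` together with `CapabilityBoundingSet=` removes the remaining privileged surface without touching its job (I cannot confirm udptunnel's exact syscall needs from here, so exercise the service under the filter before shipping). As I recall the systemd documentation, `DynamicUser=yes` already implies `RemoveIPC=`, `PrivateTmp=`, `NoNewPrivileges=` and `ProtectSystem=strict`, so those explicit lines are redundant but harmless. `--verbose` sends per-connection detail to the journal; a comment on whether that is intended for production would help the next maintainer.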
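--- a/packer/rootfs/etc/systemd/system/udptunnel.socket
+++ b/packer/rootfs/etc/systemd/system/udptunnel.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=udptunnel socket
+
+[Socket]
+ListenStream=443
+BindIPv6Only=both
+
+[Install]
+WantedBy=sockets.target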