Added udptunnel to circumvent some firewalls

Héctor Molinero Fernández 2020-06-19 00:12:25 +02:00
parent cc4f0c40f1
commit de9b62e764
5 changed files with 64 additions and 2 deletions


@ -43,12 +43,16 @@ build {
apt-get purge -y \ apt-get purge -y \
snapd snapd
apt-get install -y \ apt-get install -y \
build-essential \
dns-root-data \ dns-root-data \
git \
htop \ htop \
iperf3 \ iperf3 \
libsystemd-dev \
nano \ nano \
nftables \ nftables \
openresolv \ openresolv \
pkgconf \
qrencode \ qrencode \
rng-tools \ rng-tools \
ssh-import-id \ ssh-import-id \
@ -58,6 +62,14 @@ build {
apt-get autoremove -y apt-get autoremove -y
EOF EOF
, ,
<<EOF
mkdir /usr/local/src/udptunnel/ && cd /usr/local/src/udptunnel/
git clone 'https://github.com/hectorm/udptunnel.git' ./
git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f'
PREFIX=/usr/local ./udptunnel-installer.sh
udptunnel --help
EOF
,
<<EOF <<EOF
systemctl disable --now systemd-resolved.service systemctl disable --now systemd-resolved.service
unlink /etc/resolv.conf && printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf unlink /etc/resolv.conf && printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
@ -67,7 +79,7 @@ build {
<<EOF <<EOF
systemctl enable --now nftables.service rng-tools.service ssh.service systemctl enable --now nftables.service rng-tools.service ssh.service
systemctl enable --now apt-daily-upgrade.timer apt-daily.timer unattended-upgrades.service systemctl enable --now apt-daily-upgrade.timer apt-daily.timer unattended-upgrades.service
systemctl enable wg-quick@wg0.service systemctl enable udptunnel.service wg-quick@wg0.service
EOF EOF
, ,
<<EOF <<EOF
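Review bot: In the second hunk the pinned `git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f'` is not chained to the install step that follows it, so if the checkout fails for any reason, `PREFIX=/usr/local ./udptunnel-installer.sh` still runs as root against whatever the fresh clone's default branch points at — unless the provisioner already runs these heredocs with errexit, which is not visible here. Chaining the two steps, `git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f' && PREFIX=/usr/local ./udptunnel-installer.sh`, or opening the heredoc with `set -eu`, makes the pin actually gate the install. The build-essential, git, libsystemd-dev and pkgconf packages added in the first hunk stay in the final image; if they are only needed to compile udptunnel, purging them after the install keeps the toolchain off the shipped host. The `build {` block starts and ends outside the hunks.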


@ -24,11 +24,19 @@ cloud-localds "${USERDATA_DISK:?}" "${USERDATA_YAML:?}"
ssh-keygen -R '[127.0.0.1]:1122' ssh-keygen -R '[127.0.0.1]:1122'
ssh-keygen -R '[localhost]:1122' ssh-keygen -R '[localhost]:1122'
# hostfwd helper
hostfwd() { printf ',hostfwd=%s::%s-:%s' "$@"; }
# Launch VM # Launch VM
kvm \ kvm \
-smp 1 -m 512 \ -smp 1 -m 512 \
-nographic -serial mon:stdio \ -nographic -serial mon:stdio \
-device e1000,netdev=n0 \ -device e1000,netdev=n0 \
-netdev user,id=n0,hostfwd=tcp::1122-:122,hostfwd=udp::51820-:51820 \ -netdev user,id=n0"$(hostfwd \
tcp 1122 122 \
udp 51820 51820 \
udp 1053 53 \
tcp 1443 443 \
)" \
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \ -drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw -drive file="${USERDATA_DISK:?}",if=virtio,format=raw
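Review bot: The forwards built by the new `hostfwd` helper omit the host address, so `,hostfwd=tcp::1443-:443` and the other three bind the host-side ports on every interface of the host, exposing the guest's 443, 53, WireGuard and SSH ports to whatever network the developer's machine is on rather than to that machine only. For a local test VM the helper could pin the host address, `hostfwd() { printf ',hostfwd=%s:127.0.0.1:%s-:%s' "$@"; }`, which limits all four forwards to loopback. The same applies to the two forwards that existed before this change, since the helper replaces them too. The script continues outside the hunk.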


@ -29,6 +29,9 @@ table inet filter {
# Accept DNS traffic on the WireGuard interface. # Accept DNS traffic on the WireGuard interface.
iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept; iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept;
# Accept udptunnel traffic (to circumvent some firewalls).
tcp dport 443 accept;
# Count dropped packets. # Count dropped packets.
counter drop; counter drop;
} }
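Review bot: The new `tcp dport 443 accept;` rule matches on every interface, so the comment above it undersells its scope: it also admits TCP/443 arriving over wg0 or any other interface, not only the path the tunnel is meant to serve. Matching the style of the neighbouring rule by naming the interface and adding a counter, `iifname <WAN_IFACE> tcp dport 443 counter accept;` (the interface name is not visible in this hunk), keeps the exposure to what udptunnel needs and makes accepted tunnel traffic visible in `nft list ruleset` next to the existing `counter drop`. The `table inet filter` block continues outside the hunk.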


@ -0,0 +1,30 @@
[Unit]
Description=udptunnel service
Requires=udptunnel.socket
ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run
[Service]
Type=notify
Restart=on-failure
ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
StandardOutput=journal
StandardError=journal
DynamicUser=yes
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RemoveIPC=yes
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
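Review bot: The new service sets no `CapabilityBoundingSet=` and no `SystemCallFilter=`, although nothing in the unit needs privileges: the listening socket is handed over by udptunnel.socket, and the upstream target is plain `127.0.0.1:51820`. Adding `CapabilityBoundingSet=` (empty) and `SystemCallFilter=@system-service` beside the existing `NoNewPrivileges=yes` closes the main gaps `systemd-analyze security` would still report, assuming udptunnel needs nothing beyond ordinary socket I/O; binding port 443 is done by systemd, so CAP_NET_BIND_SERVICE is not required by the process itself. `--verbose` writes every connection to the journal, which helps spot unwanted traffic on 443 but is worth checking for log volume on an internet-facing host.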


@ -0,0 +1,9 @@
[Unit]
Description=udptunnel socket
[Socket]
ListenStream=443
BindIPv6Only=both
[Install]
WantedBy=sockets.target
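Review bot: The socket unit gives no hint why it listens on 443 or what handles the connections, which a later maintainer will need before touching the port. A comment above `[Socket]` such as `# TCP/443 so WireGuard clients behind restrictive firewalls can reach us; connections are passed to udptunnel.service, which forwards to WireGuard on 127.0.0.1:51820.` captures the intent from the commit. It is also worth noting in the comment that the socket is only pulled in through the service's `Requires=udptunnel.socket`, because the build script enables udptunnel.service rather than the socket, so the service runs from boot instead of being activated on the first connection — presumably intended, but not obvious from this file.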