Added udptunnel to circumvent some firewalls
This commit is contained in:
parent
cc4f0c40f1
commit
de9b62e764
@ -43,12 +43,16 @@ build {
|
|||||||
apt-get purge -y \
|
apt-get purge -y \
|
||||||
snapd
|
snapd
|
||||||
apt-get install -y \
|
apt-get install -y \
|
||||||
|
build-essential \
|
||||||
dns-root-data \
|
dns-root-data \
|
||||||
|
git \
|
||||||
htop \
|
htop \
|
||||||
iperf3 \
|
iperf3 \
|
||||||
|
libsystemd-dev \
|
||||||
nano \
|
nano \
|
||||||
nftables \
|
nftables \
|
||||||
openresolv \
|
openresolv \
|
||||||
|
pkgconf \
|
||||||
qrencode \
|
qrencode \
|
||||||
rng-tools \
|
rng-tools \
|
||||||
ssh-import-id \
|
ssh-import-id \
|
||||||
@ -58,6 +62,14 @@ build {
|
|||||||
apt-get autoremove -y
|
apt-get autoremove -y
|
||||||
EOF
|
EOF
|
||||||
,
|
,
|
||||||
|
<<EOF
|
||||||
|
mkdir /usr/local/src/udptunnel/ && cd /usr/local/src/udptunnel/
|
||||||
|
git clone 'https://github.com/hectorm/udptunnel.git' ./
|
||||||
|
git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f'
|
||||||
|
PREFIX=/usr/local ./udptunnel-installer.sh
|
||||||
|
udptunnel --help
|
||||||
|
EOF
|
||||||
|
,
|
||||||
<<EOF
|
<<EOF
|
||||||
systemctl disable --now systemd-resolved.service
|
systemctl disable --now systemd-resolved.service
|
||||||
unlink /etc/resolv.conf && printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
|
unlink /etc/resolv.conf && printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
|
||||||
@ -67,7 +79,7 @@ build {
|
|||||||
<<EOF
|
<<EOF
|
||||||
systemctl enable --now nftables.service rng-tools.service ssh.service
|
systemctl enable --now nftables.service rng-tools.service ssh.service
|
||||||
systemctl enable --now apt-daily-upgrade.timer apt-daily.timer unattended-upgrades.service
|
systemctl enable --now apt-daily-upgrade.timer apt-daily.timer unattended-upgrades.service
|
||||||
systemctl enable wg-quick@wg0.service
|
systemctl enable udptunnel.service wg-quick@wg0.service
|
||||||
EOF
|
EOF
|
||||||
,
|
,
|
||||||
<<EOF
|
<<EOF
|
||||||
|
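Review bot: The pin to commit `2e32c0db162c6bfb61031c90d23ad941bf65797f` in the second hunk only holds if a failed `git checkout` aborts the provisioner; the clone, checkout and installer are separate statements, so unless this provisioner runs with `set -e` (not visible here) a checkout failure would let `./udptunnel-installer.sh` build whatever the default branch holds at that moment. Chaining them makes the pin fail-closed: `git clone 'https://github.com/hectorm/udptunnel.git' ./ && git checkout '2e32c0db162c6bfb61031c90d23ad941bf65797f' && PREFIX=/usr/local ./udptunnel-installer.sh`. The toolchain added in the first hunk (`build-essential`, `git`, `libsystemd-dev`, `pkgconf`) and the checkout under `/usr/local/src/udptunnel/` remain in the final image; if they are needed only to build udptunnel, purging them after the install keeps the gateway image smaller. The enclosing `build {` block starts and ends outside these hunks.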
@ -24,11 +24,19 @@ cloud-localds "${USERDATA_DISK:?}" "${USERDATA_YAML:?}"
|
|||||||
ssh-keygen -R '[127.0.0.1]:1122'
|
ssh-keygen -R '[127.0.0.1]:1122'
|
||||||
ssh-keygen -R '[localhost]:1122'
|
ssh-keygen -R '[localhost]:1122'
|
||||||
|
|
||||||
|
# hostfwd helper
|
||||||
|
hostfwd() { printf ',hostfwd=%s::%s-:%s' "$@"; }
|
||||||
|
|
||||||
# Launch VM
|
# Launch VM
|
||||||
kvm \
|
kvm \
|
||||||
-smp 1 -m 512 \
|
-smp 1 -m 512 \
|
||||||
-nographic -serial mon:stdio \
|
-nographic -serial mon:stdio \
|
||||||
-device e1000,netdev=n0 \
|
-device e1000,netdev=n0 \
|
||||||
-netdev user,id=n0,hostfwd=tcp::1122-:122,hostfwd=udp::51820-:51820 \
|
-netdev user,id=n0"$(hostfwd \
|
||||||
|
tcp 1122 122 \
|
||||||
|
udp 51820 51820 \
|
||||||
|
udp 1053 53 \
|
||||||
|
tcp 1443 443 \
|
||||||
|
)" \
|
||||||
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
|
-drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
|
||||||
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw
|
-drive file="${USERDATA_DISK:?}",if=virtio,format=raw
|
||||||
|
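Review bot: The `hostfwd` helper emits `hostfwd=PROTO::HOSTPORT-:GUESTPORT` with no host address, so every forwarded port it now centralises, including the new DNS and TCP 443 forwards, is bound by QEMU on all host interfaces and reachable from whatever network the host is on. Binding the host side to loopback keeps the test VM local: `hostfwd() { printf ',hostfwd=%s:127.0.0.1:%s-:%s' "$@"; }`. Separately, `printf` reuses its format for every three arguments, so an argument count that is not a multiple of three silently yields a truncated rule such as `hostfwd=tcp::1443-:`; a guard like `[ $(($# % 3)) -eq 0 ] || return 1` as the helper's first statement turns that into an error. The script continues outside the hunk.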
@ -29,6 +29,9 @@ table inet filter {
|
|||||||
# Accept DNS traffic on the WireGuard interface.
|
# Accept DNS traffic on the WireGuard interface.
|
||||||
iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept;
|
iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept;
|
||||||
|
|
||||||
|
# Accept udptunnel traffic (to circumvent some firewalls).
|
||||||
|
tcp dport 443 accept;
|
||||||
|
|
||||||
# Count dropped packets.
|
# Count dropped packets.
|
||||||
counter drop;
|
counter drop;
|
||||||
}
|
}
|
||||||
|
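Review bot: The new `tcp dport 443 accept;` rule carries no `iifname` qualifier, unlike the DNS rule directly above it which is scoped to `wg0`, so it opens TCP 443 on every interface; that is presumably intended, since the point is reaching the tunnel through restrictive networks, but the comment should say so and name the listener so the next reader does not tighten it by mistake. Suggested comment: `# Accept udptunnel traffic on TCP 443 from any interface (udptunnel.socket, forwarded to the local WireGuard port; to circumvent some firewalls).` The enclosing chain starts outside the hunk.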
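--- /dev/null
+++ b/packer/rootfs/etc/systemd/system/udptunnel.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=udptunnel service
+Requires=udptunnel.socket
+ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run
+
+[Service]
+Type=notify
+Restart=on-failure
+ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
+StandardOutput=journal
+StandardError=journal
+DynamicUser=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target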
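Review bot: The sandboxing list in [Service] stops short of a system-call filter and a capability restriction, the two settings that most limit what a compromised listener on a public port can do; since systemd binds the socket and the process runs as a DynamicUser, it needs no capabilities at all. Consider adding `CapabilityBoundingSet=` (empty), `SystemCallFilter=@system-service` and `SystemCallErrorNumber=EPERM` next to `SystemCallArchitectures=native`. `ProtectClock=yes`, `ProtectHostname=yes`, `ProtectKernelLogs=yes` and `RestrictSUIDSGID=yes` are the remaining usual additions; the last is already implied by `DynamicUser=yes`, as are `RemoveIPC=`, `PrivateTmp=`, `NoNewPrivileges=` and `ProtectSystem=strict`, so a comment noting that those lines are explicit for readability would help. `Type=notify` requires the binary to send sd_notify readiness; the build installs `libsystemd-dev`, so that is presumably the case, but worth confirming.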
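--- /dev/null
+++ b/packer/rootfs/etc/systemd/system/udptunnel.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=udptunnel socket
+
+[Socket]
+ListenStream=443
+BindIPv6Only=both
+
+[Install]
+WantedBy=sockets.target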
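Review bot: The kill-switch `ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run` lives only on the service unit, so with the marker file present systemd still binds and listens on TCP 443; the condition is evaluated only when a connection triggers the service, so the port (which the nftables rule accepts) stays advertised as open even when the tunnel is meant to be off. Adding the same line to this unit's [Unit] section, `ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run`, keeps the port closed in that state. A comment is also worth adding that systemd performs the privileged bind here, which is what lets the service run with `DynamicUser=yes` and no capabilities, and that `BindIPv6Only=both` makes the single `ListenStream=443` a dual-stack listener.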