Add example hardened systemd template unit

3 years ago · 2c902bdddf
3 changed files with 84 additions and 0 deletions
--- a/systemd/client.conf
+++ b/systemd/client.conf
@ -0,0 +1,11 @@
				@@ -0,0 +1,11 @@
+# refer to wireguard-proxy --help for info on what these are
+
+WGP_TCP_TARGET=192.168.1.1:5555
+#WGP_TCP_TARGET=example.org:5555
+WGP_UDP_HOST=127.0.0.1:51820
+
+#WGP_TLS=true
+#WGP_PINNEDPUBKEY=sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=
+#WGP_TLS_HOSTNAME=example.org
+
+#WGP_SOCKET_TIMEOUT=0
--- a/systemd/server.conf
+++ b/systemd/server.conf
@ -0,0 +1,14 @@
				@@ -0,0 +1,14 @@
+# refer to wireguard-proxy --help for info on what these are
+
+WGP_TCP_HOST=0.0.0.0:5555
+WGP_UDP_TARGET=127.0.0.1:51820
+WGP_UDP_BIND_HOST_RANGE=127.0.0.1:30000-40000
+
+# if you don't want proper cert generate with:
+# openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout key.pem
+# optionally (but recommended) extract pinnedpubkey hash from the above generated cert like so:
+# openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+#WGP_TLS_KEY=/etc/wireguard-proxy/key.pem
+#WGP_TLS_CERT=/etc/wireguard-proxy/cert.pem
+
+#WGP_SOCKET_TIMEOUT=0
--- a/systemd/wireguard-proxy@.service
+++ b/systemd/wireguard-proxy@.service
@ -0,0 +1,59 @@
				@@ -0,0 +1,59 @@
+[Unit]
+Description=wireguard-proxy for %I
+After=network-online.target nss-lookup.target
+Wants=network-online.target nss-lookup.target
+StartLimitIntervalSec=0
+Documentation=https://code.moparisthebest.com/moparisthebest/wireguard-proxy
+Documentation=https://github.com/moparisthebest/wireguard-proxy
+
+[Service]
+EnvironmentFile=/etc/wireguard-proxy/%i.conf
+ExecStart=/usr/bin/wireguard-proxy
+Restart=always
+RestartSec=1s
+# anything under here isn't strictly needed, but probably good
+# to lock this down with the minimal permissions necessary
+# which are not many at all
+User=wireguard-proxy
+DynamicUser=yes
+ConfigurationDirectory=wireguard-proxy
+ConfigurationDirectoryMode=0750
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=net
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+SystemCallArchitectures=native
+# these are just needed to bind to low ports
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# this is any existing group the key/cert can be owned by
+# so that our random user can read them
+# not needed at all without TLS, can comment out
+# see https://github.com/systemd/systemd/issues/9535
+SupplementaryGroups=systemd-network
+
+# this would be ideal because you wouldn't need file permissions
+# on the key so wireguard-proxy could read it, only systemd
+# but only the first of these works which doesn't make this
+# feasible for a template...
+#StandardInput=file:/full/hardcoded/path/to/key_and_cert.pem
+#StandardInput=${WGP_STDIN}
+#StandardInput=file:${WGP_STDIN}
+#StandardInput=file:/etc/wireguard-proxy/%i.pem
+#StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target