From 2c902bdddf56adab80116fdf18929876e5a89e88 Mon Sep 17 00:00:00 2001
From: moparisthebest
Date: Sun, 22 Dec 2019 01:54:52 -0500
Subject: [PATCH] Add example hardened systemd template unit
---
systemd/client.conf | 11 ++++++
systemd/server.conf | 14 ++++++++
systemd/wireguard-proxy@.service | 59 ++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+)
create mode 100644 systemd/client.conf
create mode 100644 systemd/server.conf
create mode 100644 systemd/wireguard-proxy@.service
diff --git a/systemd/client.conf b/systemd/client.conf
new file mode 100644
index 0000000..26c502e
--- /dev/null
+++ b/systemd/client.conf
@@ -0,0 +1,11 @@
+# refer to wireguard-proxy --help for info on what these are
+
+WGP_TCP_TARGET=192.168.1.1:5555
+#WGP_TCP_TARGET=example.org:5555
+WGP_UDP_HOST=127.0.0.1:51820
+
+#WGP_TLS=true
+#WGP_PINNEDPUBKEY=sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=
+#WGP_TLS_HOSTNAME=example.org
+
+#WGP_SOCKET_TIMEOUT=0
diff --git a/systemd/server.conf b/systemd/server.conf
new file mode 100644
index 0000000..0cac9eb
--- /dev/null
+++ b/systemd/server.conf
@@ -0,0 +1,14 @@
+# refer to wireguard-proxy --help for info on what these are
+
+WGP_TCP_HOST=0.0.0.0:5555
+WGP_UDP_TARGET=127.0.0.1:51820
+WGP_UDP_BIND_HOST_RANGE=127.0.0.1:30000-40000
+
+# if you don't want proper cert generate with:
+# openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout key.pem
+# optionally (but recommended) extract pinnedpubkey hash from the above generated cert like so:
+# openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+#WGP_TLS_KEY=/etc/wireguard-proxy/key.pem
+#WGP_TLS_CERT=/etc/wireguard-proxy/cert.pem
+
+#WGP_SOCKET_TIMEOUT=0
diff --git a/systemd/wireguard-proxy@.service b/systemd/wireguard-proxy@.service
new file mode 100644
index 0000000..f84b91d
--- /dev/null
+++ b/systemd/wireguard-proxy@.service
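Review bot: The header comment `# refer to wireguard-proxy --help for info on what these are` in both client.conf and server.conf does not say how the file is consumed; from the unit in this commit it is read through `EnvironmentFile=/etc/wireguard-proxy/%i.conf`, so the instance name selects the file and the syntax is systemd's EnvironmentFile format rather than a shell script. Suggest adding to both files a line such as `# loaded by wireguard-proxy@.service via EnvironmentFile=; the instance name (wireguard-proxy@<name>) is this file's basename`. In server.conf the `openssl req ... -keyout key.pem` recipe leaves key.pem with whatever mode the umask gives, which is commonly world-readable, while the unit relies on group ownership to let the service read it; a follow-up line like `# then: chown root:<group named in SupplementaryGroups=> key.pem && chmod 640 key.pem` would keep the private key's exposure in line with the unit's intent.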
@@ -0,0 +1,59 @@
+[Unit]
+Description=wireguard-proxy for %I
+After=network-online.target nss-lookup.target
+Wants=network-online.target nss-lookup.target
+StartLimitIntervalSec=0
+Documentation=https://code.moparisthebest.com/moparisthebest/wireguard-proxy
+Documentation=https://github.com/moparisthebest/wireguard-proxy
+
+[Service]
+EnvironmentFile=/etc/wireguard-proxy/%i.conf
+ExecStart=/usr/bin/wireguard-proxy
+Restart=always
+RestartSec=1s
+# anything under here isn't strictly needed, but probably good
+# to lock this down with the minimal permissions necessary
+# which are not many at all
+User=wireguard-proxy
+DynamicUser=yes
+ConfigurationDirectory=wireguard-proxy
+ConfigurationDirectoryMode=0750
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=net
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+SystemCallArchitectures=native
+# these are just needed to bind to low ports
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# this is any existing group the key/cert can be owned by
+# so that our random user can read them
+# not needed at all without TLS, can comment out
+# see https://github.com/systemd/systemd/issues/9535
+SupplementaryGroups=systemd-network
+
+# this would be ideal because you wouldn't need file permissions
+# on the key so wireguard-proxy could read it, only systemd
+# but only the first of these works which doesn't make this
+# feasible for a template...
+#StandardInput=file:/full/hardcoded/path/to/key_and_cert.pem
+#StandardInput=${WGP_STDIN}
+#StandardInput=file:${WGP_STDIN}
+#StandardInput=file:/etc/wireguard-proxy/%i.pem
+#StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
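Review bot: `RestrictNamespaces=net` in the [Service] section is looser than the "minimal permissions" comment above it suggests: a list of namespace types is an allow-list, so this permits the process to create network namespaces, and unless the binary needs that, `RestrictNamespaces=true` is the tighter setting. The unit also carries no `SystemCallFilter=`, so the seccomp side of the sandbox is empty; `SystemCallFilter=@system-service` with `SystemCallFilter=~@privileged @resources` is the usual baseline for a daemon of this shape, assuming the binary makes no calls outside that set. The ambient `CAP_NET_BIND_SERVICE` is granted unconditionally even though the client.conf and server.conf shipped in this commit bind 5555 and 51820, which need no capability, so the default could be an empty `CapabilityBoundingSet=` with the two capability lines kept as a commented-out opt-in for ports below 1024. Lastly, reusing `systemd-network` in `SupplementaryGroups=` makes the TLS private key readable by every member of that group; a group created solely for the key is narrower, and on systemd versions that have it `LoadCredential=` hands the key to the service without any file permissions, which is what the commented-out StandardInput block is reaching for.
```ini
[Service]
# … unchanged: EnvironmentFile, ExecStart, Restart, DynamicUser, Protect*/Private* …
# the proxy creates no namespaces, so forbid all of them
# (listing types, e.g. "net", would allow those types instead)
RestrictNamespaces=true
# allow-list of syscalls a normal service needs; confirm the
# binary needs nothing outside it before relying on this
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# drop every capability by default; only a listening port below
# 1024 needs CAP_NET_BIND_SERVICE, in which case replace the empty
# line with the two commented lines below
CapabilityBoundingSet=
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
# … unchanged: SupplementaryGroups, StandardInput notes, [Install] …
```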