#
# LightTPD server in a Wireguard VPN
#
# Once the scenario is running and DHCP is done, you can reach the server from
# your host system via 10.0.9.2:80. The traffic goes through a host
# Wireguard device 'wg0' that puts it into an encrypted UDP tunnel towards the
# TAP device 'tap0', where it enters Qemu and reaches the inner Genode router
# at domain 'uplink'. The inner router port-forwards the traffic to its
# 'downlink' domain, to which the tunnel side (10.0.3.2) of the Genode Wireguard
# component is connected. This component unpacks the original packets
# from the tunnel. The back side of the component is connected to the inner
# Genode router at domain 'uplink' and sends the plain packets unmodified over
# this connection. The router's IP identity in that domain is the Wireguard
# device IP, i.e. the VPN-internal IP 10.0.9.2 of the server. The inner
# router now forwards the different ports to the corresponding peers, in
# this case TCP port 80 to the LightTPD server (10.0.5.2) at the inner
# router domain "downlink".
#
# Shared host/Qemu setup for the Wireguard run scripts (TAP device, host wg0
# side). Its contents are not part of this file; presumably the host wg0 key
# pair and the tunnel endpoint are configured there, matching the 'wireguard'
# peer entry below. Confirm against that file when changing keys or ports.
source ${genode_dir}/repos/dde_linux/run/wg_qemu_tap_preamble.inc

create_boot_directory

# Depot archives used by the scenario: base system and NIC drivers, init and
# the NIC router, and lighttpd together with the libraries it is linked
# against (libc, libssh, openssl, posix, vfs, vfs_lwip, zlib).
import_from_depot [depot_user]/src/[base_src] \
                  [depot_user]/pkg/[drivers_nic_pkg] \
                  [depot_user]/src/init \
                  [depot_user]/src/nic_router \
                  [depot_user]/src/libc \
                  [depot_user]/src/libssh \
                  [depot_user]/src/lighttpd \
                  [depot_user]/src/openssl \
                  [depot_user]/src/posix \
                  [depot_user]/src/vfs \
                  [depot_user]/src/vfs_lwip \
                  [depot_user]/src/zlib

# Init configuration of the scenario. Packet path (inside Genode):
#   drivers (TAP/NIC) -> outer_router -> wireguard -> inner_router -> lighttpd
install_config {
<config>
	<parent-provides>
		<service name="ROM"/>
		<service name="IRQ"/>
		<service name="IO_MEM"/>
		<service name="IO_PORT"/>
		<service name="PD"/>
		<service name="RM"/>
		<service name="CPU"/>
		<service name="LOG"/>
	</parent-provides>

	<start name="timer" caps="100">
		<resource name="RAM" quantum="1M"/>
		<provides> <service name="Timer"/> </provides>
		<route>
			<service name="ROM"> <parent/> </service>
			<service name="PD"> <parent/> </service>
			<service name="CPU"> <parent/> </service>
			<service name="LOG"> <parent/> </service>
		</route>
	</start>

	<!-- NIC driver subsystem (a nested init, configured via the
	     'drivers.config' ROM). It feeds the NIC traffic from Qemu's TAP
	     device into the outer_router as an Uplink session. -->
	<start name="drivers" caps="1000" managing_system="yes">
		<resource name="RAM" quantum="32M"/>
		<binary name="init"/>
		<route>
			<service name="ROM" label="config"> <parent label="drivers.config"/> </service>
			<service name="Timer"> <child name="timer"/> </service>
			<service name="Uplink"> <child name="outer_router"/> </service>
			<service name="IO_MEM"> <parent/> </service>
			<service name="IO_PORT"> <parent/> </service>
			<service name="IRQ"> <parent/> </service>
			<service name="RM"> <parent/> </service>
			<service name="ROM"> <parent/> </service>
			<service name="PD"> <parent/> </service>
			<service name="CPU"> <parent/> </service>
			<service name="LOG"> <parent/> </service>
		</route>
	</start>

	<!-- outer_router: the first router on the encrypted side. Domain
	     'uplink' faces the driver (and thereby the host's tap0); domain
	     'downlink' (10.0.3.1/24) serves exactly one DHCP address,
	     10.0.3.2, to the tunnel-side Nic session of the wireguard
	     component. Only UDP port 49002 (the Wireguard listen port) is
	     forwarded from 'uplink' to that address; everything else arriving
	     on the TAP side is not forwarded. NOTE(review): the header comment
	     of this file calls this first hop the "inner" router; per this
	     config it is outer_router. -->
	<start name="outer_router" caps="200">
		<binary name="nic_router"/>
		<resource name="RAM" quantum="10M"/>
		<provides>
			<service name="Nic"/>
			<service name="Uplink"/>
		</provides>
		<config verbose_domain_state="yes" dhcp_discover_timeout_sec="1">
			<policy label_prefix="drivers" domain="uplink"/>
			<policy label="wireguard -> nic_session" domain="downlink"/>
			<domain name="uplink">
				<udp-forward port="49002" domain="downlink" to="10.0.3.2"/>
			</domain>
			<domain name="downlink" interface="10.0.3.1/24">
				<dhcp-server ip_first="10.0.3.2" ip_last="10.0.3.2" dns_config_from="uplink"/>
			</domain>
		</config>
		<route>
			<service name="Timer"> <child name="timer"/> </service>
			<service name="ROM"> <parent/> </service>
			<service name="PD"> <parent/> </service>
			<service name="CPU"> <parent/> </service>
			<service name="LOG"> <parent/> </service>
		</route>
	</start>

	<!-- inner_router: the router on the plaintext (VPN-internal) side.
	     Domain 'uplink' carries the VPN address 10.0.9.2 and is fed by the
	     wireguard component's Uplink session (use_arp="no", presumably
	     because the tunnel is a point-to-point link without ARP; confirm).
	     Domain 'downlink' (10.0.5.1/24) hands out the single address
	     10.0.5.2 to lighttpd. Only TCP port 80 is forwarded from the VPN to
	     lighttpd; the :443 socket declared in lighttpd.conf below is not
	     reachable through the VPN unless a matching tcp-forward is added. -->
	<start name="inner_router" caps="200">
		<binary name="nic_router"/>
		<resource name="RAM" quantum="10M"/>
		<provides>
			<service name="Nic"/>
			<service name="Uplink"/>
		</provides>
		<config verbose_domain_state="yes" dhcp_discover_timeout_sec="1">
			<policy label="wireguard -> uplink_session" domain="uplink"/>
			<policy label_prefix="lighttpd" domain="downlink"/>
			<domain name="uplink" interface="10.0.9.2/24" use_arp="no">
				<tcp-forward port="80" domain="downlink" to="10.0.5.2"/>
			</domain>
			<domain name="downlink" interface="10.0.5.1/24">
				<dhcp-server ip_first="10.0.5.2" ip_last="10.0.5.2"/>
			</domain>
		</config>
		<route>
			<service name="Timer"> <child name="timer"/> </service>
			<service name="ROM"> <parent/> </service>
			<service name="PD"> <parent/> </service>
			<service name="CPU"> <parent/> </service>
			<service name="LOG"> <parent/> </service>
		</route>
	</start>

	<!-- Genode Wireguard component. Encrypted side: Nic session to
	     outer_router (gets 10.0.3.2, listens on UDP 49002). Plaintext side:
	     Uplink session into inner_router's 'uplink' domain. The single peer
	     is the host wg0 (its public key must match what the preamble sets
	     up on the host); allowed_ip 10.0.9.1/32 restricts the tunnel to the
	     host's VPN address. The private/public keys here are fixed demo
	     keys checked into the run script and therefore public knowledge;
	     they only make sense for this self-contained test and must be
	     regenerated for any deployment derived from it. -->
	<start name="wireguard" caps="200">
		<resource name="RAM" quantum="10M"/>
		<config private_key="8GRSQZMgG1uuvz4APIBqrDmiLj8L886r++hzixjjHFc=" listen_port="49002">
			<peer public_key="r1Gslnm82X8NaijsWzPoSFzDZGl2tTJoPa+EJL4gYQw=" allowed_ip="10.0.9.1/32" />
		</config>
		<route>
			<service name="Timer"> <child name="timer"/> </service>
			<service name="Nic"> <child name="outer_router"/> </service>
			<service name="Uplink"> <child name="inner_router"/> </service>
			<service name="ROM"> <parent/> </service>
			<service name="PD"> <parent/> </service>
			<service name="CPU"> <parent/> </service>
			<service name="LOG"> <parent/> </service>
		</route>
	</start>

	<!-- lighttpd, run via the libc/posix runtime with an lwIP socket FS
	     that obtains 10.0.5.2 by DHCP from inner_router. Serves the inline
	     '/website' directory on port 80. -->
	<start name="lighttpd" caps="200">
		<resource name="RAM" quantum="1G" />
		<config>
			<arg value="lighttpd" />
			<arg value="-f" />
			<arg value="/etc/lighttpd/lighttpd.conf" />
			<arg value="-D" />
			<vfs>
				<!-- /dev/rtc and /dev/random are inline constants: the clock
				     is frozen at 2000-01-01 and the "random" device returns
				     the same 40 bytes every time. This keeps the test
				     deterministic, but it also means any randomness the
				     libc/OpenSSL stack draws from rng="/dev/random" (e.g. for
				     TLS on the :443 socket configured below) is fully
				     predictable. Do not copy this device setup into a
				     scenario that is meant to terminate real TLS. -->
				<dir name="dev">
					<log/>
					<null/>
					<inline name="rtc">2000-01-01 00:00</inline>
					<inline name="random">0123456789012345678901234567890123456789</inline>
				</dir>
				<dir name="socket"> <lwip dhcp="yes"/> </dir>
				<dir name="etc">
					<dir name="lighttpd">
						<!-- Minimal lighttpd config: plain HTTP on port 80
						     serving /website; mod_openssl is loaded and a
						     :443 socket is declared with the inline
						     example.pem, but inner_router forwards only port
						     80, so HTTPS is not exercised by this scenario. -->
						<inline name="lighttpd.conf">
# lighttpd configuration
server.port          = 80
server.document-root = "/website"
server.event-handler = "select"
server.network-backend = "write"
server.upload-dirs = ( "/tmp" )
server.modules = ("mod_openssl")
index-file.names = (
  "index.xhtml", "index.html", "index.htm"
)
mimetype.assign = (
  ".html" => "text/html",
  ".htm"  => "text/html"
)
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/lighttpd/example.pem"
}
						</inline>
						<!-- Self-signed test key pair and certificate embedded in
						     the run script. As the private key is committed here
						     it must be treated as public; it is only suitable for
						     this test scenario. -->
						<inline name="example.pem">
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4KHUZjDRew89c
wDlYPz9XFigcMDnDlHzdg2ByrGZIOUNYC5LH1QUK0TDbPP45Xx455niA0QY85dMQ
4DQx0Qk6+TDpVD3F2MYQgbIX6YkX9kgqX+jiHgsNzRD4KamNYmfUY+dJhlZEXWAF
uNSnRLvg4EH72AVKLLKiruGwkisW/AYU6dNE8iFOYL8Q75bBUADiQSDdD8vkpeXg
1NqxNyHPR6YRbA+vqcK0kbC8btKR9wG6m99OhTR4x3M87vtFFLNtJNEf54fYxi+L
1rljSqHbaXD+XJsVKgX+UlI1ZlYW4KqlMciMemkBp0CovCxLfsbMmkXAW2RONpkm
+sdO3CXFAgMBAAECggEAIKv00nqAVAuzP0ZPJivaZe3lYdLgfKVcXcRQGSgi4U9f
dkBfYxqU0W15mHvCspUAfM85s8jhrW4suwK739axJ4hMOCkc6Hvj78vCt+FT1C96
cCIh4/PmjCVEjHJ/xTifKRwsTWwK5AgY4AsBl0dneabvremOTrGNY7VZDwVvpZz1
qXkSNjQ63tZKj9cESO5ceGLzuBAG6JDDpqJM5fmdsQ36/QVz9Gogr8bXEWFM1TOo
lWVAPB/l6nqKurfMv+5th354+owv9CGKxqLBE1fujwE2VogBz7mkR/rnABOPU5ev
wQVLXoUkO2bI8Uvc28lChaiG6ihfdmNCmwoi56HFRQKBgQDj0WoIxiY7H42KV7Hh
uQZv/0aoQyjXuqJ7Vq0HdxOAxZr0GpSYgo3MTZWooI2AnAstPHXo0BsQr+XVijWm
xiDxMM4p9nrBzjEIHwyDaf62Pz/6lIPdenynLiEIOUbocJ3r0/3tCrY3U7fgjzYY
f9PZmXKEOOKdbVPyXG0OIJ/ADwKBgQDO8GkCdVGy/YB0X7ntqcBG0xgmDnKRmYpQ
X7Tb377AT2lzvftxaRVrx+UXtvFdy4xdrxjqHJCgOHT/fsAfjJlo7v1+KhTvE0pt
jCdJPLbzXJRwaISaeEaMJ/N8Vv/j2/YuoS5M5vh4NlWeO16HtF7N9V9cMEZ5iRW1
9G/eWgOo6wKBgQCY6rn3xblnuhgxogd+ccmGZ50v2FST6WyiyV0/Q4hNyVXnP+g6
LneriPBJzertRtChvpGOghGIs+jb2veESD1YZ+Aafp2LdTGoN98YXo9gGTiCpCmX
Al6lgOsfMAMOhnkaEKPC9ou0u3cTPk2bSEIVL1CUu/IwpW/RoIR7FR7ltQKBgQDA
RAmsqQfhPzqL5SzALclhhFuZcC7uLDOf/WvyJW37C000pjzp3/JxE2Y8pFKZDLc7
i6WgTi3pTssVXtRt+5nFLtcC02Jjxg6OvXr6xphMf6XC0rjxM/KH4c6Npd9V+1Y9
eK+l76rHNeRSgWKQvvqebO3On2O7I6yyQ4t0kTl5RQKBgQCbX1cTtNmNr6HNleXL
zfclKESSYy57uq3fQxhRrEE2ZNbemLOxEuoBCFYoMwpZEjC1GZyICrM7o5673/Ih
I0oZerUBmt2l8noZCQoITEa97bCbp2vIdHYnCf/H3Nf2qM329fc00kAmm7vUVRgM
4BqXnuFcAOuY68sgp9JArzK+EQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUYPOYXijLmMjjlgRCGHuZeyP0iPEwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxDTALBgNVBAoM
BFRlc3QxEjAQBgNVBAMMCTEwLjAuMi41NTAeFw0yMDA1MTQxNDQ0MzlaFw00NzA5
MzAxNDQ0MzlaMEUxCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0w
CwYDVQQKDARUZXN0MRIwEAYDVQQDDAkxMC4wLjIuNTUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC4KHUZjDRew89cwDlYPz9XFigcMDnDlHzdg2ByrGZI
OUNYC5LH1QUK0TDbPP45Xx455niA0QY85dMQ4DQx0Qk6+TDpVD3F2MYQgbIX6YkX
9kgqX+jiHgsNzRD4KamNYmfUY+dJhlZEXWAFuNSnRLvg4EH72AVKLLKiruGwkisW
/AYU6dNE8iFOYL8Q75bBUADiQSDdD8vkpeXg1NqxNyHPR6YRbA+vqcK0kbC8btKR
9wG6m99OhTR4x3M87vtFFLNtJNEf54fYxi+L1rljSqHbaXD+XJsVKgX+UlI1ZlYW
4KqlMciMemkBp0CovCxLfsbMmkXAW2RONpkm+sdO3CXFAgMBAAGjUzBRMB0GA1Ud
DgQWBBQvSHuosL/SDn/8sKl0dpyPeFvOfjAfBgNVHSMEGDAWgBQvSHuosL/SDn/8
sKl0dpyPeFvOfjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBR
sGYEuRwIU/tmAmTbniptItN9VE0NNj9QeKh+hKQ9cHvhxmlBlf5b7Vb2JaRZdy88
kRIFKiNkyjgQVg+5KuEIcg17mHSal7zG+jIZ3c1bIpVCM4AjUe7EXl8LM4+dJ5sX
Bwpd34tUk2edOiT8R/dU7uesxCdeIQ2FfvKyrXca73nj+UTvFGXUk/9mWY8KAaYc
F/PWBhiZhJD4/dkUHJnrVtjpcqW2Io8bFmrMq2vfqQv+W2FZGCsHgXkAZO2E0jyQ
5eOrwzgWRtMc5PvoGvqQfefseaLs0fvSQdcPqfv88Eqk5NGTOCIW8/KEsBwFJuwa
EpA5DBBklj8UE2CdONvN
-----END CERTIFICATE-----
						</inline>
					</dir>
				</dir>
				<!-- Document root served on port 80: a single static page. -->
				<dir name="website">
					<inline name="index.html">
<html>
	<head>
		<title>Hello</title>
	</head>
	<body>
		<p>Hello Genode!</p>
		<b>I am bold ;-)</b>
	</body>
</html>
					</inline>
				</dir>
				<!-- RAM-backed /tmp, referenced by server.upload-dirs. -->
				<dir name="tmp"> <ram/> </dir>
			</vfs>
			<!-- NOTE(review): rtc is given as "/dev/rtc/" with a trailing
			     slash while the inline file is /dev/rtc; confirm the libc
			     accepts this spelling or drop the slash. -->
			<libc stdin="/dev/null" stdout="/dev/log" stderr="/dev/log"
			      rtc="/dev/rtc/" rng="/dev/random" socket="/socket"/>
		</config>
		<route>
			<service name="Nic"> <child name="inner_router"/> </service>
			<service name="Timer"> <child name="timer"/> </service>
			<service name="ROM"> <parent/> </service>
			<service name="PD"> <parent/> </service>
			<service name="CPU"> <parent/> </service>
			<service name="LOG"> <parent/> </service>
		</route>
	</start>
</config>
}

# Only the Wireguard component is built from source; everything else comes
# from the depot archives imported above.
build { app/wireguard }

build_boot_image { wireguard }

# Interactive scenario: runs until the user terminates it (no log pattern to
# wait for).
run_genode_until forever