diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..11c7aa2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,37 @@ +# Build output +output/ +*.img +*.qcow2 + +# Chroot directory (created during build) +chroot/ + +# Mount points +mount/ + +# WireGuard keys (never commit these!) +client-private.key +client-public.key +server-private.key +server-public.key + +# Temporary files +*.tmp +*.bak +*~ + +# IDE/editor files +.vscode/ +.idea/ +*.swp +*.swo +*~ + +# OS files +.DS_Store +Thumbs.db + +# Build artifacts +*.deb +*.tar.gz +*.tar.xz diff --git a/QUICKSTART.md b/QUICKSTART.md new file mode 100644 index 0000000..c66c311 --- /dev/null +++ b/QUICKSTART.md 
@@ -0,0 +1,73 @@ +# Football Build Quick Reference + +## Build Steps + +```bash +# 1. Install dependencies +sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools + +# 2. Generate WireGuard keys +wg genkey | tee client-private.key | wg pubkey > client-public.key + +# 3. Edit build.sh with your configuration +nano build.sh +# Set: WG_ENDPOINT_IP, WG_ENDPOINT_PORT, WG_PRIVATE_KEY, WG_PUBLIC_KEY + +# 4. Build the image +./build.sh + +# 5. Deploy +# For VM: +qemu-system-x86_64 -m 2048 -drive file=output/football-vm.qcow2,format=qcow2 + +# For physical: +sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress +``` + +## Key Configuration Variables (in build.sh) + +```bash +WG_ENDPOINT_IP="192.0.2.1" # WireGuard server IP +WG_ENDPOINT_PORT="51820" # WireGuard server port +WG_PRIVATE_KEY="..." # Client private key (from wg genkey) +WG_PUBLIC_KEY="..." # Server public key +``` + +## File Locations + +- Build script: `./build.sh` +- Package list: `config/packages.list` +- Hardening script: `config/harden.sh` +- User config: `chroot-overlay/home/user/` +- System services: `chroot-overlay/etc/systemd/system/` +- WireGuard config: `chroot-overlay/etc/wireguard/` + +## Quick Troubleshooting + +| Issue | Command | +|-------|---------| +| WireGuard status | `sudo wg show` | +| Firewall rules | `sudo iptables -L -n -v` | +| System logs | `sudo journalctl -xe` | +| Network status | `ip addr show` | + +## Security Checklist + +- [ ] Generated unique WireGuard keys +- [ ] Changed default password (`changeme`) +- [ ] Verified WireGuard endpoint connectivity +- [ ] Configured Remmina profile for PAW +- [ ] Enabled Secure Boot on physical hardware +- [ ] Tested firewall rules +- [ ] Verified no remote access services running + +## File Structure + +``` +football/ +├── build.sh # Run this to build +├── config/ # Build configuration +├── chroot-overlay/ # System files to overlay +├── output/ # Generated images (created after build) +└── README.md # Full 
documentation +``` diff --git a/README.md b/README.md index 7994f32..454cad4 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,314 @@ -# football +# Football - Minimal Debian Secure Access System -Fully self contained , very stripped and locked down Debian image intended for deployment onto physical access only system (Dell Laptop) (called football-(x) to be used for remote (RDP) access to another high security physical system (highside) which is a privileged access workstation in the KNEL server room. \ No newline at end of file +Fully self-contained, stripped-down, and locked-down Debian image intended for deployment onto physical access-only systems (Dell Laptop) called football-(x). Used for remote RDP access to high-security physical systems (highside) which are privileged access workstations in the KNEL server room. + +## Overview + +Football is a minimal Debian system designed for secure remote access to privileged infrastructure. It enforces strict network controls where **ALL traffic must pass through a WireGuard VPN tunnel**, with direct network access completely blocked. + +## Architecture + +### Security Model + +- **Zero remote access**: No SSH, telnet, or any inbound services +- **WireGuard-only networking**: All traffic routed through mandatory VPN tunnel +- **Secure Boot enforced**: Kernel and bootloader signatures verified +- **Minimal attack surface**: Only IceWM and Remmina installed +- **Local console only**: No remote administration capabilities + +### Network Configuration + +``` +Physical Interface (eth0) +├─ DHCP: Allowed (for IP acquisition) +└─ WireGuard: ONLY allowed connection to configured endpoint + └─ Endpoint: WG_ENDPOINT_IP:WG_ENDPOINT_PORT (configurable) + +WireGuard Interface (wg0) +└─ ALL outbound traffic + └─ VPN endpoint → PAW (Privileged Access Workstation) +``` + +### Firewall Rules + +- **INPUT**: DROP (except lo, WireGuard keepalive, and DHCP) +- **OUTPUT**: DROP on eth0 (except to WireGuard endpoint) +- **FORWARD**: DROP +- **OUTPUT on wg0**: ACCEPT (all VPN traffic) + +## Quick Start + +### Prerequisites + +```bash +# Install build 
dependencies +sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools +``` + +### Generate WireGuard Keys + +```bash +# Generate client key pair +wg genkey | tee client-private.key | wg pubkey > client-public.key + +# Add client public key to WireGuard server configuration +# Server configuration (on your WireGuard VPN server): +# [Peer] +# PublicKey = $(cat client-public.key) +# AllowedIPs = 10.100.0.2/32 +``` + +### Configure Build + +Edit `build.sh` and set the following variables: + +```bash +WG_ENDPOINT_IP="192.0.2.1" # Your WireGuard server IP +WG_ENDPOINT_PORT="51820" # Your WireGuard server port +WG_PRIVATE_KEY="$(cat client-private.key)" # Client private key +WG_PUBLIC_KEY="" # Server public key +``` + +### Build Image + +```bash +./build.sh +``` + +This creates: +- `output/football-physical.img` - Raw image for physical hardware +- `output/football-vm.qcow2` - QCOW2 image for virtual machines + +### Deploy + +#### Virtual Machine + +```bash +qemu-system-x86_64 \ + -m 2048 \ + -drive file=output/football-vm.qcow2,format=qcow2 +``` + +#### Physical System + +1. Write raw image to USB or disk: + ```bash + sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress + ``` + +2. Boot system with UEFI Secure Boot enabled + +3. 
Change default user password (`changeme`) + +## Directory Structure + +``` +football/ +├── build.sh # Main build script +├── config/ +│ ├── packages.list # Minimal package list +│ ├── harden.sh # System hardening script +│ ├── secureboot.sh # Secure Boot configuration +│ └── setup-wireguard.sh # WireGuard setup script +├── chroot-overlay/ # Files copied to built system +│ ├── etc/ +│ │ ├── systemd/system/ # Systemd services +│ │ ├── wireguard/ # WireGuard config templates +│ │ └── network/interfaces # Network configuration +│ └── home/user/ # User configuration +│ ├── .bashrc +│ ├── .xinitrc +│ ├── .icewm/preferences +│ └── Desktop/README.txt +└── output/ # Generated images (not in git) +``` + +## Security Features + +### Hardening Measures + +1. **Network Isolation** + - All inbound traffic blocked + - Only WireGuard traffic allowed on physical interface + - Mandatory VPN tunnel for all outbound traffic + +2. **Service Restrictions** + - SSH server disabled and masked + - All remote access services removed + - Bluetooth disabled + - Unnecessary kernel modules disabled + +3. **Secure Boot** + - GRUB locked with password protection + - Kernel lockdown mode enabled + - Signed bootloader (shim-signed) + - EFI variables write-protected + +4. **Application Whitelisting** + - Only IceWM and Remmina installed + - No development tools + - Minimal command-line utilities + +5. 
**System Hardening** + - AppArmor enforcing + - Fail2Ban enabled + - Auditd logging + - Core dumps disabled + - Strict umask (077) + +### Firewall Rules (Detailed) + +```bash +# IPv4 Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Allow loopback +iptables -A INPUT -i lo -j ACCEPT +iptables -A OUTPUT -o lo -j ACCEPT + +# Allow WireGuard to endpoint on eth0 +iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP \ + -p udp --dport $WG_ENDPOINT_PORT -j ACCEPT +iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP \ + -p udp --sport $WG_ENDPOINT_PORT -j ACCEPT + +# Allow DHCP on eth0 +iptables -A OUTPUT -o eth0 -p udp --dport 67 -j ACCEPT +iptables -A INPUT -i eth0 -p udp --sport 67 -j ACCEPT + +# Allow ALL traffic on WireGuard interface +iptables -A INPUT -i wg0 -j ACCEPT +iptables -A OUTPUT -o wg0 -j ACCEPT +``` + +## Usage + +### Default User + +- **Username**: `user` +- **Password**: `changeme` (CHANGE IMMEDIATELY!) + +### Automatic Startup + +1. Login triggers automatic IceWM start +2. Remmina launches automatically +3. WireGuard tunnel establishes automatically +4. Use Remmina to connect to PAW + +### Remmina Configuration + +Create Remmina profiles in: +- Path: `/home/user/.local/share/remmina/` +- Protocol: RDP or VNC (as needed) +- Server: PAW internal IP via WireGuard + +### System Administration + +**Local console access only:** + +```bash +# Check WireGuard status +sudo wg show + +# View firewall rules +sudo iptables -L -n -v + +# Check logs +sudo journalctl -u wg-quick@wg0 +sudo journalctl -u block-remote-access +``` + +## Troubleshooting + +### WireGuard Connection Fails + +1. Verify endpoint IP and port +2. Check firewall rules allow WireGuard +3. Verify keys are correctly configured +4. Check WireGuard server logs + +### Network Blocked + +1. Confirm WireGuard interface is up: `ip link show wg0` +2. Check firewall: `sudo iptables -L -n -v` +3. Verify WireGuard config: `sudo wg show` + +### Secure Boot Issues + +1. 
Ensure UEFI is enabled +2. Verify Microsoft UEFI CA is installed +3. Check Secure Boot status: `mokutil --sb-state` + +### System Won't Boot + +1. Verify UEFI boot mode (not legacy BIOS) +2. Check GRUB installation +3. Review kernel logs from boot + +## Advanced Configuration + +### Customizing the Build + +Edit `config/packages.list` to add/remove packages +Modify `chroot-overlay/` to customize system files + +### Changing Image Size + +Edit `build.sh`: +```bash +DISK_SIZE_MB=8192 # Change to desired size in MB +``` + +### Multiple Deployment Profiles + +Create different `build.sh` variants with different configurations for various deployment scenarios. + +## Security Considerations + +### Before Deployment + +1. ✅ Generate unique WireGuard keys per deployment +2. ✅ Change default password +3. ✅ Verify Secure Boot configuration +4. ✅ Test WireGuard connection +5. ✅ Verify firewall rules +6. ✅ Configure PAW connection in Remmina + +### During Operation + +1. ✅ Monitor WireGuard connection +2. ✅ Review audit logs regularly +3. ✅ Keep system updated (manual, controlled updates) +4. ✅ Physical security of device + +### Incident Response + +If compromise suspected: +1. Isolate system physically +2. Preserve logs and memory dump +3. Contact security team +4. Destroy/rebuild system from scratch + +## Compliance + +This system is designed to support: +- NIST SP 800-171 controls +- CIS Benchmarks for Debian +- Zero Trust network architecture principles +- Privileged Access Management (PAM) best practices + +## License + +See LICENSE file. + +## Support + +For issues or questions: +- Contact: Infrastructure Security Team +- Location: KNEL server room + +--- + +**WARNING**: This is a security-focused build system. Unauthorized modifications or deployments may compromise infrastructure security. \ No newline at end of file diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..3ce22f5 --- /dev/null +++ b/build.sh 
@@ -0,0 +1,311 @@ +#!/bin/bash +# Build script for football minimal Debian image +# Creates hardened Debian system with WireGuard-only network access + +set -e + +# ============================================================================ +# CONFIGURATION VARIABLES - ADJUST THESE FOR YOUR ENVIRONMENT +# ============================================================================ + +# Debian version +DEBIAN_VERSION="bookworm" + +# WireGuard endpoint configuration +WG_ENDPOINT_IP="192.0.2.1" # REPLACE with your WireGuard server IP +WG_ENDPOINT_PORT="51820" # REPLACE with your WireGuard server port +WG_PRIVATE_KEY="" # REQUIRED: Private key for this client +WG_PUBLIC_KEY="" # REQUIRED: Public key of VPN server + +# Build configuration +BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +CHROOT_DIR="$BUILD_DIR/chroot" +OUTPUT_DIR="$BUILD_DIR/output" +IMAGE_NAME="football" + +# Image sizes (in MB) +DISK_SIZE_MB=8192 # 8GB for minimal install + +# ============================================================================ +# VALIDATION +# ============================================================================ + +echo "=============================================" +echo "Football Minimal Debian Image Build Script" +echo "=============================================" + +if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then + echo "" + echo "ERROR: WireGuard keys not configured!" 
+ echo "" + echo "You must set the following variables in this script:" + echo " - WG_ENDPOINT_IP: Your WireGuard server IP" + echo " - WG_ENDPOINT_PORT: Your WireGuard server port" + echo " - WG_PRIVATE_KEY: This client's WireGuard private key" + echo " - WG_PUBLIC_KEY: VPN server's WireGuard public key" + echo "" + echo "To generate keys for this client:" + echo " wg genkey | tee private.key | wg pubkey > public.key" + echo "" + exit 1 +fi + +echo "WireGuard endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT" + +# ============================================================================ +# PREPARE BUILD ENVIRONMENT +# ============================================================================ + +echo "" +echo "[1/9] Preparing build environment..." + +# Clean up previous builds +if [ -d "$CHROOT_DIR" ]; then + echo "Removing previous chroot directory..." + sudo rm -rf "$CHROOT_DIR" +fi + +mkdir -p "$CHROOT_DIR" +mkdir -p "$OUTPUT_DIR" + +# Install required tools +sudo apt-get update +sudo apt-get install -y debootstrap qemu-utils kpartx squashfs-tools + +# ============================================================================ +# BOOTSTRAP MINIMAL DEBIAN SYSTEM +# ============================================================================ + +echo "" +echo "[2/9] Bootstrapping minimal Debian $DEBIAN_VERSION..." + +sudo debootstrap \ + --arch=amd64 \ + --variant=minbase \ + $DEBIAN_VERSION \ + "$CHROOT_DIR" \ + http://deb.debian.org/debian + +# ============================================================================ +# CONFIGURE APT SOURCES +# ============================================================================ + +echo "" +echo "[3/9] Configuring APT sources..." 
+ +cat << 'EOF' | sudo tee "$CHROOT_DIR/etc/apt/sources.list" +deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware +deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware +EOF + +# ============================================================================ +# INSTALL PACKAGES +# ============================================================================ + +echo "" +echo "[4/9] Installing packages..." + +# Mount necessary filesystems for chroot +sudo mount -t proc /proc "$CHROOT_DIR/proc" +sudo mount -t sysfs /sys "$CHROOT_DIR/sys" +sudo mount -o bind /dev "$CHROOT_DIR/dev" + +# Copy package list to chroot +sudo cp "$BUILD_DIR/config/packages.list" "$CHROOT_DIR/tmp/packages.list" + +# Install packages in chroot +sudo chroot "$CHROOT_DIR" bash -c " + export DEBIAN_FRONTEND=noninteractive + apt-get update + apt-get install -y $(cat /tmp/packages.list | grep -v '^#' | grep -v '^$' | tr '\n' ' ') + rm /tmp/packages.list +" + +# ============================================================================ +# APPLY CHROOT OVERLAY +# ============================================================================ + +echo "" +echo "[5/9] Applying chroot overlay..." + +# Copy overlay files +sudo cp -r "$BUILD_DIR/chroot-overlay/"* "$CHROOT_DIR/" + +# Set up user account +sudo chroot "$CHROOT_DIR" bash -c " + useradd -m -s /bin/bash user + echo 'user:changeme' | chpasswd + mkdir -p /home/user/.icewm +" + +# ============================================================================ +# CONFIGURE WIREGUARD +# ============================================================================ + +echo "" +echo "[6/9] Configuring WireGuard..." 
+ +# Setup WireGuard configuration with keys +sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \ + WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \ + WG_PRIVATE_KEY="$WG_PRIVATE_KEY" \ + WG_PUBLIC_KEY="$WG_PUBLIC_KEY" \ + chroot "$CHROOT_DIR" bash -c ' + # Replace placeholders in WireGuard config + sed -e "s||$WG_PRIVATE_KEY|g" \ + -e "s||$WG_PUBLIC_KEY|g" \ + -e "s||$WG_ENDPOINT_IP|g" \ + -e "s||$WG_ENDPOINT_PORT|g" \ + /etc/wireguard/wg0.conf.template > /etc/wireguard/wg0.conf + + # Secure the configuration + chmod 600 /etc/wireguard/wg0.conf + echo "WireGuard configured for endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT" +' + +# ============================================================================ +# RUN HARDENING SCRIPT +# ============================================================================ + +echo "" +echo "[7/9] Running hardening script..." + +sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \ + WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \ + chroot "$CHROOT_DIR" bash /tmp/harden.sh + +# Copy hardening script to chroot first +sudo cp "$BUILD_DIR/config/harden.sh" "$CHROOT_DIR/tmp/harden.sh" +sudo chroot "$CHROOT_DIR" bash -c " + export WG_ENDPOINT_IP=$WG_ENDPOINT_IP + export WG_ENDPOINT_PORT=$WG_ENDPOINT_PORT + bash /tmp/harden.sh + rm /tmp/harden.sh +" + +# ============================================================================ +# ENABLE SYSTEMD SERVICES +# ============================================================================ + +echo "" +echo "[8/9] Configuring systemd services..." + +sudo chroot "$CHROOT_DIR" bash -c " + systemctl enable block-remote-access.service + systemctl enable wg-quick@wg0 + systemctl set-default graphical.target +" + +# ============================================================================ +# CLEANUP +# ============================================================================ + +echo "" +echo "Cleaning up..." 
+ +# Unmount filesystems +sudo umount "$CHROOT_DIR/dev" || true +sudo umount "$CHROOT_DIR/proc" || true +sudo umount "$CHROOT_DIR/sys" || true + +# Clean apt cache +sudo rm -rf "$CHROOT_DIR/var/cache/apt/archives/"* +sudo rm -rf "$CHROOT_DIR/tmp/"* + +# ============================================================================ +# CREATE IMAGES +# ============================================================================ + +echo "" +echo "[9/9] Creating disk images..." + +# Create raw disk image for physical system +RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img" +echo "Creating raw image: $RAW_IMAGE" +qemu-img create -f raw "$RAW_IMAGE" ${DISK_SIZE_MB}M + +# Setup partition table +sudo sfdisk "$RAW_IMAGE" << EOF +label: gpt +unit: sectors +size=512MiB,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B +type=0FC63DAF-8483-4772-8E79-3D69D8477DE4 +EOF + +# Setup loop device +LOOP_DEV=$(sudo losetup -f --show -P "$RAW_IMAGE") +echo "Using loop device: $LOOP_DEV" + +# Create filesystems +sudo mkfs.vfat -F32 "${LOOP_DEV}p1" +sudo mkfs.ext4 "${LOOP_DEV}p2" + +# Mount and copy files +sudo mkdir -p "$BUILD_DIR/mount/efi" "$BUILD_DIR/mount/root" +sudo mount "${LOOP_DEV}p1" "$BUILD_DIR/mount/efi" +sudo mount "${LOOP_DEV}p2" "$BUILD_DIR/mount/root" + +# Copy chroot contents +sudo cp -a "$CHROOT_DIR"/. 
"$BUILD_DIR/mount/root/" + +# Install GRUB - use device mapping for proper installation +sudo kpartx -av "$RAW_IMAGE" +GRUB_DEVICE="/dev/mapper/$(basename $LOOP_DEV)p2" +EFI_DEVICE="/dev/mapper/$(basename $LOOP_DEV)p1" + +# Bind mounts needed for GRUB install +sudo mount --bind /dev "$BUILD_DIR/mount/root/dev" +sudo mount --bind /proc "$BUILD_DIR/mount/root/proc" +sudo mount --bind /sys "$BUILD_DIR/mount/root/sys" + +# Create /boot/efi mount point +sudo mkdir -p "$BUILD_DIR/mount/root/boot/efi" +sudo mount -t vfat "$EFI_DEVICE" "$BUILD_DIR/mount/root/boot/efi" + +# Install GRUB +sudo chroot "$BUILD_DIR/mount/root" grub-install --target=x86_64-efi \ + --efi-directory=/boot/efi --bootloader-id=debian --no-floppy /dev/sda +sudo chroot "$BUILD_DIR/mount/root" update-grub + +# Cleanup mounts +sudo umount "$BUILD_DIR/mount/root/boot/efi" || true +sudo umount "$BUILD_DIR/mount/root/sys" || true +sudo umount "$BUILD_DIR/mount/root/proc" || true +sudo umount "$BUILD_DIR/mount/root/dev" || true +sudo kpartx -dv "$RAW_IMAGE" + +# Unmount +sudo umount "$BUILD_DIR/mount/efi" "$BUILD_DIR/mount/root" +sudo losetup -d "$LOOP_DEV" +sudo rm -rf "$BUILD_DIR/mount" + +# Create qcow2 image for VM +QCOW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-vm.qcow2" +echo "Creating qcow2 image: $QCOW_IMAGE" +qemu-img convert -f raw -O qcow2 "$RAW_IMAGE" "$QCOW_IMAGE" + +# ============================================================================ +# SUMMARY +# ============================================================================ + +echo "" +echo "=============================================" +echo "BUILD COMPLETE" +echo "=============================================" +echo "" +echo "Images created:" +echo " Physical system: $RAW_IMAGE" +echo " Virtual Machine: $QCOW_IMAGE" +echo "" +echo "WireGuard configuration:" +echo " Endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT" +echo "" +echo "IMPORTANT SECURITY NOTES:" +echo " 1. All network traffic MUST go through WireGuard" +echo " 2. 
Direct network access is BLOCKED" +echo " 3. Change default user password: 'changeme'" +echo " 4. Configure Secure Boot keys for physical deployment" +echo " 5. Test WireGuard connection before deployment" +echo "" +echo "For VM: qemu-system-x86_64 -m 2048 -drive file=$QCOW_IMAGE,format=qcow2" +echo "" diff --git a/chroot-overlay/etc/default/rcS b/chroot-overlay/etc/default/rcS new file mode 100644 index 0000000..93c812a --- /dev/null +++ b/chroot-overlay/etc/default/rcS @@ -0,0 +1,18 @@ +# Football Secure Access System +# Minimal Debian image for privileged access workstation operations + +# Local user setup +export LC_ALL=C + +# Minimal systemd target - graphical only +default graphical.target + +# Disable remote access services +ssh: NO +telnet: NO +ftp: NO +smtp: NO + +# Enable only necessary services +network-manager: YES +display-manager: NO # We'll use startx manually diff --git a/chroot-overlay/etc/network/interfaces b/chroot-overlay/etc/network/interfaces new file mode 100644 index 0000000..bc9f7ed --- /dev/null +++ b/chroot-overlay/etc/network/interfaces @@ -0,0 +1,12 @@ +# Network interfaces configuration for football system +# Minimal setup - only physical interface for WireGuard + +# Physical interface - use NetworkManager or static +# This interface is ONLY for WireGuard connection + +# Example for DHCP (NetworkManager managed): +# Physical interface will be configured by NetworkManager +# No other network services allowed + +# WireGuard interface (tunnel - all traffic goes here) +# This interface will be brought up by wg-quick diff --git a/chroot-overlay/etc/systemd/system/block-remote-access.service b/chroot-overlay/etc/systemd/system/block-remote-access.service new file mode 100644 index 0000000..024b30f --- /dev/null +++ b/chroot-overlay/etc/systemd/system/block-remote-access.service 
@@ -0,0 +1,14 @@ +[Unit] +Description=Apply strict firewall - WireGuard only +After=network.target wg-quick@wg0.service + +[Service] +Type=oneshot +ExecStart=/bin/systemctl mask ssh.service sshd.service telnet.socket 2>/dev/null || true +ExecStart=/bin/systemctl stop ssh.service sshd.service 2>/dev/null || true +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4 +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 2>/dev/null || true +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/chroot-overlay/etc/systemd/system/getty@tty1.service.d/override.conf b/chroot-overlay/etc/systemd/system/getty@tty1.service.d/override.conf new file mode 100644 index 0000000..835fbef --- /dev/null +++ b/chroot-overlay/etc/systemd/system/getty@tty1.service.d/override.conf @@ -0,0 +1,12 @@ +[Unit] +Description=Autologin user session for IceWM +After=systemd-user-sessions.service + +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin user --noclear tty1 %I $TERM +Type=idle +Restart=always + +[Install] +WantedBy=getty.target diff --git a/chroot-overlay/etc/systemd/system/iptables-block-remote.service b/chroot-overlay/etc/systemd/system/iptables-block-remote.service new file mode 100644 index 0000000..8b8c5a0 --- /dev/null +++ b/chroot-overlay/etc/systemd/system/iptables-block-remote.service @@ -0,0 +1,13 @@ +[Unit] +Description=Firewall Rules to Block Remote Access +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4 +ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/chroot-overlay/etc/wireguard/wg0.conf.template b/chroot-overlay/etc/wireguard/wg0.conf.template new file mode 100644 index 0000000..2ae4fc9 --- /dev/null +++ b/chroot-overlay/etc/wireguard/wg0.conf.template 
@@ -0,0 +1,19 @@ +# WireGuard configuration for football system +# ALL TRAFFIC MUST GO THROUGH THIS TUNNEL +# Template - will be configured during build + +[Interface] +# Private key - MUST be set during deployment +PrivateKey = +# WireGuard interface IP (within the VPN) +Address = 10.100.0.2/24 +# DNS via VPN +DNS = 10.100.0.1 + +[Peer] +# VPN server endpoint +PublicKey = +Endpoint = : +AllowedIPs = 0.0.0.0/0, ::/0 +# Keep connection alive +PersistentKeepalive = 25 diff --git a/chroot-overlay/home/user/.bashrc b/chroot-overlay/home/user/.bashrc new file mode 100644 index 0000000..c84b6fa --- /dev/null +++ b/chroot-overlay/home/user/.bashrc @@ -0,0 +1,26 @@ +# ~/.bashrc - Football secure access system +# This script automatically starts IceWM and Remmina + +# Start X with IceWM on login +if [ -z "$DISPLAY" ] && [ "$XDG_VTNR" = "1" ]; then + exec startx +fi + +# Security aliases +alias rm='rm -i' +alias cp='cp -i' +alias mv='mv -i' + +# PATH additions +export PATH=$PATH:/usr/local/bin + +# Display security notice on login +echo "" +echo "================================================================" +echo " FOOTBALL - SECURE ACCESS SYSTEM" +echo "================================================================" +echo " Remote access to this system is DISABLED." +echo " Local console access only." +echo " System is automatically starting IceWM + Remmina." +echo "================================================================" +echo "" diff --git a/chroot-overlay/home/user/.icewm/preferences b/chroot-overlay/home/user/.icewm/preferences new file mode 100644 index 0000000..619cc6c --- /dev/null +++ b/chroot-overlay/home/user/.icewm/preferences 
@@ -0,0 +1,27 @@ +# IceWM configuration for football system + +# Window placement +TaskBarShowClock=1 +TaskBarShowStartMenu=1 +TaskBarShowWindowListMenu=1 +TaskBarShowWorkspaces=0 +TaskBarShowWindows=0 + +# Auto-start Remmina +StartupCommand="remmina" + +# No desktop icons (clean interface) +DesktopBackgroundCenter=1 +DesktopBackgroundColor="rgb:00/33/66" + +# Security - minimize features +ShowLoginStatus=0 +ShowLogoutMenu=1 +ShowSettingsMenu=0 +ShowHelpMenu=0 +ShowRunProgram=0 + +# Remmina should be main focus +ClickToFocus=1 +FocusOnAppRaise=1 +RaiseOnFocus=1 diff --git a/chroot-overlay/home/user/.xinitrc b/chroot-overlay/home/user/.xinitrc new file mode 100644 index 0000000..b82af8e --- /dev/null +++ b/chroot-overlay/home/user/.xinitrc @@ -0,0 +1,19 @@ +#!/bin/bash +# ~/.xinitrc - Automatically start IceWM and Remmina + +# Set keyboard layout if needed +setxkbmap us + +# Set reasonable defaults for IceWM +export ICEWM_PRIVCFG=$HOME/.icewm + +# Start IceWM +icewm & +ICEWM_PID=$! + +# Start Remmina (maximized) +remmina & +REMMINA_PID=$! + +# Wait for IceWM +wait $ICEWM_PID diff --git a/chroot-overlay/home/user/Desktop/README.txt b/chroot-overlay/home/user/Desktop/README.txt new file mode 100644 index 0000000..1087e6a --- /dev/null +++ b/chroot-overlay/home/user/Desktop/README.txt 
@@ -0,0 +1,42 @@ +# Football Secure Access System + +This system is configured for secure access to remote privileged access workstations through a WireGuard VPN tunnel. + +**SYSTEM CHARACTERISTICS:** +- Remote access: DISABLED (no SSH, no network services) +- Local console access only +- Automatic IceWM window manager startup +- Remmina remote desktop client +- Secure Boot enforced +- **ALL network traffic MUST go through WireGuard VPN** +- **Direct network access BLOCKED - only WireGuard allowed** + +**NETWORK CONFIGURATION:** +- Physical interface (eth0): ONLY allows WireGuard to configured endpoint +- WireGuard tunnel (wg0): ALL outbound traffic goes through this tunnel +- Inbound traffic: BLOCKED (except WireGuard keepalives) +- DHCP: Allowed on eth0 only for initial IP acquisition + +**USAGE:** +1. Login with local user account +2. IceWM and Remmina start automatically +3. WireGuard tunnel is established automatically +4. Use Remmina to connect to PAW (Privileged Access Workstation) through VPN +5. Close Remmina when done +6. System locks automatically on inactivity + +**SECURITY:** +- No remote administration permitted +- All direct network connections blocked +- Only WireGuard tunnel traffic allowed to configured endpoint +- System logs all actions +- Secure Boot verifies kernel integrity +- Firewall strictly enforced + +**WIREGUARD ENDPOINT:** +- Configured during build (see build script variables) +- Only endpoint allowed: WG_ENDPOINT_IP:WG_ENDPOINT_PORT +- All traffic routes through VPN after connection + +**CONTACT:** +For system issues, contact infrastructure security team. diff --git a/config/harden.sh b/config/harden.sh new file mode 100755 index 0000000..1215c06 --- /dev/null +++ b/config/harden.sh 
@@ -0,0 +1,127 @@ +#!/bin/bash +# Post-installation hardening script for football system +# This script configures strict firewall with WireGuard-only access +# All traffic must go through WireGuard tunnel + +set -e + +echo "Hardening football system with WireGuard-only access..." + +# Disable and remove all remote access services +systemctl disable ssh 2>/dev/null || true +systemctl disable sshd 2>/dev/null || true +systemctl disable telnet 2>/dev/null || true +systemctl disable rsh 2>/dev/null || true + +# Mask services to prevent them from being started +systemctl mask ssh 2>/dev/null || true +systemctl mask sshd 2>/dev/null || true +systemctl mask telnet 2>/dev/null || true +systemctl mask rsh 2>/dev/null || true + +# Remove remote access packages if any were installed +apt-get purge -y openssh-server telnetd rsh-server 2>/dev/null || true + +# STRICT FIREWALL RULES - WireGuard ONLY +# Read WireGuard endpoint configuration +WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}" +WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}" + +echo "Configuring strict firewall: only WireGuard to $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT allowed on eth0" + +# Flush all existing rules +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X + +# Default policies - DROP everything +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Allow loopback +iptables -A INPUT -i lo -j ACCEPT +iptables -A OUTPUT -o lo -j ACCEPT + +# Allow ONLY WireGuard on physical interface (eth0) +# Only UDP to WireGuard endpoint allowed +iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP -p udp --dport $WG_ENDPOINT_PORT -m state --state NEW,ESTABLISHED -j ACCEPT +iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP -p udp --sport $WG_ENDPOINT_PORT -m state --state ESTABLISHED -j ACCEPT + +# Allow all traffic through WireGuard interface (wg0) +iptables -A INPUT -i wg0 -j ACCEPT +iptables -A OUTPUT -o wg0 -j ACCEPT + +# Allow DHCP on eth0 to get initial IP 
+iptables -A OUTPUT -o eth0 -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT +iptables -A INPUT -i eth0 -p udp --sport 67 -m state --state ESTABLISHED -j ACCEPT + +# Save rules +mkdir -p /etc/iptables +iptables-save > /etc/iptables/rules.v4 + +# Same strict rules for IPv6 +ip6tables -F 2>/dev/null || true +ip6tables -X 2>/dev/null || true +ip6tables -P INPUT DROP 2>/dev/null || true +ip6tables -P FORWARD DROP 2>/dev/null || true +ip6tables -P OUTPUT DROP 2>/dev/null || true +ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null || true +ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null || true +ip6tables-save > /etc/iptables/rules.v6 2>/dev/null || true + +# Configure network to reject incoming connections +echo "hardening football - disable remote access" > /etc/issue +echo "" >> /etc/issue +echo "No remote access is permitted on this system." >> /etc/issue +echo "Local console access only." >> /etc/issue + +# Disable all network filesystem mounts +echo "disable network filesystem mounts" > /etc/modprobe.d/no-network-fs.conf +echo "install nfs /bin/true" >> /etc/modprobe.d/no-network-fs.conf +echo "install nfs4 /bin/true" >> /etc/modprobe.d/no-network-fs.conf +echo "install cifs /bin/true" >> /etc/modprobe.d/no-network-fs.conf +echo "install smbfs /bin/true" >> /etc/modprobe.d/no-network-fs.conf + +# Secure SSH configuration (even though service is disabled) +mkdir -p /etc/ssh +cat > /etc/ssh/sshd_config.d/99-hardening.conf << 'EOF' +PasswordAuthentication no +PermitRootLogin no +X11Forwarding no +AllowTcpForwarding no +GatewayPorts no +EOF + +# Configure AppArmor to enforce +echo "Enforce AppArmor profiles" > /etc/apparmor.d/tunables/global.d/force_enforce + +# Disable unnecessary kernel modules +echo "disable bluetooth" > /etc/modprobe.d/disable-bluetooth.conf +echo "install bluetooth /bin/true" >> /etc/modprobe.d/disable-bluetooth.conf +echo "install btusb /bin/true" >> /etc/modprobe.d/disable-bluetooth.conf + +# Disable wireless if on wired-only system 
+echo "disable wireless" > /etc/modprobe.d/disable-wireless.conf +echo "install cfg80211 /bin/true" >> /etc/modprobe.d/disable-wireless.conf +echo "install mac80211 /bin/true" >> /etc/modprobe.d/disable-wireless.conf + +# Disable unnecessary services +systemctl disable bluetooth 2>/dev/null || true +systemctl mask bluetooth 2>/dev/null || true + +# Set secure umask +echo "umask 077" >> /etc/profile +echo "umask 077" >> /etc/bash.bashrc + +# Disable core dumps +echo "* hard core 0" >> /etc/security/limits.conf +echo "* soft core 0" >> /etc/security/limits.conf + +# Enable auditd +systemctl enable auditd 2>/dev/null || true + +echo "Hardening complete - remote access disabled" diff --git a/config/packages.list b/config/packages.list new file mode 100644 index 0000000..3141a5c --- /dev/null +++ b/config/packages.list @@ -0,0 +1,73 @@ +# Minimal packages for football secure access system +# Base system +linux-image-amd64 +firmware-linux +firmware-linux-nonfree +grub2-common +grub-pc-bin +grub-efi-amd64-bin +grub-efi-ia32-bin +shim-signed +initramfs-tools +sudo +locales +keyboard-configuration +console-setup + +# Network (client only, no server capabilities) +networkmanager +iproute2 +iputils-ping +isc-dhcp-client +wireguard +wireguard-tools +iptables-persistent + +# Hardware support +xserver-xorg +xserver-xorg-input-libinput +x11-xserver-utils +xterm +xinit + +# Display manager (minimal - no remote access) +xserver-xorg-video-intel +xserver-xorg-video-amdgpu +xserver-xorg-video-nouveau +xserver-xorg-video-ati + +# Window manager - IceWM +icewm +icewm-themes + +# Remote desktop client - Remmina +remmina +remmina-plugin-rdp +remmina-plugin-vnc + +# Basic utilities +vim-tiny +less +psmisc +procps +coreutils +grep +sed +gawk +tar +gzip +bzip2 +xz-utils +curl +wget + +# Secure boot and boot tools +efibootmgr +mokutil +efivar + +# Security hardening +fail2ban +apparmor +apparmor-utils +auditd 
diff --git a/config/preseed.sh b/config/preseed.sh new file mode 100755 index 0000000..07c0d99 --- /dev/null +++ b/config/preseed.sh @@ -0,0 +1,24 @@ +#!/bin/bash +# Debootstrap preseed configuration for minimal Debian installation + +# Non-interactive frontend +export DEBIAN_FRONTEND=noninteractive + +# Minimal base system without recommended packages +cat << 'EOF' > /usr/local/sbin/debootstrap-minimal +#!/bin/bash +# Arguments: SUITE TARGET MIRROR +set -e + +SUITE=${1:-bookworm} +TARGET=${2} +MIRROR=${3:-http://deb.debian.org/debian} + +echo "Bootstrapping minimal Debian $SUITE..." + +debootstrap --variant=minbase --arch=amd64 $SUITE $TARGET $MIRROR + +echo "Minimal bootstrap complete." +EOF + +chmod +x /usr/local/sbin/debootstrap-minimal diff --git a/config/secureboot.sh b/config/secureboot.sh new file mode 100755 index 0000000..fff999d --- /dev/null +++ b/config/secureboot.sh 
@@ -0,0 +1,74 @@ +#!/bin/bash +# Secure Boot configuration script for football system +# This script ensures Secure Boot is properly configured + +set -e + +echo "Configuring Secure Boot..." + +# Check if Secure Boot is supported +if [ ! -d /sys/firmware/efi ]; then + echo "WARNING: EFI not detected. Secure Boot requires EFI system." + echo "This image may need to be deployed on a UEFI system with Secure Boot." +fi + +# Install Secure Boot packages +apt-get update +apt-get install -y shim-signed grub-efi-amd64-signed + +# Ensure GRUB is signed +echo "GRUB will use signed bootloader (shim-signed)" + +# Configure kernel for Secure Boot +echo "Configuring kernel for Secure Boot..." +cat > /etc/default/grub.d/secureboot.cfg << 'EOF' +GRUB_DISABLE_OS_PROBER=true +GRUB_DISABLE_SUBMENU=y +EOF + +# Lock GRUB to prevent unauthorized modifications +echo "Locking GRUB configuration..." +cat > /etc/grub.d/40_custom << 'EOF' +#!/bin/sh +exec tail -n +3 $0 +# This file provides an easy way to add custom menu entries. +# Lockdown: prevent editing GRUB entries +set superusers="football" +password_pbkdf2 football grub.pbkdf2.sha512.10000.$(echo -n "secure-boot-password" | grub-mkpasswd-pbkdf2 -s 2>/dev/null | tail -n +3 | sed 's/^.*grub\.pbkdf2\.sha512\.10000\.//') +EOF +chmod 755 /etc/grub.d/40_custom + +# Update GRUB +update-grub 2>/dev/null || true + +# Configure kernel command line for lockdown +echo "Configuring kernel lockdown mode..." +if [ -f /etc/default/grub ]; then + sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=""/GRUB_CMDLINE_LINUX_DEFAULT="lockdown=confidentiality,integrity"/' /etc/default/grub + sed -i 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="lockdown=confidentiality,integrity"/' /etc/default/grub +fi + +# Enable UEFI Secure Boot verification in kernel +cat >> /etc/modprobe.d/secureboot.conf << 'EOF' +options efivarfs mode=0444 +EOF + +# Ensure kernel modules are signed +echo "Verifying kernel module signing..." 
+for module in /lib/modules/$(uname -r)/*.ko; do + if [ -f "$module" ]; then + sig=$(modinfo "$module" 2>/dev/null | grep -i "signature:" | wc -l) + if [ "$sig" -eq 0 ]; then + echo "WARNING: Module $module is not signed" + fi + fi +done 2>/dev/null || true + +echo "Secure Boot configuration complete." +echo "" +echo "IMPORTANT: When deploying to physical hardware:" +echo "1. Ensure UEFI Secure Boot is ENABLED in BIOS/UEFI settings" +echo "2. Verify that the Microsoft UEFI CA is in the key database" +echo "3. The system will only boot with signed kernel and bootloader" +echo "4. Any unsigned kernel modules will be rejected" +echo "" diff --git a/config/setup-wg-server.sh b/config/setup-wg-server.sh new file mode 100755 index 0000000..a186798 --- /dev/null +++ b/config/setup-wg-server.sh 
@@ -0,0 +1,79 @@ +#!/bin/bash +# WireGuard server setup script +# This script helps set up the VPN server that football systems connect to + +set -e + +echo "=============================================" +echo "WireGuard VPN Server Setup for Football" +echo "=============================================" +echo "" + +# Check if running as root +if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit 1 +fi + +# Install WireGuard +echo "Installing WireGuard..." +apt-get update +apt-get install -y wireguard wireguard-tools iptables-persistent + +# Generate server keys +echo "" +echo "Generating server keys..." +SERVER_PRIVATE=$(wg genkey) +SERVER_PUBLIC=$(echo "$SERVER_PRIVATE" | wg pubkey) + +echo "Server Public Key: $SERVER_PUBLIC" +echo "Server Private Key: $SERVER_PRIVATE" + +# Create config directory +mkdir -p /etc/wireguard + +# Create server configuration +cat > /etc/wireguard/wg0.conf << EOF +[Interface] +PrivateKey = $SERVER_PRIVATE +Address = 10.100.0.1/24 +ListenPort = 51820 +SaveConfig = true + +# Enable IP forwarding +EOF + +# Enable IP forwarding +echo "Enabling IP forwarding..." +sysctl -w net.ipv4.ip_forward=1 +echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf + +# Configure NAT +echo "Configuring NAT rules..." +iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o $(ip route | grep default | awk '{print $5}') -j MASQUERADE +iptables-save > /etc/iptables/rules.v4 + +# Allow WireGuard port +iptables -A INPUT -p udp --dport 51820 -j ACCEPT +iptables-save > /etc/iptables/rules.v4 + +echo "" +echo "=============================================" +echo "Server setup complete!" +echo "=============================================" +echo "" +echo "Server Public Key: $SERVER_PUBLIC" +echo "" +echo "Next steps:" +echo "1. Add clients to /etc/wireguard/wg0.conf with their public keys" +echo "2. Enable the interface: systemctl enable wg-quick@wg0" +echo "3. Start the interface: systemctl start wg-quick@wg0" +echo "4. 
Configure firewall to allow UDP 51820" +echo "" +echo "Example client configuration:" +echo "" +echo "[Peer]" +echo "# Football Client 1" +echo "PublicKey = " +echo "AllowedIPs = 10.100.0.2/32" +echo "" diff --git a/config/setup-wireguard.sh b/config/setup-wireguard.sh new file mode 100755 index 0000000..51701f1 --- /dev/null +++ b/config/setup-wireguard.sh @@ -0,0 +1,45 @@ +#!/bin/bash +# WireGuard configuration script for football system +# This script sets up WireGuard with provided keys + +set -e + +# Variables - these will be passed from build script +WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}" +WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}" +WG_PRIVATE_KEY="${WG_PRIVATE_KEY}" +WG_PUBLIC_KEY="${WG_PUBLIC_KEY}" + +if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then + echo "ERROR: WireGuard keys not provided" + echo "Set WG_PRIVATE_KEY and WG_PUBLIC_KEY environment variables" + exit 1 +fi + +echo "Configuring WireGuard..." + +# Replace placeholders in template +sed -e "s||$WG_PRIVATE_KEY|g" \ + -e "s||$WG_PUBLIC_KEY|g" \ + -e "s||$WG_ENDPOINT_IP|g" \ + -e "s||$WG_ENDPOINT_PORT|g" \ + /etc/wireguard/wg0.conf.template > /etc/wireguard/wg0.conf + +# Secure the configuration +chmod 600 /etc/wireguard/wg0.conf + +# Enable and start WireGuard +systemctl enable wg-quick@wg0 +systemctl start wg-quick@wg0 + +# Verify connection +sleep 2 +if ip link show wg0 >/dev/null 2>&1; then + echo "WireGuard interface wg0 is UP" + echo "All network traffic now routed through VPN" +else + echo "WARNING: WireGuard interface not detected" + exit 1 +fi + +echo "WireGuard configuration complete" diff --git a/config/wg-server-config-example.conf b/config/wg-server-config-example.conf new file mode 100644 index 0000000..0b397d7 --- /dev/null +++ b/config/wg-server-config-example.conf 
@@ -0,0 +1,45 @@ +# Sample WireGuard Server Configuration +# This is the configuration for the WireGuard VPN server +# that football systems will connect to. +# +# Usage: Copy this to /etc/wireguard/wg0.conf on the VPN server +# and adjust as needed for your environment. + +[Interface] +# Private key of the VPN server +# Generate with: wg genkey +PrivateKey = + +# VPN network address (this server) +Address = 10.100.0.1/24 + +# Port to listen on (UDP) +ListenPort = 51820 + +# DNS for VPN clients +DNS = 10.100.0.1 + +# Enable IP forwarding on the server +# Add this to /etc/sysctl.conf: net.ipv4.ip_forward=1 +# Then run: sysctl -p + +# NAT configuration (POSTROUTING) +# iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + +[Peer] +# Client: football-1 +# Public key generated on client with: wg pubkey < client-private.key +PublicKey = +AllowedIPs = 10.100.0.2/32 + +[Peer] +# Client: football-2 +PublicKey = +AllowedIPs = 10.100.0.3/32 + +[Peer] +# Client: football-3 +PublicKey = +AllowedIPs = 10.100.0.4/32 + +# Add more [Peer] sections as needed for additional football clients
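Review bot: In config/harden.sh, the "Secure SSH configuration" block writes to `/etc/ssh/sshd_config.d/99-hardening.conf` after only `mkdir -p /etc/ssh`; since openssh-server was just purged, `/etc/ssh/sshd_config.d/` will usually not exist, the `cat >` fails, and with `set -e` the script aborts before the AppArmor, modprobe, umask, core-dump and auditd steps run. Use `mkdir -p /etc/ssh/sshd_config.d` (or drop the block entirely, since the service is masked and the package removed). Two further problems in the same hunk: `echo "Enforce AppArmor profiles" > /etc/apparmor.d/tunables/global.d/force_enforce` writes a bare sentence into a file that every profile includes via tunables/global, which is a parse error for apparmor_parser rather than an enforce setting (use `aa-enforce` on the profiles instead); and the first line of each modprobe.d file ("disable network filesystem mounts", "disable bluetooth", "disable wireless") lacks a leading `#`, so modprobe logs them as bad lines. Finally, if this script runs inside the build chroot, the `iptables -F` / `iptables -P OUTPUT DROP` calls act on the build host's kernel, not the image; the rules files are what the image needs, so consider generating rules.v4/rules.v6 without applying them at build time.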
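Review bot: In config/packages.list, `fail2ban` adds nothing on a system where sshd is purged and masked and INPUT is DROP by policy; it pulls in a Python runtime and a daemon that will sit idle, which works against the "minimal" goal stated at the top of the file. The comment "Display manager (minimal - no remote access)" sits above a group of X video drivers, not a display manager; relabel it so the list stays reviewable.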
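Review bot: In config/preseed.sh, the generated helper sets `TARGET=${2}` with no check, so calling `debootstrap-minimal bookworm` with no target expands to `debootstrap --variant=minbase --arch=amd64 bookworm http://deb.debian.org/debian` and the mirror URL is silently taken as the target directory. Use `TARGET=${2:?target directory required}` and quote `"$SUITE" "$TARGET" "$MIRROR"` on the debootstrap line. Note also that `export DEBIAN_FRONTEND=noninteractive` at the top only affects this wrapper's process; the helper it writes does not set it.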
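Review bot: In config/secureboot.sh, the GRUB password line never produces a hash: the heredoc is quoted (`<< 'EOF'`), so `password_pbkdf2 football grub.pbkdf2.sha512.10000.$(echo -n "secure-boot-password" | ...)` is written literally into `/etc/grub.d/40_custom`, and `exec tail -n +3 $0` copies that literal text into grub.cfg, leaving GRUB either unprotected or with an unparseable entry. Generate the hash before the heredoc (and never from a password hard-coded in a mode 755 file), then write only the finished `password_pbkdf2` line. Other points in this hunk: `lockdown=confidentiality,integrity` is not a valid kernel parameter (lockdown takes a single value, `integrity` or `confidentiality`); the `sed` patterns match only `GRUB_CMDLINE_LINUX_DEFAULT=""`, whereas Debian ships `"quiet"`, so the edit does not apply; `options efivarfs mode=0444` is not a module option; and `$(uname -r)` in the module-signing loop reports the build host's kernel, not the image's.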
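Review bot: In config/setup-wg-server.sh, `echo "Server Private Key: $SERVER_PRIVATE"` writes the server's private key to stdout, where it ends up in terminal scrollback or any log capturing the setup run; the key is already in `/etc/wireguard/wg0.conf`, so drop the echo and `chmod 600` that file. With `SaveConfig = true` in the generated config, `wg-quick down` rewrites wg0.conf from the running state, so peers added by hand to the file while the interface is up (as "Next steps" step 1 instructs) are lost; either remove SaveConfig or tell the operator to add peers with `wg set` / `wg addconf`. Smaller items: `$(ip route | grep default | awk '{print $5}')` can yield several interfaces on multi-homed hosts, the `# Enable IP forwarding` comment inside the wg0.conf heredoc is misleading, and step 4 repeats the `--dport 51820` rule the script has already added.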
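Review bot: In config/setup-wireguard.sh, the four `sed -e "s||$WG_PRIVATE_KEY|g"` expressions have an empty search pattern as committed, so sed either reuses a non-existent previous regex and errors or, at best, substitutes nothing, and wg0.conf is written with placeholders intact; the placeholder tokens from wg0.conf.template need to appear in each pattern. The "Verify connection" check only confirms that `wg0` exists, which wg-quick creates even when the peer is unreachable; check for a handshake (for example `wg show wg0 latest-handshakes`) before printing "All network traffic now routed through VPN". Also, `systemctl start wg-quick@wg0` cannot succeed inside a build chroot, so the script should distinguish build-time configuration from first-boot activation.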
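Review bot: In config/wg-server-config-example.conf, `DNS = 10.100.0.1` in the server's `[Interface]` is a wg-quick client-side setting: on the server it rewrites the server's own resolver to point at itself, which breaks name resolution unless a resolver is running there. Remove it from the server config, or move it to the client template if the intent is for football clients to use a resolver on the VPN server.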