Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
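#!/bin/bash
# WireGuard server setup script
# This script helps set up the VPN server that football systems connect to.
#
# Must run as root. Optional environment overrides (defaults are the values
# the script previously hard-coded):
#   WG_PORT     UDP port WireGuard listens on              (default: 51820)
#   WG_ADDRESS  server address inside the tunnel, CIDR     (default: 10.100.0.1/24)
#   WG_SUBNET   tunnel subnet that is NAT-ed to the WAN    (default: 10.100.0.0/24)
#   WAN_IFACE   outbound interface for MASQUERADE          (default: first IPv4 default-route iface)
#
# The server private key is written only to /etc/wireguard/wg0.conf (mode 0600)
# and is never echoed; clients only ever need the public key.

set -euo pipefail

WG_PORT="${WG_PORT:-51820}"
WG_ADDRESS="${WG_ADDRESS:-10.100.0.1/24}"
WG_SUBNET="${WG_SUBNET:-10.100.0.0/24}"
WG_CONF="/etc/wireguard/wg0.conf"
readonly WG_PORT WG_ADDRESS WG_SUBNET WG_CONF

# Print a message to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Abort unless running as root; everything below writes /etc and iptables.
require_root() {
  if [[ "$EUID" -ne 0 ]]; then
    die "Please run as root"
  fi
}

# Refuse to overwrite an existing server config: regenerating the key pair
# would silently invalidate every client that trusts the current public key.
check_existing_config() {
  if [[ -e "$WG_CONF" ]]; then
    die "$WG_CONF already exists; remove it first if you really want new server keys"
  fi
}

# Install WireGuard and the persistence helper for iptables rules.
install_packages() {
  echo "Installing WireGuard..."
  # iptables-persistent asks a debconf question during install; answer it non-interactively.
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get install -y wireguard wireguard-tools iptables-persistent
}

# Resolve the interface used for NAT: explicit WAN_IFACE wins, otherwise the
# first IPv4 default route. Fails loudly rather than handing iptables an empty
# or multi-word interface name. Prints the interface name on stdout.
detect_wan_iface() {
  local iface="${WAN_IFACE:-}"
  if [[ -z "$iface" ]]; then
    iface=$(ip -4 route show default | awk '{print $5; exit}')
  fi
  [[ -n "$iface" ]] || die "could not determine outbound interface; set WAN_IFACE explicitly"
  printf '%s\n' "$iface"
}

# Generate the server key pair and write wg0.conf with root-only permissions.
# Prints the public key on stdout; the private key never leaves the file.
write_server_config() {
  local private_key public_key
  private_key=$(wg genkey)
  public_key=$(wg pubkey <<<"$private_key")

  # umask 077 so the directory and the config are created root-only from the start.
  umask 077
  mkdir -p "$(dirname "$WG_CONF")"
  cat > "$WG_CONF" <<EOF
[Interface]
PrivateKey = $private_key
Address = $WG_ADDRESS
ListenPort = $WG_PORT
# SaveConfig = true makes wg-quick rewrite this file when the interface stops,
# so add peers while wg0 is down, or live with 'wg set wg0 peer ...'.
SaveConfig = true
EOF
  chmod 600 "$WG_CONF"
  printf '%s\n' "$public_key"
}

# Turn on IPv4 forwarding now and persist it without appending a duplicate
# line to sysctl.conf on every run.
enable_forwarding() {
  echo "Enabling IP forwarding..."
  sysctl -w net.ipv4.ip_forward=1
  grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf 2>/dev/null \
    || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
}

# Append an iptables rule unless an identical one already exists, so re-running
# the script does not accumulate duplicates. $1 is the table, the rest is the
# rule spec starting with the chain name.
ensure_rule() {
  local table="$1"
  shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# NAT the tunnel subnet out of the WAN interface and accept inbound WireGuard.
# $1 is the WAN interface name.
configure_firewall() {
  local wan_iface="$1"
  echo "Configuring NAT rules..."
  ensure_rule nat POSTROUTING -s "$WG_SUBNET" -o "$wan_iface" -j MASQUERADE
  ensure_rule filter INPUT -p udp --dport "$WG_PORT" -j ACCEPT
  # NOTE: if this host's FORWARD chain policy is DROP, traffic between wg0 and
  # the WAN also needs explicit FORWARD rules; they are not added here.
  mkdir -p /etc/iptables
  # Save once, after both rules are in place.
  iptables-save > /etc/iptables/rules.v4
}

# Show the operator what they need next. $1 is the server public key.
print_summary() {
  local public_key="$1"
  echo ""
  echo "============================================="
  echo "Server setup complete!"
  echo "============================================="
  echo ""
  echo "Server Public Key: $public_key"
  echo "Server config (private key inside, root-only): $WG_CONF"
  echo ""
  echo "Next steps:"
  echo "1. Add clients to $WG_CONF with their public keys (while wg0 is down)"
  echo "2. Enable the interface: systemctl enable wg-quick@wg0"
  echo "3. Start the interface: systemctl start wg-quick@wg0"
  echo "4. Open UDP $WG_PORT on any upstream firewall (the local iptables rule is already added)"
  echo ""
  echo "Example client configuration:"
  echo ""
  echo "[Peer]"
  echo "# Football Client 1"
  echo "PublicKey = <CLIENT_PUBLIC_KEY>"
  echo "AllowedIPs = 10.100.0.2/32"
  echo ""
}

main() {
  echo "============================================="
  echo "WireGuard VPN Server Setup for Football"
  echo "============================================="
  echo ""

  require_root
  check_existing_config
  install_packages

  echo ""
  echo "Generating server keys..."
  local public_key
  public_key=$(write_server_config)
  echo "Server Public Key: $public_key"

  enable_forwarding

  local wan_iface
  wan_iface=$(detect_wan_iface)
  configure_firewall "$wan_iface"

  print_summary "$public_key"
}

main "$@"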