Wireguard instructions added, nextdns container updates

README.md

@@ -11,6 +11,11 @@ Enables init.d style scripts to run on every boot of your UDM. Includes a wpa-su
 ### python
 If you need python3 on your UDM, generally not recommended, can always use it in unifi-os container
 
+## VPN Servers / Clients
+
+### wireguard-go
+Run a Wireguard client/server on your UDM/P.  Utilizes wireguard-go, not linux kernel modules.  The performance will take a hit due to that.
+
 ## DNS Providers
 ### dns-common
 Configurations for DNS containers, both IPv4 and IPv6.  Utilizes MacVLAN CNI plugins to completely isolate the network stack.

nextdns/README.md

@@ -25,7 +25,7 @@ podman build . -t nextdns-udm:latest
 ```
 Building from another device is possible.  You must have [buildx](https://github.com/docker/buildx/) installed to do cross platform builds. This is useful if you want to mirror to a private repo
 ```shell script
-docker buildx build --platform linux/arm64 -t nextdns-udm:latest .
+docker buildx build --platform linux/arm64/v8 -t nextdns-udm:latest .
 ```
 
 ### Steps

nextdns/docker/Dockerfile

@@ -1,11 +1,11 @@
-FROM alpine
+FROM alpine as builder
 ENV VERSION=1.7.0
 LABEL maintainer="John Dorman <dorman@ataxia.cloud>"
-RUN apk add --no-cache ca-certificates \
-    && mkdir -p /opt/nextdns \
-    && wget -O /tmp/nextdns.tar.gz https://github.com/nextdns/nextdns/releases/download/v${VERSION}/nextdns_${VERSION}_linux_arm64.tar.gz  \
-    && tar zxf /tmp/nextdns.tar.gz -C /opt/nextdns \
-    && rm /tmp/nextdns.tar.gz
+RUN wget -O /tmp/nextdns.tar.gz https://github.com/nextdns/nextdns/releases/download/v${VERSION}/nextdns_${VERSION}_linux_arm64.tar.gz  \
+    && mkdir /tmp/nextdns && tar zxf /tmp/nextdns.tar.gz -C /tmp/nextdns
+
+FROM arm64v8/alpine
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /tmp/nextdns /opt/nextdns
 EXPOSE 53/tcp 53/udp
 ENTRYPOINT ["/opt/nextdns/nextdns","run", "-config-file", "/etc/nextdns/nextdns.conf"]
-CMD []

wireguard-go/README.md

@@ -0,0 +1,36 @@
+# Wireguard VPN server / client
+
+### Features
+1. Wireguard VPN to anywhere! Uses wireguard-go, not the kernel module.
+1. Persists through reboots and firmware updates.
+1. Tested with a Wireguard Server in AWS.
+
+### Requirements
+1. You have successfully setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script)
+1. Not recommended for Wireguard newbies. Set it up on other devices first. This document does not include iptables / nat rules.
+
+### Customization
+* Update [wg0.conf](configs/wg0.conf) to match your env
+
+### Steps
+1. Create your public and private keys
+    ```shell script
+    podman run -i --rm --net=host --name wireguard_conf masipcat/wireguard-go wg genkey > /mnt/data/wireguard/privatekey
+    podman run -i --rm --net=host --name wireguard_conf masipcat/wireguard-go wg genkey < /mnt/data/wireguard/privatekey > /mnt/data/wireguard/publickey
+    ```
+1. Make configurations dir
+    ```shell script
+    mkdir -p /mnt/data/wireguard
+    ```
+1. Create wireguard configuration file in /mnt/data/wireguard.  Template: [wg0.conf](configs/wg0.conf)    
+1. Copy [20-wireguard.sh](on_boot.d/20-wireguard.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
+1. Execute /mnt/data/on_boot.d/20-wireguard.sh
+1. If you are running a server, make the appropriate firewall rules / port forwards
+
+### Useful commands
+```shell script
+podman exec -it wireguard wg
+podman exec -it wireguard wg-quick up wg0
+podman exec -it wireguard wg-quick down wg0
+```
+

wireguard-go/configs/wg0.conf

@@ -0,0 +1,12 @@
+[Interface]
+# Change to map to your subnet
+Address = 10.20.0.3/24
+PrivateKey = <server privatekey>
+# Can be whatever port you like
+ListenPort = 51820
+
+[Peer]
+PublicKey = <client public key>
+Endpoint = <server ip>:<server port>
+# Change to the CIDRs you want routed over the VPN
+AllowedIPs = 10.20.0.0/24

wireguard-go/on_boot.d/20-wireguard.sh

@@ -0,0 +1 @@
+podman run -i -d --rm --net=host --name wireguard --privileged -v /mnt/data/wireguard:/etc/wireguard -v /dev/net/tun:/dev/net/tun  -e LOG_LEVEL=info -e WG_COLOR_MODE=always masipcat/wireguard-go