
@insdavm
insdavm / wireguard-over-tcp.md
Last active April 25, 2024 22:26
WireGuard over TCP with udptunnel

WireGuard over TCP with udptunnel

udptunnel is a small program which can tunnel UDP packets bi-directionally over a TCP connection. Its primary purpose (and original motivation) is to allow multi-media conferences to traverse a firewall which allows only outgoing TCP connections.

Server

# udptunnel -s 443 127.0.0.1/51820

Client

@insdavm
insdavm / f28.md
Last active February 28, 2019 18:39
/u/c5cf2ee6-1901-40a9

/u/c5cf2ee6-1901-40a9

  • Tunnel Subnet 10.7.0.0/24
  • Host C Public IP 66.10.10.1 (just for the example)
  • Host A - 10.7.0.2
  • Host B - 10.7.0.3
  • Host C - 10.7.0.1

Host A wg0.conf

@insdavm
insdavm / GlassOnion420.conf
Created February 16, 2019 18:45
for GlassOnion420
# SERVER wg0.conf
[Interface]
PrivateKey = <PRIVKEY of SERVER>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <PUBKEY of CLIENT 1>
AllowedIPs = 10.0.0.2/32
@insdavm
insdavm / WireGuard-site-to-site.md
Last active April 21, 2024 19:53
Accessing a subnet that is behind a WireGuard client using a site-to-site setup

WireGuard Site-to-Site

Accessing a subnet that is behind a WireGuard client using a site-to-site setup

Problem Summary

We want to access a local subnet remotely, but it is behind a NAT firewall and we can't set up port forwarding. Outgoing connections work, but all incoming connections get DROPPED by the ISP's routing policy.

Solution Summary

@insdavm
insdavm / unbound-setup.md
Last active November 15, 2023 07:35
Setup unbound for DNS

Unbound

Install
$ sudo apt install unbound unbound-host

Get latest list of root DNS servers
$ curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

Setup /etc/unbound/unbound.conf:

@insdavm
insdavm / wg0.conf
Created December 30, 2018 22:04
Wireguard server conf for classic VPN server where the LAN and all Internet is accessible
[Interface]
Address = 10.8.1.1
PrivateKey = <SERVER-PRIVATE-KEY>
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <CLIENT-1-PUBLIC-KEY>
@insdavm
insdavm / iptables.rules
Created December 24, 2018 15:44
Stateful firewall for laptop/personal computer that isn't running any services like HTTP or SSH
# Generated by iptables-save v1.8.2 on Mon Dec 24 10:42:19 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:852]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
@insdavm
insdavm / libinput-gestures.conf
Last active December 21, 2018 15:13
Gestures for libinput on a MacBook Pro running KDE Plasma 5.14
# I have 4 workspaces arranged in a quad pattern...
# [ 1 ][ 2 ]
# [ 3 ][ 4 ]
# up/down/left/right moves to the next workspace:
gesture swipe up 3 xdotool key ctrl+alt+Down
gesture swipe down 3 xdotool key ctrl+alt+Up
gesture swipe left 3 xdotool key ctrl+alt+Left
gesture swipe right 3 xdotool key ctrl+alt+Right
@insdavm
insdavm / 01-netcfg.yaml
Created December 13, 2018 20:28
Basic netplan config for DHCP ethernet on Ubuntu Server 18.04.1 LTS
# file in /etc/netplan/01-netcfg.yaml
# spacing for indents just needs to be consistent
network:
  version: 2
  renderer: networkd
  ethernets:
    enp2s0:
      addresses: []
      dhcp4: true
@insdavm
insdavm / mkinitcpio.conf
Last active September 14, 2018 20:09
My mkinitcpio.conf for initramfs creation on a Macbook Pro 8,1 running Arch
MODULES=(ext4)
BINARIES=()
FILES=()
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)
# Initial attempt, but had issues with unlocking the cryptlvm volume with this...
# But who the fuck wants a systemd-based initramfs anyway!? /s
#
# We can still use systemd-boot to use Apple's native bootloader and read the .efi