Compare commits
5 Commits
Author | SHA1 | Date |
---|---|---|
Steven Polley | b318bcb3c1 | |
Steven Polley | 390fabe1b4 | |
Steven Polley | 92f5c579e6 | |
Steven Polley | 305ba29c50 | |
Steven Polley | f8be95c8d0 |
|
@ -3,4 +3,6 @@ hyp.secret
|
|||
hypd/hypd
|
||||
hyp/hyp
|
||||
hypd/hypdconfig.json
|
||||
hypd/secrets/
|
||||
hypd/secrets/
|
||||
hypd/server/*.o
|
||||
env.sh
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
"networkInterface": "enp0s3",
|
||||
"preSharedKeyDirectory": "./secrets/",
|
||||
"successAction": "./examples/fortigate/openfortigate.sh %s",
|
||||
"timeoutSeconds": 0,
|
||||
"timeoutAction": ""
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Make sure you have environment variables set for FORTIGATE_MGMT_URL, FORTIGATE_API_TOKEN and FORTIGATE_ADDRESS_OBJECT_GROUP
|
||||
# Examples:
|
||||
export FORTIGATE_MGMT_URL="https://69.4.20.10:8443"
|
||||
export FORTIGATE_API_KEY="5fkwkkzgQ4s31bdH60qsxxfN093zgt"
|
||||
export FORTIGATE_ADDRESS_OBJECT_GROUP="hyp-allowed-clients"
|
||||
|
||||
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "Usage: $0 <srcip>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo $FORTIGATE_MGMT_URL
|
||||
echo $1
|
||||
|
||||
# Create the address object
|
||||
curl "$FORTIGATE_MGMT_URL/api/v2/cmdb/firewall/address?datasource=1" \
|
||||
-X "POST" \
|
||||
-H "Authorization: Bearer $FORTIGATE_API_KEY" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data-raw "{\"name\":\"hyp_$1\",\"subnet\":\"$1/32\",\"color\":\"0\"}" \
|
||||
--insecure # LOL - remove this if you want, but I want this to be easy for noobs
|
||||
|
||||
|
||||
# Add to address object group
|
||||
curl "$FORTIGATE_MGMT_URL/api/v2/cmdb/firewall/addrgrp/$FORTIGATE_ADDRESS_OBJECT_GROUP/member" \
|
||||
-X "POST" \
|
||||
-H "Authorization: Bearer $FORTIGATE_API_KEY" \
|
||||
-H "Content-Type: application/json" \
|
||||
--data-raw "{\"name\":\"hyp_$1\"}" \
|
||||
--insecure # And here too
|
|
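Review bot: `$1` is spliced straight into both curl `--data-raw` JSON bodies and into the FortiGate object name `hyp_$1` with no check that it is an IP address, so whatever hypd substitutes for the `%s` in `successAction` that is not a dotted quad yields a malformed request or an unintended address object; validate it against an IPv4 pattern before the first curl and exit otherwise. The header comment on the third line names `FORTIGATE_API_TOKEN` while the export and both `Authorization` headers use `FORTIGATE_API_KEY`, so following the comment leaves the real variable empty — `: "${FORTIGATE_API_KEY:?}"` style guards turn a missing variable into an error instead of a bearer header with nothing after it. The example `export FORTIGATE_API_KEY="…"` line should be an obvious placeholder rather than a realistic-looking token, since this file is committed. Without `set -e` and curl `--fail`, a failed address-object creation is followed by the group-member POST regardless, and the unquoted `echo $1` / `echo $FORTIGATE_MGMT_URL` diagnostics belong on stderr.
```shell
#!/bin/bash
set -euo pipefail

# Required environment: FORTIGATE_MGMT_URL, FORTIGATE_API_KEY, FORTIGATE_ADDRESS_OBJECT_GROUP
: "${FORTIGATE_MGMT_URL:?not set}"
: "${FORTIGATE_API_KEY:?not set}"
: "${FORTIGATE_ADDRESS_OBJECT_GROUP:?not set}"

if [ $# -lt 1 ]; then
    echo "Usage: $0 <srcip>" >&2
    exit 1
fi
srcip="$1"

# Only a dotted-quad IPv4 address may be spliced into the JSON bodies below
if ! [[ "$srcip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    echo "$0: refusing non-IPv4 argument: $srcip" >&2
    exit 1
fi

# … unchanged: the two curl calls, with "$srcip" in place of $1 and --fail added …
```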
@ -0,0 +1,12 @@
|
|||
# Using hyp with OpenWrt Wireguard
|
||||
|
||||
This example case is to deploy hypd on OpenWrt to open up access to the WireGuard VPN service.
|
||||
|
||||
hyp utilizes eBPF technology to ensure runtime overhead is extremely small (in a way, but in a way not). Most Linux distributions have support for this out of the box, however OpenWrt does not. OpenWrt has a very stripped down, purpose-configured kernel and does not have the requirements built in to run hyp.
|
||||
|
||||
The good news is, you can build OpenWrt yourself and configure it with the requirements. Follow the directions at this page: https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
|
||||
|
||||
When you run *make menuconfig*, make sure you check off *Enable additional BTF type information* which is also known as CONFIG_KERNEL_DEBUG_INFO_BTF. This is required to support eBPF CO:RE.
|
||||
|
||||
![Kernel Config](https://deadbeef.codes/steven/hyp/raw/branch/main/hypd/examples/openwrt-wireguard/kernel_config.png)
|
||||
|
Binary file not shown.
After Width: | Height: | Size: 148 KiB |
|
@ -35,32 +35,40 @@ int xdp_prog_func(struct xdp_md *ctx) {
|
|||
|
||||
// A knock should not contain any data
|
||||
if (data_end - data > 60) {
|
||||
goto done;
|
||||
return XDP_PASS;
|
||||
}
|
||||
|
||||
// parse ethernet header
|
||||
struct ethhdr *eth = data;
|
||||
if ((void *)eth + sizeof(*eth) <= data_end) {
|
||||
// parse IP header
|
||||
struct iphdr *ip = data + sizeof(*eth);
|
||||
if ((void *)ip + sizeof(*ip) <= data_end) {
|
||||
if (ip->protocol == IPPROTO_UDP) {
|
||||
// parse UDP header
|
||||
struct udphdr *udp = (void *)ip + sizeof(*ip);
|
||||
if ((void *)udp + sizeof(*udp) <= data_end)
|
||||
{
|
||||
// pack into knock structure and send to userspace
|
||||
struct knock_data knock = {
|
||||
.srcip = bpf_ntohl(ip->saddr),
|
||||
.dstport = bpf_htons(udp->dest),
|
||||
.pad = 0
|
||||
};
|
||||
bpf_ringbuf_output(&rb, &knock, sizeof(knock), BPF_RB_FORCE_WAKEUP);
|
||||
}
|
||||
}
|
||||
}
|
||||
if ((void *)eth + sizeof(*eth) > data_end) {
|
||||
return XDP_PASS;
|
||||
}
|
||||
done:
|
||||
|
||||
// parse IP header
|
||||
struct iphdr *ip = data + sizeof(*eth);
|
||||
if ((void *)ip + sizeof(*ip) > data_end) {
|
||||
return XDP_PASS;
|
||||
}
|
||||
|
||||
// Ensure IP header protocol field is UDP (protocol 17)
|
||||
if (ip->protocol != IPPROTO_UDP) {
|
||||
return XDP_PASS;
|
||||
}
|
||||
|
||||
// parse UDP header
|
||||
struct udphdr *udp = (void *)ip + sizeof(*ip);
|
||||
if ((void *)udp + sizeof(*udp) > data_end) {
|
||||
return XDP_PASS;
|
||||
}
|
||||
|
||||
// pack into knock structure and send to userspace
|
||||
struct knock_data knock = {
|
||||
.srcip = bpf_ntohl(ip->saddr),
|
||||
.dstport = bpf_htons(udp->dest),
|
||||
.pad = 0
|
||||
};
|
||||
bpf_ringbuf_output(&rb, &knock, sizeof(knock), BPF_RB_FORCE_WAKEUP);
|
||||
|
||||
// We send everything to XDP_PASS
|
||||
return XDP_PASS;
|
||||
}
|
||||
|
|
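Review bot: Neither side of this hunk checks `eth->h_proto` before treating `data + sizeof(*eth)` as a `struct iphdr`, so on the new side every frame that passes the 60-byte and header-length checks — ARP, IPv6, VLAN-tagged — is parsed as IPv4, and whenever the byte at the protocol offset happens to be 17 a spurious knock is pushed to userspace with whatever sits at the saddr/dest offsets. The same path assumes a 20-byte IP header (`(void *)ip + sizeof(*ip)`) without reading `ip->ihl`, so a packet carrying IP options has its UDP header read from the wrong offset; both are one guard each, shown below with the UDP offset taken from `ihl` (the existing `data_end` check after it still bounds the access). The `60` deserves a named constant with the comment `// minimum Ethernet frame length: a bare knock carries no payload`, since the comment above it only says the knock has no data. `xdp_prog_func` begins before the hunk (`data`/`data_end` are set there), and which lines are old and new is inferred because the page dropped the +/- markers.
```c
    // parse ethernet header
    struct ethhdr *eth = data;
    if ((void *)eth + sizeof(*eth) > data_end) {
        return XDP_PASS;
    }
    // Only IPv4 frames may be parsed as IPv4 below
    if (eth->h_proto != bpf_htons(ETH_P_IP)) {
        return XDP_PASS;
    }

    // parse IP header
    struct iphdr *ip = data + sizeof(*eth);
    if ((void *)ip + sizeof(*ip) > data_end) {
        return XDP_PASS;
    }
    // Reject a malformed IHL; options are honoured when locating the UDP header
    if (ip->ihl < 5) {
        return XDP_PASS;
    }
    // … unchanged: protocol check …

    // parse UDP header
    struct udphdr *udp = (void *)ip + ip->ihl * 4;
    // … unchanged: UDP bounds check, knock struct, ringbuf output, return …
```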
Binary file not shown.
Binary file not shown.