Merge pull request #1 from leonjza/main

Bug fixes, doc improvements and a configuration refactor. Awesome :D

.env.example

@@ -0,0 +1,29 @@
+# the upstream proxy server location
+#
+# supports any of the uri formats in the proxy models
+# docs here: https://github.com/xjasonlyu/tun2socks/wiki/Proxy-Models
+PROXY_ADDRESS=socks4://host.docker.internal:48501
+
+# target information.
+#
+# this is where you specify information about the remote network.
+# you want to provide the subnets you want to to route to (over
+# socks), and a dns server (typically a domain controller) to use
+# for the internal domain.
+
+# comma seperated list of routes to route
+TARGET_ROUTES=10.10.10.0/24
+TARGET_DNS_SERVER=10.10.10.254
+TARGET_ROOT_DOMAIN=domain.local
+
+# wireguard information.
+#
+# this is information about where your wireguard server is
+# available, how many peers would want to connect to it and
+# which port to use for wireguard.
+
+# external host where this wireguard server will be reachable
+WG_HOST=server.name.or.ip
+# number of wireguard client (peer) configurations to generate
+WG_PEERS=1
+WG_UDP_PORT=51820

.gitignore

@@ -0,0 +1 @@
+.env

README.md

@@ -1,82 +1,81 @@
 # WireSocks
 
-<a href="https://twitter.com/_cablethief"><img src="https://img.shields.io/badge/twitter-%40_cablethief-blue.svg" alt="@_cablethief" height="18"></a>  <a href="https://github.com/sensepost/wiresocks/actions/workflows/docker-image.yml"><img src="https://github.com/sensepost/wiresocks/actions/workflows/docker-image.yml/badge.svg" alt="docker builds" height="18"></a> 
+<a href="https://twitter.com/_cablethief"><img src="https://img.shields.io/badge/twitter-%40_cablethief-blue.svg" alt="@_cablethief" height="18"></a>  <a href="https://github.com/sensepost/wiresocks/actions/workflows/docker-image.yml"><img src="https://github.com/sensepost/wiresocks/actions/workflows/docker-image.yml/badge.svg" alt="docker builds" height="18"></a>
 
-Docker-compose and Dockerfile to setup a wireguard VPN connection to force TCP traffic through a socks proxy. 
+Docker-compose and Dockerfile to setup a wireguard VPN connection, forcing specific TCP traffic through a socks proxy.
 
 I set this up after fighting with socks proxies and Windows offensive tooling.
 
-The intention is to facilitate tooling on Windows and MacOS that ignore things like [proxychains](https://github.com/rofl0r/proxychains-ng), [proxifier](https://www.proxifier.com/), and [proxycap](https://www.proxycap.com/). This is done by using wireguard to VPN to a Linux which has routing setup to force traffic via [tun2socks](https://github.com/xjasonlyu/tun2socks) into a Socks5 proxy.  
+The intention is to facilitate tooling on Windows and MacOS that ignore things like [proxychains](https://github.com/rofl0r/proxychains-ng), [proxifier](https://www.proxifier.com/), and [proxycap](https://www.proxycap.com/). This is done by leveraging a wireguard to VPN to a Linux host running this project which has routing setup to force traffic via [tun2socks](https://github.com/xjasonlyu/tun2socks) into a Socks5 proxy.  
 
 ## Warning
 
-Currently this will only capture TCP traffic and not do DNS for you. So use the coredns file with wireguard to configure a tcp dns forwarder. Please see the [DNS](##DNS) section below.
+`docker-compose` provided by ubuntu (and other distributions) is old and doesnt support versions that allow networking fancyness. Please make sure you are using a recent version `of docker-compose`. One way to check if you have a recent enough version is to run `docker compose version`. If either the command is not available, or the version reported is not at least version 2.10+, then you need to upgrade.
 
-Docker-compose provided by ubuntu is old and doesnt support versions that allow networking fancyness. So please use a recent version of docker-compose if it complains about Versions.
+## Usage
 
-# Usage
+A `docker-compose` has been provided to setup both the tun2socks and wireguard.
 
-## Docker Compose
+Copy the example `.env.example` file to `.env` and tweak the values as needed (it should have enough documentation to know what each value is for). Then, start the stack with:
 
-A docker-compose has been provided to setup both the tun2socks and wireguard. 
-
-Edit the variables as desired withing the `docker-compose.yml` and to start the stack in the background use:
-
-```
+```bash
 docker-compose up -d
 ```
 
 You can view the logs from tun2socks to check what is being proxied and errors with:
 
-```
-docker-compose logs wiresocks
+```bash
+docker-compose logs -f
 ```
 
-Docker-compose will also setup wireguard, depending on where you set your wireguard config directory you should be able to find the peer config you want to use. Grab that and edit it so that it is reasonable. AllowedIPs can be used to further target the internal network. 
+The docker-compose will also setup wireguard and you should be able to find the peer config you want to use in the `./config/peer*` directories (depending on how many peers you configured). Grab that and import it into your client where you want to proxy communications from.
 
-You can then take that wireguard config and place it into Windows or MacOS, or whatever OS you require and connect to the VPN. Now all traffic should be forced through the SOCKS proxy without hastle.
+**Note:** In some cases it may be useful to add the `PersistentKeepalive = 2` directive in the `[peer]` section if you experience random timeouts.
 
-## DNS
+Now all traffic should be forced through the SOCKS proxy without hastle for the networks you want to reach, together with DNS.
 
-For DNS I have provided a example Corefile for CoreDNS which will take DNS requests for a specific domain and forward them on but with TCP. This effectivly gets us DNS through the SOCKS tunnel. So for DNS to work you will need to edit the domain and DNS server to use.
+### DNS
 
-This file gets mounted in the Wireguard docker to be used by the VPN so that if your client is using the DNS provided by the docker it should be able to resolve DNS through the SOCKS proxy using the domain and server you provided.
+For DNS we leverage CoreDNS to translate DNS requests for a specific domain and forward them using a TCP lookup. This effectivly gets us DNS through the SOCKS tunnel.
 
-## Information about the tun2socks docker
+## Technical Details
 
-Runs a docker image with `--cap-add=NET_ADMIN --sysctl="net.ipv4.ip_forward=1" --device=/dev/net/tun:/dev/net/tun` to allow the container to create a tun interface as well as set routes for it. 
+Below is some more technical information about the containers used in the docker-compose.yml file.
 
-You specify the socks proxy using the `PROXY` environment variable, make sure your docker can reach that proxy. 
+### Information about the tun2socks docker (wiresocks)
 
-```
+The wiresocks service runs a docker image with `--cap-add=NET_ADMIN --sysctl="net.ipv4.ip_forward=1" --device=/dev/net/tun:/dev/net/tun` flags to allow the container to create a tun interface as well as set routes for it.
+
+You specify the socks proxy using the `PROXY` environment variable, make sure your docker can reach that proxy. It the same as the `-e` flag given to `tun2socks`.
+
+```text
 -e PROXY=socks5://socksaddress:1080
 ```
 
-You can specify which ranges you want to have rediected to the socks proxy by providing a `TUN_INCLUDED_ROUTES` environment variable:
+You can also specify which ranges you want to have redirected to the socks proxy by providing a `TUN_INCLUDED_ROUTES` environment variable:
 
-```
+```text
 -e TUN_INCLUDED_ROUTES=192.168.165.0/24
 ```
 
 The `TUN_INCLUDED_ROUTES` may be comma seperated for multiple ranges.
 
 The container will start tun2socks and configure routes to forward traffic of the routes provided in `TUN_INCLUDED_ROUTES` through the created TUN interface.
 
-## Socksing other dockers
+### Socksing other dockers
 
-You can use the `--net container:wiresocks` option with other dockers to get them to share the same network namespace as the wiresocks docker. This includes the setup routes as well as access to the TUN interface.
-This essentially means you can tunnel arbitary dockers using tun2socks with this option. In the docker-compose we use it for WireGuard so that Windows/MacOS just need a WireGuard config and they can have their traffic transparently proxied. 
+You can use the `--net container:wiresocks` option with other docker containers to get them to share the same network namespace as the wiresocks docker. This includes the setup routes as well as access to the TUN interface. This essentially means you can tunnel arbitary dockers using tun2socks with this option. In the docker-compose we use it for WireGuard so that Windows/MacOS just need a WireGuard config and they can have their traffic transparently proxied.
 
-# Other
+## Other
 
-## Thanks
+### Thanks
 
-Original idea used Darkks [redsocks](https://github.com/darkk/redsocks/) which is amazing! 
+The original idea used Darkks [redsocks](https://github.com/darkk/redsocks/) which is amazing!
 
-This version uses the equally amazing [tun2socks](https://github.com/xjasonlyu/tun2socks) by xjasonlyu! 
+This version uses the equally amazing [tun2socks](https://github.com/xjasonlyu/tun2socks) by xjasonlyu!
 
 Uses [LinuxServers wireguard](https://github.com/linuxserver/docker-wireguard) image to setup the wireguard vpn to connect into the socks network
 
 ## license
 
-`WireSocks` is licensed under a [GNU General Public v3 License](https://www.gnu.org/licenses/gpl-3.0.en.html). Permissions beyond the scope of this license may be available at <http://sensepost.com/contact/>.
+`WireSocks` is licensed under a [GNU General Public v3 License](https://www.gnu.org/licenses/gpl-3.0.en.html). Permissions beyond the scope of this license may be available at <http://sensepost.com/contact/>.

docker-compose.yml

@@ -5,67 +5,71 @@ services:
   wiresocks:
     image: ghcr.io/sensepost/wiresocks:latest
     container_name: wiresocks
-    mem_limit: 1000000000
-    memswap_limit: 2000000000
+    mem_limit: 1gb
+    memswap_limit: 2gb
     mem_reservation: 512m
     cap_add:
       - NET_ADMIN
     devices:
-        - '/dev/net/tun:/dev/net/tun'
+      - /dev/net/tun:/dev/net/tun
     environment:
-      - LOGLEVEL=info             # default
-      - TUN=tun0                  # default
-      - ADDR=198.18.0.1/15        # default
-      - MTU=9000                  # default
+      - LOGLEVEL=info
+      - TUN=tun0
+      - ADDR=198.18.0.1/15
+      - MTU=9000
 
       # What we care about:
-      - PROXY=                    # *required
-      - TUN_INCLUDED_ROUTES=      # The routes you want to route through the socks
+      - PROXY=${PROXY_ADDRESS}
+      - TUN_INCLUDED_ROUTES=${TARGET_ROUTES}
 
-      # Other options avaliable with tun2socks
-      - STATS=:8080               # optional
-      - RESTAPI=                  # optional
-      - TCP_SNDBUF=.              # optional
-      - TCP_RCVBUF=.              # optional
-      - TCP_AUTO_TUNING=.         # optional
-      - UDP_TIMEOUT=              # optional
-      - EXTRA_COMMANDS=           # optional
+      # optional options avaliable with tun2socks
+      #- STATS=:8080
+      - RESTAPI=
+      - TCP_SNDBUF=
+      - TCP_RCVBUF=
+      - TCP_AUTO_TUNING=1
+      - UDP_TIMEOUT=
+      - EXTRA_COMMANDS=
     networks:
-      wiresocks
+      - wiresocks
     extra_hosts:
-    # So you can easily reference your host docker interface for the docker network
-      - "host.docker.internal:host-gateway" 
+      # So you can easily reference your host docker interface for the docker network
+      - host.docker.internal:host-gateway
     sysctls:
       - net.ipv4.ip_forward=1
       - net.ipv4.conf.all.src_valid_mark=1
-      # - net.ipv4.conf.all.rp_filter=0
     ports:
-    # Because we are going to use this containers network for wireguard we have to port forward here
-      - 51820:51820/udp
+      # Because we are going to use this containers network for wireguard we have to port forward here
+      - ${WG_UDP_PORT}:${WG_UDP_PORT}/udp
     restart: unless-stopped
 
   wireguard:
     image: lscr.io/linuxserver/wireguard
-    container_name: wiresocks-wg
+    container_name: wireguard
+    depends_on:
+      - wiresocks
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
+    env_file:
+      - .env
     environment:
       - PUID=1000
       - PGID=1000
       - TZ=Europe/London
-      - SERVERPORT=51820
+      - SERVERPORT=${WG_UDP_PORT}
       # These are just settings that get populated into the client configs, you can edit the config after creation
-      - SERVERURL=wireguard.domain.com #optional - your server address
-      - PEERS=1 #optional - Amount of client configs to generate
-      - INTERNAL_SUBNET=10.13.13.0 #optional - What IPs to use for wireguard VPN
-
-      # Will likely match with TUN_INCLUDED_ROUTES above
-      - ALLOWEDIPS=0.0.0.0/0 #optional - Set in clients to say what should be sent to wireguard
+      - SERVERURL=${WG_HOST}
+      - PEERS=${WG_PEERS}
+      - INTERNAL_SUBNET=10.13.13.0
+      - ALLOWEDIPS=10.13.13.0/24,${TARGET_ROUTES}
     volumes:
-      - /tmp/config:/config # Set where you want your configs written
+      # this is where the wireguard peer configs will live
+      - ./config:/config
       - /lib/modules:/lib/modules
-      - ./coredns:/config/coredns
+      #
+      - ./init.d:/custom-cont-init.d:ro
+      #- ./coredns:/config/coredns
     sysctls:
       - net.ipv4.conf.all.src_valid_mark=1
     network_mode: container:wiresocks

init.d/config-dns.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# a shell script to configure coredns to forward DNS traffic to
+# an upstream server, forcing TCP lookups to be socks friendly
+
+echo "configuring dns to ${TARGET_ROOT_DOMAIN} to lookup at ${TARGET_DNS_SERVER}..."
+
+cat << EOF > /config/coredns/Corefile
+${TARGET_ROOT_DOMAIN} {
+    loop
+    log
+    forward . ${TARGET_DNS_SERVER}:53 {
+        force_tcp
+    }
+}
+. {
+    loop
+    forward . /etc/resolv.conf
+}
+EOF