Docker/Wireguard-Tor-Tunnel
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Wireguard-Tor-Tunnel/wg/entrypoint.sh
johan 7a77645510 initial release
2025-10-05 13:32:48 +01:00

69 lines
2.1 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
set -euo pipefail
# Ensure forwarding is on
sysctl -w net.ipv4.ip_forward=1 >/dev/null
# Bring up WireGuard. wg0.conf must define Address=10.66.0.1/24 etc.
ip link add dev wg0 type wireguard || true
wg-quick up wg0
# Tor transparent proxy ports in THIS namespace (shared with tor service)
TOR_TRANS=9040
TOR_DNS=5353
# Flush any old rules
iptables -t nat -F || true
iptables -t mangle -F || true
iptables -F || true
# Default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Allow WireGuard UDP port 51820
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD: allow from wg0 to local stack (tor) and back
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# === Transparent redirection of wg0 traffic into Tor ===
# DNS: redirect all DNS from wg clients to Tor DNSPort (supports TCP & UDP)
iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j REDIRECT --to-ports ${TOR_DNS}
iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j REDIRECT --to-ports ${TOR_DNS}
# TCP: redirect everything to Tor TransPort
iptables -t nat -A PREROUTING -i wg0 -p tcp -j REDIRECT --to-ports ${TOR_TRANS}
# Drop any UDP trying to escape (Tor can't carry UDP; better to fail closed)
iptables -A FORWARD -i wg0 -p udp -j REJECT --reject-with icmp-port-unreachable
# (Optional) prevent bypass: block direct internet from wg0 that is NOT redirected (belt & braces)
# For non-TCP/UDP, just drop
iptables -A FORWARD -i wg0 -p icmp -j REJECT --reject-with icmp-host-unreachable
iptables -A FORWARD -i wg0 -p all -j DROP
# Health: show status then sleep forever
echo "===== WireGuard status ====="
wg show
echo "===== IP addresses ====="
ip addr
echo "===== iptables (nat) ====="
iptables -t nat -S
echo "===== iptables (filter) ====="
iptables -S
# Daemonize to keep container alive
tail -f /dev/null
Reference in New Issue View Git Blame Copy Permalink