This GitHub Action configures and initiates a secure WireGuard VPN connection in the calling workflow.
```yaml
- uses: inpsyde/actions/setup-wireguard@v1
  with:
    # The full content of the WireGuard configuration file (`.conf`).
    wireguard-configuration: ''
```
- Validates the provided WireGuard configuration to prevent the execution of arbitrary commands
- Installs WireGuard on the runner
- Configures WireGuard using the provided configuration
- Sets up a secure connection with `wg-quick`
```yaml
- name: Set up WireGuard
  uses: inpsyde/actions/setup-wireguard@v1
  with:
    wireguard-configuration: ${{ secrets.WIREGUARD_CONFIGURATION }}
```
The WireGuard configuration must be stored as a secret in the calling GitHub repository. Do not hardcode sensitive information directly in workflow files.
To enhance security, this action includes validation logic that disallows certain directives in the WireGuard configuration that could execute arbitrary shell commands. Specifically, the following directives are disallowed:
- PreUp
- PostUp
- PreDown
- PostDown
These directives can execute shell commands when the WireGuard interface is brought up or down, posing a security risk if misused. If the configuration includes any of these directives, the action will fail with an error message:
```text
Error: Configuration contains disallowed directives (PreUp, PostUp, PreDown, PostDown).
```
Ensure the WireGuard configuration does not include these directives. Only include the necessary configuration options within the [Interface] and [Peer] sections.
```ini
[Interface]
Address = 10.0.0.1/24
PrivateKey = Q29uZ3JhdHVsYXRpb25zLCB5b3UgZm91bmQgYW4gZWFzdGVyIGVnZyE=
ListenPort = 51820

[Peer]
PresharedKey = V2UgYXJlIGhpcmluZyEgQ2hlY2sgaGVyZSBzeWRlLmNvbS9jYXJlZXI=
PublicKey = U3lkZSDigJMgRXVyb3Bl4oCZcyBiaWdnZXN0IFdQIGFnZW5jeSE=
AllowedIPs = 0.0.0.0/0
Endpoint = peer.example.com:51820
PersistentKeepalive = 25
```
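The following is an added illustration of the directive check described above; it is not the action's own code. It shows one way a validator can reject `PreUp`, `PostUp`, `PreDown` and `PostDown` before a configuration is handed to `wg-quick`: `#` comments are stripped the way `wg-quick` strips them, the key left of `=` is compared ignoring surrounding whitespace, and matching is case-insensitive as a conservative choice. The function name `validate_wireguard_config`, the two sample configurations and the `<placeholder>` key values are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example (not part of the inpsyde/actions/setup-wireguard action):
# reject the four hook directives that let a WireGuard config run shell commands.

# validate_wireguard_config CONFIG_TEXT
# Returns 0 when no hook directive is present; prints the error and returns 1 otherwise.
validate_wireguard_config() {
    # 1. Drop everything after "#" on each line (wg-quick ignores comments too).
    # 2. Look for a line whose key is PreUp/PostUp/PreDown/PostDown followed by "=",
    #    allowing any whitespace around the key and ignoring case.
    if printf '%s\n' "$1" \
        | sed 's/#.*$//' \
        | grep -Eiq '^[[:space:]]*(PreUp|PostUp|PreDown|PostDown)[[:space:]]*='; then
        echo "Error: Configuration contains disallowed directives (PreUp, PostUp, PreDown, PostDown)." >&2
        return 1
    fi
    return 0
}

# Constructed sample: only [Interface]/[Peer] options, plus a commented-out hook,
# which wg-quick would never execute and which the validator therefore tolerates.
GOOD_CONFIG='[Interface]
Address = 10.0.0.1/24
PrivateKey = <placeholder>
# PostUp = echo "this line is a comment and is ignored"

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = peer.example.com:51820'

# Constructed sample: a hook directive written with odd spacing and lowercase,
# to show that the check does not depend on the exact "PostUp = ..." spelling.
BAD_CONFIG='[Interface]
Address = 10.0.0.1/24
PrivateKey = <placeholder>
   postup=echo "hook would run here"'

# Stand-alone demonstration.
if validate_wireguard_config "$GOOD_CONFIG"; then
    echo "sample config accepted"
fi
validate_wireguard_config "$BAD_CONFIG" || echo "hook directive rejected as expected"
```

In a composite action the same check would run before the configuration is written to `/etc/wireguard`, so a rejected configuration never reaches `wg-quick` at all.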