Use wg setconf instead of wg-quick on the server
			Properly handle the masquerade interface not being 'eth0'. Cleaned up the code a little with 'SERVER_LIB'.
										114
								vpnerator.sh
										114
								vpnerator.sh
							@ -8,9 +8,12 @@
 | 
			
		||||
HOST=$1
 | 
			
		||||
HOST_ADDR=$(echo ${HOST} | awk -F '@' '{ print $NF }')
 | 
			
		||||
 | 
			
		||||
INTERFACE_NAME=tun
 | 
			
		||||
RAND=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -1)
 | 
			
		||||
SERVER_ADDR=10.99.255.1/24
 | 
			
		||||
CLIENT_ADDR=10.99.255.2/32
 | 
			
		||||
DNS=8.8.8.8
 | 
			
		||||
#INTERFACE_NAME=${INTERFACE_PFX}-${RAND}
 | 
			
		||||
 | 
			
		||||
echo "Generating keys..."
 | 
			
		||||
SERVER_KEY=$(wg genkey)
 | 
			
		||||
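Review bot: `RAND=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -1)` is computed on every run but its only consumer, `#INTERFACE_NAME=${INTERFACE_PFX}-${RAND}`, is commented out (and `INTERFACE_PFX` is not assigned anywhere in view), so the line is dead work and leaves a reader unsure which naming scheme is intended; either drop RAND or restore the suffix line. Should the script ever run under `set -o pipefail`, `head -1` closing the pipe can also make that pipeline report failure through tr's SIGPIPE. `HOST_ADDR=$(echo ${HOST} | awk -F '@' '{ print $NF }')` leaves the expansion unquoted; `HOST_ADDR=$(printf '%s\n' "${HOST}" | awk -F '@' '{ print $NF }')` keeps the value intact.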
@ -21,47 +24,93 @@ PSK=$(wg genpsk)
 | 
			
		||||
echo "  Server pubkey: ${SERVER_PUB}"
 | 
			
		||||
echo "  Client pubkey: ${CLIENT_PUB}"
 | 
			
		||||
 | 
			
		||||
SERVER_SETUP=$(cat << END
 | 
			
		||||
if [ -z "\$(which wg-quick 2>/dev/null)" ]; then
 | 
			
		||||
    echo "wg-quick not found, installing..."
 | 
			
		||||
    sudo apt install -y wireguard-tools 2>/dev/null \
 | 
			
		||||
        || sudo pacman -S --noconfirm wireguard-tools 2>/dev/null \
 | 
			
		||||
        || sudo dnf install -y wireguard-tools iptables 2>/dev/null \
 | 
			
		||||
    [ "\$?" -eq 0 ] || { echo "Could not install wireguard-tools, aborting."; exit 1; }
 | 
			
		||||
fi
 | 
			
		||||
SERVER_LIB=$(cat << END
 | 
			
		||||
DEFAULT_IFACE=\$(awk '\$2 == 00000000 { print \$1 }' /proc/net/route)
 | 
			
		||||
 | 
			
		||||
exec_sudo() {
 | 
			
		||||
	echo "[#] \$@"
 | 
			
		||||
	sudo \$@ 2>/dev/null
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
deps() {
 | 
			
		||||
	if ! type -p wg iptables >/dev/null ; then
 | 
			
		||||
		echo "wireguard-tools or iptables missing, installing..."
 | 
			
		||||
		sudo apt install -y wireguard-tools iptables 2>/dev/null \
 | 
			
		||||
			|| sudo pacman -S --noconfirm wireguard-tools iptables 2>/dev/null \
 | 
			
		||||
			|| sudo dnf install -y wireguard-tools iptables 2>/dev/null
 | 
			
		||||
		if [ "\$?" -ne 0 ] ; then
 | 
			
		||||
			echo "Could not install wireguard-tools and/or iptables. Aborting."
 | 
			
		||||
			return 1
 | 
			
		||||
		fi
 | 
			
		||||
	fi
 | 
			
		||||
	return 0
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
cleanup() {
 | 
			
		||||
	if ip link show ${INTERFACE_NAME} type wireguard > /dev/null 2>&1 ; then
 | 
			
		||||
		exec_sudo iptables -D FORWARD -i ${INTERFACE_NAME} -j ACCEPT
 | 
			
		||||
		exec_sudo iptables -D FORWARD -o ${INTERFACE_NAME} -j ACCEPT
 | 
			
		||||
		exec_sudo iptables -t nat -D POSTROUTING -o \${DEFAULT_IFACE} -j MASQUERADE
 | 
			
		||||
		exec_sudo ip link del dev ${INTERFACE_NAME}
 | 
			
		||||
		exec_sudo sysctl -wq net.ipv4.ip_forward=0
 | 
			
		||||
		return 0
 | 
			
		||||
	else
 | 
			
		||||
		return 1
 | 
			
		||||
	fi
 | 
			
		||||
}
 | 
			
		||||
END
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
echo
 | 
			
		||||
echo "Starting server..."
 | 
			
		||||
ssh -T ${HOST} /bin/bash << END
 | 
			
		||||
# include SERVER_LIB
 | 
			
		||||
${SERVER_LIB}
 | 
			
		||||
 | 
			
		||||
# Install depends
 | 
			
		||||
deps || exit 1
 | 
			
		||||
 | 
			
		||||
# Cleanup previous tunnel
 | 
			
		||||
cleanup
 | 
			
		||||
 | 
			
		||||
sysctl -w net.ipv4.ip_forward=1
 | 
			
		||||
umask 0177
 | 
			
		||||
 | 
			
		||||
cat << CONF > /tmp/tun.conf
 | 
			
		||||
exec_sudo ip link add "${INTERFACE_NAME}" type wireguard
 | 
			
		||||
 | 
			
		||||
TMP=\$(mktemp)
 | 
			
		||||
cat << EOF > \${TMP}
 | 
			
		||||
[Interface]
 | 
			
		||||
Address = ${SERVER_ADDR}
 | 
			
		||||
ListenPort = 51820
 | 
			
		||||
PrivateKey = ${SERVER_KEY}
 | 
			
		||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 | 
			
		||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 | 
			
		||||
 | 
			
		||||
[Peer]
 | 
			
		||||
# foo
 | 
			
		||||
PublicKey = ${CLIENT_PUB}
 | 
			
		||||
PresharedKey = ${PSK}
 | 
			
		||||
AllowedIPs = ${CLIENT_ADDR}
 | 
			
		||||
CONF
 | 
			
		||||
EOF
 | 
			
		||||
 | 
			
		||||
sudo wg-quick up /tmp/tun.conf
 | 
			
		||||
exec_sudo wg setconf "${INTERFACE_NAME}" "\${TMP}"
 | 
			
		||||
rm "\${TMP}"
 | 
			
		||||
 | 
			
		||||
exec_sudo sysctl -wq net.ipv4.ip_forward=1
 | 
			
		||||
 | 
			
		||||
exec_sudo ip addr add "${SERVER_ADDR}" dev "${INTERFACE_NAME}"
 | 
			
		||||
exec_sudo ip link set mtu 1420 up dev "${INTERFACE_NAME}"
 | 
			
		||||
 | 
			
		||||
exec_sudo iptables -A FORWARD -i "${INTERFACE_NAME}" -j ACCEPT
 | 
			
		||||
exec_sudo iptables -A FORWARD -o "${INTERFACE_NAME}" -j ACCEPT
 | 
			
		||||
exec_sudo iptables -t nat -A POSTROUTING -o "\${DEFAULT_IFACE}" -j MASQUERADE
 | 
			
		||||
END
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
echo
 | 
			
		||||
echo "Starting server..."
 | 
			
		||||
ssh -T ${HOST} sh <<< "${SERVER_SETUP}" 1>/dev/null
 | 
			
		||||
if [ "$?" -ne 0 ]; then
 | 
			
		||||
    echo "Error starting server, aborting."
 | 
			
		||||
    exit 1
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
umask 0177
 | 
			
		||||
cat << CONF > /tmp/tun.conf
 | 
			
		||||
FILE="/tmp/${INTERFACE_NAME}.conf"
 | 
			
		||||
cat << CONF > "${FILE}"
 | 
			
		||||
[Interface]
 | 
			
		||||
Address = ${CLIENT_ADDR}
 | 
			
		||||
PrivateKey = ${CLIENT_KEY}
 | 
			
		||||
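Review bot: `exec_sudo` discards stderr (`sudo \$@ 2>/dev/null`) and none of its callers in the `ssh -T ${HOST} /bin/bash << END` script check its status, so a failing `wg setconf` or iptables call is invisible and the script still brings the link up, enables ip_forward and installs the MASQUERADE rule on a half-configured server, with nothing on the local side to detect it. I would keep stderr and quote the arguments, `sudo "\$@"`, and abort on the critical step: `exec_sudo wg setconf "${INTERFACE_NAME}" "\${TMP}" || { rm -f "\${TMP}"; exit 1; }`. `DEFAULT_IFACE` is whatever awk prints from /proc/net/route, which is several lines when more than one default route exists, so `-o "\${DEFAULT_IFACE}"` would then be a single newline-containing argument; a `head -1` or a single-value check would make that explicit. The MASQUERADE rule matches every packet leaving the default interface rather than only tunnel traffic, so adding `-s 10.99.255.0/24` (the network of SERVER_ADDR) to the `-A` and `-D` lines keeps the NAT scoped; and `cleanup` resets ip_forward to 0 unconditionally instead of the value it found, which can disable forwarding the host relied on before the script ran.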
@ -76,31 +125,32 @@ CONF
 | 
			
		||||
 | 
			
		||||
echo
 | 
			
		||||
echo "Starting client..."
 | 
			
		||||
sudo wg-quick up /tmp/tun.conf
 | 
			
		||||
 | 
			
		||||
# clear these variables from memory
 | 
			
		||||
PSK=
 | 
			
		||||
CLIENT_KEY=
 | 
			
		||||
SERVER_KEY=
 | 
			
		||||
sudo wg-quick up "${FILE}"
 | 
			
		||||
 | 
			
		||||
sleep 1
 | 
			
		||||
echo
 | 
			
		||||
sudo wg show tun
 | 
			
		||||
sudo wg show "${INTERFACE_NAME}"
 | 
			
		||||
echo
 | 
			
		||||
echo "Connected! Interrupt or press Enter to disconnect and stop server."
 | 
			
		||||
 | 
			
		||||
# clear sensitive variables from memory
 | 
			
		||||
PSK=
 | 
			
		||||
CLIENT_KEY=
 | 
			
		||||
SERVER_KEY=
 | 
			
		||||
 | 
			
		||||
cleanup() {
 | 
			
		||||
	set -e
 | 
			
		||||
	echo
 | 
			
		||||
	echo "Stopping client..."
 | 
			
		||||
	sudo wg-quick down /tmp/tun.conf
 | 
			
		||||
	rm /tmp/tun.conf
 | 
			
		||||
	sudo wg-quick down ${FILE}
 | 
			
		||||
	rm ${FILE}
 | 
			
		||||
 | 
			
		||||
	echo
 | 
			
		||||
	echo "Stopping server..."
 | 
			
		||||
	ssh -T ${HOST} <<- END
 | 
			
		||||
	wg-quick down /tmp/tun.conf
 | 
			
		||||
	rm /tmp/tun.conf
 | 
			
		||||
	ssh -T ${HOST} /bin/bash <<- END
 | 
			
		||||
	${SERVER_LIB}
 | 
			
		||||
 | 
			
		||||
	cleanup || echo "Server was already shut down."
 | 
			
		||||
	END
 | 
			
		||||
 | 
			
		||||
	echo
 | 
			
		||||
 | 
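Review bot: `set -e` at the top of the client `cleanup()` means a failing `sudo wg-quick down ${FILE}` (for instance when the client tunnel is already gone) exits the script before the `ssh -T ${HOST} /bin/bash <<- END` block runs, so the server keeps its tunnel, ip_forward and MASQUERADE rule; the function's closing brace is outside the hunk. Letting the client teardown fail soft keeps the server teardown reachable: `sudo wg-quick down "${FILE}" || echo "Client tunnel was already down."` followed by `rm -f -- "${FILE}"`. A comment would also help, since `cleanup` inside the heredoc is SERVER_LIB's function executed on the server and not this local one: `# 'cleanup' below is the SERVER_LIB function run on the server, not this one`.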