Use wg setconf
instead of wg-quick
on the server
Properly handle the masquerade interface not being 'eth0'. Cleaned up the code a little with 'SERVER_LIB'.
This commit is contained in:
parent
3022712fe6
commit
e4afb7f972
114
vpnerator.sh
114
vpnerator.sh
@ -8,9 +8,12 @@
|
|||||||
HOST=$1
|
HOST=$1
|
||||||
HOST_ADDR=$(echo ${HOST} | awk -F '@' '{ print $NF }')
|
HOST_ADDR=$(echo ${HOST} | awk -F '@' '{ print $NF }')
|
||||||
|
|
||||||
|
INTERFACE_NAME=tun
|
||||||
|
RAND=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -1)
|
||||||
SERVER_ADDR=10.99.255.1/24
|
SERVER_ADDR=10.99.255.1/24
|
||||||
CLIENT_ADDR=10.99.255.2/32
|
CLIENT_ADDR=10.99.255.2/32
|
||||||
DNS=8.8.8.8
|
DNS=8.8.8.8
|
||||||
|
#INTERFACE_NAME=${INTERFACE_PFX}-${RAND}
|
||||||
|
|
||||||
echo "Generating keys..."
|
echo "Generating keys..."
|
||||||
SERVER_KEY=$(wg genkey)
|
SERVER_KEY=$(wg genkey)
|
||||||
@ -21,47 +24,93 @@ PSK=$(wg genpsk)
|
|||||||
echo " Server pubkey: ${SERVER_PUB}"
|
echo " Server pubkey: ${SERVER_PUB}"
|
||||||
echo " Client pubkey: ${CLIENT_PUB}"
|
echo " Client pubkey: ${CLIENT_PUB}"
|
||||||
|
|
||||||
SERVER_SETUP=$(cat << END
|
SERVER_LIB=$(cat << END
|
||||||
if [ -z "\$(which wg-quick 2>/dev/null)" ]; then
|
DEFAULT_IFACE=\$(awk '\$2 == 00000000 { print \$1 }' /proc/net/route)
|
||||||
echo "wg-quick not found, installing..."
|
|
||||||
sudo apt install -y wireguard-tools 2>/dev/null \
|
exec_sudo() {
|
||||||
|| sudo pacman -S --noconfirm wireguard-tools 2>/dev/null \
|
echo "[#] \$@"
|
||||||
|| sudo dnf install -y wireguard-tools iptables 2>/dev/null \
|
sudo \$@ 2>/dev/null
|
||||||
[ "\$?" -eq 0 ] || { echo "Could not install wireguard-tools, aborting."; exit 1; }
|
}
|
||||||
fi
|
|
||||||
|
deps() {
|
||||||
|
if ! type -p wg iptables >/dev/null ; then
|
||||||
|
echo "wireguard-tools or iptables missing, installing..."
|
||||||
|
sudo apt install -y wireguard-tools iptables 2>/dev/null \
|
||||||
|
|| sudo pacman -S --noconfirm wireguard-tools iptables 2>/dev/null \
|
||||||
|
|| sudo dnf install -y wireguard-tools iptables 2>/dev/null
|
||||||
|
if [ "\$?" -ne 0 ] ; then
|
||||||
|
echo "Could not install wireguard-tools and/or iptables. Aborting."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
cleanup() {
|
||||||
|
if ip link show ${INTERFACE_NAME} type wireguard > /dev/null 2>&1 ; then
|
||||||
|
exec_sudo iptables -D FORWARD -i ${INTERFACE_NAME} -j ACCEPT
|
||||||
|
exec_sudo iptables -D FORWARD -o ${INTERFACE_NAME} -j ACCEPT
|
||||||
|
exec_sudo iptables -t nat -D POSTROUTING -o \${DEFAULT_IFACE} -j MASQUERADE
|
||||||
|
exec_sudo ip link del dev ${INTERFACE_NAME}
|
||||||
|
exec_sudo sysctl -wq net.ipv4.ip_forward=0
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
END
|
||||||
|
)
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "Starting server..."
|
||||||
|
ssh -T ${HOST} /bin/bash << END
|
||||||
|
# include SERVER_LIB
|
||||||
|
${SERVER_LIB}
|
||||||
|
|
||||||
|
# Install depends
|
||||||
|
deps || exit 1
|
||||||
|
|
||||||
|
# Cleanup previous tunnel
|
||||||
|
cleanup
|
||||||
|
|
||||||
sysctl -w net.ipv4.ip_forward=1
|
|
||||||
umask 0177
|
umask 0177
|
||||||
|
|
||||||
cat << CONF > /tmp/tun.conf
|
exec_sudo ip link add "${INTERFACE_NAME}" type wireguard
|
||||||
|
|
||||||
|
TMP=\$(mktemp)
|
||||||
|
cat << EOF > \${TMP}
|
||||||
[Interface]
|
[Interface]
|
||||||
Address = ${SERVER_ADDR}
|
|
||||||
ListenPort = 51820
|
ListenPort = 51820
|
||||||
PrivateKey = ${SERVER_KEY}
|
PrivateKey = ${SERVER_KEY}
|
||||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
||||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
# foo
|
# foo
|
||||||
PublicKey = ${CLIENT_PUB}
|
PublicKey = ${CLIENT_PUB}
|
||||||
PresharedKey = ${PSK}
|
PresharedKey = ${PSK}
|
||||||
AllowedIPs = ${CLIENT_ADDR}
|
AllowedIPs = ${CLIENT_ADDR}
|
||||||
CONF
|
EOF
|
||||||
|
|
||||||
sudo wg-quick up /tmp/tun.conf
|
exec_sudo wg setconf "${INTERFACE_NAME}" "\${TMP}"
|
||||||
|
rm "\${TMP}"
|
||||||
|
|
||||||
|
exec_sudo sysctl -wq net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
exec_sudo ip addr add "${SERVER_ADDR}" dev "${INTERFACE_NAME}"
|
||||||
|
exec_sudo ip link set mtu 1420 up dev "${INTERFACE_NAME}"
|
||||||
|
|
||||||
|
exec_sudo iptables -A FORWARD -i "${INTERFACE_NAME}" -j ACCEPT
|
||||||
|
exec_sudo iptables -A FORWARD -o "${INTERFACE_NAME}" -j ACCEPT
|
||||||
|
exec_sudo iptables -t nat -A POSTROUTING -o "\${DEFAULT_IFACE}" -j MASQUERADE
|
||||||
END
|
END
|
||||||
)
|
|
||||||
|
|
||||||
echo
|
|
||||||
echo "Starting server..."
|
|
||||||
ssh -T ${HOST} sh <<< "${SERVER_SETUP}" 1>/dev/null
|
|
||||||
if [ "$?" -ne 0 ]; then
|
if [ "$?" -ne 0 ]; then
|
||||||
echo "Error starting server, aborting."
|
echo "Error starting server, aborting."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
umask 0177
|
umask 0177
|
||||||
cat << CONF > /tmp/tun.conf
|
FILE="/tmp/${INTERFACE_NAME}.conf"
|
||||||
|
cat << CONF > "${FILE}"
|
||||||
[Interface]
|
[Interface]
|
||||||
Address = ${CLIENT_ADDR}
|
Address = ${CLIENT_ADDR}
|
||||||
PrivateKey = ${CLIENT_KEY}
|
PrivateKey = ${CLIENT_KEY}
|
||||||
@ -76,31 +125,32 @@ CONF
|
|||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Starting client..."
|
echo "Starting client..."
|
||||||
sudo wg-quick up /tmp/tun.conf
|
sudo wg-quick up "${FILE}"
|
||||||
|
|
||||||
# clear these variables from memory
|
|
||||||
PSK=
|
|
||||||
CLIENT_KEY=
|
|
||||||
SERVER_KEY=
|
|
||||||
|
|
||||||
sleep 1
|
sleep 1
|
||||||
echo
|
echo
|
||||||
sudo wg show tun
|
sudo wg show "${INTERFACE_NAME}"
|
||||||
echo
|
echo
|
||||||
echo "Connected! Interrupt or press Enter to disconnect and stop server."
|
echo "Connected! Interrupt or press Enter to disconnect and stop server."
|
||||||
|
|
||||||
|
# clear sensitive variables from memory
|
||||||
|
PSK=
|
||||||
|
CLIENT_KEY=
|
||||||
|
SERVER_KEY=
|
||||||
|
|
||||||
cleanup() {
|
cleanup() {
|
||||||
set -e
|
set -e
|
||||||
echo
|
echo
|
||||||
echo "Stopping client..."
|
echo "Stopping client..."
|
||||||
sudo wg-quick down /tmp/tun.conf
|
sudo wg-quick down ${FILE}
|
||||||
rm /tmp/tun.conf
|
rm ${FILE}
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Stopping server..."
|
echo "Stopping server..."
|
||||||
ssh -T ${HOST} <<- END
|
ssh -T ${HOST} /bin/bash <<- END
|
||||||
wg-quick down /tmp/tun.conf
|
${SERVER_LIB}
|
||||||
rm /tmp/tun.conf
|
|
||||||
|
cleanup || echo "Server was already shut down."
|
||||||
END
|
END
|
||||||
|
|
||||||
echo
|
echo
|
||||||
|
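Review bot: The remote setup script in the second hunk (`@ -21,47 +24,93 @@`) can now fail silently, because the `if [ "$?" -ne 0 ]` check after the `ssh -T ${HOST} /bin/bash << END` block only sees the exit status of the last remote command, the `iptables -t nat -A POSTROUTING` rule, and `exec_sudo` discards stderr with `2>/dev/null`; before the change the last command was `sudo wg-quick up`, so a failed interface bring-up propagated, whereas a failed `wg setconf` (e.g. a bad key in the generated file) is now masked and the client side proceeds to connect. Either add `set -e` right after the `${SERVER_LIB}` line in the remote heredoc, or make the critical step explicit: `exec_sudo wg setconf "${INTERFACE_NAME}" "\${TMP}" || { rm -f "\${TMP}"; exit 1; }`. Separately, `DEFAULT_IFACE=\$(awk '\$2 == 00000000 { print \$1 }' /proc/net/route)` may be empty or multi-line when the server has no or several default routes, and `cleanup` uses it unquoted (`-o \${DEFAULT_IFACE}`) while the setup path quotes it; a guard such as `[ -n "\${DEFAULT_IFACE}" ] || { echo "No default interface found."; exit 1; }` after the assignment, and `head -1` on the awk pipeline, would keep the MASQUERADE rule from being added or deleted against the wrong interface. The same applies to `exec_sudo`'s unquoted `sudo \$@`, which should be `sudo "\$@"` so arguments containing spaces are passed intact.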