Use wg setconf instead of wg-quick on the server

Properly handle the masquerade interface not being 'eth0'

Cleaned up code a little with 'SERVER_LIB'
This commit is contained in:
Matt Low 2020-12-31 18:09:11 -07:00
parent 3022712fe6
commit e4afb7f972

View File

@ -8,9 +8,12 @@
HOST=$1 HOST=$1
HOST_ADDR=$(echo ${HOST} | awk -F '@' '{ print $NF }') HOST_ADDR=$(echo ${HOST} | awk -F '@' '{ print $NF }')
INTERFACE_NAME=tun
RAND=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -1)
SERVER_ADDR=10.99.255.1/24 SERVER_ADDR=10.99.255.1/24
CLIENT_ADDR=10.99.255.2/32 CLIENT_ADDR=10.99.255.2/32
DNS=8.8.8.8 DNS=8.8.8.8
#INTERFACE_NAME=${INTERFACE_PFX}-${RAND}
echo "Generating keys..." echo "Generating keys..."
SERVER_KEY=$(wg genkey) SERVER_KEY=$(wg genkey)
@ -21,47 +24,93 @@ PSK=$(wg genpsk)
echo " Server pubkey: ${SERVER_PUB}" echo " Server pubkey: ${SERVER_PUB}"
echo " Client pubkey: ${CLIENT_PUB}" echo " Client pubkey: ${CLIENT_PUB}"
SERVER_SETUP=$(cat << END SERVER_LIB=$(cat << END
if [ -z "\$(which wg-quick 2>/dev/null)" ]; then DEFAULT_IFACE=\$(awk '\$2 == 00000000 { print \$1 }' /proc/net/route)
echo "wg-quick not found, installing..."
sudo apt install -y wireguard-tools 2>/dev/null \ exec_sudo() {
|| sudo pacman -S --noconfirm wireguard-tools 2>/dev/null \ echo "[#] \$@"
|| sudo dnf install -y wireguard-tools iptables 2>/dev/null \ sudo \$@ 2>/dev/null
[ "\$?" -eq 0 ] || { echo "Could not install wireguard-tools, aborting."; exit 1; } }
fi
deps() {
if ! type -p wg iptables >/dev/null ; then
echo "wireguard-tools or iptables missing, installing..."
sudo apt install -y wireguard-tools iptables 2>/dev/null \
|| sudo pacman -S --noconfirm wireguard-tools iptables 2>/dev/null \
|| sudo dnf install -y wireguard-tools iptables 2>/dev/null
if [ "\$?" -ne 0 ] ; then
echo "Could not install wireguard-tools and/or iptables. Aborting."
return 1
fi
fi
return 0
}
cleanup() {
if ip link show ${INTERFACE_NAME} type wireguard > /dev/null 2>&1 ; then
exec_sudo iptables -D FORWARD -i ${INTERFACE_NAME} -j ACCEPT
exec_sudo iptables -D FORWARD -o ${INTERFACE_NAME} -j ACCEPT
exec_sudo iptables -t nat -D POSTROUTING -o \${DEFAULT_IFACE} -j MASQUERADE
exec_sudo ip link del dev ${INTERFACE_NAME}
exec_sudo sysctl -wq net.ipv4.ip_forward=0
return 0
else
return 1
fi
}
END
)
echo
echo "Starting server..."
ssh -T ${HOST} /bin/bash << END
# include SERVER_LIB
${SERVER_LIB}
# Install depends
deps || exit 1
# Cleanup previous tunnel
cleanup
sysctl -w net.ipv4.ip_forward=1
umask 0177 umask 0177
cat << CONF > /tmp/tun.conf exec_sudo ip link add "${INTERFACE_NAME}" type wireguard
TMP=\$(mktemp)
cat << EOF > \${TMP}
[Interface] [Interface]
Address = ${SERVER_ADDR}
ListenPort = 51820 ListenPort = 51820
PrivateKey = ${SERVER_KEY} PrivateKey = ${SERVER_KEY}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer] [Peer]
# foo # foo
PublicKey = ${CLIENT_PUB} PublicKey = ${CLIENT_PUB}
PresharedKey = ${PSK} PresharedKey = ${PSK}
AllowedIPs = ${CLIENT_ADDR} AllowedIPs = ${CLIENT_ADDR}
CONF EOF
sudo wg-quick up /tmp/tun.conf exec_sudo wg setconf "${INTERFACE_NAME}" "\${TMP}"
rm "\${TMP}"
exec_sudo sysctl -wq net.ipv4.ip_forward=1
exec_sudo ip addr add "${SERVER_ADDR}" dev "${INTERFACE_NAME}"
exec_sudo ip link set mtu 1420 up dev "${INTERFACE_NAME}"
exec_sudo iptables -A FORWARD -i "${INTERFACE_NAME}" -j ACCEPT
exec_sudo iptables -A FORWARD -o "${INTERFACE_NAME}" -j ACCEPT
exec_sudo iptables -t nat -A POSTROUTING -o "\${DEFAULT_IFACE}" -j MASQUERADE
END END
)
echo
echo "Starting server..."
ssh -T ${HOST} sh <<< "${SERVER_SETUP}" 1>/dev/null
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
echo "Error starting server, aborting." echo "Error starting server, aborting."
exit 1 exit 1
fi fi
umask 0177 umask 0177
cat << CONF > /tmp/tun.conf FILE="/tmp/${INTERFACE_NAME}.conf"
cat << CONF > "${FILE}"
[Interface] [Interface]
Address = ${CLIENT_ADDR} Address = ${CLIENT_ADDR}
PrivateKey = ${CLIENT_KEY} PrivateKey = ${CLIENT_KEY}
@ -76,31 +125,32 @@ CONF
echo echo
echo "Starting client..." echo "Starting client..."
sudo wg-quick up /tmp/tun.conf sudo wg-quick up "${FILE}"
# clear these variables from memory
PSK=
CLIENT_KEY=
SERVER_KEY=
sleep 1 sleep 1
echo echo
sudo wg show tun sudo wg show "${INTERFACE_NAME}"
echo echo
echo "Connected! Interrupt or press Enter to disconnect and stop server." echo "Connected! Interrupt or press Enter to disconnect and stop server."
# clear sensitive variables from memory
PSK=
CLIENT_KEY=
SERVER_KEY=
cleanup() { cleanup() {
set -e set -e
echo echo
echo "Stopping client..." echo "Stopping client..."
sudo wg-quick down /tmp/tun.conf sudo wg-quick down ${FILE}
rm /tmp/tun.conf rm ${FILE}
echo echo
echo "Stopping server..." echo "Stopping server..."
ssh -T ${HOST} <<- END ssh -T ${HOST} /bin/bash <<- END
wg-quick down /tmp/tun.conf ${SERVER_LIB}
rm /tmp/tun.conf
cleanup || echo "Server was already shut down."
END END
echo echo