Skip to content

Commit

Permalink
dynamic wireguard private network
Browse files Browse the repository at this point in the history
  • Loading branch information
Tobias Lindenberg committed Sep 26, 2020
1 parent 8a55761 commit 4b5e629
Showing 1 changed file with 30 additions and 16 deletions.
46 changes: 30 additions & 16 deletions wireguard-install.sh
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,8 @@ new_client_dns () {
}

new_client_setup () {
# Get the first 3 octets of wireguard's `Address`
first3octets=$(grep Address /etc/wireguard/wg0.conf | grep -Pom 1 '[0-9.]{7,15}' | rev | cut -d "." -f2- | rev) && echo $first3octets
# Given a list of the assigned internal IPv4 addresses, obtain the lowest still
# available octet. Important to start looking at 2, because 1 is our gateway.
octet=2
Expand All @@ -156,13 +158,13 @@ new_client_setup () {
[Peer]
PublicKey = $(wg pubkey <<< $key)
PresharedKey = $psk
AllowedIPs = 10.7.0.$octet/32$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/128")
AllowedIPs = $first3octets.$octet/32$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/128")
# END_PEER $client
EOF
# Create client configuration
cat << EOF > ~/"$client".conf
[Interface]
Address = 10.7.0.$octet/24$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/64")
Address = $first3octets.$octet/24$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/64")
DNS = $dns
PrivateKey = $key
Expand Down Expand Up @@ -226,6 +228,18 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then
[[ -z "$ip6_number" ]] && ip6_number="1"
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
fi

echo
echo "Which private network should WireGuard use?"
read -p "WG Network [10.7.0.0/24]: " wg_private_net
# Check for valid IPv4 address and private address
until [[ -z "$wg_private_net" || "$wg_private_net" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ && "$wg_private_net" =~ ^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168) ]]; do
echo "$wg_private_net: invalid private network."
read -p "WG Network [10.7.0.0/24]: " wg_private_net
done
[[ -z "$wg_private_net" ]] && wg_private_net="10.7.0.0/24"
echo $wg_private_net

echo
echo "What port should WireGuard listen to?"
read -p "Port [51820]: " port
Expand Down Expand Up @@ -369,7 +383,7 @@ Environment=WG_SUDO=1" > /etc/systemd/system/[email protected]/boringtun.co
# ENDPOINT $([[ -n "$public_ip" ]] && echo "$public_ip" || echo "$ip")
[Interface]
Address = 10.7.0.1/24$([[ -n "$ip6" ]] && echo ", fddd:2c4:2c4:2c4::1/64")
Address = $wg_private_net$([[ -n "$ip6" ]] && echo ", fddd:2c4:2c4:2c4::1/64")
PrivateKey = $(wg genkey)
ListenPort = $port
Expand All @@ -389,12 +403,12 @@ EOF
# Using both permanent and not permanent rules to avoid a firewalld
# reload.
firewall-cmd --add-port="$port"/udp
firewall-cmd --zone=trusted --add-source=10.7.0.0/24
firewall-cmd --zone=trusted --add-source="$wg_private_net"
firewall-cmd --permanent --add-port="$port"/udp
firewall-cmd --permanent --zone=trusted --add-source=10.7.0.0/24
firewall-cmd --permanent --zone=trusted --add-source="$wg_private_net"
# Set NAT for the VPN subnet
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s "$wg_private_net" ! -d "$wg_private_net" -j SNAT --to "$ip"
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s "$wg_private_net" ! -d "$wg_private_net" -j SNAT --to "$ip"
if [[ -n "$ip6" ]]; then
firewall-cmd --zone=trusted --add-source=fddd:2c4:2c4:2c4::/64
firewall-cmd --permanent --zone=trusted --add-source=fddd:2c4:2c4:2c4::/64
Expand All @@ -415,13 +429,13 @@ EOF
Before=network.target
[Service]
Type=oneshot
ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
ExecStart=$iptables_path -t nat -A POSTROUTING -s $wg_private_net ! -d $wg_private_net -j SNAT --to $ip
ExecStart=$iptables_path -I INPUT -p udp --dport $port -j ACCEPT
ExecStart=$iptables_path -I FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStart=$iptables_path -I FORWARD -s $wg_private_net -j ACCEPT
ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
ExecStop=$iptables_path -t nat -D POSTROUTING -s $wg_private_net ! -d $wg_private_net -j SNAT --to $ip
ExecStop=$iptables_path -D INPUT -p udp --dport $port -j ACCEPT
ExecStop=$iptables_path -D FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStop=$iptables_path -D FORWARD -s $wg_private_net -j ACCEPT
ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service
if [[ -n "$ip6" ]]; then
echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
Expand Down Expand Up @@ -582,14 +596,14 @@ else
if [[ "$remove" =~ ^[yY]$ ]]; then
port=$(grep '^ListenPort' /etc/wireguard/wg0.conf | cut -d " " -f 3)
if systemctl is-active --quiet firewalld.service; then
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.7.0.0/24 '"'"'!'"'"' -d 10.7.0.0/24' | grep -oE '[^ ]+$')
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s $wg_private_net '"'"'!'"'"' -d $wg_private_net' | grep -oE '[^ ]+$')
# Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --remove-port="$port"/udp
firewall-cmd --zone=trusted --remove-source=10.7.0.0/24
firewall-cmd --zone=trusted --remove-source="$wg_private_net"
firewall-cmd --permanent --remove-port="$port"/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.7.0.0/24
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
firewall-cmd --permanent --zone=trusted --remove-source="$wg_private_net"
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s "$wg_private_net" ! -d "$wg_private_net" -j SNAT --to "$ip"
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s "$wg_private_net" ! -d "$wg_private_net" -j SNAT --to "$ip"
if grep -qs 'fddd:2c4:2c4:2c4::1/64' /etc/wireguard/wg0.conf; then
ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:2c4:2c4:2c4::/64 '"'"'!'"'"' -d fddd:2c4:2c4:2c4::/64' | grep -oE '[^ ]+$')
firewall-cmd --zone=trusted --remove-source=fddd:2c4:2c4:2c4::/64
Expand Down

0 comments on commit 4b5e629

Please sign in to comment.