MySpace/Docs
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update Wireguard with allowed destination IPs

Browse Source
This commit is contained in:
Johan 2024-03-23 13:52:34 +01:00
parent 8745dba834
commit b0e45fe0f7
1 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
BashScripts/install-wireguard-server.sh
View File

@ -8,11 +8,12 @@ read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//'
read -e -p "Enter VPN subnet: " -i "192.168.200" VPN_SUBNET read -e -p "Enter VPN subnet: " -i "192.168.200" VPN_SUBNET
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
read -e -p "Allowed destination LAN IPs (empty for all): " -i "${LAN_SUBNET}.1,${LAN_SUBNET}.2" ALLOWED_HOST_IPs
if [ $(dpkg-query -W -f='${Status}' wireguard 2>/dev/null | grep -c "ok installed") -eq 0 ]; if [ $(dpkg-query -W -f='${Status}' wireguard 2>/dev/null | grep -c "ok installed") -eq 0 ];
then then
echo "Installing Wireguard" echo "Installing Wireguard..."
apt install wireguard apt install wireguard -y
fi fi
mkdir -m 0700 /etc/wireguard/ > /dev/null 2>&1 mkdir -m 0700 /etc/wireguard/ > /dev/null 2>&1
@ -33,22 +34,36 @@ if ! grep -q "net.ipv4.ip_forward" "/etc/sysctl.d/10-wireguard.conf"; then
sysctl -p /etc/sysctl.d/10-wireguard.conf sysctl -p /etc/sysctl.d/10-wireguard.conf
fi fi
if [ -z "$ALLOWED_HOST_IPs" ]
then
POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT
"
POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT
"
else
for i in ${ALLOWED_HOST_IPs//,/ }
do
POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $i/32 -j ACCEPT
"
POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $i/32 -j ACCEPT
"
done
fi
sudo tee /etc/wireguard/wg0.conf.base > /dev/null <<EOL sudo tee /etc/wireguard/wg0.conf.base > /dev/null <<EOL
[Interface] [Interface]
Address = $VPN_SUBNET.1/24 Address = $VPN_SUBNET.1/24
ListenPort = 51820 ListenPort = 51820
PrivateKey = ${SERVER_PRIVATEKEY} PrivateKey = ${SERVER_PRIVATEKEY}
PostUp = iptables -A FORWARD -i %i -d 192.168.0.1/32 -j ACCEPT ${POSTUP}
PostUp = iptables -A FORWARD -i %i -d 192.168.0.3/32 -j ACCEPT PostUp = iptables -A FORWARD -i %i -d $VPN_SUBNET.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -d 192.168.200.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -d 0.0.0.0/0 -j DROP PostUp = iptables -A FORWARD -i %i -d 0.0.0.0/0 -j DROP
PostUp = iptables -A FORWARD -o %i -j ACCEPT PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE PostUp = iptables -t nat -A POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.0.1/32 -j ACCEPT ${POSTDOWN}
PostDown = iptables -D FORWARD -i %i -d 192.168.0.3/32 -j ACCEPT PostDown = iptables -D FORWARD -i %i -d $VPN_SUBNET.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 192.168.200.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 0.0.0.0/0 -j DROP PostDown = iptables -D FORWARD -i %i -d 0.0.0.0/0 -j DROP
PostDown = iptables -D FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE
@ -56,7 +71,7 @@ PostDown = iptables -t nat -D POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE
# [Peer] # [Peer]
# Client 1 # Client 1
# PublicKey = ... # PublicKey = ...
# AllowedIPs = 192.168.200.2/32 # AllowedIPs = $VPN_SUBNET.2/32
EOL EOL
cat /etc/wireguard/wg0.conf.base /etc/wireguard/wg0.conf.clients > /etc/wireguard/wg0.conf cat /etc/wireguard/wg0.conf.base /etc/wireguard/wg0.conf.clients > /etc/wireguard/wg0.conf