add a choice to select network base
This commit is contained in:
parent
98f45f883c
commit
5b59b4ac88
1 changed files with 51 additions and 16 deletions
|
@ -136,6 +136,39 @@ new_client_dns () {
|
|||
esac
|
||||
}
|
||||
|
||||
new_network () {
|
||||
if [[ -f "/etc/wireguard/wg0.conf" ]]; then
|
||||
network=$(grep Address /etc/wireguard/wg0.conf | cut -d',' -f 1 | grep -E -o "([0-9]{1,3}[\.]){2}[0-9]{1,3}")
|
||||
echo "Using existing $network network."
|
||||
else
|
||||
echo "Select a network base:"
|
||||
echo " 1) 10.7.0"
|
||||
echo " 2) 10.0.7"
|
||||
echo " 3) 172.16.7"
|
||||
echo " 4) 192.168.7"
|
||||
read -p "Network [1]: " network
|
||||
until [[ -z "$network" || "$network" =~ ^[1-6]$ ]]; do
|
||||
echo "$network: invalid selection."
|
||||
read -p "network server [1]: " network
|
||||
done
|
||||
# network
|
||||
case "$network" in
|
||||
1|"")
|
||||
network="10.7.0"
|
||||
;;
|
||||
2)
|
||||
network="10.0.7"
|
||||
;;
|
||||
3)
|
||||
network="172.16.7"
|
||||
;;
|
||||
4)
|
||||
network="192.168.7"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
new_client_setup () {
|
||||
# Given a list of the assigned internal IPv4 addresses, obtain the lowest still
|
||||
# available octet. Important to start looking at 2, because 1 is our gateway.
|
||||
|
@ -156,13 +189,13 @@ new_client_setup () {
|
|||
[Peer]
|
||||
PublicKey = $(wg pubkey <<< $key)
|
||||
PresharedKey = $psk
|
||||
AllowedIPs = 10.7.0.$octet/32$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/128")
|
||||
AllowedIPs = $network.$octet/32$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/128")
|
||||
# END_PEER $client
|
||||
EOF
|
||||
# Create client configuration
|
||||
cat << EOF > ~/"$client".conf
|
||||
[Interface]
|
||||
Address = 10.7.0.$octet/24$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/64")
|
||||
Address = $network.$octet/24$(grep -q 'fddd:2c4:2c4:2c4::1' /etc/wireguard/wg0.conf && echo ", fddd:2c4:2c4:2c4::$octet/64")
|
||||
DNS = $dns
|
||||
PrivateKey = $key
|
||||
|
||||
|
@ -249,6 +282,7 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then
|
|||
[[ -z "$client" ]] && client="client"
|
||||
echo
|
||||
new_client_dns
|
||||
new_network
|
||||
# Set up automatic updates for BoringTun if the user is fine with that
|
||||
if [[ "$is_container" -eq 0 ]]; then
|
||||
echo
|
||||
|
@ -394,7 +428,7 @@ Environment=WG_SUDO=1" > /etc/systemd/system/wg-quick@wg0.service.d/boringtun.co
|
|||
# ENDPOINT $([[ -n "$public_ip" ]] && echo "$public_ip" || echo "$ip")
|
||||
|
||||
[Interface]
|
||||
Address = 10.7.0.1/24$([[ -n "$ip6" ]] && echo ", fddd:2c4:2c4:2c4::1/64")
|
||||
Address = $network.1/24$([[ -n "$ip6" ]] && echo ", fddd:2c4:2c4:2c4::1/64")
|
||||
PrivateKey = $(wg genkey)
|
||||
ListenPort = $port
|
||||
|
||||
|
@ -414,12 +448,12 @@ EOF
|
|||
# Using both permanent and not permanent rules to avoid a firewalld
|
||||
# reload.
|
||||
firewall-cmd --add-port="$port"/udp
|
||||
firewall-cmd --zone=trusted --add-source=10.7.0.0/24
|
||||
firewall-cmd --zone=trusted --add-source=$network.0/24
|
||||
firewall-cmd --permanent --add-port="$port"/udp
|
||||
firewall-cmd --permanent --zone=trusted --add-source=10.7.0.0/24
|
||||
firewall-cmd --permanent --zone=trusted --add-source=$network.0/24
|
||||
# Set NAT for the VPN subnet
|
||||
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
|
||||
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
|
||||
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s $network.0/24 ! -d $network.0/24 -j SNAT --to "$ip"
|
||||
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $network.0/24 ! -d $network.0/24 -j SNAT --to "$ip"
|
||||
if [[ -n "$ip6" ]]; then
|
||||
firewall-cmd --zone=trusted --add-source=fddd:2c4:2c4:2c4::/64
|
||||
firewall-cmd --permanent --zone=trusted --add-source=fddd:2c4:2c4:2c4::/64
|
||||
|
@ -440,13 +474,13 @@ EOF
|
|||
Before=network.target
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
|
||||
ExecStart=$iptables_path -t nat -A POSTROUTING -s $network.0/24 ! -d $network.0/24 -j SNAT --to $ip
|
||||
ExecStart=$iptables_path -I INPUT -p udp --dport $port -j ACCEPT
|
||||
ExecStart=$iptables_path -I FORWARD -s 10.7.0.0/24 -j ACCEPT
|
||||
ExecStart=$iptables_path -I FORWARD -s $network.0/24 -j ACCEPT
|
||||
ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
|
||||
ExecStop=$iptables_path -t nat -D POSTROUTING -s $network.0/24 ! -d $network.0/24 -j SNAT --to $ip
|
||||
ExecStop=$iptables_path -D INPUT -p udp --dport $port -j ACCEPT
|
||||
ExecStop=$iptables_path -D FORWARD -s 10.7.0.0/24 -j ACCEPT
|
||||
ExecStop=$iptables_path -D FORWARD -s $network.0/24 -j ACCEPT
|
||||
ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service
|
||||
if [[ -n "$ip6" ]]; then
|
||||
echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
|
||||
|
@ -549,6 +583,7 @@ else
|
|||
done
|
||||
echo
|
||||
new_client_dns
|
||||
new_network
|
||||
new_client_setup
|
||||
# Append new client configuration to the WireGuard interface
|
||||
wg addconf wg0 <(sed -n "/^# BEGIN_PEER $client/,/^# END_PEER $client/p" /etc/wireguard/wg0.conf)
|
||||
|
@ -607,14 +642,14 @@ else
|
|||
if [[ "$remove" =~ ^[yY]$ ]]; then
|
||||
port=$(grep '^ListenPort' /etc/wireguard/wg0.conf | cut -d " " -f 3)
|
||||
if systemctl is-active --quiet firewalld.service; then
|
||||
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.7.0.0/24 '"'"'!'"'"' -d 10.7.0.0/24' | grep -oE '[^ ]+$')
|
||||
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s $network.0/24 '"'"'!'"'"' -d $network.0/24' | grep -oE '[^ ]+$')
|
||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||
firewall-cmd --remove-port="$port"/udp
|
||||
firewall-cmd --zone=trusted --remove-source=10.7.0.0/24
|
||||
firewall-cmd --zone=trusted --remove-source=$network.0/24
|
||||
firewall-cmd --permanent --remove-port="$port"/udp
|
||||
firewall-cmd --permanent --zone=trusted --remove-source=10.7.0.0/24
|
||||
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
|
||||
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to "$ip"
|
||||
firewall-cmd --permanent --zone=trusted --remove-source=$network.0/24
|
||||
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s $network.0/24 ! -d $network.0/24 -j SNAT --to "$ip"
|
||||
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s $network.0/24 ! -d $network.0/24 -j SNAT --to "$ip"
|
||||
if grep -qs 'fddd:2c4:2c4:2c4::1/64' /etc/wireguard/wg0.conf; then
|
||||
ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:2c4:2c4:2c4::/64 '"'"'!'"'"' -d fddd:2c4:2c4:2c4::/64' | grep -oE '[^ ]+$')
|
||||
firewall-cmd --zone=trusted --remove-source=fddd:2c4:2c4:2c4::/64
|
||||
|
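Review bot: In new_network the retry guard `until [[ -z "$network" || "$network" =~ ^[1-6]$ ]]` accepts 5 and 6, but the case statement only maps 1–4, so those inputs leave `network` set to the literal "5" or "6" and every later `Address = $network.1/24` line and `$network.0/24` firewall rule is built from that value; change it to `"$network" =~ ^[1-4]$` and make the retry prompt match the first one, `read -p "Network [1]: " network`. In the last hunk the new `grep '\-s $network.0/24 '"'"'!'"'"' -d $network.0/24'` keeps `$network` inside single quotes, so grep looks for the literal text, `ip` comes back empty and the `--remove-rule ... --to "$ip"` calls that follow no longer match the installed SNAT rule, leaving it behind after uninstall; the pattern needs double quotes, e.g. `grep -- "\-s $network.0/24 '!' -d $network.0/24"`. That `if [[ "$remove" =~ ^[yY]$ ]]` block starts outside the hunk, and the visible hunks only call new_network before new_client_setup, so it is worth confirming that `network` is populated on the removal path at all — otherwise `--remove-source=$network.0/24` expands to `.0/24` there.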