Added amnezia WG
@@ -0,0 +1,151 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: amneziawg-scripts
|
||||
data:
|
||||
firewall-up.sh: |
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
PORT="${1:-5847}"
|
||||
VPN_CIDR="${2:-10.8.1.0/24}"
|
||||
|
||||
external_interface() {
|
||||
ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
|
||||
}
|
||||
|
||||
ensure_insert_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
table_args=("$1" "$2")
|
||||
shift 2
|
||||
fi
|
||||
|
||||
local chain="$1"
|
||||
shift
|
||||
|
||||
if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
|
||||
iptables "${table_args[@]}" -I "${chain}" 1 "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
ensure_append_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
table_args=("$1" "$2")
|
||||
shift 2
|
||||
fi
|
||||
|
||||
local chain="$1"
|
||||
shift
|
||||
|
||||
if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
|
||||
iptables "${table_args[@]}" -A "${chain}" "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
EXT_IF="$(external_interface || true)"
|
||||
if [ -z "${EXT_IF}" ]; then
|
||||
EXT_IF="$(ip route show default | awk '{print $5; exit}')"
|
||||
fi
|
||||
if [ -z "${EXT_IF}" ]; then
|
||||
echo "Unable to detect external interface"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
|
||||
ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
|
||||
ensure_append_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
|
||||
ensure_append_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
|
||||
ensure_append_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
|
||||
|
||||
firewall-down.sh: |
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
PORT="${1:-5847}"
|
||||
VPN_CIDR="${2:-10.8.1.0/24}"
|
||||
|
||||
external_interface() {
|
||||
ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
|
||||
}
|
||||
|
||||
delete_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
table_args=("$1" "$2")
|
||||
shift 2
|
||||
fi
|
||||
|
||||
local chain="$1"
|
||||
shift
|
||||
|
||||
while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
|
||||
true
|
||||
done
|
||||
}
|
||||
|
||||
EXT_IF="$(external_interface || true)"
|
||||
if [ -z "${EXT_IF}" ]; then
|
||||
EXT_IF="$(ip route show default | awk '{print $5; exit}')"
|
||||
fi
|
||||
|
||||
if [ -n "${EXT_IF}" ]; then
|
||||
delete_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
|
||||
delete_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
|
||||
fi
|
||||
|
||||
delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
|
||||
delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
|
||||
delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
|
||||
|
||||
run.sh: |
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
|
||||
CLIENTS_DIR="/etc/amnezia/clients"
|
||||
RUNTIME_CONFIG="/run/amnezia/awg0.conf"
|
||||
|
||||
cleanup() {
|
||||
if awg show awg0 >/dev/null 2>&1; then
|
||||
awg-quick down "${RUNTIME_CONFIG}" || ip link delete awg0 || true
|
||||
fi
|
||||
}
|
||||
|
||||
render_config() {
|
||||
mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
|
||||
cp "${SERVER_CONFIG}" "${RUNTIME_CONFIG}"
|
||||
chmod 0600 "${RUNTIME_CONFIG}"
|
||||
|
||||
local clients_found=0
|
||||
for client_config in "${CLIENTS_DIR}"/*; do
|
||||
[ -f "${client_config}" ] || continue
|
||||
[ -s "${client_config}" ] || continue
|
||||
printf '\n' >> "${RUNTIME_CONFIG}"
|
||||
cat "${client_config}" >> "${RUNTIME_CONFIG}"
|
||||
clients_found=1
|
||||
done
|
||||
|
||||
if [ "${clients_found}" = "0" ]; then
|
||||
echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers"
|
||||
fi
|
||||
}
|
||||
|
||||
trap cleanup EXIT
|
||||
trap 'exit 0' TERM INT
|
||||
|
||||
render_config
|
||||
cleanup
|
||||
awg-quick up "${RUNTIME_CONFIG}"
|
||||
awg show awg0 || true
|
||||
|
||||
while true; do
|
||||
sleep 3600 &
|
||||
wait "$!"
|
||||
done
|
||||
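Review bot: In run.sh's render_config the server config is copied with `cp` and only afterwards `chmod 0600`, so the private key in `/run/amnezia/awg0.conf` exists briefly with whatever the process umask allows; replace the two lines with `install -m 0600 "${SERVER_CONFIG}" "${RUNTIME_CONFIG}"` (or put `umask 077` at the top of render_config) so the file is never created readable by others. The client fragments are appended verbatim, and awg-quick, like wg-quick, executes `PreUp`/`PostUp`/`PreDown`/`PostDown` directives found in the config, so if `${CLIENTS_DIR}` can be written by anyone other than the operator (not visible here) a fragment could add commands that run as root; if that directory is not fully trusted, the loop should reject any fragment containing a section other than `[Peer]`. Separately, in firewall-up.sh the `FORWARD -i awg0` and `FORWARD -o awg0` rules accept all traffic regardless of the other interface or connection state, so VPN peers can reach tailscale0 and any cluster network, and packets that upstream routing delivers for `${VPN_CIDR}` are forwarded into the tunnel unsolicited; if that is not intended, narrow the outbound rule to `-i awg0 -o "${EXT_IF}"` and qualify the return rule with `-m conntrack --ctstate RELATED,ESTABLISHED`.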