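---
# Helper scripts for an AmneziaWG (awg0) tunnel, mounted from this ConfigMap.
#   firewall-up.sh   [PORT] [VPN_CIDR]  - add host firewall/NAT rules (idempotent)
#   firewall-down.sh [PORT] [VPN_CIDR]  - remove exactly the rules added above
#   run.sh                              - render the runtime config and keep the tunnel up
# Defaults: PORT=5847, VPN_CIDR=10.8.0.0/16. Every rule carries an iptables
# comment (amneziawg-*) so the down script can match and remove it precisely.
apiVersion: v1
kind: ConfigMap
metadata:
  name: amneziawg-scripts
data:
  firewall-up.sh: |
    #!/usr/bin/env bash
    set -euo pipefail

    PORT="${1:-5847}"
    VPN_CIDR="${2:-10.8.0.0/16}"

    # Print the interface that routes to 1.1.1.1 (the "dev" field of
    # `ip route get`); prints nothing when there is no such route.
    external_interface() {
      ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
    }

    # ensure_insert_rule [-t TABLE] CHAIN RULE...
    # Insert RULE at position 1 of CHAIN unless an identical rule is already
    # present (`iptables -C`, which includes the -m comment match). Failures of
    # the -C probe are silenced; a failing -I still aborts via set -e.
    # NOTE: expanding the empty table_args array under `set -u` requires
    # bash >= 4.4.
    ensure_insert_rule() {
      local table_args=()
      if [ "${1:-}" = "-t" ]; then
        table_args=("$1" "$2")
        shift 2
      fi
      local chain="$1"
      shift
      if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
        iptables "${table_args[@]}" -I "${chain}" 1 "$@"
      fi
    }

    # ensure_append_rule [-t TABLE] CHAIN RULE...
    # Same as ensure_insert_rule, but appends to the end of CHAIN.
    ensure_append_rule() {
      local table_args=()
      if [ "${1:-}" = "-t" ]; then
        table_args=("$1" "$2")
        shift 2
      fi
      local chain="$1"
      shift
      if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
        iptables "${table_args[@]}" -A "${chain}" "$@"
      fi
    }

    EXT_IF="$(external_interface || true)"
    if [ -z "${EXT_IF}" ]; then
      # Fallback: the interface of the default route.
      EXT_IF="$(ip route show default | awk '{print $5; exit}')"
    fi
    if [ -z "${EXT_IF}" ]; then
      # Diagnostics belong on stderr so they are not mistaken for output.
      echo "Unable to detect external interface" >&2
      exit 1
    fi

    sysctl -w net.ipv4.ip_forward=1

    # Accept tunnel UDP only on the external interface and explicitly drop it on
    # tailscale0 so the endpoint is not reachable over the tailnet. Both are
    # inserted at position 1 to take precedence over any existing INPUT policy.
    ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
    ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
    # NOTE(review): this accepts all traffic from VPN peers to every service on
    # this host (not only the tunnel port); restrict with -p/--dport if that is
    # not intended.
    ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
    # NOTE(review): both FORWARD rules accept unconditionally. `-i awg0` lets
    # peers reach any network this host forwards to, and `-o awg0` lets any
    # forwarded traffic reach the peers, not only replies to their own flows.
    # If only client-initiated flows are wanted, the `-o awg0` rule could be
    # limited with `-m conntrack --ctstate RELATED,ESTABLISHED` - confirm the
    # intended topology before tightening.
    ensure_append_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
    ensure_append_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
    # Source-NAT VPN traffic leaving through the external interface.
    ensure_append_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE

  firewall-down.sh: |
    #!/usr/bin/env bash
    set -euo pipefail

    PORT="${1:-5847}"
    VPN_CIDR="${2:-10.8.0.0/16}"

    # Print the interface that routes to 1.1.1.1 (the "dev" field of
    # `ip route get`); prints nothing when there is no such route.
    external_interface() {
      ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
    }

    # delete_rule [-t TABLE] CHAIN RULE...
    # Delete every copy of RULE from CHAIN (loops until `iptables -D` fails,
    # i.e. until no matching rule is left). Absence of the rule is not an error.
    # NOTE: expanding the empty table_args array under `set -u` requires
    # bash >= 4.4.
    delete_rule() {
      local table_args=()
      if [ "${1:-}" = "-t" ]; then
        table_args=("$1" "$2")
        shift 2
      fi
      local chain="$1"
      shift
      while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
        true
      done
    }

    EXT_IF="$(external_interface || true)"
    if [ -z "${EXT_IF}" ]; then
      # Fallback: the interface of the default route.
      EXT_IF="$(ip route show default | awk '{print $5; exit}')"
    fi
    # The two interface-bound rules can only be matched when the interface is
    # known. NOTE(review): if it cannot be detected, or the default route moved
    # to a different interface since firewall-up.sh ran, the external ACCEPT
    # and the MASQUERADE rule are left in place.
    if [ -n "${EXT_IF}" ]; then
      delete_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
      delete_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
    fi
    delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
    delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
    delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
    delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT

  run.sh: |
    #!/usr/bin/env bash
    set -euo pipefail

    SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
    CLIENTS_DIR="/etc/amnezia/clients"
    RUNTIME_CONFIG="/run/amnezia/awg0.conf"

    # Tear the tunnel down if awg0 exists. Runs on EXIT and once before start-up
    # to clear an interface left behind by a previous run. Never fails.
    cleanup() {
      if awg show awg0 >/dev/null 2>&1; then
        awg-quick down "${RUNTIME_CONFIG}" || ip link delete awg0 || true
      fi
    }

    # Write RUNTIME_CONFIG = SERVER_CONFIG followed by every non-empty regular
    # file in CLIENTS_DIR, each preceded by a blank line. Missing peers are a
    # warning, not an error.
    render_config() {
      local client_config clients_found=0
      mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
      # Create the copy with a restrictive umask so the server config (which
      # presumably carries the interface PrivateKey) is never briefly readable
      # with the default umask between cp and chmod. The chmod still applies
      # when the runtime file already existed with a wider mode.
      (umask 077 && cp -- "${SERVER_CONFIG}" "${RUNTIME_CONFIG}")
      chmod 0600 "${RUNTIME_CONFIG}"
      for client_config in "${CLIENTS_DIR}"/*; do
        [ -f "${client_config}" ] || continue
        [ -s "${client_config}" ] || continue
        printf '\n' >> "${RUNTIME_CONFIG}"
        cat -- "${client_config}" >> "${RUNTIME_CONFIG}"
        clients_found=1
      done
      if [ "${clients_found}" = "0" ]; then
        echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers" >&2
      fi
    }

    # TERM/INT turn into a clean `exit 0`, which in turn runs cleanup via EXIT.
    trap cleanup EXIT
    trap 'exit 0' TERM INT

    render_config
    cleanup
    awg-quick up "${RUNTIME_CONFIG}"
    awg show awg0 || true

    # Keep the container alive. sleep is backgrounded and waited on so a
    # TERM/INT interrupts the wait immediately; a foreground sleep would defer
    # the trap until the sleep finished.
    while true; do
      sleep 3600 &
      wait "$!"
    done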