This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrun
141 lines (119 loc) · 4.27 KB
/
run
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
#!/bin/bash
if [ "$FIREWALL" -eq 1 ]; then
# Block everything by default
ip6tables -P OUTPUT DROP &> /dev/null
ip6tables -P INPUT DROP &> /dev/null
ip6tables -P FORWARD DROP &> /dev/null
iptables -P OUTPUT DROP &> /dev/null
iptables -P INPUT DROP &> /dev/null
iptables -P FORWARD DROP &> /dev/null
# Temporarily allow DNS queries
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# We also need to temporarily allow the following
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport "$PEER_PORT" -j ACCEPT
fi
# Bring up Wireguard interfaces
start_interface() {
for interface in $interfaces; do
echo "$(date): Bringing up WireGuard interface $interface"
if [ "$WG_USERSPACE" -eq 1 ]; then
WG_QUICK_USERSPACE_IMPLEMENTATION=wireguard-go wg-quick up "$interface" || fatal_error
else
wg-quick up "$interface" || fatal_error
fi
done
}
# Handle shutdown behavior
finish () {
echo "$(date): Shutting down WireGuard"
for interface in $interfaces; do
if [ "$WG_USERSPACE" -eq 1 ]; then
WG_QUICK_USERSPACE_IMPLEMENTATION=wireguard-go wg-quick down "$interface"
else
wg-quick down "$interface"
fi
done
exit 0
}
# All done. Sleep and wait for termination.
now_sleep () {
sleep infinity &
wait $!
}
# An error with no recovery logic occured. Either go to sleep or exit.
fatal_error () {
echo "$(date): Fatal error"
[ "$EXIT_ON_FATAL" -eq 1 ] && exit 1
sleep infinity &
wait $!
}
# Find a Wireguard interface
interfaces=$(find /etc/wireguard -type f | rev | cut -f 1 -d '/' | cut -f 2 -d '.' | rev)
if [ -z "$interfaces" ]; then
echo "$(date): Interface not found in /etc/wireguard" >&2
fatal_error
fi
# Add PersistentKeepalive if KEEPALIVE is set
#[ $KEEPALIVE -gt 0 ] && echo "PersistentKeepalive = $KEEPALIVE" >> "$wg_conf"
# Wait for termination signal, then finish it!
trap finish SIGTERM SIGINT SIGQUIT
# Get it up!
start_interface
# Print out wg interface info
echo
wg
echo
echo "$(date): WireGuard successfully started"
if [ "$FIREWALL" -eq 1 ]; then
iptables -F OUTPUT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -F INPUT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow docker network input/output
for eth in $(find /sys/class/net -name "eth*" -type l | cut -f 5 -d '/'); do
docker_network="$(ip -o addr show dev "$eth"|
awk '$3 == "inet" {print $4}')"
echo "$(date): Allowing network access to $docker_network on $eth"
iptables -A OUTPUT -o "$eth" --destination "$docker_network" -j ACCEPT
iptables -A INPUT -i "$eth" --source "$docker_network" -j ACCEPT
done
# Allow WG stuff
for interface in $interfaces; do
iptables -A OUTPUT -o "$interface" -j ACCEPT
iptables -I OUTPUT -m mark --mark "$(wg show "$interface" fwmark)" -j ACCEPT
done
echo "$(date): Firewall enabled: Blocking non-WireGuard traffic"
fi
# Set env var LOCAL_NETWORK=192.168.1.0/24 to allow LAN input/output
# Accept comma separated as well as space separated list
if [ -n "$LOCAL_NETWORK" ]; then
for range in ${LOCAL_NETWORK//,/ }; do
if [ "$FIREWALL" -eq 1 ]; then
echo "$(date): Allowing network access to $range"
iptables -A OUTPUT -o eth0 --destination "$range" -j ACCEPT
iptables -A INPUT -i eth0 --source "$range" -j ACCEPT
fi
echo "$(date): Adding route to $range"
ip route add "$range" via "$(ip route show 0.0.0.0/0 dev eth0 | cut -d\ -f3)"
done
fi
# Workaround a NAT bug when using Wireguard behind a particular Asus router by regularly changing the local port
# Set env var CYCLE_PORTS to a space-separated list of ports to cycle through
# Eg: CYCLE_PORTS=50001 50002 50003
# Optionally set CYCLE_INTERVAL to number of seconds to use each port for. Defaults to 180 (3mins)
#if [ -n "$CYCLE_PORTS" ]; then
# echo "$(date): Changing Wireguard's local port every ${CYCLE_INTERVAL:-180}s"
# while true; do
# for port in $CYCLE_PORTS; do
# wg set wg0 listen-port $port
# sleep "${CYCLE_INTERVAL:-180}" & wait $!
# done
# done
#fi
now_sleep