From a10bdceedb7392fbf748d80c32f34a85000d5926 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Mon, 20 Jan 2020 15:43:38 +0100
Subject: [PATCH] Add mailer and wireguard helper

---
 mailer | 25 +++++++++++++++++++
 wireguard-fix-endpoint.sh | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100755 mailer
 create mode 100644 wireguard-fix-endpoint.sh

diff --git a/mailer b/mailer
new file mode 100755
index 0000000..8d75ed9
--- /dev/null
+++ b/mailer
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+if [ $# -ne 4 ]; then
+ echo "$0 subject from bcc-addr addressfile"
+ echo "f.i. $0 'How are you?' 'Some Body ' 'another@example.com' ./addresses "
+ echo "Address file format: | Name | Mail |"
+ exit 1
+fi
+
+subject=$1; shift
+from=$1; shift
+bcc=$1; shift
+addresses_file=$1; shift
+
+
+while read line; do
+ name=$(echo $line | awk -F '|' '{ print $2 }' | sed -e 's/^ *//' -e 's/ *$//')
+ email=$(echo $line | awk -F '|' '{ print $3 }' | sed -e 's/^ *//' -e 's/ *$//')
+
+ sed "s/PERSON/$name/" mail | \
+ mail -s "$subject" \
+ -r "$from" \
+ -b "$bcc" \
+ "$name <$email>"
+done < "$addresses_file"
diff --git a/wireguard-fix-endpoint.sh b/wireguard-fix-endpoint.sh
new file mode 100644
index 0000000..1b66c98
--- /dev/null
+++ b/wireguard-fix-endpoint.sh
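Review bot: `$name` taken from the address file is spliced unescaped into the sed expression `s/PERSON/$name/`, so any entry containing `/`, `&` or a backslash breaks or alters the substitution instead of being inserted literally; escape it first, e.g. `safe_name=$(printf '%s' "$name" | sed 's/[\/&\\]/\\&/g')` and then use `"s/PERSON/$safe_name/"`. The loop also reads with `read line` (no `-r`, so backslashes in a row are interpreted) and re-splits the row through an unquoted `echo $line`, which globs and collapses whitespace; `while IFS='|' read -r _ name email _; do` yields the two columns directly and the existing `sed -e 's/^ *//' -e 's/ *$//'` trim can stay. The template path `mail` is relative to the caller's working directory and shares its name with the `mail` command on the same pipeline, which is worth stating in the usage text or making absolute. Since rows are only trimmed, a header row like the one the usage message shows (`| Name | Mail |`) would itself be mailed; a comment saying the file must not contain a header, or a check that `$email` contains `@` before the `mail` call, would prevent that.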
@@ -0,0 +1,51 @@
+#!/bin/sh
+# 2020-01-19
+# Nico Schottelius
+# Periodically fix the wireguard endpoint
+
+endpoint=vpn-2a0ae5c1.ungleich.ch
+tunnel=wgungleich
+config=/etc/wireguard/${tunnel}.conf
+
+endpoint=$(grep -i ^endpoint ${config} | cut -d= -f2)
+host=$(echo $endpoint| cut -d: -f1)
+port=$(echo $endpoint| cut -d: -f2)
+publickey=$(grep -i ^publickey ${config} | cut -d= -f2)
+
+# If wireguard is up, but with the wrong endpoint
+# (v4 address in an v6 only network or
+# v6 address in an v4 only network) the routing of
+# wireguard can break connectivity (i.e. AllowedIPs = ::/0
+# breaks IPv6 connectivity)
+
+# Thus we first need to shutdown the wireguard VPN to confirm
+# it's not wireguard preventing us to access the endpoint itself.
+# It would certainly be better to not needing to shut it down,
+# however I don't see a reliable way without skipping the wireguard
+# set `ip rule`
+
+wg-quick down ${tunnel}
+
+# Now do the DNS lookups, which should work without a tunnel up
+# (they also might have been prevented by wireguard up in the incorrect
+# address family)
+v6_addr=$(dig +short $endpoint aaaa)
+v4_addr=$(dig +short $endpoint a)
+
+v6_ok=""
+v4_ok=""
+
+ping -c3 $v6_addr >/dev/null && v6_ok=yes
+ping -c3 $v4_addr >/dev/null && v4_ok=yes
+
+# Now verify/check what is reachable
+if [ $v6_ok ]; then
+ wg-quick up ${tunnel}
+ wg set wgungleich peer ${publickey} endpoint ${v6_addr}:${port}
+elif [ $v4_ok ]; then
+ wg-quick up ${tunnel}
+ wg set wgungleich peer ${publickey} endpoint ${v4!_addr}:${port}
+else
+ echo "The endpoint ${endpoint} is unreachable, try again later" >&2
+ exit 1
+fi
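Review bot: `${v4!_addr}` in the `elif` branch is not a valid parameter expansion, so under `/bin/sh` the v4 fallback aborts with a bad-substitution error right after its `wg-quick up` and the tunnel is left on the stale endpoint; the line should read `wg set ${tunnel} peer ${publickey} endpoint ${v4_addr}:${port}`, and the v6 branch should likewise use `${tunnel}` rather than the hard-coded `wgungleich`. The DNS lookups pass `$endpoint`, which after the `cut -d= -f2` line still holds `host:port` (the following `cut -d: -f1`/`-f2` lines split on exactly that), so `dig` is asked to resolve a name with the port appended; `$host` is computed but never used and is what `dig +short "$host" aaaa` and `dig +short "$host" a` should take (the first `endpoint=vpn-...` assignment is dead and can go). `dig +short` can also return several lines for a CNAME chain, which the unquoted `$v6_addr`/`$v4_addr` then word-split into extra `ping` arguments; keeping only the last line, and skipping the ping when the result is empty, would make the checks reliable. In the `else` branch the script exits after `wg-quick down` without bringing the tunnel back, so a transient outage of the endpoint leaves the host outside the VPN until the next run; if that fail-open state is not intended, a `wg-quick up ${tunnel}` before `exit 1` (or a reachability check before tearing down) should be added and the intent documented in the header comment.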