#!/bin/sh
# 2020-01-19
# Nico Schottelius
# Periodically fix the wireguard endpoint

endpoint=vpn-2a0ae5c1.ungleich.ch
tunnel=wgungleich
config=/etc/wireguard/${tunnel}.conf

endpoint=$(grep -i ^endpoint ${config}  | cut -d= -f2)
host=$(echo $endpoint| cut -d: -f1)
port=$(echo $endpoint| cut -d: -f2)
publickey=$(grep -i ^publickey ${config}  | cut -d= -f2)

# If wireguard is up, but with the wrong endpoint
# (v4 address in an v6 only network or
# v6 address in an v4 only network) the routing of
# wireguard can break connectivity (i.e. AllowedIPs = ::/0
# breaks IPv6 connectivity)

# Thus we first need to shutdown the wireguard VPN to confirm
# it's not wireguard preventing us to access the endpoint itself.
# It would certainly be better to not needing to shut it down,
# however I don't see a reliable way without skipping the wireguard
# set `ip rule`

wg-quick down ${tunnel}

# Now do the DNS lookups, which should work without a tunnel up
# (they also might have been prevented by wireguard up in the incorrect
# address family)
v6_addr=$(dig +short $endpoint aaaa)
v4_addr=$(dig +short $endpoint a)

v6_ok=""
v4_ok=""

ping -c3 $v6_addr >/dev/null && v6_ok=yes
ping -c3 $v4_addr >/dev/null && v4_ok=yes

# Now verify/check what is reachable
if [ $v6_ok ]; then
    wg-quick up ${tunnel}
    wg set wgungleich peer ${publickey} endpoint ${v6_addr}:${port}
elif [ $v4_ok ]; then
    wg-quick up ${tunnel}
    wg set wgungleich peer ${publickey} endpoint ${v4!_addr}:${port}
else
    echo "The endpoint ${endpoint} is unreachable, try again later" >&2
    exit 1
fi