ungleich-tools/openwrt/openwrt-add-ipv4-vpn.sh
2022-05-02 10:30:03 +02:00

88 lines
2.5 KiB
Bash
Executable file

#!/bin/sh
# 2021-04-27
echo BUG: cannot use more than one due to port assignment
echo All WG IPv4 have same source port
if [ $# -lt 2 ]; then
echo "$0 host ipv4-address interface [private-key]"
echo " host: where to find the OpenWRT device"
echo " ipv4-address: which ipv4 address to use"
echo " private-key: Use this wireguard key instead of generating one"
exit 1
fi
my_ip=$1; shift
my_wireguard_ip=$1; shift
if [ $# -eq 1 ]; then
private_key=$1; shift
else
private_key=$(wg genkey)
fi
public_key=$(echo $private_key | wg pubkey)
case $my_wireguard_ip in
185.155.29.*)
vpn_endpoint_pubkey="6BRnQ+dmeFzVCH9RbM1pbJ7u3y3qrl+zUzzYCmC88kE="
;;
185.155.30.*)
vpn_endpoint_pubkey="5ach7pUQ57aa402LHz1MYh7lyBZS0GvBEw2PC6dMHW4="
;;
*)
echo "Unknown VPN host for IP $my_wireguard_ip" >&2
exit 1
;;
esac
interface="ip$(echo $my_wireguard_ip | awk -F. '{ print $1 $2 $3 $4 }')"
vpn_endpoint_host=vpn-$(echo $my_wireguard_ip | awk -F. '{ print $1 $2 $3 }').ungleich.ch
cat <<EOF | ssh -t "root@${my_ip}"
set -x
opkg update
opkg install libustream-openssl ca-bundle ca-certificates
opkg install wireguard
opkg install luci-app-wireguard
uci set network.${interface}=interface
uci set network.${interface}.proto='wireguard'
uci set network.${interface}.private_key='${private_key}'
uci set network.${interface}.listen_port='51828'
uci set network.${interface}.addresses='${my_wireguard_ip}/32'
if ! uci get network.@wireguard_${interface}[0]; then
uci add network wireguard_${interface}
fi
uci set network.@wireguard_${interface}[0]=wireguard_${interface}
uci set network.@wireguard_${interface}[0].persistent_keepalive='25'
uci set network.@wireguard_${interface}[0].public_key="${vpn_endpoint_pubkey}"
uci set network.@wireguard_${interface}[0].description="IPv4 as a service by ungleich"
uci set network.@wireguard_${interface}[0].allowed_ips='0.0.0.0/0'
uci set network.@wireguard_${interface}[0].endpoint_host="${vpn_endpoint_host}"
uci set network.@wireguard_${interface}[0].endpoint_port='51820'
uci set network.@wireguard_${interface}[0].route_allowed_ips='1'
# add to correct firewall zone
current_networks=\$(uci get firewall.@zone[1].network)
if ! echo \$current_networks | grep -q ${interface}; then
uci set firewall.@zone[1].network="\${current_networks} ${interface}"
fi
# commit
uci commit
EOF
echo "Host ${my_ip} uses ip ${my_wireguard_ip} with public key ${public_key}:"
cat <<EOF
#
[Peer]
PublicKey = ${public_key}
AllowedIPs = ${my_wireguard_ip}/32
EOF