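#!/bin/sh
# 2021-04-27
#
# Set up an OpenWRT device as a WireGuard peer for ungleich's "IPv4 as a
# service": install the packages over ssh, create a wireguard interface
# carrying the given IPv4 address, attach it to the firewall zone, and
# print the [Peer] stanza the VPN server side needs.
#
# Usage: host ipv4-address [private-key]
# Requires `wg` locally (key generation / derivation) and root ssh access
# to the device. Written for POSIX sh; no bash-only constructs.

echo BUG: cannot use more than one due to port assignment
echo All WG IPv4 have same source port

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit 1. A private key passed on the command
# line is visible to other local users in the process list; letting the
# script generate one avoids that.
#######################################
usage() {
  cat >&2 <<EOF
$0 host ipv4-address [private-key]
 host: where to find the OpenWRT device
 ipv4-address: which ipv4 address to use
 private-key: Use this wireguard key instead of generating one
EOF
  exit 1
}

#######################################
# Succeed only when $1 is a dotted quad of numeric octets. The address is
# spliced into interface names and into the script sent to the device, so
# anything else is rejected before it gets that far.
# Arguments: $1 - candidate address
# Returns:   0 when well-formed, 1 otherwise
#######################################
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # intentional word-splitting: one positional parameter per octet
  # shellcheck disable=SC2046
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ]
}

if [ $# -lt 2 ] || [ $# -gt 3 ]; then
  usage
fi

my_ip=$1
my_wireguard_ip=$2

if [ $# -eq 3 ]; then
  private_key=$3
else
  private_key=$(wg genkey) || die "wg genkey failed; is wireguard-tools installed locally?"
fi

is_ipv4 "$my_wireguard_ip" || die "Not an IPv4 address: $my_wireguard_ip"

# Derive the public key; wg pubkey rejects malformed input, which also
# validates a key that was passed on the command line.
public_key=$(printf '%s\n' "$private_key" | wg pubkey) || die "Invalid WireGuard private key"

# The VPN endpoint's public key is pinned per /24, so the device only ever
# peers with the known server for its address range.
case $my_wireguard_ip in
  185.155.29.*)
    vpn_endpoint_pubkey="6BRnQ+dmeFzVCH9RbM1pbJ7u3y3qrl+zUzzYCmC88kE="
    ;;
  185.155.30.*)
    vpn_endpoint_pubkey="5ach7pUQ57aa402LHz1MYh7lyBZS0GvBEw2PC6dMHW4="
    ;;
  *)
    die "Unknown VPN host for IP $my_wireguard_ip"
    ;;
esac

# Interface name and endpoint host are the address with the dots removed,
# e.g. 185.155.29.5 -> ip185155295 and vpn-18515529.ungleich.ch
interface="ip$(printf '%s' "$my_wireguard_ip" | tr -d .)"
vpn_endpoint_host="vpn-$(printf '%s' "${my_wireguard_ip%.*}" | tr -d .).ungleich.ch"

# The script below is expanded locally (${...}) and run by the device's
# shell; \$... is left for the remote side. The private key travels only
# inside the ssh session on stdin. No -t: stdin is the script, not a tty,
# so ssh would refuse the pty anyway. The remote set -e stops before
# `uci commit` if package installation or any uci step fails.
ssh "root@${my_ip}" <<EOF || die "Remote configuration of ${my_ip} failed"
set -e
set -x

opkg update
opkg install libustream-openssl ca-bundle ca-certificates
opkg install wireguard
opkg install luci-app-wireguard

uci set network.${interface}=interface
uci set network.${interface}.proto='wireguard'
# xtrace would echo the private key to the terminal / session log
set +x
uci set network.${interface}.private_key='${private_key}'
set -x
uci set network.${interface}.listen_port='51828'
uci set network.${interface}.addresses='${my_wireguard_ip}/32'

if ! uci get network.@wireguard_${interface}[0] >/dev/null 2>&1; then
  uci add network wireguard_${interface}
fi

uci set network.@wireguard_${interface}[0]=wireguard_${interface}
uci set network.@wireguard_${interface}[0].persistent_keepalive='25'
uci set network.@wireguard_${interface}[0].public_key="${vpn_endpoint_pubkey}"
uci set network.@wireguard_${interface}[0].description="IPv4 as a service by ungleich"
uci set network.@wireguard_${interface}[0].allowed_ips='0.0.0.0/0'
uci set network.@wireguard_${interface}[0].endpoint_host="${vpn_endpoint_host}"
uci set network.@wireguard_${interface}[0].endpoint_port='51820'
uci set network.@wireguard_${interface}[0].route_allowed_ips='1'

# add to correct firewall zone
# NOTE(review): assumes firewall.@zone[1] is the zone the tunnel belongs to
# (the second zone of a default config) -- verify on customised firewalls.
# A missing network option is not an error here, hence the || true.
current_networks=\$(uci get firewall.@zone[1].network 2>/dev/null || true)
# whole-word match: a substring test would treat ip1851552910 as already
# containing ip185155291
case " \$current_networks " in
  *" ${interface} "*) ;;
  *) uci set firewall.@zone[1].network="\${current_networks:+\$current_networks }${interface}" ;;
esac

# commit
uci commit
EOF

echo "Host ${my_ip} uses ip ${my_wireguard_ip} with public key ${public_key}:"

cat <<EOF

#
[Peer]
PublicKey = ${public_key}
AllowedIPs = ${my_wireguard_ip}/32
EOF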