qusal/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var

#!/bin/sh

# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

set -eu

wg_conf="/etc/wireguard/wireguard.conf"
nft_conf="/var/run/wireguard/dnat.nft"

mkdir -p "${nft_conf%/*}"
rm -f "${nft_conf}"
touch "${nft_conf}"

set_nft(){
  echo "${*}" | tee -a "${nft_conf}" >/dev/null
}

set_nft_dnat(){
  ipv="${1}" # empty(4), 6
  proto="${2}" # tcp, udp
  dns_host="${3}"
  set_nft "insert rule ip${ipv} qubes custom-dnat iifgroup 2 ${proto} dport 53 dnat to ${dns_host}"
}

dns="$(grep -s "^\s*DNS\s*=\s*\S\+" "${wg_conf}" | sed "s/.*=//;s/ //g")"

if test -z "${dns}"; then
  set_nft "insert rule ip  qubes custom-dnat drop"
  set_nft "insert rule ip6 qubes custom-dnat drop"
  exit
fi

dns_primary="$(echo "${dns}" | cut -d "," -f 1)"
dns_secondary="$(echo "${dns}" | cut -d "," -f 2)"

dns_primary_ipv=""
if echo "${dns_primary}" | grep -qF ":"; then
  dns_primary_ipv=6
fi

dns_secondary_ipv=""
if echo "${dns_secondary}" | grep -qF ":"; then
  dns_secondary_ipv=6
fi

if test -n "${dns}"; then
  set_nft_dnat "${dns_primary_ipv}" udp "${dns_primary}"
  set_nft_dnat "${dns_primary_ipv}" tcp "${dns_primary}"
  if echo "${dns}" | grep -qF ","; then
    set_nft_dnat "${dns_secondary_ipv}" udp "${dns_secondary}"
    set_nft_dnat "${dns_secondary_ipv}" tcp "${dns_secondary}"
  fi
fi
fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 14:07:20 -05:00			`#!/bin/sh`

chore: copyright update 2024-01-29 10:49:54 -05:00			`# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>`
fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 14:07:20 -05:00			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`

			`set -eu`

fix: clean Wireguard rules - Remove OpenVPN code comments; - Reorganize rules for easier reading; - Server can connect without having client attached; - Systemd service for easier monitoring of wg-quick; and - Firewall also restarts wg-quick and apply new endpoint rules. 2024-06-19 09:08:03 -04:00			`wg_conf="/etc/wireguard/wireguard.conf"`
fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 14:07:20 -05:00			`nft_conf="/var/run/wireguard/dnat.nft"`

fix: clean Wireguard rules - Remove OpenVPN code comments; - Reorganize rules for easier reading; - Server can connect without having client attached; - Systemd service for easier monitoring of wg-quick; and - Firewall also restarts wg-quick and apply new endpoint rules. 2024-06-19 09:08:03 -04:00			`mkdir -p "${nft_conf%/*}"`
fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 14:07:20 -05:00			`rm -f "${nft_conf}"`
			`touch "${nft_conf}"`

			`set_nft(){`
			`echo "${*}" \| tee -a "${nft_conf}" >/dev/null`
			`}`

			`set_nft_dnat(){`
			`ipv="${1}" # empty(4), 6`
			`proto="${2}" # tcp, udp`
			`dns_host="${3}"`
			`set_nft "insert rule ip${ipv} qubes custom-dnat iifgroup 2 ${proto} dport 53 dnat to ${dns_host}"`
			`}`

			`dns="$(grep -s "^\sDNS\s=\s\S\+" "${wg_conf}" \| sed "s/.=//;s/ //g")"`
fix: clean Wireguard rules - Remove OpenVPN code comments; - Reorganize rules for easier reading; - Server can connect without having client attached; - Systemd service for easier monitoring of wg-quick; and - Firewall also restarts wg-quick and apply new endpoint rules. 2024-06-19 09:08:03 -04:00
			`if test -z "${dns}"; then`
			`set_nft "insert rule ip qubes custom-dnat drop"`
			`set_nft "insert rule ip6 qubes custom-dnat drop"`
			`exit`
			`fi`

fix: sys-wireguard compatible with Qubes 4.2 2024-01-08 14:07:20 -05:00			`dns_primary="$(echo "${dns}" \| cut -d "," -f 1)"`
			`dns_secondary="$(echo "${dns}" \| cut -d "," -f 2)"`

			`dns_primary_ipv=""`
			`if echo "${dns_primary}" \| grep -qF ":"; then`
			`dns_primary_ipv=6`
			`fi`

			`dns_secondary_ipv=""`
			`if echo "${dns_secondary}" \| grep -qF ":"; then`
			`dns_secondary_ipv=6`
			`fi`

			`if test -n "${dns}"; then`
			`set_nft_dnat "${dns_primary_ipv}" udp "${dns_primary}"`
			`set_nft_dnat "${dns_primary_ipv}" tcp "${dns_primary}"`
			`if echo "${dns}" \| grep -qF ","; then`
			`set_nft_dnat "${dns_secondary_ipv}" udp "${dns_secondary}"`
			`set_nft_dnat "${dns_secondary_ipv}" tcp "${dns_secondary}"`
			`fi`
			`fi`