#!/bin/sh

# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

## Lock a WireGuard qube's firewall down to the VPN endpoint named in the
## configuration the user placed inside that qube (trust on first use); every
## other destination is dropped. Intended to be run where the qvm-* tools are
## available (normally dom0).
##
## Usage: <script> [QUBE]   (QUBE defaults to sys-wireguard)

## Stop at the first failing command or unset variable: a half-applied
## firewall is worse than no change at all.
set -eu

## The qvm-* tools below are run as root; when started by an unprivileged
## user, re-execute this script under sudo with the same arguments.
uid="$(id -u)"
if test "${uid}" != "0"; then
  exec sudo "$0" "${@}"
fi
## Print the invocation synopsis on stdout and terminate the script.
## $1: exit status to terminate with; omitted or empty means 1 (usage error).
usage(){
  printf 'Usage: %s [QUBE]\n' "${0##*/}"
  exit "${1:-1}"
}
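## Qube to constrain: first argument, or sys-wireguard when none is given.
case "${1-}" in
  -h|--help) usage 0;;
  -*) usage 1;;
  "") qube="sys-wireguard";;
  *) qube="${1}";;
esac

if ! qvm-check -q -- "${qube}" >/dev/null 2>&1; then
  printf '%s\n' "Qube '${qube}' doesn't exist" >&2
  usage 1
fi

## The configuration the user drops into the qube, and the root-owned copy
## wg-quick reads. The user file lives in a domain less trusted than the one
## running this script, so everything read back from it is validated below
## before it is placed on a qvm-firewall command line.
user_conf="/home/user/wireguard.conf"
system_conf="/etc/wireguard/wireguard.conf"

## Pause the qube if it is running, so no packet can leave while its
## firewall is being rewritten.
pause_if_running(){
  if qvm-check -q --running -- "${qube}" >/dev/null 2>&1; then
    qvm-pause --verbose -- "${qube}"
  fi
}

## Counterpart of pause_if_running. NOTE(review): a qube the user had paused
## before this script ran is unpaused as well; the original behaved the same.
unpause_if_paused(){
  if qvm-check -q --paused -- "${qube}" >/dev/null 2>&1; then
    qvm-unpause --verbose -- "${qube}"
  fi
}

## Wipe the qube's firewall: 'reset' leaves a default rule at index 0, which
## is deleted so that only the rules added afterwards apply.
firewall_clear(){
  qvm-firewall --verbose -- "${qube}" reset
  qvm-firewall --verbose -- "${qube}" del --rule-no 0
}

## Fail closed: leave the qube with a drop-everything firewall and exit 1.
## Used on every error path once the qube exists, so that a missing, broken
## or tampered configuration never results in an unrestricted qube.
fail_closed(){
  pause_if_running
  printf '%s\n' "Firewalling ${qube} to drop all connections"
  firewall_clear
  qvm-firewall --verbose -- "${qube}" add drop
  unpause_if_paused
  exit 1
}

## Split one WireGuard 'Endpoint' value ($1) into ep_host and ep_port.
## Accepted forms: "host:port" (IPv4 literal or DNS name) and "[addr]:port"
## (IPv6 literal, which WireGuard requires to be bracketed). Returns 1 for
## anything else, for a host with characters outside [A-Za-z0-9.:-], and for
## a port outside 1-65535. The value originates inside the qube, so the check
## is deliberately strict: a '/' (CIDR), whitespace or a stray ':' would
## otherwise reach qvm-firewall and could widen the rule beyond one host.
split_endpoint(){
  ep_host=""
  ep_port=""
  case "${1}" in
    \[*\]:*)
      ep_host="${1#"["}"
      ep_host="${ep_host%%"]"*}"
      ep_port="${1##*"]:"}"
      ## Rebuilding the input proves nothing was silently dropped.
      test "[${ep_host}]:${ep_port}" = "${1}" || return 1
      case "${ep_host}" in
        ""|*[!0-9A-Fa-f:.]*) return 1;;
      esac
      ;;
    *:*)
      ep_host="${1%:*}"
      ep_port="${1##*:}"
      ## A second ':' (unbracketed IPv6) is rejected here.
      case "${ep_host}" in
        ""|*[!A-Za-z0-9.-]*) return 1;;
      esac
      ;;
    *)
      return 1
      ;;
  esac
  case "${ep_port}" in
    ""|*[!0-9]*) return 1;;
  esac
  ## Length bound first so the numeric comparison cannot overflow.
  test "${#ep_port}" -le 5 || return 1
  test "${ep_port}" -ge 1 && test "${ep_port}" -le 65535
}

## qvm-run starts the qube if needed and returns the remote 'test' status.
qvm-run --no-gui -- "${qube}" test -f "${user_conf}" || {
  printf '%s\n' "File '${user_conf}' was not found" >&2
  fail_closed
}

## Install the root-owned copy wg-quick reads. A WireGuard configuration
## typically carries the interface private key, so the copy is made readable
## by root only; the user's original is left untouched.
qvm-run --no-gui -u root -- "${qube}" \
  install -m 0600 -- "${user_conf}" "${system_conf}"

## TOFU: whatever endpoint(s) the configuration names right now become the
## only destinations the qube may reach. Only uncommented 'Endpoint = value'
## lines count (spaces around '=' optional); awk emits one value per line.
endpoints="$(qvm-run --no-gui -p -u root -- "${qube}" awk -- \
  '/^[ \t]*Endpoint[ \t]*=/{sub(/^[ \t]*Endpoint[ \t]*=/,""); gsub(/[ \t\r]/,""); print}' \
  "${system_conf}")"

if test -z "${endpoints}"; then
  printf '%s\n' "Endpoint (IP:Port) not found: ${system_conf}" >&2
  fail_closed
fi

## Validate every endpoint before touching the firewall, so that an invalid
## one never leaves a partially applied rule set behind. (The here-document
## delimiter is matched on the script text, not on the expanded data.)
while IFS= read -r endpoint; do
  split_endpoint "${endpoint}" || {
    printf '%s\n' "Invalid Endpoint '${endpoint}' in ${system_conf}" >&2
    printf '%s\n' "Expected 'host:port' or '[ipv6]:port'" >&2
    fail_closed
  }
done <<EOF
${endpoints}
EOF

pause_if_running

printf '%s\n' "Firewalling ${qube} to reach only the configured endpoint(s)"
firewall_clear
while IFS= read -r endpoint; do
  split_endpoint "${endpoint}" || fail_closed
  printf '%s\n' "  allow ${ep_host}:${ep_port} (udp and tcp)"
  ## WireGuard itself speaks UDP; TCP to the same endpoint is allowed as
  ## well, as in the rule set this script has always installed.
  ## NOTE(review): when the endpoint is a DNS name, the qube still has to
  ## resolve it after these rules are in place; nothing here allows DNS.
  qvm-firewall --verbose -- "${qube}" add accept dsthost="${ep_host}" \
    dstports="${ep_port}" proto=udp
  qvm-firewall --verbose -- "${qube}" add accept dsthost="${ep_host}" \
    dstports="${ep_port}" proto=tcp
done <<EOF
${endpoints}
EOF
qvm-firewall --verbose -- "${qube}" add drop

unpause_if_paused

## Bring the tunnel up on the new configuration. The two lines are run in
## sequence by the remote shell; the network hook runs even if the restart
## fails, and only the hook's status is reported back (as before).
## NOTE(review): what the hook does is not visible from here.
qvm-run --no-gui -u root -- "${qube}" \
  "systemctl restart wg-quick@wireguard
/rw/config/network-hooks.d/50-sys-wireguard"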