Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-09-19 12:04:45 -04:00
Code Issues Projects Releases Packages Wiki Activity

fix: clean Wireguard rules

Browse source 
- Remove OpenVPN code comments;
- Reorganize rules for easier reading;
- Server can connect without having client attached;
- Systemd service for easier monitoring of wg-quick; and
- Firewall also restarts wg-quick and apply new endpoint rules.
This commit is contained in:
Ben Grande 2024-06-19 15:08:03 +02:00
parent f86e30a6b6
commit 6ec0768f13
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
10 changed files with 106 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

72
salt/sys-wireguard/files/admin/bin/qvm-wireguard Executable file
View file

@ -0,0 +1,72 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
set -eu
test "$(id -u)" = "0" || exec sudo "$0" "$@"
usage(){
echo "Usage: ${0##*/} [QUBE]"
exit "${1:-1}"
}
case "${1-}" in
-h|--help) usage 0;;
-*) usage 1;;
"") qube="sys-wireguard";;
*) qube="${1}";;
esac
if ! qvm-check -q -- "$qube" >/dev/null 2>&1; then
echo "Qube '$qube' doesn't exist" >&2
usage 1
fi
user_conf="/home/user/wireguard.conf"
system_conf="/etc/wireguard/wireguard.conf"
qvm-run "$qube" -- "test -f ${user_conf}" || {
echo "File '${user_conf}' was not found" >&2
exit 1
}
qvm-run -u root "$qube" -- "cp ${user_conf} ${system_conf}"
## TOFU
# shellcheck disable=SC2016
endpoint="$(qvm-run -p -u root "$qube" -- awk '/Endpoint/{print $3}' "${system_conf}")"
if echo "${endpoint}" | grep -qF "["; then
ip="${ip##[\[]}"
ip="${ip%%\]*}"
port="${endpoint##*:}"
else
ip="${endpoint%%:*}"
port="${endpoint##*:}"
fi
if test -z "$ip" || test -z "$port";then
echo "Endpoint (IP:Port) not found: ${system_conf}" >&2
exit 1
fi
if qvm-check -q --running -- "$qube" >/dev/null 2>&1; then
qvm-pause --verbose -- "$qube"
fi
echo "Firewalling $qube to reach only '$ip:$port'"
qvm-firewall --verbose -- "$qube" reset
qvm-firewall --verbose -- "$qube" del --rule-no 0
qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" proto=udp
qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" proto=tcp
qvm-firewall --verbose -- "$qube" add drop
if qvm-check -q --paused -- "$qube" >/dev/null 2>&1; then
qvm-unpause --verbose -- "$qube"
fi
qvm-run -u root "$qube" -- "systemctl restart wg-quick@wireguard"
qvm-run -u root "$qube" -- "/rw/config/network-hooks.d/50-sys-wireguard"