Last active December 6, 2022 02:09
Revisions
jtmoon79 revised this gist
Dec 6, 2022. 1 changed file with 2 additions and 2 deletions.
@@ -193,7 +193,7 @@ trap exit_ EXIT ) # enable forwarding, enable debug logging if available SITE12_PREUP="set -x; sysctl -w net.ipv4.ip_forward=1; ([[ -e /sys/kernel/debug/dynamic_debug/control ]] && (modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control)) || true; ip -4 -N route list;" # create iptables rules to forward and masquerade between the different networks # comments added to clarify the rule source and help debugging/fixing rules @@ -202,7 +202,7 @@ SITE12_PREUP="set -x; sysctl -w net.ipv4.ip_forward=1; ([[ -e /sys/kernel/debug/ # on up: delete prior rules (if any) then create iptables SITE_CONF_POSTUP="set -x;\ ip -4 -N route list;\ iptables -v -t nat -D POSTROUTING -o ${SITE_LAN_DEV} -j MASQUERADE -m comment --comment 'wireguard-a-${SITE_WG_DEV}' || true;\ iptables -v -D INPUT -i %i -j ACCEPT -m comment --comment 'wireguard-b-${SITE_WG_DEV}' || true;\ iptables -v -D FORWARD -i ${SITE_LAN_DEV} -o ${SITE_WG_DEV} -j ACCEPT -m comment --comment 'wireguard-c-${SITE_WG_DEV}' || true;\
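Review bot: the PreUp in the @@ -193 hunk enables WireGuard dynamic debug (`echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control`) every time the interface comes up, and nothing in the script turns it off again, so the kernel log keeps recording per-peer handshake and endpoint detail until reboot. Suggest gating it behind an environment variable and pairing it with the matching `echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control` in the PostDown, or leaving it out of a template meant for reuse. The `ip -4 -N route list` calls are informational only, as the later comment says, and are harmless under `set -x`.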
jtmoon79 revised this gist
Dec 6, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -197,6 +197,8 @@ SITE12_PREUP="set -x; sysctl -w net.ipv4.ip_forward=1; ([[ -e /sys/kernel/debug/ # create iptables rules to forward and masquerade between the different networks # comments added to clarify the rule source and help debugging/fixing rules # # the `ip route` comamnds are informational only # on up: delete prior rules (if any) then create iptables SITE_CONF_POSTUP="set -x;\
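Review bot: typo in the added comment, "comamnds" should read "commands".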
jtmoon79 revised this gist
Dec 6, 2022. 1 changed file with 2 additions and 1 deletion.
@@ -193,13 +193,14 @@ trap exit_ EXIT ) # enable forwarding, enable debug logging if available SITE12_PREUP="set -x; sysctl -w net.ipv4.ip_forward=1; ([[ -e /sys/kernel/debug/dynamic_debug/control ]] && (modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control)) || true; ip -4 -N route;" # create iptables rules to forward and masquerade between the different networks # comments added to clarify the rule source and help debugging/fixing rules # on up: delete prior rules (if any) then create iptables SITE_CONF_POSTUP="set -x;\ ip -4 -N route;\ iptables -v -t nat -D POSTROUTING -o ${SITE_LAN_DEV} -j MASQUERADE -m comment --comment 'wireguard-a-${SITE_WG_DEV}' || true;\ iptables -v -D INPUT -i %i -j ACCEPT -m comment --comment 'wireguard-b-${SITE_WG_DEV}' || true;\ iptables -v -D FORWARD -i ${SITE_LAN_DEV} -o ${SITE_WG_DEV} -j ACCEPT -m comment --comment 'wireguard-c-${SITE_WG_DEV}' || true;\
jtmoon79 revised this gist
Dec 6, 2022. No changes.
jtmoon79 revised this gist
Dec 6, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -6,7 +6,7 @@ # configuration files, and commands for systemd services. # This script only covers a narrow scope of possible networking arrangements. # It may not perfectly fit the user's needs, but it may provide the user with # a working example that they can modify for their needs. # # Site is the Wireguard server. Presumed to use systemd services. # Client is the Wireguard client.
jtmoon79 revised this gist
Dec 6, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -198,7 +198,7 @@ SITE12_PREUP="set -x; sysctl -w net.ipv4.ip_forward=1; ([[ -e /sys/kernel/debug/ # create iptables rules to forward and masquerade between the different networks # comments added to clarify the rule source and help debugging/fixing rules # on up: delete prior rules (if any) then create iptables SITE_CONF_POSTUP="set -x;\ iptables -v -t nat -D POSTROUTING -o ${SITE_LAN_DEV} -j MASQUERADE -m comment --comment 'wireguard-a-${SITE_WG_DEV}' || true;\ iptables -v -D INPUT -i %i -j ACCEPT -m comment --comment 'wireguard-b-${SITE_WG_DEV}' || true;\
jtmoon79 revised this gist
Dec 4, 2022. No changes.
jtmoon79 revised this gist
Dec 4, 2022. No changes.
jtmoon79 revised this gist
Dec 4, 2022. 1 changed file with 18 additions and 13 deletions.
@@ -198,21 +198,26 @@ SITE12_PREUP="set -x; sysctl -w net.ipv4.ip_forward=1; ([[ -e /sys/kernel/debug/ # create iptables rules to forward and masquerade between the different networks # comments added to clarify the rule source and help debugging/fixing rules # on up: delete prior rules then create iptables SITE_CONF_POSTUP="set -x;\ iptables -v -t nat -D POSTROUTING -o ${SITE_LAN_DEV} -j MASQUERADE -m comment --comment 'wireguard-a-${SITE_WG_DEV}' || true;\ iptables -v -D INPUT -i %i -j ACCEPT -m comment --comment 'wireguard-b-${SITE_WG_DEV}' || true;\ iptables -v -D FORWARD -i ${SITE_LAN_DEV} -o ${SITE_WG_DEV} -j ACCEPT -m comment --comment 'wireguard-c-${SITE_WG_DEV}' || true;\ iptables -v -D FORWARD -i %i -o ${SITE_LAN_DEV} -j ACCEPT -m comment --comment 'wireguard-d-${SITE_WG_DEV}' || true;\ iptables -v -D INPUT -i ${SITE_LAN_DEV} -p udp --dport ${SITE_PORT} -j ACCEPT -m comment --comment 'wireguard-e-${SITE_WG_DEV}' || true;\ iptables -v -t nat -I POSTROUTING 1 -o ${SITE_LAN_DEV} -j MASQUERADE -m comment --comment 'wireguard-a-${SITE_WG_DEV}'\ && iptables -v -I INPUT 1 -i %i -j ACCEPT -m comment --comment 'wireguard-b-${SITE_WG_DEV}'\ && iptables -v -I FORWARD 1 -i ${SITE_LAN_DEV} -o ${SITE_WG_DEV} -j ACCEPT -m comment --comment 'wireguard-c-${SITE_WG_DEV}'\ && iptables -v -I FORWARD 1 -i %i -o ${SITE_LAN_DEV} -j ACCEPT -m comment --comment 'wireguard-d-${SITE_WG_DEV}'\ && iptables -v -I INPUT 1 -i ${SITE_LAN_DEV} -p udp --dport ${SITE_PORT} -j ACCEPT -m comment --comment 'wireguard-e-${SITE_WG_DEV}'" # on down: delete iptables rules, `iptables -D` is very picky about rule matching SITE_CONF_POSTDOWN="set -x;\ iptables -v -t nat -D POSTROUTING -o ${SITE_LAN_DEV} -j MASQUERADE -m comment --comment 'wireguard-a-${SITE_WG_DEV}'\ && iptables -v -D INPUT -i %i -j ACCEPT -m comment --comment 'wireguard-b-${SITE_WG_DEV}'\ && iptables -v -D FORWARD -i ${SITE_LAN_DEV} -o ${SITE_WG_DEV} -j ACCEPT -m comment --comment 'wireguard-c-${SITE_WG_DEV}'\ && iptables -v -D 
FORWARD -i %i -o ${SITE_LAN_DEV} -j ACCEPT -m comment --comment 'wireguard-d-${SITE_WG_DEV}'\ && iptables -v -D INPUT -i ${SITE_LAN_DEV} -p udp --dport ${SITE_PORT} -j ACCEPT -m comment --comment 'wireguard-e-${SITE_WG_DEV}'" DATE=$(date)
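Review bot: SITE_CONF_POSTDOWN chains its five `iptables -D` calls with `&&`, so if the first delete fails (and the comment above it warns that `-D` is picky about rule matching) the remaining four rules are left behind; the PostUp already tolerates a failed delete with `|| true` per rule, and the PostDown should do the same. Two related points in the same hunk: PostDown removes the rules but never reverts the `net.ipv4.ip_forward=1` set in SITE12_PREUP, so forwarding stays enabled after the tunnel is down; and `-I INPUT 1 -i %i -j ACCEPT` plus the two `-I FORWARD 1 ... -j ACCEPT` rules are inserted at the head of their chains and accept all traffic between the tunnel and the LAN, bypassing whatever policy already sits in those chains. If full bidirectional access is not the intent, restrict them with `-s`/`-d` to the site and client networks the script already knows.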
jtmoon79 revised this gist
Nov 3, 2022. 1 changed file with 0 additions and 1 deletion.
@@ -169,7 +169,6 @@ CLIENT_PUB=${TEMPD}/client-${CLIENT_NAME}.pub SITE_CLIENT_PSK=${TEMPD}/psk-${SITE_NAME}-${CLIENT_NAME}.psk # remind user how to check iptables rules and fix bad/duplicate rules. COMMENT_LIST_RULES="\ # This WireGuard configuration should create 5 iptables rules. # To list the rules by line number:
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -1,5 +1,7 @@ #!/usr/bin/env bash # # https://gist.github.com/jtmoon79/217e55272c55631ba6025c9f890b3dde # # Script to generate a client-to-site Wireguard IPv4 VPN tunnel # configuration files, and commands for systemd services. # This script only covers a narrow scope of possible networking arrangements.
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 3 additions and 0 deletions.
@@ -30,6 +30,9 @@ # # XXX: User can unset DNS entry as desired. It is commented by default. # # Also see `wireguard-site-to-site.sh` # https://gist.github.com/jtmoon79/c951f81f621bb87ddb60836245aca4ff # set -euo pipefail
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -333,7 +333,7 @@ echo "HEREDOC n hl echo # Wireguard mobile phone clients can input a configuration from a QR code qrencode --margin 2 --type ansiutf8 < "${CLIENT_WG_CONF_TEMP}" echo hl
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 0 deletions.
@@ -333,6 +333,7 @@ echo "HEREDOC n hl echo # Wireguard mobile phone clients can often input a configuration from a QR code qrencode --margin 2 --type ansiutf8 < "${CLIENT_WG_CONF_TEMP}" echo hl
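Review bot: the added `qrencode ... < "${CLIENT_WG_CONF_TEMP}"` renders the complete client configuration, i.e. the client's own key material and the PresharedKey that the generated peer section carries, into the terminal. That output is secret material just like the files in TEMPD: it should not be run with output captured to a log or pasted into a ticket, and the comment or usage text should say so. Consider making the QR output opt-in via an environment variable, since the script already uses that pattern for other options.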
jtmoon79 revised this gist
Nov 2, 2022. No changes.
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -147,7 +147,7 @@ SITE_DNS=${5} SITE12_VNET=${SITE12_VLAN_FIRST3}.0/24 CLIENT_NAME=${3} #CLIENT_ETH_DEV=${CLIENT_ETH_DEV-eth0} # presume Debian location of wireguard configuration CLIENT_WG_CONF=/etc/wireguard/${WG_DEV}.conf CLIENT_WG_CONF_TEMP=${TEMPD}/${WG_DEV}.conf
jtmoon79 revised this gist
Nov 2, 2022. No changes.
jtmoon79 revised this gist
Nov 2, 2022. No changes.
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 0 additions and 7 deletions.
@@ -144,8 +144,6 @@ SITE_MTU=${SITE_MTU-1340} SITE_DNS=${5} # site and client virtual network SITE12_VNET=${SITE12_VLAN_FIRST3}.0/24 CLIENT_NAME=${3} @@ -157,9 +155,6 @@ CLIENT_WG_CONF_TEMP=${TEMPD}/${WG_DEV}.conf CLIENT_ADDR=${SITE12_VLAN_FIRST3}.2 CLIENT_ADDR_CIDR=${CLIENT_ADDR}/24 CLIENT_WG_PORT=${CLIENT_WG_PORT-$((51000 + ${OFFSET}))} CLIENT_MTU=${CLIENT_MTU-1340} SITE_KEY=${TEMPD}/site-${SITE_NAME}.key @@ -323,8 +318,6 @@ PublicKey = $(cat ${SITE_PUB}) PresharedKey = $(cat ${SITE_CLIENT_PSK}) AllowedIPs = ${SITE12_VNET} AllowedIPs = ${SITE_NET} # including Endpoint treats the peer as a server and this host as a client Endpoint = ${SITE_ENDPOINT} PersistentKeepalive = 300
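Review bot: `PersistentKeepalive = 300` in the @@ -323 hunk is longer than the UDP mapping timeout of many consumer NAT devices, so a mobile client behind NAT can lose its mapping between keepalives and the site will be unable to reach it until the client sends traffic again; the WireGuard documentation suggests 25 seconds for peers behind NAT. Worth a comment on the line explaining the trade-off, given the script targets phone clients.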
jtmoon79 revised this gist
Nov 2, 2022. No changes.
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -157,7 +157,7 @@ CLIENT_WG_CONF_TEMP=${TEMPD}/${WG_DEV}.conf CLIENT_ADDR=${SITE12_VLAN_FIRST3}.2 CLIENT_ADDR_CIDR=${CLIENT_ADDR}/24 CLIENT_WG_PORT=${CLIENT_WG_PORT-$((51000 + ${OFFSET}))} # CIDR network of client, can be left as-is CLIENT_NET=${CLIENT_NET-192.168.2.0/24} #CLIENT_VNET=${SITE12_VLAN_FIRST3}.1/24 CLIENT_MTU=${CLIENT_MTU-1340}
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -157,7 +157,7 @@ CLIENT_WG_CONF_TEMP=${TEMPD}/${WG_DEV}.conf CLIENT_ADDR=${SITE12_VLAN_FIRST3}.2 CLIENT_ADDR_CIDR=${CLIENT_ADDR}/24 CLIENT_WG_PORT=${CLIENT_WG_PORT-$((51000 + ${OFFSET}))} # CIDR network of client CLIENT_NET=${CLIENT_NET-192.168.2.0/24} #CLIENT_VNET=${SITE12_VLAN_FIRST3}.1/24 CLIENT_MTU=${CLIENT_MTU-1340}
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -157,7 +157,7 @@ CLIENT_WG_CONF_TEMP=${TEMPD}/${WG_DEV}.conf CLIENT_ADDR=${SITE12_VLAN_FIRST3}.2 CLIENT_ADDR_CIDR=${CLIENT_ADDR}/24 CLIENT_WG_PORT=${CLIENT_WG_PORT-$((51000 + ${OFFSET}))} # CIDR network of client, must match actual network! CLIENT_NET=${CLIENT_NET-192.168.2.0/24} #CLIENT_VNET=${SITE12_VLAN_FIRST3}.1/24 CLIENT_MTU=${CLIENT_MTU-1340}
jtmoon79 revised this gist
Nov 2, 2022. No changes.
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 0 additions and 1 deletion.
@@ -148,7 +148,6 @@ SITE_DNS=${5} # must agree with $SITE_ADDR and $CLIENT_ADDR SITE12_VNET=${SITE12_VLAN_FIRST3}.0/24 CLIENT_NAME=${3} CLIENT_ETH_DEV=${CLIENT_ETH_DEV-eth0} # presume Debian location of wireguard configuration
jtmoon79 revised this gist
Nov 2, 2022. No changes.
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -115,7 +115,7 @@ if [[ ${OFFSET} -eq 0 ]] || [[ ${OFFSET} -gt 255 ]]; then exit 1 fi TEMPD=$(umask 0077; mktemp -d -t "${SCRIPT}.XXX") # first 3 IPv4 network octets of the virtual LAN, make it unique and obvious SITE12_VLAN_FIRST3=${SITE12_VLAN_FIRST3-"10.0.${OFFSET}"}
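Review bot: the range check `[[ ${OFFSET} -eq 0 ]] || [[ ${OFFSET} -gt 255 ]]` lets negative values through even though the usage text says the value must be in [1, 255], and a negative OFFSET then lands in `SITE12_VLAN_FIRST3` as an invalid octet; `[[ ${OFFSET} -lt 1 ]] || [[ ${OFFSET} -gt 255 ]]` closes that, and a preceding `[[ ${OFFSET} =~ ^[0-9]+$ ]]` guard turns a non-numeric argument into a clean usage error instead of a bash arithmetic failure. The `(umask 0077; mktemp -d ...)` subshell is the right change, since the key and psk files are written under TEMPD.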
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 0 deletions.
@@ -90,6 +90,7 @@ done function hl() { # print a horizontal line echo -n '# ' declare i= for i in $(seq 1 $((${COLUMNS} - 2))); do echo -n '-'; done echo }
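Review bot: hl() relies on `${COLUMNS}`, which bash sets only in interactive shells, and the script runs under `set -euo pipefail`, so a non-interactive invocation (cron, a pipe into a file) aborts with an unbound-variable error at the first `hl` call. Use `${COLUMNS:-80}` or `$(tput cols 2>/dev/null || echo 80)` for the width.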
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -48,7 +48,7 @@ Usage: For example: ${SCRIPT} 55 my-wireguard-server.domain.org MySmartPhone 192.168.1.0/24 192.168.1.1 OFFSET is an arbitrary numeric offset to disambiguate potentially multiple Wireguard interfaces and VLAN networks. Value must be [1, 255].
jtmoon79 revised this gist
Nov 2, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -58,6 +58,8 @@ port will shown in the output, or can be overridden via SITE_PORT, e.g. SITE_PORT=12345 ${SCRIPT} … SITE_DNS is added but commented. Review the script for other optional environment variable settings. To allow other hosts on the site network to connect to the client through
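Review bot: typo in the usage text, "port will shown in the output" should read "port will be shown in the output".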