wg-sh 1.1 (deprecated)

#!/bin/sh
# version 1.1
export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root:
#<configuration>
DIR="/jffs" #this script and the conf file are both expected to be found here
int=wg0 #don't change unless you know what you're doing
port=51820 # make sure this consistent amongst all the sites
site=1 #this is unique per site and defines "the site" e.g. LAN network number like 10.10.$site.0/24 and the inter-VPN IP address e.g. 192.168.192.$site/32
vnet="192.168.192.${site}/24" #define the site to site VPN as a global /24
checkmin=15 # how often destination needs to be verified (in minutes 1-60)
#</configuration>
rnet=$(grep -Ev '^($|#|\[)' ${DIR}/${int}.conf | grep -Eo '(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/..' | grep -v .*/32$)
[ $# -gt 0 ] && {
[ $1 == "stop" ] && {
iptables -t mangle -nvL PREROUTING | grep -q '.*MARK.*all.*wg0.*0x1/0x7' && iptables -t mangle -D PREROUTING -i $int -j MARK --set-mark 0x01/0x7
iptables -nvL INPUT | grep -q ".*ACCEPT.*udp.dpt.${port}$" && iptables -D INPUT -p udp --dport $port -j ACCEPT
iptables -nvL INPUT | grep -q ".*ACCEPT.*all.*$int" && iptables -D INPUT -i $int -j ACCEPT
iptables -nvL FORWARD | grep -q ".*ACCEPT.*all.*$int" && iptables -D FORWARD -i $int -j ACCEPT
ip route | grep -Eo ".*dev.$int.*" | while read line; do ip route del $(echo $line | awk '{print $1}'); done
ifconfig $int down 2>/dev/null
ip link del dev $int 2>/dev/null
rmmod wireguard 2>/dev/null
cru l | grep -q '#wireguard-check#' && cru d wireguard-check
echo stopped.
exit
}
[ $1 == "check" ] && {
echo $rnet | tr " " "\n" | while read line; do
	rsite=$(echo $line | cut -d. -f3 | grep -Eo '^[0-9]{0,3}')
	sitesup=$(echo $vnet | cut -d. -f0-3)
	sitehop=$(echo ${sitesup}.${rsite})
	ip route | grep -q "^${line}.*dev.${int}" && {
	ping -4 -I ${int} -c3 -A -q ${sitehop} &>/dev/null && echo "$line reachable" || { echo "$line = unreachable - removing" ; ip route del $(echo $line | awk '{print $1}') ;}
	} || {
	ping -4 -I ${int} -c3 -A -q ${sitehop} &>/dev/null && { echo "$line = reachable + adding" ; ip route add $line dev $int ;}
	}
	done
}
exit
}
ifconfig $int down 2>/dev/null
ip link del dev $int 2>/dev/null
rmmod wireguard 2>/dev/null
modprobe wireguard
ip link add dev $int type wireguard
ip address add dev $int $vnet
wg setconf $int $DIR/$int.conf
sleep 1
ifconfig $int up
# bypass CTF for wireguard
[ $(nvram get ctf_disable) -eq 0 ] && {
iptables -t mangle -nvL PREROUTING | grep -q '.*MARK.*all.*wg0.*0x1/0x7' || iptables -t mangle -I PREROUTING -i $int -j MARK --set-mark 0x01/0x7
}
# Open WireGuard port
iptables -nvL INPUT | grep -q ".*ACCEPT.*udp.dpt.${port}$" || iptables -A INPUT -p udp --dport $port -j ACCEPT
# Accept packets from WireGuard internal subnet
iptables -nvL INPUT | grep -q ".*ACCEPT.*all.*$int" || iptables -A INPUT -i $int -j ACCEPT
# Set up forwarding
iptables -nvL FORWARD | grep -q ".*ACCEPT.*all.*$int" || iptables -A FORWARD -i $int -j ACCEPT
# add routes to opposite lan
echo $rnet | tr " " "\n" | while read line; do ip route | grep -q  "^${line}.*dev.$int.*" || ip route add $line dev $int; done
# add periodic checks
[ $checkmin -ne 0 ] && cru l | grep -q '#wireguard-check#' || cru a wireguard-check "*/${checkmin} * * * * $DIR/wg.sh check"