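#!/bin/sh
# version 1.1
#
# WireGuard site-to-site helper for a router that keeps this script and the
# tunnel's ${int}.conf in $DIR (written for BusyBox-style tooling: ifconfig,
# nvram, cru).
#
# Usage:
#   wg.sh          bring the tunnel up: module, interface, firewall rules,
#                  routes to the remote LANs and the periodic cron check
#   wg.sh stop     tear all of that down again
#   wg.sh check    ping every remote site's tunnel address and add or remove
#                  the route to its LAN accordingly (run from cron)
#
# The conf file is a `wg setconf` file; the remote LAN prefixes are taken from
# its AllowedIPs entries (every a.b.c.d/nn that is not a /32). It also holds
# the tunnel's private key, so keep it readable by root only.
#
# PATH deliberately has no empty (current-directory) component: the script
# runs as root from cron, so the working directory must never be searched.
export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root
#<configuration>
DIR="/jffs"      # this script and the conf file are both expected to be found here
int=wg0          # don't change unless you know what you're doing
port=51820       # make sure this is consistent amongst all the sites
site=1           # unique per site: LAN network 10.10.$site.0/24, inter-VPN address 192.168.192.$site/32
vnet="192.168.192.${site}/24"   # the site-to-site VPN as a global /24
checkmin=15      # how often destinations need to be verified (in minutes 1-60; 0 disables the cron check)
#</configuration>

conf="${DIR}/${int}.conf"
script="${DIR}/wg.sh"   # the cron entry calls this file by this fixed name
# one dotted-quad IPv4 address (each octet 0-255)
ipv4='(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'

# Print the remote LAN prefixes from the conf, one per line.
# Blank, comment and [Section] lines are skipped, host routes (/32) dropped.
# Returns 1 (and prints nothing) when the conf is missing or unreadable.
remote_nets() {
  [ -r "$conf" ] || { echo "missing or unreadable $conf" >&2; return 1; }
  grep -Ev '^($|#|\[)' "$conf" \
    | grep -Eo "${ipv4}/[0-9]{1,2}" \
    | grep -v '/32$'
}

# Idempotency probes: does the rule / route already exist?
mark_rule()  { iptables -t mangle -nvL PREROUTING | grep -q ".*MARK.*all.*${int}.*0x1/0x7"; }
port_rule()  { iptables -nvL INPUT | grep -q ".*ACCEPT.*udp.dpt.${port}$"; }
input_rule() { iptables -nvL INPUT | grep -q ".*ACCEPT.*all.*${int}"; }
fwd_rule()   { iptables -nvL FORWARD | grep -q ".*ACCEPT.*all.*${int}"; }
# route_present PREFIX - is there a route for PREFIX via the tunnel?
route_present() { ip route | grep -q "^$1.*dev.${int}"; }

# reachable ADDR - can ADDR be pinged over the tunnel interface?
# `&>/dev/null` is bash-only; under /bin/sh it backgrounds ping and the
# test always "succeeds", so the redirection is spelled out portably.
reachable() { ping -4 -I "$int" -c3 -A -q "$1" >/dev/null 2>&1; }

# Remove firewall rules, tunnel routes, the interface, the module and the
# cron entry. Each step is skipped when its object is already gone.
stop() {
  mark_rule  && iptables -t mangle -D PREROUTING -i "$int" -j MARK --set-mark 0x01/0x7
  port_rule  && iptables -D INPUT -p udp --dport "$port" -j ACCEPT
  input_rule && iptables -D INPUT -i "$int" -j ACCEPT
  fwd_rule   && iptables -D FORWARD -i "$int" -j ACCEPT
  # drop every route that still points into the tunnel (first field = destination)
  ip route | grep -E ".*dev.${int}.*" | while read -r dest _; do
    ip route del "$dest"
  done
  ifconfig "$int" down 2>/dev/null
  ip link del dev "$int" 2>/dev/null
  rmmod wireguard 2>/dev/null
  cru l | grep -q '#wireguard-check#' && cru d wireguard-check
  echo stopped.
}

# Verify each remote site and keep the route table in step with reachability.
# The peer's tunnel address is the inter-VPN /24 with the remote site number
# (third octet of the remote LAN prefix) as its last octet.
check() {
  hub=${vnet%.*}   # e.g. 192.168.192 (the original used `cut -f0-3`, which GNU cut rejects)
  remote_nets | while read -r net; do
    [ -n "$net" ] || continue
    rest=${net#*.*.}        # "c.d/nn"
    rsite=${rest%%.*}       # "c"
    hop="${hub}.${rsite}"
    if route_present "$net"; then
      if reachable "$hop"; then
        echo "$net reachable"
      else
        echo "$net = unreachable - removing"
        ip route del "$net"
      fi
    elif reachable "$hop"; then
      echo "$net = reachable + adding"
      ip route add "$net" dev "$int"
    fi
  done
}

# Bring the tunnel up from scratch and install rules, routes and the cron check.
start() {
  ifconfig "$int" down 2>/dev/null
  ip link del dev "$int" 2>/dev/null
  rmmod wireguard 2>/dev/null
  modprobe wireguard || { echo "cannot load the wireguard module" >&2; exit 1; }
  ip link add dev "$int" type wireguard
  ip address add dev "$int" "$vnet"
  wg setconf "$int" "$conf" || { echo "wg setconf failed for $conf" >&2; exit 1; }
  sleep 1
  ifconfig "$int" up
  # bypass CTF for wireguard (only when the router has CTF enabled, i.e. ctf_disable=0;
  # an empty nvram answer is treated as "disabled", matching the old failed test)
  ctf=$(nvram get ctf_disable 2>/dev/null)
  if [ "${ctf:-1}" -eq 0 ]; then
    mark_rule || iptables -t mangle -I PREROUTING -i "$int" -j MARK --set-mark 0x01/0x7
  fi
  # Open WireGuard port
  port_rule || iptables -A INPUT -p udp --dport "$port" -j ACCEPT
  # Accept packets from WireGuard internal subnet
  # NOTE: the INPUT and FORWARD rules below accept everything arriving over the
  # tunnel; add -s <remote prefix> restrictions if the other sites should not
  # reach every local host.
  input_rule || iptables -A INPUT -i "$int" -j ACCEPT
  # Set up forwarding
  fwd_rule || iptables -A FORWARD -i "$int" -j ACCEPT
  # add routes to opposite lan
  remote_nets | while read -r net; do
    [ -n "$net" ] || continue
    route_present "$net" || ip route add "$net" dev "$int"
  done
  # add periodic checks. checkmin=0 means "no check"; the old
  # `[ ... ] && cru l | grep -q ... || cru a ...` form scheduled "*/0" in that case.
  if [ "$checkmin" -ne 0 ]; then
    cru l | grep -q '#wireguard-check#' \
      || cru a wireguard-check "*/${checkmin} * * * * ${script} check"
  fi
}

case "${1:-start}" in
  stop)  stop ;;
  check) check ;;
  start) start ;;
  *)     echo "usage: ${0##*/} [stop|check]" >&2; exit 1 ;;
esac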