rs232

wg.sh noroutes (bird+ospf)

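#!/bin/sh
# wg.sh ver 1.31 - rs232 - 03/23
# DO NOT EDIT THIS FILE!
# All the config is placed in the wg0.conf and you can produce this automatically via "wg.sh makeconf"
#
# Usage: wg.sh [stop|check|help|makeconf]   (no argument: bring wg0 up)
# Expects wg0.conf next to this script. Besides the WireGuard keys it reads
# ListenPort and the two commented helper values that makeconf writes:
#   #vnet=<addr>/<len>      address put on wg0
#   #checkmin=<minutes>     period of the "wg.sh check" cron job (0 = off)
# Written for the busybox sh on FreshTomato (ip, iptables, wg, cru, nvram).

# No trailing ':' on PATH: it used to add the current directory, and this
# script cd's into its own folder, so any stray "wg"/"iptables"/"cru" file
# placed next to the script would have been executed as root.
export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/home/root
PID=$$
black="\033[0;40m"
grey="\033[0;5;238m"
green="\033[48;2;32m"

#######################################
# Syslog helper. A function, not an alias: aliases are not reliably expanded
# in non-interactive sh scripts, so the old "logw" alias was never usable.
# Arguments: message words
#######################################
logw() {
  logger -p warning -t "wg-sh[$PID]" "$*"
}

# Absolute script folder; everything (conf, cron entry, copies of this
# script) is addressed relative to it.
DIR=$(cd "$(dirname "$0")" && pwd) || exit 1
cd "$DIR" || exit 1
int=wg0
conf="$DIR/$int.conf"

# Values pulled out of wg0.conf. checkmin defaults to 0 (checks disabled) when
# the line is missing, so the cron expression below can never become "*/ * * * *".
checkmin=$(grep 'checkmin=' "$conf" 2>/dev/null | cut -d= -f2)
checkmin=${checkmin:-0}
port=$(grep 'ListenPort' "$conf" 2>/dev/null | awk '{print $3}')
vnet=$(grep 'vnet=' "$conf" 2>/dev/null | cut -d= -f2)
#rnet=$(grep -Ev '^($|#|\[)' ${DIR}/${int}.conf | grep -Eo '(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/..' | grep -v .*/32$)

#######################################
# Tear down wg0: firewall rules (only the ones this script added), the
# interface, the kernel module and the periodic check job. Always exits 0.
# Globals: int, port (read)
#######################################
wg_stop() {
  iptables -t mangle -nvL PREROUTING | grep -q ".*MARK.*all.*$int.*0x1/0x7" && iptables -t mangle -D PREROUTING -i "$int" -j MARK --set-mark 0x01/0x7
  iptables -nvL INPUT | grep -q ".*ACCEPT.*udp.dpt.${port}$" && iptables -D INPUT -p udp --dport "$port" -j ACCEPT
  iptables -nvL INPUT | grep -q ".*ACCEPT.*all.*$int" && iptables -D INPUT -i "$int" -j ACCEPT
  iptables -nvL FORWARD | grep -q ".*ACCEPT.*all.*$int" && iptables -D FORWARD -i "$int" -j ACCEPT
  iptables -nvL INPUT | grep -q ".*ACCEPT.*89.*$int" && iptables -D INPUT -i "$int" -p 89 -j ACCEPT
  #ip route | grep -Eo ".*dev.$int.*" | while read line; do ip route del $(echo $line | awk '{print $1}'); done
  ifconfig "$int" down 2>/dev/null
  ip link del dev "$int" 2>/dev/null
  rmmod wireguard 2>/dev/null
  cru l | grep -q '#wireguard-check#' && cru d wireguard-check
  echo stopped.
  exit 0
}

#######################################
# Print the usage screen and exit.
#######################################
wg_help() {
  echo -e "
┌────────────────── FreshTomato ────────────────────┐
wireguard
 
Usage:
 
 
help this screen
[empty] loads the script
stop to unload the config
check to verify and recover wg if broken
makeconf a wizard to create multisite config
 
 
The script can be run from anywhere but expects
a wg0.conf file to be present in the same folder.
makeconf is a good starting point.
 
 
└───────────────────────────────────────────────────┘
"
  exit 0
}

#######################################
# Interactive wizard: generates one folder per site under /tmp/wireguard with
# that site's wg0.conf (its [Interface] + the [Peer] stanza of every other
# site) and a copy of this script. Exits when done or on invalid input.
# Globals: DIR, green, grey, black (read); d, vpnnet, vpnport, vpnsites,
#          ansp, i, ansa, ansb, ansc, site, vpnip (written)
#######################################
wg_makeconf() {
  d="/tmp/wireguard"
  # Without wg the key files would be empty and every config unusable.
  command -v wg >/dev/null 2>&1 || { echo "wg not found in PATH, cannot generate keys" >&2; exit 1; }
  # Private keys end up in plain files (privateKey and wg0.conf) under $d:
  # make them readable by root only instead of the default 644.
  umask 077
  rm -rf -- "$d" >/dev/null 2>&1
  mkdir -p -- "$d" || exit 1
  echo -e "
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ This script will create the configuration for your wireguard site-to-site full mesh VPN. │
│ Please follow carefully the instructions and beware: you will need to keep to hand the │
▌ LAN subnet used by each site (/24) and define a brand new privately (rfc1918) addressed ▐
▌ subnet /24 of choice to dedicate to the inter-VPN connectivity. The configurationis fully▐
▌ automated including key generation, just make sure you answer the questions correctly. ▐
│ If any issue just re-run the makeconf. When finished you will just need to upload each │
│ site-specific-config to the relevant router │
└──────────────────────────────────────────────────────────────────────────────────────────┘"
  read -p "
┌──────┐ ┌──────┐
│ rtrA │ │ rtrB │
└──────┘\ /└──────┘
*------------------*
| 192.168.253.0/24 |
*------------------*
┌──────┐/ \┌──────┐
│ rtrC │ │ rtrN │
└──────┘ └──────┘
 
Private /24 subnet to dedicate to the VPN interconnectivity in format X.X.X.0/24
(empty uses 192.168.253.0/24) : " vpnnet
  [ -z "$vpnnet" ] && vpnnet=192.168.253.0/24
  echo "vnet=$vpnnet" > "$d/wireguard.TCONF"
  read -p "Port number to be used for wireguard communication
(empty uses default 51820) : " vpnport
  # 51820 is the WireGuard default the prompt promises (earlier versions
  # silently fell back to the transposed 51280).
  [ -z "$vpnport" ] && vpnport=51820
  echo "port=$vpnport
" >> "$d/wireguard.TCONF"
  read -p "How many sites do you want to interconnect?
(default 2) : " vpnsites
  [ -z "$vpnsites" ] && vpnsites=2
  read -p "
How often do you want to check the status of wg? If any issue it will try to recover.
(0 to disable, 15 default) 0-60min : " ansp
  [ -z "$ansp" ] && ansp=15
  echo "
We will now enter the site specific section of the configuration."
  i=1
  while [ "$i" -le "$vpnsites" ]; do
 
    read -p "
┌────────────────────
│ Site $i
├────────────────────
│ port= $vpnport
│ FQDN= ?
 
Name (FQDN) of the device : " ansa
    # The FQDN becomes a directory name and the peer Endpoint: reject values
    # that would escape $d or break the config.
    case "$ansa" in
      ''|*/*|*' '*)
        echo "Invalid site name '$ansa': must be a non-empty FQDN without spaces or '/'" >&2
        exit 1 ;;
    esac
    read -p "
┌────────────────────
│ Site $i
├────────────────────
│ port= $vpnport
│ FQDN= $ansa
│ LAN= ?
 
LAN Subnet at this site (in format X.X.X.0/24) : " ansb
    # Third octet of the LAN /24 doubles as the site reference and as the
    # host part of the site's VPN address.
    site=$(echo "$ansb" | grep -Eo '(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/..' | grep '.*/24$' | cut -d. -f3)
    if [ -z "$site" ]; then
      echo "Invalid LAN subnet '$ansb': expected X.X.X.0/24" >&2
      exit 1
    fi
    vpnip="${vpnnet%.*}.${site}/24"
    read -p "
┌────────────────────
│ Site $i
├────────────────────
│ port= $vpnport
│ FQDN= $ansa
│ LAN= $ansb
│ SiteRef= $site
│ VPNIP= $vpnip
│ port-in= ?
 
Is port $vpnport inbound from Internet possible on this site (e.g. WAN its a public IP or a port-fowarding for $vpnport)?
(default yes) y/n : " ansc
    [ -z "$ansc" ] && ansc=y
    # read -p "[Site $i] If this site subject to high packet loss e.g. WAN is 4G?
    # (default no) y/n : " ansd
    # [ -z $ansd ] && ansd=n
    echo -e "${green}
┌────────────────────
│ Site $i
├────────────────────
│ port= $vpnport
│ FQDN= $ansa
│ LAN= $ansb
│ SiteRef= $site
│ VPNIP= $vpnip
│ port-in= $ansc
└────────────────────
${black}"
    sitedir="$d/$ansa"
    # mkdir fails on a duplicate FQDN, which would otherwise overwrite the
    # keys of the earlier site.
    mkdir -- "$sitedir" || exit 1
    wg genkey > "$sitedir/privateKey" 2>/dev/null
    wg pubkey < "$sitedir/privateKey" > "$sitedir/publicKey" 2>/dev/null
    echo "[Interface]
PrivateKey = $(cat "$sitedir/privateKey")
ListenPort = $vpnport
#vnet=$vpnip
#checkmin=$ansp
"> "$sitedir/wg0.conf"
    # [Peer] stanza the OTHER sites get for this one. wg requires host:port in
    # Endpoint, and the VPN address must be a /32: if every peer lists the
    # whole /24, wg assigns the prefix to the last peer configured and the
    # others are unreachable on their VPN IP. PersistentKeepalive is written
    # when inbound is not possible (kept as the original wizard behaved).
    echo "[Peer] #$ansa
Endpoint = $ansa:$vpnport
PublicKey = $(cat "$sitedir/publicKey")
AllowedIPs = ${vpnip%/*}/32, $ansb
$([ "$ansc" = "n" ] && echo 'PersistentKeepalive = 25')
" > "$d/${ansa}.TEMPO"
    i=$((i+1))
  done
  # Assemble each site's wg0.conf from every other site's stanza (exact file
  # match, so a site name that is a substring of another is not skipped) and
  # ship this script alongside it. $DIR is absolute, so the copy works even
  # when the wizard was started as ./wg.sh.
  for sitedir in "$d"/*/; do
    [ -d "$sitedir" ] || continue
    sitedir=${sitedir%/}
    folder=${sitedir##*/}
    for tempo in "$d"/*.TEMPO; do
      [ "$tempo" = "$d/${folder}.TEMPO" ] && continue
      cat "$tempo" >> "$sitedir/wg0.conf"
    done
    cp -f "$DIR/wg.sh" "$sitedir/wg.sh"
  done
  echo -e "
┌────────────────────────────────────────────────────────────────────────────────────────┐
▌ ${grey}Configuration completed.${black} ▐
└────────────────────────────────────────────────────────────────────────────────────────┘
 
Find the each site relevant ${green}wg.sh${black} and ${green}wg0.conf${black} files in:${green}
$(for s in "$d"/*/; do [ -d "$s" ] && echo "$s"; done)${black}
Copy each wg.sh & wg0.conf on the permanent storage of target router e.g. /jffs.
Place them both in the same folder. Bring the VPN up calling /whateverpath/wg.sh
 
NOTEs:
- do not edit the wg.sh or wg0.conf they are reaby to be used as they are
- remember to ${green}chmod +x wg.sh${black} on the target device.
- to autostart you could use something like this in the Administration/script/firewall:
${green}/jffs/wg.sh${black}
"
  # Working files and loose key files are removed; the private key remains
  # only inside each site's wg0.conf (root-only thanks to the umask above).
  find "$d" -name '*.TCONF' -exec rm {} + >/dev/null 2>&1
  find "$d" -name '*.TEMPO' -exec rm {} + >/dev/null 2>&1
  find "$d" -name '*Key' -exec rm {} + >/dev/null 2>&1
  exit 0
}

#######################################
# (Re)create wg0 from wg0.conf, add the firewall rules and the check job.
# Rules are added only when an equivalent one is not already present.
# Globals: int, conf, vnet, port, checkmin, DIR (read)
#######################################
wg_start() {
  if [ -z "$vnet" ] || [ -z "$port" ]; then
    echo "missing #vnet= or ListenPort in $conf (run 'wg.sh makeconf')" >&2
    exit 1
  fi
  ifconfig "$int" down 2>/dev/null
  ip link del dev "$int" 2>/dev/null
  rmmod wireguard 2>/dev/null
  modprobe wireguard
  ip link add dev "$int" type wireguard || { logw "cannot create $int"; exit 1; }
  ip address add dev "$int" "$vnet"
  # A rejected conf leaves a keyless interface; stop here rather than open
  # the firewall for it.
  wg setconf "$int" "$conf" || { logw "wg setconf failed for $conf"; exit 1; }
  sleep 1
  ifconfig "$int" up
  # bypass CTF for wireguard
  ctf=$(nvram get ctf_disable 2>/dev/null)
  [ "${ctf:-1}" -eq 0 ] && {
    iptables -t mangle -nvL PREROUTING | grep -q ".*MARK.*all.*$int.*0x1/0x7" || iptables -t mangle -I PREROUTING -i "$int" -j MARK --set-mark 0x01/0x7
  }
  # Open WireGuard port
  iptables -nvL INPUT | grep -q ".*ACCEPT.*udp.dpt.${port}$" || iptables -A INPUT -p udp --dport "$port" -j ACCEPT
  # Accept packets from WireGuard internal subnet
  iptables -nvL INPUT | grep -q ".*ACCEPT.*all.*$int" || iptables -A INPUT -i "$int" -j ACCEPT
  # Set up forwarding
  iptables -nvL FORWARD | grep -q ".*ACCEPT.*all.*$int" || iptables -A FORWARD -i "$int" -j ACCEPT
  # add periodic checks (explicit if: the old "a && b || c" form added a
  # "*/0 * * * *" job whenever checkmin was 0)
  if [ "$checkmin" -ne 0 ] && ! cru l | grep -q '#wireguard-check#'; then
    cru a wireguard-check "*/${checkmin} * * * * ${DIR}/wg.sh check"
  fi
  # allow OSPF to run over wg0
  iptables -nvL INPUT | grep -q ".*ACCEPT.*89.*$int" || iptables -I INPUT -i "$int" -p 89 -j ACCEPT
  logw "$int up with $vnet, udp/$port open"
}

case "$1" in
  stop) wg_stop ;;
  check)
    # More than 3 lines of "wg" output means interface plus at least one
    # peer is present: nothing to do. Otherwise fall through to a reload.
    [ "$(wg 2>/dev/null | wc -l)" -gt 3 ] && exit 0
    logw "$int missing or without peers, reloading"
    ;;
  help) wg_help ;;
  makeconf) wg_makeconf ;;
esac
wg_start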