From 7645e2359a347afb3fab6455246b303ade1d97ef Mon Sep 17 00:00:00 2001
From: tavo-wasd
Date: Fri, 23 Feb 2024 20:44:33 -0600
Subject: [PATCH] finished script i think

---
 .../{ => backup}/iptables/iptables-down.sh | 0
 .../{ => backup}/iptables/iptables-up.sh | 0
 .../bypass_cgnat/{ => backup}/local.sh | 0
 .../bypass_cgnat/{ => backup}/server.sh | 0
 self_hosting/bypass_cgnat/bypasscgnat.sh | 99 +++++++++++++++++++
 5 files changed, 99 insertions(+)
 rename self_hosting/bypass_cgnat/{ => backup}/iptables/iptables-down.sh (100%)
 rename self_hosting/bypass_cgnat/{ => backup}/iptables/iptables-up.sh (100%)
 rename self_hosting/bypass_cgnat/{ => backup}/local.sh (100%)
 rename self_hosting/bypass_cgnat/{ => backup}/server.sh (100%)
 create mode 100644 self_hosting/bypass_cgnat/bypasscgnat.sh

diff --git a/self_hosting/bypass_cgnat/iptables/iptables-down.sh b/self_hosting/bypass_cgnat/backup/iptables/iptables-down.sh
similarity index 100%
rename from self_hosting/bypass_cgnat/iptables/iptables-down.sh
rename to self_hosting/bypass_cgnat/backup/iptables/iptables-down.sh
diff --git a/self_hosting/bypass_cgnat/iptables/iptables-up.sh b/self_hosting/bypass_cgnat/backup/iptables/iptables-up.sh
similarity index 100%
rename from self_hosting/bypass_cgnat/iptables/iptables-up.sh
rename to self_hosting/bypass_cgnat/backup/iptables/iptables-up.sh
diff --git a/self_hosting/bypass_cgnat/local.sh b/self_hosting/bypass_cgnat/backup/local.sh
similarity index 100%
rename from self_hosting/bypass_cgnat/local.sh
rename to self_hosting/bypass_cgnat/backup/local.sh
diff --git a/self_hosting/bypass_cgnat/server.sh b/self_hosting/bypass_cgnat/backup/server.sh
similarity index 100%
rename from self_hosting/bypass_cgnat/server.sh
rename to self_hosting/bypass_cgnat/backup/server.sh
diff --git a/self_hosting/bypass_cgnat/bypasscgnat.sh b/self_hosting/bypass_cgnat/bypasscgnat.sh
new file mode 100644
index 0000000..d7723e6
--- /dev/null
+++ b/self_hosting/bypass_cgnat/bypasscgnat.sh
@@ -0,0 +1,99 @@
+#!/bin/sh
+TCP="80 443"
+UDP="80 443"
+
+iptables_setup() {
+ MODE="$1"
+ SERVER_INT="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)"
+ WG_SERVER_IP="10.0.0.1"
+ WG_CLIENT_IP="10.0.0.2"
+ : "${tcpports:=$TCP}"
+ : "${udpports:=$UDP}"
+
+ if [ "$MODE" = "up" ] ; then
+ for port in $tcpports; do
+ iptables -A FORWARD -i "$SERVER_INT" -o wg0 -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
+ iptables -t nat -A PREROUTING -i "$SERVER_INT" -p tcp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
+ iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
+ ufw allow "$port"/tcp
+ done
+ for port in $udpports; do
+ iptables -A FORWARD -i "$SERVER_INT" -o wg0 -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
+ iptables -t nat -A PREROUTING -i "$SERVER_INT" -p udp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
+ ufw allow "$port"/udp
+ done
+ fi
+
+ if [ "$MODE" = "down" ] ; then
+ for port in $tcpports; do
+ iptables -D FORWARD -i "$SERVER_INT" -o wg0 -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
+ iptables -t nat -D PREROUTING -i "$SERVER_INT" -p tcp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
+ iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
+ ufw deny "$port"/tcp
+ done
+ for port in $udpports; do
+ iptables -D FORWARD -i "$SERVER_INT" -o wg0 -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
+ iptables -t nat -D PREROUTING -i "$SERVER_INT" -p udp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
+ ufw deny "$port"/udp
+ done
+ fi
+
+ ufw reload
+ return 0
+}
+
+[ "$1" = "up" ] && iptables_setup up && exit 0
+[ "$1" = "down" ] && iptables_setup down && exit 0
+
+install_wireguard() {
+ apt-get install -y wireguard iptables resolvconf
+ mkdir -p /etc/wireguard
+ chmod 600 -R /etc/wireguard/
+}
+
+wireguard_config() {
+ echo "net.ipv4.ip_forward = 1" >/etc/sysctl.d/wg.conf
+ sysctl -p
+ sysctl --system
+
+ SERVER_IP4="$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | awk '{print $1}' | head -1)"
+ SERVER_PRV_KEY=$(wg genkey)
+ SERVER_PUB_KEY=$(echo "${SERVER_PRV_KEY}" | wg pubkey)
+
+ CLIENT_PRV_KEY=$(wg genkey)
+ CLIENT_PUB_KEY=$(echo "${CLIENT_PRV_KEY}" | wg pubkey)
+ CLIENT_PRE_KEY=$(wg genpsk)
+}
+
+install_wireguard
+wireguard_config
+
+echo "[Interface]
+PrivateKey = ${SERVER_PRV_KEY}
+ListenPort = 55107
+Address = 10.0.0.1/24
+
+PostUp = /opt/bypasscgnat/bypasscgnat.sh up
+PostDown = /opt/bypasscgnat/bypasscgnat.sh down
+
+[Peer]
+PublicKey = ${CLIENT_PUB_KEY}
+PresharedKey = ${CLIENT_PRE_KEY}
+AllowedIPs = 10.0.0.2/32" > /etc/wireguard/wg0.conf
+
+printf '\n\033[1m\033[34m=== client configuration ===\033[0m\n\n'
+
+echo "[Interface]
+PrivateKey = ${CLIENT_PRV_KEY}
+Address = 10.0.0.2
+
+[Peer]
+PublicKey = ${SERVER_PUB_KEY}
+PresharedKey = ${CLIENT_PRE_KEY}
+AllowedIPs = 10.0.0.1/32
+Endpoint = ${SERVER_IP4}:55107
+PersistentKeepalive = 25" | tee client.conf
+
+echo
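Review bot: The server private key and preshared key end up in a file created with the default umask, because `chmod 600 -R /etc/wireguard/` in install_wireguard runs before `echo "[Interface] ..." > /etc/wireguard/wg0.conf` creates that file, and the client private key is likewise written with `tee client.conf` into the current directory (and echoed to the terminal) with no permission tightening at all. Add `umask 077` before the `install_wireguard` call so every file the script creates is owner-only, and move the permission fix after the redirect as `chmod 700 /etc/wireguard && chmod 600 /etc/wireguard/wg0.conf` (the recursive 0600 also strips the directory's execute bit). Separately, the `down` branch of iptables_setup runs `ufw deny "$port"/tcp`, which appends a new deny rule on every teardown instead of removing the allow added on `up`; the inverse is `ufw delete allow "$port"/tcp` (same for udp). Whether the trailing `ufw reload` preserves the iptables rules appended just before it depends on the host's ufw settings, so that is worth confirming on the target.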