tavo/guides
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

finished script i think

Browse source
This commit is contained in:
tavo-wasd 2024-02-23 20:44:33 -06:00
parent 14fd21ab80
commit 7645e2359a
5 changed files with 99 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
self_hosting/bypass_cgnat/iptables/iptables-down.sh → self_hosting/bypass_cgnat/backup/iptables/iptables-down.sh
View file

0
self_hosting/bypass_cgnat/iptables/iptables-up.sh → self_hosting/bypass_cgnat/backup/iptables/iptables-up.sh
View file

0
self_hosting/bypass_cgnat/local.sh → self_hosting/bypass_cgnat/backup/local.sh
View file

0
self_hosting/bypass_cgnat/server.sh → self_hosting/bypass_cgnat/backup/server.sh
View file

99
self_hosting/bypass_cgnat/bypasscgnat.sh Normal file
View file

@ -0,0 +1,99 @@
#!/bin/sh
TCP="80 443"
UDP="80 443"
iptables_setup() {
MODE="$1"
SERVER_INT="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)"
WG_SERVER_IP="10.0.0.1"
WG_CLIENT_IP="10.0.0.2"
: "${tcpports:=$TCP}"
: "${udpports:=$UDP}"
if [ "$MODE" = "up" ] ; then
for port in $tcpports; do
iptables -A FORWARD -i "$SERVER_INT" -o wg0 -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i "$SERVER_INT" -p tcp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
ufw allow "$port"/tcp
done
for port in $udpports; do
iptables -A FORWARD -i "$SERVER_INT" -o wg0 -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i "$SERVER_INT" -p udp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
iptables -t nat -A POSTROUTING -o wg0 -p udp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
ufw allow "$port"/udp
done
fi
if [ "$MODE" = "down" ] ; then
for port in $tcpports; do
iptables -D FORWARD -i "$SERVER_INT" -o wg0 -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -D PREROUTING -i "$SERVER_INT" -p tcp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
ufw deny "$port"/tcp
done
for port in $udpports; do
iptables -D FORWARD -i "$SERVER_INT" -o wg0 -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -D PREROUTING -i "$SERVER_INT" -p udp --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
iptables -t nat -D POSTROUTING -o wg0 -p udp --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
ufw deny "$port"/udp
done
fi
ufw reload
return 0
}
[ "$1" = "up" ] && iptables_setup up && exit 0
[ "$1" = "down" ] && iptables_setup down && exit 0
install_wireguard() {
apt-get install -y wireguard iptables resolvconf
mkdir -p /etc/wireguard
chmod 600 -R /etc/wireguard/
}
wireguard_config() {
echo "net.ipv4.ip_forward = 1" >/etc/sysctl.d/wg.conf
sysctl -p
sysctl --system
SERVER_IP4="$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | awk '{print $1}' | head -1)"
SERVER_PRV_KEY=$(wg genkey)
SERVER_PUB_KEY=$(echo "${SERVER_PRV_KEY}" | wg pubkey)
CLIENT_PRV_KEY=$(wg genkey)
CLIENT_PUB_KEY=$(echo "${CLIENT_PRV_KEY}" | wg pubkey)
CLIENT_PRE_KEY=$(wg genpsk)
}
install_wireguard
wireguard_config
echo "[Interface]
PrivateKey = ${SERVER_PRV_KEY}
ListenPort = 55107
Address = 10.0.0.1/24
PostUp = /opt/bypasscgnat/bypasscgnat.sh up
PostDown = /opt/bypasscgnat/bypasscgnat.sh down
[Peer]
PublicKey = ${CLIENT_PUB_KEY}
PresharedKey = ${CLIENT_PRE_KEY}
AllowedIPs = 10.0.0.2/32" > /etc/wireguard/wg0.conf
printf '\n\033[1m\033[34m=== client configuration ===\033[0m\n\n'
echo "[Interface]
PrivateKey = ${CLIENT_PRV_KEY}
Address = 10.0.0.2
[Peer]
PublicKey = ${SERVER_PUB_KEY}
PresharedKey = ${CLIENT_PRE_KEY}
AllowedIPs = 10.0.0.1/32
Endpoint = ${SERVER_IP4}:55107
PersistentKeepalive = 25" | tee client.conf
echo