#!/bin/sh
# Ports forwarded from the server's public interface to the WireGuard client.
# Both are space-separated lists; at run time they can be overridden through
# the tcpports / udpports environment variables (see iptables_setup).
TCP='80 443'
UDP='80 443'
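#######################################
# Add or delete the FORWARD + NAT rules that redirect one public port to the
# WireGuard client (the "bypass CGNAT" port forward).
# Globals:   SERVER_INT, WG_CLIENT_IP, WG_SERVER_IP (read)
# Arguments: $1 - iptables rule action, -A (add) or -D (delete)
#            $2 - protocol, tcp or udp
#            $3 - port number
# Returns:   status of the last iptables call
#######################################
bypasscgnat_port_rules() {
  rule_action="$1"
  proto="$2"
  port="$3"
  # Match only the first packet of a TCP handshake; udp has no such flag.
  syn_match=""
  if [ "$proto" = "tcp" ]; then
    syn_match="--syn"
  fi
  # NOTE(review): only NEW connections are accepted here; acceptance of the
  # ESTABLISHED/RELATED return path on FORWARD is assumed to come from
  # elsewhere (e.g. ufw's default chains) - confirm on the target host.
  # shellcheck disable=SC2086 -- $syn_match is intentionally unquoted (empty for udp)
  iptables "$rule_action" FORWARD -i "$SERVER_INT" -o wg0 -p "$proto" $syn_match --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  # Inbound: rewrite the destination to the client, then source-NAT to the
  # tunnel address (presumably so the client's replies return via wg0
  # regardless of its own default route).
  iptables -t nat "$rule_action" PREROUTING -i "$SERVER_INT" -p "$proto" --dport "$port" -j DNAT --to-destination "$WG_CLIENT_IP"
  iptables -t nat "$rule_action" POSTROUTING -o wg0 -p "$proto" --dport "$port" -d "$WG_CLIENT_IP" -j SNAT --to-source "$WG_SERVER_IP"
}

#######################################
# Open (up) or close (down) the host firewall for one forwarded port.
# "down" deletes the allow rule instead of adding a deny rule: ufw evaluates
# rules in insertion order, so a deny added on "down" would take precedence
# over the allow added by the next "up" and leave the port blocked.
# ufw is optional (install_wireguard does not install it); without it this
# is a no-op.
# Arguments: $1 - up|down, $2 - tcp|udp, $3 - port
#######################################
bypasscgnat_ufw_rule() {
  command -v ufw >/dev/null 2>&1 || return 0
  if [ "$1" = "up" ]; then
    ufw allow "$3/$2"
  else
    ufw delete allow "$3/$2"
  fi
}

#######################################
# PostUp/PostDown hook body: forward the configured TCP/UDP ports from the
# default-route interface to the WireGuard client and open them in ufw.
# Every listed port becomes reachable from the internet on the server's
# public address and is delivered to the client - that is the intent.
# Globals:   TCP, UDP (read as defaults); tcpports, udpports (read; may be
#            preset in the environment to override TCP/UDP);
#            MODE, SERVER_INT, WG_SERVER_IP, WG_CLIENT_IP (written)
# Arguments: $1 - "up" to add the rules, "down" to remove them
# Returns:   0 (best effort, as before: individual iptables/ufw failures are
#            reported by the tools on stderr), 1 on an unknown mode argument
#######################################
iptables_setup() {
  MODE="$1"
  # Egress interface of the first default route = the public-facing NIC.
  # Plain awk instead of grep -P so the hook also works without GNU grep.
  SERVER_INT="$(ip -4 route ls | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')"
  # Tunnel addresses; must match Address/AllowedIPs in wg0.conf.
  WG_SERVER_IP="10.0.0.1"
  WG_CLIENT_IP="10.0.0.2"
  : "${tcpports:=$TCP}"
  : "${udpports:=$UDP}"

  case "$MODE" in
    up) rule_action="-A" ;;
    down) rule_action="-D" ;;
    *)
      printf 'usage: %s up|down\n' "$0" >&2
      return 1
      ;;
  esac

  if [ -z "$SERVER_INT" ]; then
    # Every iptables call below would be malformed without an interface:
    # report it once instead of spraying per-rule errors, but keep the
    # hook's exit status so a missing default route does not abort wg-quick.
    printf '%s: no default IPv4 route found; firewall rules for "%s" skipped\n' "$0" "$MODE" >&2
    return 0
  fi

  # $tcpports/$udpports are space-separated lists: word splitting is intended.
  # shellcheck disable=SC2086
  for port in $tcpports; do
    bypasscgnat_port_rules "$rule_action" tcp "$port"
    bypasscgnat_ufw_rule "$MODE" tcp "$port"
  done
  # shellcheck disable=SC2086
  for port in $udpports; do
    bypasscgnat_port_rules "$rule_action" udp "$port"
    bypasscgnat_ufw_rule "$MODE" udp "$port"
  done

  if command -v ufw >/dev/null 2>&1; then
    ufw reload
  fi
  return 0
}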
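# Hook entry point: when wg-quick runs this script as PostUp/PostDown with
# "up" or "down", only adjust the firewall and exit. Exiting unconditionally
# (with iptables_setup's status) guarantees the installer below - which
# regenerates keys and overwrites wg0.conf - can never run from a hook.
case "$1" in
  up|down)
    iptables_setup "$1"
    exit $?
    ;;
esac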
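#######################################
# Install WireGuard and its dependencies and lock down the config directory.
# ufw is used by the hook but is not installed here - it is assumed to be
# present already (the hook skips ufw when it is missing).
# Returns:   1 if the package install or mkdir fails, else chmod's status
#######################################
install_wireguard() {
  apt-get install -y wireguard iptables resolvconf || return 1
  mkdir -p /etc/wireguard || return 1
  # The directory will hold private keys: strip group/other access from
  # everything in it. "-R go-rwx" (instead of "-R 600") keeps the directory's
  # owner execute bit so it stays traversable, and uses the portable
  # option-before-mode argument order.
  chmod -R go-rwx /etc/wireguard
}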
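#######################################
# Enable IPv4 forwarding persistently and generate the server/client keys.
# Globals (written): SERVER_IP4, SERVER_PRV_KEY, SERVER_PUB_KEY,
#                    CLIENT_PRV_KEY, CLIENT_PUB_KEY, CLIENT_PRE_KEY
# Returns:   0 on success, 1 if any key could not be generated (previously a
#            failed `wg genkey` left an empty key that ended up in wg0.conf)
#######################################
wireguard_config() {
  printf 'net.ipv4.ip_forward = 1\n' >/etc/sysctl.d/wg.conf
  # `sysctl --system` reads /etc/sysctl.d/*.conf and /etc/sysctl.conf, so a
  # separate `sysctl -p` (which only reads /etc/sysctl.conf) is not needed.
  sysctl --system

  # First global-scope IPv4 address, used as the client's Endpoint.
  # NOTE(review): this is simply the first address `ip` lists; on a
  # multi-homed host it may not be the public one - check client.conf.
  SERVER_IP4="$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)"

  SERVER_PRV_KEY=$(wg genkey) || return 1
  SERVER_PUB_KEY=$(printf '%s\n' "$SERVER_PRV_KEY" | wg pubkey) || return 1

  CLIENT_PRV_KEY=$(wg genkey) || return 1
  CLIENT_PUB_KEY=$(printf '%s\n' "$CLIENT_PRV_KEY" | wg pubkey) || return 1
  CLIENT_PRE_KEY=$(wg genpsk) || return 1
  return 0
}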
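# Installer path: only reached when the script is not invoked as an
# up/down hook. Stop early if the install or key generation fails rather
# than writing a config with empty keys.
install_wireguard || exit 1
wireguard_config || exit 1

# Both files written below contain private keys and the preshared key.
# install_wireguard's chmod ran before wg0.conf existed, so without this the
# files would be created with the caller's default umask (typically
# world-readable). 077 makes them owner-only at creation time.
umask 077

WG_PORT=55107
# Path wg-quick executes for PostUp/PostDown; it must be where this script
# is installed (not verified here). Override with the HOOK_SCRIPT env var.
HOOK_SCRIPT="${HOOK_SCRIPT:-/opt/bypasscgnat/bypasscgnat.sh}"

cat >/etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = ${SERVER_PRV_KEY}
ListenPort = ${WG_PORT}
Address = 10.0.0.1/24

PostUp = ${HOOK_SCRIPT} up
PostDown = ${HOOK_SCRIPT} down

[Peer]
PublicKey = ${CLIENT_PUB_KEY}
PresharedKey = ${CLIENT_PRE_KEY}
AllowedIPs = 10.0.0.2/32
EOF

if [ -z "$SERVER_IP4" ]; then
  printf 'warning: could not determine the server IPv4 address; fix Endpoint in client.conf\n' >&2
fi

printf '\n\033[1m\033[34m=== client configuration ===\033[0m\n\n'

# Written to the current directory and echoed to the terminal so it can be
# copied to the client; it carries the client's private key and the PSK.
tee client.conf <<EOF
[Interface]
PrivateKey = ${CLIENT_PRV_KEY}
Address = 10.0.0.2

[Peer]
PublicKey = ${SERVER_PUB_KEY}
PresharedKey = ${CLIENT_PRE_KEY}
AllowedIPs = 10.0.0.1/32
Endpoint = ${SERVER_IP4}:${WG_PORT}
PersistentKeepalive = 25
EOF

echo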