
generalized using variable

Toastie 1 year ago
parent
commit
ce26dcd78a
1 changed files with 26 additions and 22 deletions
      linux/wireguard/wg-persistent.sh

+ 26 - 22
linux/wireguard/wg-persistent.sh

@@ -1,34 +1,38 @@
 #!/bin/bash
 
+# Purpose: Make the running config from wg-instant.sh persistent
+
 ### References
 # https://wiki.archlinux.org/title/WireGuard
 
-# Make an running config from wg-instant.sh persistent
+### Variables
+server_ip='192.168.130.1/24'
+network='192.168.130.0/24'
+confdir='/etc/wireguard'
+interface='ens3' # $(ip link | grep -o -E "ens[0-9]")
+
 
+# Safe current configuration and
+# - remove the endpoint IP (assumption: endpoint IPs are dynamic)
+# - add server IP
+wg showconf wg0 | sed \
+ -e "/^Endpoint/d" \
+ -e "/^\[Interface]$/a Address = $server_ip" \
+ > $confdir/wg0.conf
 
-wg showconf wg0 > /etc/wireguard/wg0.conf
-# remove endpoint IPs from dynamic peers
-# add for [Interface]
-Address = 192.168.130.1/24
-PostUp = iptables -t nat -I POSTROUTING 1 -s 192.168.130.0/24 -o $(ip link | grep -o -E "ens[0-9]") -j MASQUERADE; iptables -I INPUT 1 -i %i -j ACCEPT; iptables -I FORWARD 1 -i $(ip link | grep -o -E "ens[0-9]") -o %i -j ACCEPT; iptables -I FORWARD 1 -i %i -o $(ip link | grep -o -E "ens[0-9]") -j ACCEPT; iptables -I INPUT 1 -i $(ip link | grep -o -E "ens[0-9]") -p udp --dport 51871 -j ACCEPT
-PostDown = iptables -t nat -D POSTROUTING -s 192.168.130.0/24 -o $(ip link | grep -o -E "ens[0-9]") -j MASQUERADE; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i $(ip link | grep -o -E "ens[0-9]") -o %i -j ACCEPT; iptables -D FORWARD -i %i -o $(ip link | grep -o -E "ens[0-9]") -j ACCEPT; iptables -D INPUT -i $(ip link | grep -o -E "ens[0-9]") -p udp --dport 51871 -j ACCEPT
+PostUp = iptables -t nat -I POSTROUTING 1 -s $network -o $interface -j MASQUERADE; iptables -I INPUT 1 -i %i -j ACCEPT; iptables -I FORWARD 1 -i $interface -o %i -j ACCEPT; iptables -I FORWARD 1 -i %i -o $interface -j ACCEPT; iptables -I INPUT 1 -i $interface -p udp --dport 51871 -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s $network -o $interface -j MASQUERADE; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i $interface -o %i -j ACCEPT; iptables -D FORWARD -i %i -o $interface -j ACCEPT; iptables -D INPUT -i $interface -p udp --dport 51871 -j ACCEPT
 
 ## Rules in several lines for better readability
-iptables -t nat -I POSTROUTING 1 -s 192.168.130.0/24 -o $(ip link | grep -o -E "ens[0-9]") -j MASQUERADE; 
+# wg-quick expands %i to the wireguard interface, here wg0
+iptables -t nat -I POSTROUTING 1 -s $network -o $interface -j MASQUERADE; 
 iptables -I INPUT 1 -i %i -j ACCEPT; 
-iptables -I FORWARD 1 -i $(ip link | grep -o -E "ens[0-9]") -o %i -j ACCEPT; 
-iptables -I FORWARD 1 -i %i -o $(ip link | grep -o -E "ens[0-9]") -j ACCEPT; 
-iptables -I INPUT 1 -i $(ip link | grep -o -E "ens[0-9]") -p udp --dport 51871 -j ACCEPT
+iptables -I FORWARD 1 -i $interface -o %i -j ACCEPT; 
+iptables -I FORWARD 1 -i %i -o $interface -j ACCEPT; 
+iptables -I INPUT 1 -i $interface -p udp --dport 51871 -j ACCEPT
 
-iptables -t nat -D POSTROUTING -s 192.168.130.0/24 -o $(ip link | grep -o -E "ens[0-9]") -j MASQUERADE; 
+iptables -t nat -D POSTROUTING -s $network -o $interface -j MASQUERADE; 
 iptables -D INPUT -i %i -j ACCEPT; 
-iptables -D FORWARD -i $(ip link | grep -o -E "ens[0-9]") -o %i -j ACCEPT; 
-iptables -D FORWARD -i %i -o $(ip link | grep -o -E "ens[0-9]") -j ACCEPT; 
-iptables -D INPUT -i $(ip link | grep -o -E "ens[0-9]") -p udp --dport 51871 -j ACCEPT
-
-iptables -t nat -D POSTROUTING -s 192.168.130.0/24 -o $(ip link | grep -o -E "ens[0-9]") -j MASQUERADE; 
-iptables -D INPUT -i wg0 -j ACCEPT; 
-iptables -D FORWARD -i $(ip link | grep -o -E "ens[0-9]") -o wg0 -j ACCEPT; 
-iptables -D FORWARD -i wg0 -o $(ip link | grep -o -E "ens[0-9]") -j ACCEPT; 
-iptables -D INPUT -i $(ip link | grep -o -E "ens[0-9]") -p udp --dport 51871 -j ACCEPT
-
+iptables -D FORWARD -i $interface -o %i -j ACCEPT; 
+iptables -D FORWARD -i %i -o $interface -j ACCEPT; 
+iptables -D INPUT -i $interface -p udp --dport 51871 -j ACCEPT
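Review bot: The redirection `> $confdir/wg0.conf` persists the output of `wg showconf`, which includes the interface `PrivateKey` and any peer `PresharedKey`, using the shell's default umask, so on most systems the file is created world-readable; put `umask 077` before the pipeline (or `chmod 600 "$confdir/wg0.conf"` right after it) and quote the path as `> "$confdir/wg0.conf"`. Without `set -o pipefail` a failing `wg showconf wg0` (interface not up) still leaves sed with empty input, so the redirect would truncate an existing `wg0.conf` to nothing; adding `set -euo pipefail` near the shebang, or writing to a temp file and moving it into place only on success, avoids that. The `PostUp =` / `PostDown =` lines that follow the pipeline are neither commented out nor appended to the config by the `sed` script, so the firewall rules are not part of the persisted file and, if the script is actually executed, bash will try to run `PostUp` as a command; either add them via a second `sed -e "/^\[Interface]$/a ..."` expression or prefix them with `#` to mark them as a template. The comment `# Safe current configuration and` presumably means `# Save current configuration and`.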