authorJason A. Donenfeld <Jason@zx2c4.com>2017-01-02 05:33:43 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2017-01-05 02:30:20 +0100
commit9436363a913c318a01d198a565fc6655cbe553d8 (patch)
treeaaa3a95daeb4f50e29661eff6cf6a6c59e323153 /contrib
parenttools: add bash completion for wg(8) (diff)
tools: add wg-quick
This is based on wg-config, but is even easier to use, and now makes our full tools suite.
Diffstat (limited to 'contrib')
-rw-r--r--contrib/examples/wg-config/Makefile11
-rw-r--r--contrib/examples/wg-config/README140
-rwxr-xr-xcontrib/examples/wg-config/wg-config183
3 files changed, 0 insertions, 334 deletions
diff --git a/contrib/examples/wg-config/Makefile b/contrib/examples/wg-config/Makefile
deleted file mode 100644
index 4fa264c..0000000
--- a/contrib/examples/wg-config/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-PREFIX ?= /usr
-DESTDIR ?=
-SBINDIR ?= $(PREFIX)/sbin
-
-all:
- @echo "This is a shell script, so there is nothing to do. Try \"make install\" instead."
-
-install:
- @install -v -m0755 -D -t$(DESTDIR)$(SBINDIR) wg-config
-
-.PHONY: all install
diff --git a/contrib/examples/wg-config/README b/contrib/examples/wg-config/README
deleted file mode 100644
index 93da029..0000000
--- a/contrib/examples/wg-config/README
+++ /dev/null
@@ -1,140 +0,0 @@
-== Installation ==
-
- # make install
-
-== Usage ==
-
-wg-config is a very simple utility for adding and configuring WireGuard
-interfaces using ip(8) and wg(8).
-
-Usage: wg-config [ add | del ] INTERFACE [arguments...]
-
- wg-config add INTERFACE --config=CONFIG_FILE [--address=ADDRESS/CIDR...]
- [--route=ROUTE/CIDR...] [--no-auto-route-from-allowed-ips]
- [--env-file=ENV_FILE]
-
- The add subcommand adds a new WireGuard interface, INTERFACE, replacing
- any existing interfaces of the same name. The --config argument is
- required, and its argument is passed to wg(8)'s setconf subcommand. The
- --address argument(s) is recommended for this utility to be useful. The
- --route argument is purely optional, as by default this utility will
- automatically add routes implied by --address and as implied by the
- allowed-ip entries inside the --config file. To disable this automatic
- route adding, you may use the option entitled --no-auto-route-from-allowed-ips.
-
- wg-config del INTERFACE [--config=CONFIG_FILE_TO_SAVE] [--env-file=ENV_FILE]
-
- The del subcommand removes an existing WireGuard interface. If the
- optional --config is specified, then the existing configuration is
- written out to the file specified, via wg(8)'s showconf subcommand.
-
-Both `add' and del' take the --env-file=ENV_FILE option. If specified,
-the contents of ENV_FILE are imported into wg-config. This can be used to
-set variables in a file, instead of needing to pass them on the command
-line. The following table shows the relation between the command line
-options described above, and variables that may be declared in ENV_FILE:
-
- --address=A, --address=B, --address=C ADDRESSES=( "A" "B" "C" )
- --route=A, --route=B, --route=C ADDITIONAL_ROUTES=( "A" "B" "C" )
- --config-file=F CONFIG_FILE="F"
- echo C > /tmp/F, --config-file=/tmp/F CONFIG_FILE_CONTENTS="C"
- --no-auto-route-from-allowed-ips AUTO_ROUTE=0
-
-Additionally, ENV_FILE may define the bash functions pre_add, post_add,
-pre_del, and post_del, which will be called at their respective times.
-
-== Basic Example ==
-
-This basic example might be used by a server.
-
-/etc/wireguard/wg-server.conf:
-
- [Interface]
- PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
- ListenPort = 41414
-
- [Peer]
- PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
- AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
-
- [Peer]
- PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
- AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
-
- [Peer]
- PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
- AllowedIPs = 10.10.10.230/32
-
-/etc/wireguard/wg-server.env:
-
- CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/wg-server.conf"
- ADDRESSES=( 10.192.122.1/34 10.10.0.1/16 )
-
-Run at startup:
-# wg-config add wgserver0 --env-file=/etc/wireguard/wg-server.env
-Run at shutdown:
-# wg-config del wgserver0 --env-file=/etc/wireguard/wg-server.env
-
-== Single File Advanced Example ==
-
-This type of configuration might be desirable for a personal access gateway
-VPN, connecting to a server like in the example above.
-
-/etc/wireguard/wg-vpn-gateway.env:
-
- CONFIG_FILE_CONTENTS="
- [Interface]
- PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
-
- [Peer]
- PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
- AllowedIPs = 0.0.0.0/0
- Endpoint = demo.wireguard.io:29912
- "
-
- ADDRESSES=( 10.200.100.2/32 )
-
- post_add() {
- printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
- }
- post_del() {
- cmd resolvconf -d "$INTERFACE"
- }
-
-Run to flip on the VPN:
-# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-Run to flip off the VPN:
-# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-
-== Advanced Example ==
-
-This achieves the same as the above, but with an external file. It only sets the
-configuration file when the subcommand is add, to prevent it from being overwritten.
-The above is much simpler and probably preferred, but this example shows how powerful
-the tool can be.
-
-/etc/wireguard/wg-vpn-gateway.conf:
-
- [Interface]
- PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
-
- [Peer]
- PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
- AllowedIPs = 0.0.0.0/0
- Endpoint = demo.wireguard.io:29912
-
-/etc/wireguard/wg-vpn-gateway.env:
-
- [[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
- ADDRESSES=( 10.200.100.2/32 )
- post_add() {
- printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
- }
- post_del() {
- cmd resolvconf -d "$INTERFACE"
- }
-
-Run to flip on the VPN:
-# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-The config file is not overwritten on shutdown, due to the conditional in the env file:
-# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
diff --git a/contrib/examples/wg-config/wg-config b/contrib/examples/wg-config/wg-config
deleted file mode 100755
index 8d8d4e7..0000000
--- a/contrib/examples/wg-config/wg-config
+++ /dev/null
@@ -1,183 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-
-SELF="$(readlink -f "${BASH_SOURCE[0]}")"
-export PATH="${SELF%/*}:$PATH"
-
-cmd() {
- echo "[#] $*" >&2
- "$@"
-}
-
-auto_su() {
- [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " "$SELF" "${ARGS[@]}"
-}
-
-unwind() {
- set +e
- [[ -n $INTERFACE && -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] && del_if
- exit
-}
-
-add_if() {
- ip link delete dev "$INTERFACE" 2>/dev/null || true
- cmd ip link add "$INTERFACE" type wireguard
-}
-
-del_if() {
- [[ -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] || { echo "$PROGRAM: \`$INTERFACE' is not a WireGuard interface" >&2; exit 1; }
- if [[ $(ip route show table all) =~ .*\ dev\ $INTERFACE\ table\ ([0-9]+)\ .* ]]; then
- cmd ip rule delete table ${BASH_REMATCH[1]}
- fi
- cmd ip link delete dev "$INTERFACE"
-}
-
-up_if() {
- cmd ip link set "$INTERFACE" up
-}
-
-add_addr() {
- cmd ip address add "$1" dev "$INTERFACE"
-}
-
-add_route() {
- if [[ $1 == 0.0.0.0/0 || $1 == ::/0 ]]; then
- add_default "$1"
- else
- cmd ip route add "$1" dev "$INTERFACE"
- fi
-}
-
-add_default() {
- [[ $(join <(wg show "$INTERFACE" allowed-ips) <(wg show "$INTERFACE" endpoints)) =~ .*\ ${1//./\\.}\ ([0-9.:a-f]+):[0-9]+$ ]] && local endpoint="${BASH_REMATCH[1]}"
- [[ -n $endpoint ]] || return 0
- local table=51820
- while [[ -n $(ip route show table $table) ]]; do ((table++)); done
- cmd ip route add "$1" dev "$INTERFACE" table $table
- cmd ip rule add not to "$endpoint" table $table
-}
-
-set_config() {
- if [[ -n $CONFIG_FILE_CONTENTS ]]; then
- cmd wg setconf "$INTERFACE" <(echo "$CONFIG_FILE_CONTENTS")
- else
- cmd wg setconf "$INTERFACE" "$CONFIG_FILE"
- fi
-}
-
-save_config() {
- local old_umask="$(umask)"
- umask 077
- cmd wg showconf "$INTERFACE" > "$CONFIG_FILE.tmp" || { rm -f "$CONFIG_FILE.tmp"; exit 1; }
- mv "$CONFIG_FILE.tmp" "$CONFIG_FILE" || { rm -f "$CONFIG_FILE.tmp"; exit 1; }
- umask "$old_umask"
-}
-
-cmd_usage() {
- cat >&2 <<-_EOF
- Usage: $PROGRAM [ add | del ] INTERFACE [arguments...]
-
- $PROGRAM add INTERFACE --config=CONFIG_FILE [--address=ADDRESS/CIDR...]
- [--route=ROUTE/CIDR...] [--no-auto-route-from-allowed-ips]
- [--env-file=ENV_FILE]
-
- The add subcommand adds a new WireGuard interface, INTERFACE, replacing
- any existing interfaces of the same name. The --config argument is
- required, and its argument is passed to wg(8)'s setconf subcommand. The
- --address argument(s) is recommended for this utility to be useful. The
- --route argument is purely optional, as by default this utility will
- automatically add routes implied by --address and as implied by the
- allowed-ip entries inside the --config file. To disable this automatic
- route adding, you may use the option entitled --no-auto-route-from-allowed-ips.
-
- $PROGRAM del INTERFACE [--config=CONFIG_FILE_TO_SAVE] [--env-file=ENV_FILE]
-
- The del subcommand removes an existing WireGuard interface. If the
- optional --config is specified, then the existing configuration is
- written out to the file specified, via wg(8)'s showconf subcommand.
-
- $PROGRAM help
-
- Show this message.
-
- Both \`add' and ``del' take the --env-file=ENV_FILE option. If specified,
- the contents of ENV_FILE are imported into $PROGRAM. This can be used to
- set variables in a file, instead of needing to pass them on the command
- line. The following table shows the relation between the command line
- options described above, and variables that may be declared in ENV_FILE:
-
- --address=A, --address=B, --address=C ADDRESSES=( "A" "B" "C" )
- --route=A, --route=B, --route=C ADDITIONAL_ROUTES=( "A" "B" "C" )
- --config-file=F CONFIG_FILE="F"
- echo C > /tmp/F, --config-file=/tmp/F CONFIG_FILE_CONTENTS="C"
- --no-auto-route-from-allowed-ips AUTO_ROUTE=0
-
- Additionally, ENV_FILE may define the bash functions pre_add, post_add,
- pre_del, and post_del, which will be called at their respective times.
- _EOF
-}
-
-cmd_add() {
- local i
- [[ -n $CONFIG_FILE || -n $CONFIG_FILE_CONTENTS ]] || { echo "$PROGRAM: --config is required for add subcommand" >&2; exit 1; }
- auto_su
- trap unwind INT TERM EXIT
- [[ $(type -t pre_add) != function ]] || pre_add
- add_if
- set_config
- for i in "${ADDRESSES[@]}"; do
- add_addr "$i"
- done
- up_if
- if [[ $AUTO_ROUTE -eq 1 ]]; then
- for i in $(wg show "$INTERFACE" allowed-ips | grep -Po '(?<=[\t ])[0-9.:/a-f]+' | sort -nr -k 2 -t /); do
- [[ $(ip route get "$i" 2>/dev/null) == *dev\ $INTERFACE\ * ]] || add_route "$i"
- done
- fi
- for i in "${ADDITIONAL_ROUTES[@]}"; do
- add_route "$i"
- done
- [[ $(type -t post_add) != function ]] || post_add
- trap - INT TERM EXIT
-}
-
-cmd_del() {
- auto_su
- [[ $(type -t pre_del) != function ]] || pre_del
- [[ -n $CONFIG_FILE ]] && save_config
- del_if
- [[ $(type -t post_del) != function ]] || post_del
-}
-
-declare INTERFACE="$2"
-declare SUBCOMMAND="$1"
-declare -a ADDRESSES
-declare -a ADDITIONAL_ROUTES
-declare AUTO_ROUTE=1
-declare CONFIG_FILE
-declare CONFIG_FILE_CONTENTS
-declare PROGRAM="${0##*/}"
-declare -a ARGS=( "$@" )
-
-[[ -n $INTERFACE && -n $SUBCOMMAND ]] || { cmd_usage; exit 1; }
-
-shift 2
-
-for arg; do
- case "$arg" in
- --env-file=*) source "${arg#*=}" ;;
- --config=*) CONFIG_FILE="${arg#*=}" ;;
- --address=*) ADDRESSES+=( ${arg#*=} ) ;;
- --route=*) ADDITIONAL_ROUTES+=( ${arg#*=} ) ;;
- --no-auto-route-from-allowed-ips) AUTO_ROUTE=0 ;;
- *) cmd_usage; exit 1 ;;
- esac
-done
-
-case "$SUBCOMMAND" in
-add) cmd_add ;;
-del) cmd_del ;;
-*) cmd_usage; exit 1 ;;
-esac
-
-exit 0