Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/examples/wg-config/Makefile | 11 | ||||
-rw-r--r-- | contrib/examples/wg-config/README | 140 | ||||
-rwxr-xr-x | contrib/examples/wg-config/wg-config | 183 |
3 files changed, 0 insertions, 334 deletions
diff --git a/contrib/examples/wg-config/Makefile b/contrib/examples/wg-config/Makefile
deleted file mode 100644
index 4fa264c..0000000
--- a/contrib/examples/wg-config/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-PREFIX ?= /usr
-DESTDIR ?=
-SBINDIR ?= $(PREFIX)/sbin
-
-all:
- @echo "This is a shell script, so there is nothing to do. Try \"make install\" instead."
-
-install:
- @install -v -m0755 -D -t$(DESTDIR)$(SBINDIR) wg-config
-
-.PHONY: all install
diff --git a/contrib/examples/wg-config/README b/contrib/examples/wg-config/README
deleted file mode 100644
index 93da029..0000000
--- a/contrib/examples/wg-config/README
+++ /dev/null
@@ -1,140 +0,0 @@
-== Installation ==
-
- # make install
-
-== Usage ==
-
-wg-config is a very simple utility for adding and configuring WireGuard
-interfaces using ip(8) and wg(8).
-
-Usage: wg-config [ add | del ] INTERFACE [arguments...]
-
- wg-config add INTERFACE --config=CONFIG_FILE [--address=ADDRESS/CIDR...]
- [--route=ROUTE/CIDR...] [--no-auto-route-from-allowed-ips]
- [--env-file=ENV_FILE]
-
- The add subcommand adds a new WireGuard interface, INTERFACE, replacing
- any existing interfaces of the same name. The --config argument is
- required, and its argument is passed to wg(8)'s setconf subcommand. The
- --address argument(s) is recommended for this utility to be useful. The
- --route argument is purely optional, as by default this utility will
- automatically add routes implied by --address and as implied by the
- allowed-ip entries inside the --config file. To disable this automatic
- route adding, you may use the option entitled --no-auto-route-from-allowed-ips.
-
- wg-config del INTERFACE [--config=CONFIG_FILE_TO_SAVE] [--env-file=ENV_FILE]
-
- The del subcommand removes an existing WireGuard interface. If the
- optional --config is specified, then the existing configuration is
- written out to the file specified, via wg(8)'s showconf subcommand.
-
-Both `add' and del' take the --env-file=ENV_FILE option. If specified,
-the contents of ENV_FILE are imported into wg-config. This can be used to
-set variables in a file, instead of needing to pass them on the command
-line. The following table shows the relation between the command line
-options described above, and variables that may be declared in ENV_FILE:
-
- --address=A, --address=B, --address=C ADDRESSES=( "A" "B" "C" )
- --route=A, --route=B, --route=C ADDITIONAL_ROUTES=( "A" "B" "C" )
- --config-file=F CONFIG_FILE="F"
- echo C > /tmp/F, --config-file=/tmp/F CONFIG_FILE_CONTENTS="C"
- --no-auto-route-from-allowed-ips AUTO_ROUTE=0
-
-Additionally, ENV_FILE may define the bash functions pre_add, post_add,
-pre_del, and post_del, which will be called at their respective times.
-
-== Basic Example ==
-
-This basic example might be used by a server.
-
-/etc/wireguard/wg-server.conf:
-
- [Interface]
- PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
- ListenPort = 41414
-
- [Peer]
- PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
- AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
-
- [Peer]
- PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
- AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
-
- [Peer]
- PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
- AllowedIPs = 10.10.10.230/32
-
-/etc/wireguard/wg-server.env:
-
- CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/wg-server.conf"
- ADDRESSES=( 10.192.122.1/34 10.10.0.1/16 )
-
-Run at startup:
-# wg-config add wgserver0 --env-file=/etc/wireguard/wg-server.env
-Run at shutdown:
-# wg-config del wgserver0 --env-file=/etc/wireguard/wg-server.env
-
-== Single File Advanced Example ==
-
-This type of configuration might be desirable for a personal access gateway
-VPN, connecting to a server like in the example above.
-
-/etc/wireguard/wg-vpn-gateway.env:
-
- CONFIG_FILE_CONTENTS="
- [Interface]
- PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
-
- [Peer]
- PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
- AllowedIPs = 0.0.0.0/0
- Endpoint = demo.wireguard.io:29912
- "
-
- ADDRESSES=( 10.200.100.2/32 )
-
- post_add() {
- printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
- }
- post_del() {
- cmd resolvconf -d "$INTERFACE"
- }
-
-Run to flip on the VPN:
-# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-Run to flip off the VPN:
-# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-
-== Advanced Example ==
-
-This achieves the same as the above, but with an external file. It only sets the
-configuration file when the subcommand is add, to prevent it from being overwritten.
-The above is much simpler and probably preferred, but this example shows how powerful
-the tool can be.
-
-/etc/wireguard/wg-vpn-gateway.conf:
-
- [Interface]
- PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
-
- [Peer]
- PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
- AllowedIPs = 0.0.0.0/0
- Endpoint = demo.wireguard.io:29912
-
-/etc/wireguard/wg-vpn-gateway.env:
-
- [[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
- ADDRESSES=( 10.200.100.2/32 )
- post_add() {
- printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
- }
- post_del() {
- cmd resolvconf -d "$INTERFACE"
- }
-
-Run to flip on the VPN:
-# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-The config file is not overwritten on shutdown, due to the conditional in the env file:
-# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
diff --git a/contrib/examples/wg-config/wg-config b/contrib/examples/wg-config/wg-config
deleted file mode 100755
index 8d8d4e7..0000000
--- a/contrib/examples/wg-config/wg-config
+++ /dev/null
@@ -1,183 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-
-SELF="$(readlink -f "${BASH_SOURCE[0]}")"
-export PATH="${SELF%/*}:$PATH"
-
-cmd() {
- echo "[#] $*" >&2
- "$@"
-}
-
-auto_su() {
- [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " "$SELF" "${ARGS[@]}"
-}
-
-unwind() {
- set +e
- [[ -n $INTERFACE && -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] && del_if
- exit
-}
-
-add_if() {
- ip link delete dev "$INTERFACE" 2>/dev/null || true
- cmd ip link add "$INTERFACE" type wireguard
-}
-
-del_if() {
- [[ -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] || { echo "$PROGRAM: \`$INTERFACE' is not a WireGuard interface" >&2; exit 1; }
- if [[ $(ip route show table all) =~ .*\ dev\ $INTERFACE\ table\ ([0-9]+)\ .* ]]; then
- cmd ip rule delete table ${BASH_REMATCH[1]}
- fi
- cmd ip link delete dev "$INTERFACE"
-}
-
-up_if() {
- cmd ip link set "$INTERFACE" up
-}
-
-add_addr() {
- cmd ip address add "$1" dev "$INTERFACE"
-}
-
-add_route() {
- if [[ $1 == 0.0.0.0/0 || $1 == ::/0 ]]; then
- add_default "$1"
- else
- cmd ip route add "$1" dev "$INTERFACE"
- fi
-}
-
-add_default() {
- [[ $(join <(wg show "$INTERFACE" allowed-ips) <(wg show "$INTERFACE" endpoints)) =~ .*\ ${1//./\\.}\ ([0-9.:a-f]+):[0-9]+$ ]] && local endpoint="${BASH_REMATCH[1]}"
- [[ -n $endpoint ]] || return 0
- local table=51820
- while [[ -n $(ip route show table $table) ]]; do ((table++)); done
- cmd ip route add "$1" dev "$INTERFACE" table $table
- cmd ip rule add not to "$endpoint" table $table
-}
-
-set_config() {
- if [[ -n $CONFIG_FILE_CONTENTS ]]; then
- cmd wg setconf "$INTERFACE" <(echo "$CONFIG_FILE_CONTENTS")
- else
- cmd wg setconf "$INTERFACE" "$CONFIG_FILE"
- fi
-}
-
-save_config() {
- local old_umask="$(umask)"
- umask 077
- cmd wg showconf "$INTERFACE" > "$CONFIG_FILE.tmp" || { rm -f "$CONFIG_FILE.tmp"; exit 1; }
- mv "$CONFIG_FILE.tmp" "$CONFIG_FILE" || { rm -f "$CONFIG_FILE.tmp"; exit 1; }
- umask "$old_umask"
-}
-
-cmd_usage() {
- cat >&2 <<-_EOF
- Usage: $PROGRAM [ add | del ] INTERFACE [arguments...]
-
- $PROGRAM add INTERFACE --config=CONFIG_FILE [--address=ADDRESS/CIDR...]
- [--route=ROUTE/CIDR...] [--no-auto-route-from-allowed-ips]
- [--env-file=ENV_FILE]
-
- The add subcommand adds a new WireGuard interface, INTERFACE, replacing
- any existing interfaces of the same name. The --config argument is
- required, and its argument is passed to wg(8)'s setconf subcommand. The
- --address argument(s) is recommended for this utility to be useful. The
- --route argument is purely optional, as by default this utility will
- automatically add routes implied by --address and as implied by the
- allowed-ip entries inside the --config file. To disable this automatic
- route adding, you may use the option entitled --no-auto-route-from-allowed-ips.
-
- $PROGRAM del INTERFACE [--config=CONFIG_FILE_TO_SAVE] [--env-file=ENV_FILE]
-
- The del subcommand removes an existing WireGuard interface. If the
- optional --config is specified, then the existing configuration is
- written out to the file specified, via wg(8)'s showconf subcommand.
-
- $PROGRAM help
-
- Show this message.
-
- Both \`add' and ``del' take the --env-file=ENV_FILE option. If specified,
- the contents of ENV_FILE are imported into $PROGRAM. This can be used to
- set variables in a file, instead of needing to pass them on the command
- line. The following table shows the relation between the command line
- options described above, and variables that may be declared in ENV_FILE:
-
- --address=A, --address=B, --address=C ADDRESSES=( "A" "B" "C" )
- --route=A, --route=B, --route=C ADDITIONAL_ROUTES=( "A" "B" "C" )
- --config-file=F CONFIG_FILE="F"
- echo C > /tmp/F, --config-file=/tmp/F CONFIG_FILE_CONTENTS="C"
- --no-auto-route-from-allowed-ips AUTO_ROUTE=0
-
- Additionally, ENV_FILE may define the bash functions pre_add, post_add,
- pre_del, and post_del, which will be called at their respective times.
- _EOF
-}
-
-cmd_add() {
- local i
- [[ -n $CONFIG_FILE || -n $CONFIG_FILE_CONTENTS ]] || { echo "$PROGRAM: --config is required for add subcommand" >&2; exit 1; }
- auto_su
- trap unwind INT TERM EXIT
- [[ $(type -t pre_add) != function ]] || pre_add
- add_if
- set_config
- for i in "${ADDRESSES[@]}"; do
- add_addr "$i"
- done
- up_if
- if [[ $AUTO_ROUTE -eq 1 ]]; then
- for i in $(wg show "$INTERFACE" allowed-ips | grep -Po '(?<=[\t ])[0-9.:/a-f]+' | sort -nr -k 2 -t /); do
- [[ $(ip route get "$i" 2>/dev/null) == *dev\ $INTERFACE\ * ]] || add_route "$i"
- done
- fi
- for i in "${ADDITIONAL_ROUTES[@]}"; do
- add_route "$i"
- done
- [[ $(type -t post_add) != function ]] || post_add
- trap - INT TERM EXIT
-}
-
-cmd_del() {
- auto_su
- [[ $(type -t pre_del) != function ]] || pre_del
- [[ -n $CONFIG_FILE ]] && save_config
- del_if
- [[ $(type -t post_del) != function ]] || post_del
-}
-
-declare INTERFACE="$2"
-declare SUBCOMMAND="$1"
-declare -a ADDRESSES
-declare -a ADDITIONAL_ROUTES
-declare AUTO_ROUTE=1
-declare CONFIG_FILE
-declare CONFIG_FILE_CONTENTS
-declare PROGRAM="${0##*/}"
-declare -a ARGS=( "$@" )
-
-[[ -n $INTERFACE && -n $SUBCOMMAND ]] || { cmd_usage; exit 1; }
-
-shift 2
-
-for arg; do
- case "$arg" in
- --env-file=*) source "${arg#*=}" ;;
- --config=*) CONFIG_FILE="${arg#*=}" ;;
- --address=*) ADDRESSES+=( ${arg#*=} ) ;;
- --route=*) ADDITIONAL_ROUTES+=( ${arg#*=} ) ;;
- --no-auto-route-from-allowed-ips) AUTO_ROUTE=0 ;;
- *) cmd_usage; exit 1 ;;
- esac
-done
-
-case "$SUBCOMMAND" in
-add) cmd_add ;;
-del) cmd_del ;;
-*) cmd_usage; exit 1 ;;
-esac
-
-exit 0 |