From 4e04bee9152657a33a787e41625ed37ea0f4380d Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 5 Jul 2016 16:01:31 +0200
Subject: contrib: organize example scripts and add synergy
Signed-off-by: Jason A. Donenfeld
---
contrib/client-server-example/README | 16 ----------------
contrib/client-server-example/client.sh | 20 --------------------
contrib/client-server-example/server.sh | 14 --------------
contrib/ncat-client-server/README | 16 ++++++++++++++++
contrib/ncat-client-server/client.sh | 20 ++++++++++++++++++++
contrib/ncat-client-server/server.sh | 14 ++++++++++++++
contrib/synergy/README | 3 +++
contrib/synergy/synergy-client.sh | 18 ++++++++++++++++++
contrib/synergy/synergy-server.sh | 17 +++++++++++++++++
contrib/systemd/README | 5 +++++
contrib/systemd/wgserver.service | 15 +++++++++++++++
contrib/wgserver.service | 15 ---------------
12 files changed, 108 insertions(+), 65 deletions(-)
delete mode 100644 contrib/client-server-example/README
delete mode 100755 contrib/client-server-example/client.sh
delete mode 100755 contrib/client-server-example/server.sh
create mode 100644 contrib/ncat-client-server/README
create mode 100755 contrib/ncat-client-server/client.sh
create mode 100755 contrib/ncat-client-server/server.sh
create mode 100644 contrib/synergy/README
create mode 100755 contrib/synergy/synergy-client.sh
create mode 100755 contrib/synergy/synergy-server.sh
create mode 100644 contrib/systemd/README
create mode 100644 contrib/systemd/wgserver.service
delete mode 100644 contrib/wgserver.service
diff --git a/contrib/client-server-example/README b/contrib/client-server-example/README
deleted file mode 100644
index fd3088a..0000000
--- a/contrib/client-server-example/README
+++ /dev/null
@@ -1,16 +0,0 @@
- === IMPORTANT NOTE ===
-
-Do not use these scripts in production. They are simply a
-demonstration of how easy the `wg(8)` tool is at the command
-line, but by no means should you actually attempt to use
-these. They are horribly insecure and defeat the purpose
-of WireGuard.
-
- STAY AWAY!
-
-Distros: do not distribute these with your packages.
-
-
-
-That all said, this is a pretty cool example of just how
-darn easy WireGuard can be.
diff --git a/contrib/client-server-example/client.sh b/contrib/client-server-example/client.sh
deleted file mode 100755
index fbae46a..0000000
--- a/contrib/client-server-example/client.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-set -e
-[[ $UID == 0 ]] || { echo "You must be root to run this."; exit 1; }
-umask 077
-trap 'rm -f /tmp/wg_private_key' EXIT INT TERM
-exec 3<>/dev/tcp/demo.wireguard.io/42912
-wg genkey | tee /tmp/wg_private_key | wg pubkey >&3
-IFS=: read -r status server_pubkey server_port internal_ip <&3
-[[ $status == OK ]]
-ip link del dev wg0 2>/dev/null || true
-ip link add dev wg0 type wireguard
-wg set wg0 private-key /tmp/wg_private_key peer "$server_pubkey" allowed-ips 0.0.0.0/0 endpoint "demo.wireguard.io:$server_port"
-ip address add "$internal_ip"/24 dev wg0
-ip link set up dev wg0
-if [ "$1" == "default-route" ]; then
- host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
- ip route add $(ip route get $host | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null || true
- ip route add 0/1 dev wg0
- ip route add 128/1 dev wg0
-fi
diff --git a/contrib/client-server-example/server.sh b/contrib/client-server-example/server.sh
deleted file mode 100755
index e37861f..0000000
--- a/contrib/client-server-example/server.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-if [[ -z $NCAT_REMOTE_ADDR ]]; then
- ip link del dev wg0 2>/dev/null
- set -e
- ip link add dev wg0 type wireguard
- ip address add 192.168.4.1/24 dev wg0
- wg set wg0 private-key <(wg genkey) listen-port 12912
- ip link set up dev wg0
- exec ncat -e "$(readlink -f "$0")" -k -l -p 42912 -v
-fi
-read -r public_key
-[[ $(wg show wg0 | grep peer | wc -l) -ge 253 ]] && wg set wg0 peer $(wg show wg0 latest-handshakes | sort -k 2 -b -n | head -n 1 | cut -f 1) remove
-next_ip=$(all="$(wg show wg0 allowed-ips)"; for ((i=2; i<=254; i++)); do ip="192.168.4.$i"; [[ $all != *$ip/32* ]] && echo $ip && break; done)
-wg set wg0 peer "$public_key" allowed-ips $next_ip/32 2>/dev/null && echo "OK:$(wg show wg0 private-key | wg pubkey):$(wg show wg0 listen-port):$next_ip" || echo ERROR
diff --git a/contrib/ncat-client-server/README b/contrib/ncat-client-server/README
new file mode 100644
index 0000000..fd3088a
--- /dev/null
+++ b/contrib/ncat-client-server/README
@@ -0,0 +1,16 @@
+ === IMPORTANT NOTE ===
+
+Do not use these scripts in production. They are simply a
+demonstration of how easy the `wg(8)` tool is at the command
+line, but by no means should you actually attempt to use
+these. They are horribly insecure and defeat the purpose
+of WireGuard.
+
+ STAY AWAY!
+
+Distros: do not distribute these with your packages.
+
+
+
+That all said, this is a pretty cool example of just how
+darn easy WireGuard can be.
diff --git a/contrib/ncat-client-server/client.sh b/contrib/ncat-client-server/client.sh
new file mode 100755
index 0000000..fbae46a
--- /dev/null
+++ b/contrib/ncat-client-server/client.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+[[ $UID == 0 ]] || { echo "You must be root to run this."; exit 1; }
+umask 077
+trap 'rm -f /tmp/wg_private_key' EXIT INT TERM
+exec 3<>/dev/tcp/demo.wireguard.io/42912
+wg genkey | tee /tmp/wg_private_key | wg pubkey >&3
+IFS=: read -r status server_pubkey server_port internal_ip <&3
+[[ $status == OK ]]
+ip link del dev wg0 2>/dev/null || true
+ip link add dev wg0 type wireguard
+wg set wg0 private-key /tmp/wg_private_key peer "$server_pubkey" allowed-ips 0.0.0.0/0 endpoint "demo.wireguard.io:$server_port"
+ip address add "$internal_ip"/24 dev wg0
+ip link set up dev wg0
+if [ "$1" == "default-route" ]; then
+ host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
+ ip route add $(ip route get $host | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null || true
+ ip route add 0/1 dev wg0
+ ip route add 128/1 dev wg0
+fi
diff --git a/contrib/ncat-client-server/server.sh b/contrib/ncat-client-server/server.sh
new file mode 100755
index 0000000..e37861f
--- /dev/null
+++ b/contrib/ncat-client-server/server.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+if [[ -z $NCAT_REMOTE_ADDR ]]; then
+ ip link del dev wg0 2>/dev/null
+ set -e
+ ip link add dev wg0 type wireguard
+ ip address add 192.168.4.1/24 dev wg0
+ wg set wg0 private-key <(wg genkey) listen-port 12912
+ ip link set up dev wg0
+ exec ncat -e "$(readlink -f "$0")" -k -l -p 42912 -v
+fi
+read -r public_key
+[[ $(wg show wg0 | grep peer | wc -l) -ge 253 ]] && wg set wg0 peer $(wg show wg0 latest-handshakes | sort -k 2 -b -n | head -n 1 | cut -f 1) remove
+next_ip=$(all="$(wg show wg0 allowed-ips)"; for ((i=2; i<=254; i++)); do ip="192.168.4.$i"; [[ $all != *$ip/32* ]] && echo $ip && break; done)
+wg set wg0 peer "$public_key" allowed-ips $next_ip/32 2>/dev/null && echo "OK:$(wg show wg0 private-key | wg pubkey):$(wg show wg0 listen-port):$next_ip" || echo ERROR
diff --git a/contrib/synergy/README b/contrib/synergy/README
new file mode 100644
index 0000000..b75fb77
--- /dev/null
+++ b/contrib/synergy/README
@@ -0,0 +1,3 @@
+These scripts should be modified according to your precise setup.
+They provide a very simple way of tunneling synergy inside of a
+WireGuard tunnel, to protect your data in transit.
diff --git a/contrib/synergy/synergy-client.sh b/contrib/synergy/synergy-client.sh
new file mode 100755
index 0000000..56cfdb2
--- /dev/null
+++ b/contrib/synergy/synergy-client.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -ex
+if [[ $UID == 0 ]]; then
+ ip link del dev synergy || true
+ ip link add dev synergy type wireguard
+ ip address add 10.193.125.39/32 peer 10.193.125.38/32 dev synergy
+ wg set synergy \
+ listen-port 29184 \
+ private-key <(echo oNcsXA5Ma56q9xHmvvKuzLfwXYy7Uqy+bTmmXg/XtVs=) \
+ peer m321UMZXoJ6qw8Jli2spbAVBc2MdOzV/EHDKfZQy0g0= \
+ allowed-ips 10.193.125.38/32 \
+ endpoint 10.10.10.100:29184
+ ip link set up dev synergy
+else
+ sudo "$(readlink -f "$0")"
+ killall synergyc || true
+ synergyc 10.193.125.38:38382
+fi
diff --git a/contrib/synergy/synergy-server.sh b/contrib/synergy/synergy-server.sh
new file mode 100755
index 0000000..6bef423
--- /dev/null
+++ b/contrib/synergy/synergy-server.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -ex
+if [[ $UID == 0 ]]; then
+ ip link del dev synergy || true
+ ip link add dev synergy type wireguard
+ ip address add 10.193.125.38/32 peer 10.193.125.39/32 dev synergy
+ wg set synergy \
+ listen-port 29184 \
+ private-key <(echo 2InSrlZA5eQfI/MvnvPieqNTBo9cd+udc3SOO9yFpXo=) \
+ peer CBnoidQLjlbRsrqrI56WQbANWwkll41w/rVUIW9zISI= \
+ allowed-ips 10.193.125.39/32
+ ip link set up dev synergy
+else
+ sudo "$(readlink -f "$0")"
+ killall synergys || true
+ synergys -a 10.193.125.38:38382
+fi
diff --git a/contrib/systemd/README b/contrib/systemd/README
new file mode 100644
index 0000000..1ef51aa
--- /dev/null
+++ b/contrib/systemd/README
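Review bot: `set -ex` on the second line of synergy-client.sh switches on xtrace before the `wg set synergy … private-key <(echo oNcsXA5M…)` call runs, so bash prints a `+ echo <private key>` trace line to stderr on every start and the key ends up in the terminal, in any log that captures the script's output, and in whatever wraps it; synergy-server.sh in the next hunk has the same `set -ex` / `private-key <(echo 2InSrlZA…)` pair. Keep only `set -e` and point `private-key` at a root-owned file instead of inlining the key, e.g. `private-key /path/to/synergy.key \` with that file created at mode 0600, which also makes it less likely that the shipped example keys are kept verbatim when the script is adapted as the README asks. If tracing is still wanted for debugging, bracket just the `wg set` call with `set +x` and `set -x`.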
@@ -0,0 +1,5 @@
+Until WireGuard receives full integration to the various network
+management utilities, there are a number of ways of setting up
+a WireGuard tunnel at boot time. This systemd unit file is one
+such way of doing things. Probably it should be tweaked before
+using.
diff --git a/contrib/systemd/wgserver.service b/contrib/systemd/wgserver.service
new file mode 100644
index 0000000..dfce1e9
--- /dev/null
+++ b/contrib/systemd/wgserver.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=WireGuard Server
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ip link add dev wgserver type wireguard
+ExecStart=/bin/ip address add 192.168.177.1/24 dev wgserver
+ExecStart=/usr/bin/wg setconf wgserver /etc/wireguard-server.conf
+ExecStart=/bin/ip link set up dev wgserver
+ExecStop=/bin/sh -c 'umask 077; /usr/bin/wg showconf wgserver > /etc/wireguard-server.conf.tmp && mv /etc/wireguard-server.conf.tmp /etc/wireguard-server.conf'
+ExecStop=/bin/ip link del dev wgserver
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/wgserver.service b/contrib/wgserver.service
deleted file mode 100644
index dfce1e9..0000000
--- a/contrib/wgserver.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=WireGuard Server
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/ip link add dev wgserver type wireguard
-ExecStart=/bin/ip address add 192.168.177.1/24 dev wgserver
-ExecStart=/usr/bin/wg setconf wgserver /etc/wireguard-server.conf
-ExecStart=/bin/ip link set up dev wgserver
-ExecStop=/bin/sh -c 'umask 077; /usr/bin/wg showconf wgserver > /etc/wireguard-server.conf.tmp && mv /etc/wireguard-server.conf.tmp /etc/wireguard-server.conf'
-ExecStop=/bin/ip link del dev wgserver
-
-[Install]
-WantedBy=multi-user.target
--
cgit v1.2.3-59-g8ed1b