Created
February 19, 2024 22:27
-
-
Save dgavshin/79d2bb4af7a76834419243d4b8d71c37 to your computer and use it in GitHub Desktop.
A script that parses the Wireguard configuration input file and configures OpenWRT firewall rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Parse wireguard config file and setup OpenWRT firewall rules | |
| FILE=$1 | |
| if [ -z $FILE ]; then | |
| echo "Usage: $0 <config-file>" | |
| exit 1 | |
| fi | |
| function read_property { | |
| FILE=$1 | |
| PROPERTY=$2 | |
| cat $FILE | grep $PROPERTY | awk '{print $3}' | |
| } | |
| echo "[+] Setting up Wireguard VPN from $FILE" | |
| VPN_IF="vpn" | |
| ENDPOINT=$(read_property $FILE Endpoint) | |
| VPN_SERV=$(echo $ENDPOINT | awk -F: '{print $1}') | |
| VPN_PORT=$(echo $ENDPOINT | awk -F: '{print $2}') | |
| VPN_ADDR=$(read_property $FILE Address) | |
| VPN_ADDR6="" | |
| VPN_KEY=$(read_property $FILE PrivateKey) | |
| VPN_PSK=$(read_property $FILE PresharedKey) | |
| VPN_PUB=$(read_property $FILE PublicKey) | |
| echo "[+] VPN Server: $VPN_SERV:$VPN_PORT" | |
| echo "[+] Configure firewall" | |
| uci rename firewall.@zone[0]="lan" | |
| uci rename firewall.@zone[1]="wan" | |
| uci del_list firewall.wan.network="${VPN_IF}" | |
| uci add_list firewall.wan.network="${VPN_IF}" | |
| uci commit firewall | |
| service firewall restart | |
| echo "[+] Create wireguard interface" | |
| echo "[+] Configure network" | |
| uci -q delete network.${VPN_IF} | |
| uci set network.${VPN_IF}="interface" | |
| uci set network.${VPN_IF}.proto="wireguard" | |
| uci set network.${VPN_IF}.private_key="${VPN_KEY}" | |
| uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}" | |
| uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}" | |
| echo "[+] Add VPN peers" | |
| uci -q delete network.wgserver | |
| uci set network.wgserver="wireguard_${VPN_IF}" | |
| uci set network.wgserver.public_key="${VPN_PUB}" | |
| uci set network.wgserver.preshared_key="${VPN_PSK}" | |
| uci set network.wgserver.endpoint_host="${VPN_SERV}" | |
| uci set network.wgserver.endpoint_port="${VPN_PORT}" | |
| uci set network.wgserver.persistent_keepalive="25" | |
| uci set network.wgserver.route_allowed_ips="1" | |
| uci add_list network.wgserver.allowed_ips="0.0.0.0/0" | |
| uci add_list network.wgserver.allowed_ips="::/0" | |
| uci commit network | |
| service network restart | |
| echo "[+] Configure Kill-Switch" | |
| uci -q delete "firewall.${VPN_IF}" | |
| uci set firewall.${VPN_IF}="zone" | |
| uci set firewall.${VPN_IF}.name="${VPN_IF}" | |
| uci set firewall.${VPN_IF}.input="REJECT" | |
| uci set firewall.${VPN_IF}.output="ACCEPT" | |
| uci set firewall.${VPN_IF}.forward="REJECT" | |
| uci set firewall.${VPN_IF}.masq="1" | |
| uci set firewall.${VPN_IF}.mtu_fix="1" | |
| uci add_list firewall.${VPN_IF}.network="${VPN_IF}" | |
| uci del_list firewall.wan.network="${VPN_IF}" | |
| uci -q delete firewall.@forwarding[0] | |
| uci set firewall.lan_vpn="forwarding" | |
| uci set firewall.lan_vpn.src="lan" | |
| uci set firewall.lan_vpn.dest="${VPN_IF}" | |
| uci commit firewall | |
| service firewall restart | |
| echo "[+] Done ^_^" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment