DESTDIR ?=
SBINDIR ?= $(PREFIX)/sbin
-SCRIPTS := wg-config tungate
-
all:
- @echo "These are shell scripts, so there is nothing to do. Try \"make install\" instead."
+ @echo "This is a shell script, so there is nothing to do. Try \"make install\" instead."
install:
- @install -v -m0755 -D -t$(DESTDIR)$(SBINDIR) $(SCRIPTS)
+ @install -v -m0755 -D -t$(DESTDIR)$(SBINDIR) wg-config
.PHONY: all install
Additionally, ENV_FILE may define the bash functions pre_add, post_add,
pre_del, and post_del, which will be called at their respective times.
+== Basic Example ==
-== Helper Tool ==
-
-tungate is a separate utility, developed originally not explicitly for
-WireGuard, which acts as a poor man's way of ensuring 0/1 and 128/1 default
-route overrides still work with an endpoint going over the original default
-route. It's quite handy, and wg-config makes use of it for dealing with
-0.0.0.0/0 routes. At the moment it only supports IPv4, but adding IPv6
-should be pretty easy.
-
-== Example ==
+This basic example might be used by a server.
/etc/wireguard/wg-server.conf:
Run at shutdown:
# wg-config del wgserver0 --env-file=/etc/wireguard/wg-server.env
-== Advanced Example ==
+== Single File Advanced Example ==
-/etc/wireguard/wg-vpn-gateway.conf:
+This type of configuration might be desirable for a personal access gateway
+VPN, connecting to a server like in the example above.
+
+/etc/wireguard/wg-vpn-gateway.env:
+ CONFIG_FILE_CONTENTS="
[Interface]
PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
AllowedIPs = 0.0.0.0/0
Endpoint = demo.wireguard.io:29912
+ "
-/etc/wireguard/wg-vpn-gateway.env:
-
- [[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
ADDRESSES=( 10.200.100.2/32 )
+
post_add() {
printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
}
Run to flip on the VPN:
# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-The config file is not overwritten on shutdown, due to the conditional in the env file:
+Run to flip off the VPN:
# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-== Single File Advanced Example ==
+== Advanced Example ==
-/etc/wireguard/wg-vpn-gateway.env:
+This achieves the same as the above, but with an external file. It only sets the
+configuration file when the subcommand is add, to prevent it from being overwritten.
+The above is much simpler and probably preferred, but this example shows how powerful
+the tool can be.
+
+/etc/wireguard/wg-vpn-gateway.conf:
- CONFIG_FILE_CONTENTS="
[Interface]
PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
AllowedIPs = 0.0.0.0/0
Endpoint = demo.wireguard.io:29912
- "
- ADDRESSES=( 10.200.100.2/32 )
+/etc/wireguard/wg-vpn-gateway.env:
+ [[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
+ ADDRESSES=( 10.200.100.2/32 )
post_add() {
printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
}
Run to flip on the VPN:
# wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
-Run to flip off the VPN:
+The config file is not overwritten on shutdown, due to the conditional in the env file:
# wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
+++ /dev/null
-#!/bin/bash
-
-unwind() {
- ip route del "$1/32" 2>/dev/null
- exit
-}
-
-short_route() {
- ip route | sed -n "s/$1 \\(.* dev [^ ]\\+\\).*/\\1/p" | head -n 1
-}
-
-resolve_ip() {
- local filter='/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$/{p;q;}'
- [[ $(sed -n "$filter" <<<"$1") == "$1" ]] && echo "$1" ||
- host -t a "$1" | cut -d ' ' -f 4 | sed -n "$filter"
-}
-
-set_route() {
- local default_route="$(short_route default)"
- [[ -n $default_route ]] || { echo "[-] Could not determine default route"; return; }
- echo "[+] Adding route for $1 to be $default_route"
- ip route del "$1/32" 2>/dev/null
- ip route add "$1/32" $default_route
-}
-
-check_loop() {
- local ip="$(resolve_ip "$1")"
- [[ -n $ip ]] || { echo "[-] Could not determine IP of '$1'" && return 1; }
- echo "[+] Making sure $ip goes over the default (non-0/1,128/1) route"
-
- set_route "$ip"
- trap unwind INT TERM EXIT
-
- while read -r; do
- [[ $(short_route "$ip") != "$(short_route default)" ]] && set_route "$ip"
- done < <(exec ip monitor route)
-}
-
-[[ $# -ne 1 ]] && { echo "Usage: $0 IP|HOST" >&2; exit 1; }
-[[ $UID -ne 0 ]] && exec sudo "$(readlink -f "$0")" "$@"
-
-check_loop "$1"
-exit $?
unwind() {
set +e
- [[ -n $INTERFACE && -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] && cmd ip link delete dev "$INTERFACE"
+ [[ -n $INTERFACE && -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] && del_if
exit
}
del_if() {
[[ -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] || { echo "$PROGRAM: \`$INTERFACE' is not a WireGuard interface" >&2; exit 1; }
+ if [[ $(ip route show table all) =~ .*\ dev\ $INTERFACE\ table\ ([0-9]+)\ .* ]]; then
+ cmd ip rule delete table ${BASH_REMATCH[1]}
+ fi
cmd ip link delete dev "$INTERFACE"
}
}
add_route() {
- cmd ip route add "$1" dev "$INTERFACE"
+ if [[ $1 == 0.0.0.0/0 || $1 == ::/0 ]]; then
+ add_default "$1"
+ else
+ cmd ip route add "$1" dev "$INTERFACE"
+ fi
}
add_default() {
- if [[ $1 == ::/0 ]]; then
- echo "tungate: does not yet support IPv6, skipping ::/0" >&2
- return 0
- elif [[ $1 == 0.0.0.0/0 ]]; then
- local endpoint="$(join <(wg show "$INTERFACE" allowed-ips) <(wg show "$INTERFACE" endpoints) | sed -n 's/.* 0\.0\.0\.0\/0.* \([0-9.:\/a-z]\+\):[0-9]\+$/\1/p')"
- add_route 0/1
- add_route 128/1
- killall tungate 2>/dev/null || true
- echo "[&] Forking \`tungate' for $endpoint to background" >&2
- tungate "$endpoint" >/dev/null 2>&1 & disown
- return 0
- fi
- return 1
+ [[ $(join <(wg show "$INTERFACE" allowed-ips) <(wg show "$INTERFACE" endpoints)) =~ .*\ ${1//./\\.}\ ([0-9.:a-f]+):[0-9]+$ ]] && local endpoint="${BASH_REMATCH[1]}"
+ [[ -n $endpoint ]] || return 0
+ local table=51820
+ while [[ -n $(ip route show table $table) ]]; do ((table++)); done
+ cmd ip route add "$1" dev "$INTERFACE" table $table
+ cmd ip rule add not to "$endpoint" table $table
}
set_config() {
done
up_if
if [[ $AUTO_ROUTE -eq 1 ]]; then
- for i in $(wg show "$INTERFACE" allowed-ips | grep -Po '(?<=[\t ])[0-9.:/a-z]+' | sort -nr -k 2 -t /); do
- if ! add_default "$i" && [[ $(ip route get "$i") != *dev\ $INTERFACE\ * ]]; then
- add_route "$i"
- fi
+ for i in $(wg show "$INTERFACE" allowed-ips | grep -Po '(?<=[\t ])[0-9.:/a-f]+' | sort -nr -k 2 -t /); do
+ [[ $(ip route get "$i" 2>/dev/null) == *dev\ $INTERFACE\ * ]] || add_route "$i"
done
fi
for i in "${ADDITIONAL_ROUTES[@]}"; do
- if ! add_default "$i"; then
- add_route "$i"
- fi
+ add_route "$i"
done
[[ $(type -t post_add) != function ]] || post_add
trap - INT TERM EXIT
cmd_del() {
auto_su
[[ $(type -t pre_del) != function ]] || pre_del
- killall tungate 2>/dev/null || true
[[ -n $CONFIG_FILE ]] && save_config
del_if
[[ $(type -t post_del) != function ]] || post_del
projects / thirdparty / wireguard-tools.git / commitdiff
