Author | SHA1 | Date | |
---|---|---|---|
32d90b67ce |
@ -20,6 +20,7 @@ import (
|
||||
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
||||
|
||||
hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3"
|
||||
netcmd "gitea.hbanafa.com/HeshamTB/hvpn-node3/net"
|
||||
)
|
||||
|
||||
/*
|
||||
@ -174,6 +175,13 @@ func createCliApp() *cli.App {
|
||||
}
|
||||
app.Flags = append(app.Flags, &wgInterfaceName)
|
||||
|
||||
uplinkName := cli.StringFlag{
|
||||
Name: "uplink",
|
||||
Usage: "Name of the interface to be used for Wireguard traffic",
|
||||
Required: true,
|
||||
}
|
||||
app.Flags = append(app.Flags, &uplinkName)
|
||||
|
||||
wgEndpoint := cli.StringFlag{
|
||||
Name: "endpoint",
|
||||
Usage: "Wireguard endpoint domain or address without the port",
|
||||
@ -276,6 +284,7 @@ func createCliApp() *cli.App {
|
||||
app.Flags = append(app.Flags, &TLSCertKey)
|
||||
|
||||
|
||||
app.Commands = append(app.Commands, NetSetupCommand())
|
||||
|
||||
app.Action = func(ctx *cli.Context) error {
|
||||
err := setup(ctx)
|
||||
@ -289,6 +298,123 @@ func createCliApp() *cli.App {
|
||||
return app
|
||||
}
|
||||
|
||||
func NetSetupCommand() *cli.Command {
|
||||
cmd := cli.Command{
|
||||
Name: "nsetup",
|
||||
Usage: "Tools to setup the host for routing VPN traffic\nGlobal flags have an effect on this commands behaviour",
|
||||
Action: func(ctx *cli.Context) error {
|
||||
err := preUpCommands(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
},
|
||||
}
|
||||
|
||||
return &cmd
|
||||
}
|
||||
|
||||
func preUpCommands(ctx *cli.Context) error {
|
||||
|
||||
/* Make a Revertable Command Intrface to make this more general */
|
||||
sysProcFile, err := os.OpenFile(
|
||||
hvpnnode3.SYS_PROC_IPV4_IP_FORWARD,
|
||||
os.O_RDWR, 0644,
|
||||
)
|
||||
defer sysProcFile.Close()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
uplinkIface := ctx.String("uplink")
|
||||
wgIface := ctx.String("interface")
|
||||
wgport := ctx.Int("port")
|
||||
wgportStr := fmt.Sprint(wgport)
|
||||
|
||||
sysCtlAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, true)
|
||||
ipTables1 := netcmd.IptablesForwardWGInAccept(true, uplinkIface, wgIface)
|
||||
ipTables2 := netcmd.IptablesForwardWGOutAccept(true, uplinkIface, wgIface)
|
||||
ipTables3 := netcmd.IptablesNatPostRoutingMasq(true, uplinkIface)
|
||||
ipTablesAllowPort := netcmd.IptablesPort(true, uplinkIface, wgportStr, netcmd.UDP)
|
||||
|
||||
sysCtlDisAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, false)
|
||||
ipTables4 := netcmd.IptablesForwardWGInAccept(false, uplinkIface, wgIface)
|
||||
ipTables5 := netcmd.IptablesForwardWGOutAccept(false, uplinkIface, wgIface)
|
||||
ipTables6 := netcmd.IptablesNatPostRoutingMasq(false, uplinkIface)
|
||||
ipTablesDisAllow := netcmd.IptablesPort(false, uplinkIface, wgportStr, netcmd.UDP)
|
||||
|
||||
slog.Debug(sysCtlAllowForward.String())
|
||||
err = sysCtlAllowForward.Run()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Debug(ipTables1.String())
|
||||
err = ipTables1.Run()
|
||||
if err != nil {
|
||||
sysCtlDisAllowForward.Run()
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Debug(ipTables2.String())
|
||||
err = ipTables2.Run()
|
||||
if err != nil {
|
||||
sysCtlDisAllowForward.Run()
|
||||
ipTables4.Run()
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Debug(ipTables3.String())
|
||||
err = ipTables3.Run()
|
||||
if err != nil {
|
||||
sysCtlDisAllowForward.Run()
|
||||
ipTables4.Run()
|
||||
ipTables5.Run()
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Debug(ipTablesAllowPort.String())
|
||||
err = ipTablesAllowPort.Run()
|
||||
if err != nil {
|
||||
sysCtlDisAllowForward.Run()
|
||||
ipTables4.Run()
|
||||
ipTables5.Run()
|
||||
ipTables6.Run()
|
||||
return err
|
||||
}
|
||||
|
||||
/* At this point all passed. revert.*/
|
||||
|
||||
err = sysCtlDisAllowForward.Run()
|
||||
if err != nil {
|
||||
slog.Debug(err.Error())
|
||||
}
|
||||
err = ipTables4.Run()
|
||||
if err != nil {
|
||||
slog.Debug(err.Error())
|
||||
}
|
||||
err = ipTables5.Run()
|
||||
if err != nil {
|
||||
slog.Debug(err.Error())
|
||||
}
|
||||
err = ipTables6.Run()
|
||||
if err != nil {
|
||||
slog.Debug(err.Error())
|
||||
}
|
||||
err = ipTablesDisAllow.Run()
|
||||
if err != nil {
|
||||
slog.Debug(err.Error())
|
||||
}
|
||||
|
||||
return nil
|
||||
|
||||
}
|
||||
|
||||
func postDownCommands(ctx *cli.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func setup(ctx *cli.Context) error {
|
||||
slog.Debug("Starting setup()")
|
||||
uid := os.Getuid()
|
||||
|
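Review bot: preUpCommands drops the peer-isolation rule that the shell script deleted in this same commit installed (`add_isolation`, a `FORWARD -i <wg> -o <wg> -j DROP` rule): the new code only installs the two FORWARD ACCEPT rules, the POSTROUTING MASQUERADE rule and the UDP INPUT rule, so unless a netcmd helper adds isolation elsewhere, WireGuard peers on the same interface can now reach each other through the host, which the old script explicitly prevented. Separately, `defer sysProcFile.Close()` is registered before the `err` check on the os.OpenFile call, so on failure it runs against a nil *os.File; move the defer below the `if err != nil { return err }` block. The rollback calls in each error branch (`sysCtlDisAllowForward.Run()`, `ipTables4.Run()`, …) discard the error Run() returns, so a half-applied ruleset is left behind silently; log them the way the final revert block does, e.g. `if rerr := ipTables4.Run(); rerr != nil { slog.Debug(rerr.Error()) }`. The function then reverts every rule before returning nil, so `nsetup` currently leaves no configuration in place — if that is a deliberate smoke test, say so in the command's Usage string; otherwise the revert belongs in postDownCommands, which this commit adds as an empty stub.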
1
const.go
1
const.go
@ -7,6 +7,7 @@ const (
|
||||
CONTENT_OCTET = "application/octet-stream"
|
||||
CONTENT_PLAIN_TEXT = "text/plain"
|
||||
WG_CLIENT_MTU = 1380
|
||||
SYS_PROC_IPV4_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
|
||||
)
|
||||
|
||||
var (
|
||||
|
@ -1,101 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
iptables=iptables
|
||||
|
||||
PROGRAM="${0}"
|
||||
cmd="${1}"
|
||||
wg_iface="${2}"
|
||||
uplink_iface="${3}"
|
||||
wg_port="${4}"
|
||||
|
||||
cmd() {
|
||||
echo "[#] $*" >&2
|
||||
"$@"
|
||||
}
|
||||
|
||||
print_usage() {
|
||||
cat >&2 <<-_EOF
|
||||
${PROGRAM} [ set | unset ] <wg_interface> <uplink_interface> <wg_port>
|
||||
_EOF
|
||||
}
|
||||
|
||||
HAVE_SET_NAT=0
|
||||
add_nat() {
|
||||
cmd ${iptables} -t nat -A POSTROUTING -o ${uplink_iface} -j MASQUERADE
|
||||
HAVE_SET_NAT=1
|
||||
}
|
||||
|
||||
HAVE_SET_FORWARD=0
|
||||
add_forward() {
|
||||
cmd ${iptables} -I FORWARD 1 -i ${uplink_iface} -o ${wg_iface} -j ACCEPT
|
||||
cmd ${iptables} -I FORWARD 1 -i ${wg_iface} -o ${uplink_iface} -j ACCEPT
|
||||
HAVE_SET_FORWARD=1
|
||||
}
|
||||
|
||||
HAVE_SET_ISOLATION=0
|
||||
add_isolation() {
|
||||
cmd ${iptables} -I FORWARD -i ${wg_iface} -o ${wg_iface} -j DROP
|
||||
HAVE_SET_ISOLATION=1
|
||||
}
|
||||
|
||||
HAVE_OPEN_PORT=0
|
||||
add_port() {
|
||||
cmd ${iptables} -I INPUT 1 -i ${uplink_iface} -p udp --dport ${wg_port} -j ACCEPT
|
||||
HAVE_OPEN_PORT=1
|
||||
}
|
||||
|
||||
add_rules() {
|
||||
trap 'rm_rules; exit' INT TERM EXIT
|
||||
add_forward || exit 1
|
||||
add_nat || exit 1
|
||||
add_isolation || exit 1
|
||||
add_port || exit 1
|
||||
trap - INT TERM EXIT
|
||||
}
|
||||
|
||||
rm_forward() {
|
||||
cmd ${iptables} -D FORWARD -i ${uplink_iface} -o ${wg_iface} -j ACCEPT
|
||||
cmd ${iptables} -D FORWARD -i ${wg_iface} -o ${uplink_iface} -j ACCEPT
|
||||
}
|
||||
|
||||
rm_nat() {
|
||||
cmd ${iptables} -t nat -D POSTROUTING -o ${uplink_iface} -j MASQUERADE
|
||||
}
|
||||
|
||||
rm_isolate() {
|
||||
cmd ${iptables} -D FORWARD -i ${wg_iface} -o ${wg_iface} -j DROP
|
||||
}
|
||||
|
||||
rm_port() {
|
||||
cmd ${iptables} -D INPUT -i ${uplink_iface} -p udp --dport ${wg_port} -j ACCEPT
|
||||
}
|
||||
|
||||
rm_rules() {
|
||||
[[ $HAVE_SET_FORWARD -eq 0 ]] || rm_forward
|
||||
[[ $HAVE_SET_NAT -eq 0 ]] || rm_nat
|
||||
[[ $HAVE_SET_ISOLATION -eq 0 ]] || rm_isolate
|
||||
[[ $HAVE_OPEN_PORT -eq 0 ]] || rm_port
|
||||
}
|
||||
|
||||
if [ ! $# -eq 4 ]
|
||||
then
|
||||
print_usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${cmd}" == "set" ]
|
||||
then
|
||||
add_rules
|
||||
|
||||
elif [ "${cmd}" == "unset" ];
|
||||
then
|
||||
HAVE_OPEN_PORT=1
|
||||
HAVE_SET_ISOLATION=1
|
||||
HAVE_SET_NAT=1
|
||||
HAVE_SET_FORWARD=1
|
||||
rm_rules
|
||||
else
|
||||
# cat << "Invalid command. Use set or unset" >&2
|
||||
echo "Invalid command. Use set or unset"
|
||||
fi
|
||||
|