32d90b67ce
WIP: feat: commands and tools to setup fw and system settings for VPN:
This is scrapped for now: managing the firewall may be outside
    the scope of this service.

    Let that be handled by automations such as Ansible or other tools
    during deployment-time.

Signed-off-by: HeshamTB <hishaminv@gmail.com>
2024-03-31 00:30:33 +03:00
3 changed files with 127 additions and 101 deletions


@ -20,6 +20,7 @@ import (
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3"
netcmd "gitea.hbanafa.com/HeshamTB/hvpn-node3/net"
)
/*
@ -174,6 +175,13 @@ func createCliApp() *cli.App {
}
app.Flags = append(app.Flags, &wgInterfaceName)
uplinkName := cli.StringFlag{
Name: "uplink",
Usage: "Name of the interface to be used for Wireguard traffic",
Required: true,
}
app.Flags = append(app.Flags, &uplinkName)
wgEndpoint := cli.StringFlag{
Name: "endpoint",
Usage: "Wireguard endpoint domain or address without the port",
@ -276,6 +284,7 @@ func createCliApp() *cli.App {
app.Flags = append(app.Flags, &TLSCertKey)
app.Commands = append(app.Commands, NetSetupCommand())
app.Action = func(ctx *cli.Context) error {
err := setup(ctx)
@ -289,6 +298,123 @@ func createCliApp() *cli.App {
return app
}
func NetSetupCommand() *cli.Command {
cmd := cli.Command{
Name: "nsetup",
Usage: "Tools to setup the host for routing VPN traffic\nGlobal flags have an effect on this commands behaviour",
Action: func(ctx *cli.Context) error {
err := preUpCommands(ctx)
if err != nil {
return err
}
return nil
},
}
return &cmd
}
func preUpCommands(ctx *cli.Context) error {
/* Make a Revertable Command Intrface to make this more general */
sysProcFile, err := os.OpenFile(
hvpnnode3.SYS_PROC_IPV4_IP_FORWARD,
os.O_RDWR, 0644,
)
defer sysProcFile.Close()
if err != nil {
return err
}
uplinkIface := ctx.String("uplink")
wgIface := ctx.String("interface")
wgport := ctx.Int("port")
wgportStr := fmt.Sprint(wgport)
sysCtlAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, true)
ipTables1 := netcmd.IptablesForwardWGInAccept(true, uplinkIface, wgIface)
ipTables2 := netcmd.IptablesForwardWGOutAccept(true, uplinkIface, wgIface)
ipTables3 := netcmd.IptablesNatPostRoutingMasq(true, uplinkIface)
ipTablesAllowPort := netcmd.IptablesPort(true, uplinkIface, wgportStr, netcmd.UDP)
sysCtlDisAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, false)
ipTables4 := netcmd.IptablesForwardWGInAccept(false, uplinkIface, wgIface)
ipTables5 := netcmd.IptablesForwardWGOutAccept(false, uplinkIface, wgIface)
ipTables6 := netcmd.IptablesNatPostRoutingMasq(false, uplinkIface)
ipTablesDisAllow := netcmd.IptablesPort(false, uplinkIface, wgportStr, netcmd.UDP)
slog.Debug(sysCtlAllowForward.String())
err = sysCtlAllowForward.Run()
if err != nil {
return err
}
slog.Debug(ipTables1.String())
err = ipTables1.Run()
if err != nil {
sysCtlDisAllowForward.Run()
return err
}
slog.Debug(ipTables2.String())
err = ipTables2.Run()
if err != nil {
sysCtlDisAllowForward.Run()
ipTables4.Run()
return err
}
slog.Debug(ipTables3.String())
err = ipTables3.Run()
if err != nil {
sysCtlDisAllowForward.Run()
ipTables4.Run()
ipTables5.Run()
return err
}
slog.Debug(ipTablesAllowPort.String())
err = ipTablesAllowPort.Run()
if err != nil {
sysCtlDisAllowForward.Run()
ipTables4.Run()
ipTables5.Run()
ipTables6.Run()
return err
}
/* At this point all passed. revert.*/
err = sysCtlDisAllowForward.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTables4.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTables5.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTables6.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTablesDisAllow.Run()
if err != nil {
slog.Debug(err.Error())
}
return nil
}
func postDownCommands(ctx *cli.Context) error {
return nil
}
func setup(ctx *cli.Context) error {
slog.Debug("Starting setup()")
uid := os.Getuid()
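Review bot: The rollback calls on the failure paths of preUpCommands (`sysCtlDisAllowForward.Run()`, `ipTables4.Run()`, `ipTables5.Run()`, `ipTables6.Run()` after each `if err != nil`) discard their return values, so a failed revert can leave ip_forward enabled and a FORWARD ACCEPT or POSTROUTING MASQUERADE rule in place while the caller only ever sees the original error; fold them in with `if rerr := ipTables4.Run(); rerr != nil { err = errors.Join(err, rerr) }` (stdlib, Go 1.20+, fine given the file already uses log/slog) or at least log them at Warn rather than the Debug level used on the success-path revert, so an operator knows the host was left partially opened. `defer sysProcFile.Close()` sits above the `os.OpenFile` error check and therefore runs on a nil *os.File when the open fails; move it below `if err != nil { return err }`. The deleted iptables.sh inserted a `-i wg -o wg -j DROP` peer-isolation rule, and no counterpart is visible among the netcmd calls here, while the revert path unconditionally writes ip_forward back to 0 instead of restoring the value that was read at startup — both deserve a comment or TODO if intentional, since the commit message says this path is scrapped. The `setup` function beginning at the end of this section continues outside the hunk.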


@ -7,6 +7,7 @@ const (
CONTENT_OCTET = "application/octet-stream"
CONTENT_PLAIN_TEXT = "text/plain"
WG_CLIENT_MTU = 1380
SYS_PROC_IPV4_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
)
var (


@ -1,101 +0,0 @@
#!/usr/bin/env bash
iptables=iptables
PROGRAM="${0}"
cmd="${1}"
wg_iface="${2}"
uplink_iface="${3}"
wg_port="${4}"
cmd() {
echo "[#] $*" >&2
"$@"
}
print_usage() {
cat >&2 <<-_EOF
${PROGRAM} [ set | unset ] <wg_interface> <uplink_interface> <wg_port>
_EOF
}
HAVE_SET_NAT=0
add_nat() {
cmd ${iptables} -t nat -A POSTROUTING -o ${uplink_iface} -j MASQUERADE
HAVE_SET_NAT=1
}
HAVE_SET_FORWARD=0
add_forward() {
cmd ${iptables} -I FORWARD 1 -i ${uplink_iface} -o ${wg_iface} -j ACCEPT
cmd ${iptables} -I FORWARD 1 -i ${wg_iface} -o ${uplink_iface} -j ACCEPT
HAVE_SET_FORWARD=1
}
HAVE_SET_ISOLATION=0
add_isolation() {
cmd ${iptables} -I FORWARD -i ${wg_iface} -o ${wg_iface} -j DROP
HAVE_SET_ISOLATION=1
}
HAVE_OPEN_PORT=0
add_port() {
cmd ${iptables} -I INPUT 1 -i ${uplink_iface} -p udp --dport ${wg_port} -j ACCEPT
HAVE_OPEN_PORT=1
}
add_rules() {
trap 'rm_rules; exit' INT TERM EXIT
add_forward || exit 1
add_nat || exit 1
add_isolation || exit 1
add_port || exit 1
trap - INT TERM EXIT
}
rm_forward() {
cmd ${iptables} -D FORWARD -i ${uplink_iface} -o ${wg_iface} -j ACCEPT
cmd ${iptables} -D FORWARD -i ${wg_iface} -o ${uplink_iface} -j ACCEPT
}
rm_nat() {
cmd ${iptables} -t nat -D POSTROUTING -o ${uplink_iface} -j MASQUERADE
}
rm_isolate() {
cmd ${iptables} -D FORWARD -i ${wg_iface} -o ${wg_iface} -j DROP
}
rm_port() {
cmd ${iptables} -D INPUT -i ${uplink_iface} -p udp --dport ${wg_port} -j ACCEPT
}
rm_rules() {
[[ $HAVE_SET_FORWARD -eq 0 ]] || rm_forward
[[ $HAVE_SET_NAT -eq 0 ]] || rm_nat
[[ $HAVE_SET_ISOLATION -eq 0 ]] || rm_isolate
[[ $HAVE_OPEN_PORT -eq 0 ]] || rm_port
}
if [ ! $# -eq 4 ]
then
print_usage
exit 1
fi
if [ "${cmd}" == "set" ]
then
add_rules
elif [ "${cmd}" == "unset" ];
then
HAVE_OPEN_PORT=1
HAVE_SET_ISOLATION=1
HAVE_SET_NAT=1
HAVE_SET_FORWARD=1
rm_rules
else
# cat << "Invalid command. Use set or unset" >&2
echo "Invalid command. Use set or unset"
fi