rework scripts to work with wg.sh, add fail2ban

This commit is contained in:
Matthew Saunders Brown 2023-03-13 13:13:13 -07:00
parent d87b9f54d8
commit c5df21b0f3
12 changed files with 183 additions and 266 deletions


@ -223,9 +223,13 @@ umask $UMASK
systemctl enable wg-quick@wg0.service systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service systemctl start wg-quick@wg0.service
# install wg*.sh scripts in to /usr/local/sbin/
cp wg*.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/wg*.sh
# set up wireguard timer for wg-cron.sh # set up wireguard timer for wg-cron.sh
# removes inactive peers (clients) endpoint (last connected IP) data from wireguard # removes inactive peers (clients) endpoint (last connected IP) data from wireguard
# /usr/lib/systemd/system/wg-cron.timer mkdir -p /usr/local/lib/systemd/system/
echo '[Unit]' > /usr/lib/systemd/system/wg-cron.timer echo '[Unit]' > /usr/lib/systemd/system/wg-cron.timer
echo 'Description=wiregaurd cron every 5 minutes' >> /usr/lib/systemd/system/wg-cron.timer echo 'Description=wiregaurd cron every 5 minutes' >> /usr/lib/systemd/system/wg-cron.timer
echo '' >> /usr/lib/systemd/system/wg-cron.timer echo '' >> /usr/lib/systemd/system/wg-cron.timer
@ -245,14 +249,22 @@ echo 'ExecStart=/usr/local/sbin/wg-cron.sh' >> /usr/lib/systemd/system/wg-cron.s
echo '' >> /usr/lib/systemd/system/wg-cron.service echo '' >> /usr/lib/systemd/system/wg-cron.service
echo '[Install]' >> /usr/lib/systemd/system/wg-cron.service echo '[Install]' >> /usr/lib/systemd/system/wg-cron.service
echo 'WantedBy=multi-user.target' >> /usr/lib/systemd/system/wg-cron.service echo 'WantedBy=multi-user.target' >> /usr/lib/systemd/system/wg-cron.service
# enable wg-cront.timer # enable wg-cron.timer
systemctl daemon-reload systemctl daemon-reload
systemctl enable wg-cron.timer systemctl enable wg-cron.timer
systemctl start wg-cron.timer systemctl start wg-cron.timer
# install wg-*.sh scripts in to /usr/local/sbin/ # install fail2ban. configure draconian ssh failure blocking
cp wg-*.sh /usr/local/sbin/ DEBIAN_FRONTEND=noninteractive apt-get -y install fail2ban
chmod 755 /usr/local/sbin/wg-*.sh echo "[Definition]" > /etc/fail2ban/fail2ban.local
echo "dbfile = :memory:" >> /etc/fail2ban/fail2ban.local
echo "[DEFAULT]" > /etc/fail2ban/jail.local
echo "ignoreip = 127.0.0.1/8" >> /etc/fail2ban/jail.local
echo "banaction = ufw" >> /etc/fail2ban/jail.local
echo "bantime = 24h" >> /etc/fail2ban/jail.d/defaults-debian.conf
echo "maxretry = 1" >> /etc/fail2ban/jail.d/defaults-debian.conf
systemctl enable fail2ban
systemctl start fail2ban
# display installation confirmation message # display installation confirmation message
echo "WireGuard is now installed and configured and running." echo "WireGuard is now installed and configured and running."
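Review bot: The two lines `echo "bantime = 24h" >> /etc/fail2ban/jail.d/defaults-debian.conf` and `echo "maxretry = 1" >> /etc/fail2ban/jail.d/defaults-debian.conf` append to a file that ships with the fail2ban package, so a package upgrade can prompt to overwrite it and every re-run of the installer appends the pair again; writing them with `>` into a drop-in of your own, e.g. `/etc/fail2ban/jail.d/sshd-local.conf` under an `[sshd]` header, keeps the override stable and idempotent. With `maxretry = 1`, `bantime = 24h` and only `127.0.0.1/8` in `ignoreip`, a single failed login from the admin's own address bans it for a day, so the management address should probably be added to `ignoreip` at install time. The new `mkdir -p /usr/local/lib/systemd/system/` prepares a directory that the following `echo '[Unit]' > /usr/lib/systemd/system/wg-cron.timer` and the rest of the unit-file writes never use, so either the unit files should move under /usr/local/lib/systemd/system/ or the mkdir is dead. `banaction = ufw` presumes ufw is installed and enabled, which nothing in this hunk shows.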


@ -12,48 +12,28 @@ source $(dirname $0)/wg.sh
help() help()
{ {
thisfilename=$(basename -- "$0") thisfilename=$(basename -- "$0")
echo "Add virtualhost to this server." echo "Add VPN client config."
echo "" echo ""
echo "usage: $thisfilename -d <domain> -u <username> [-h]" echo "usage: $thisfilename -c <client> [-h]"
echo "" echo ""
echo " -h Print this help." echo " -h Print this help."
echo " -d <domain> Domain name to add as a VirtualHost. www. subdomain is automatically aliased." echo " -c <client> Name of the client configuration."
echo " -u <username> Username to install VirtualHost for. Username must already exist."
echo " If need be run vhost-user-add.sh first."
echo " Or use vhost-deploy.sh instead to automatically generate username."
} }
vhost:getoptions "$@" wg::getoptions "$@"
# require root # check for client config name
if [ "${EUID}" -ne 0 ]; then if [[ -z $client ]]; then
echo "This script must be run as root" echo "client name is required"
exit 1 exit
fi fi
# check for and set client name # set config file name
if [ -n "$1" ]; then config=$client.conf
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# check for existing config # check for existing config
if [ -f /etc/wireguard/clients/$config ] || [ -f /etc/wireguard/peers/$config ]; then if [ -f /etc/wireguard/clients/$config ] || [ -f /etc/wireguard/peers/$config ]; then
echo "config for $client $device already exists" echo "config for $client already exists"
exit 1 exit 1
fi fi
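Review bot: The new missing-name check `if [[ -z $client ]]; then echo "client name is required"; exit; fi` exits with status 0 (the status of the preceding echo), so a caller or wrapper cannot tell this usage error from success; the code it replaces used `exit 1`, and the check should keep that, ideally with the message on stderr: `echo "client name is required" >&2; exit 1`. The same bare `exit` appears in the equivalent checks of the zip, delete, disable, enable, QR-create and QR-show scripts in this commit. `source $(dirname $0)/wg.sh` is unquoted; `source "$(dirname -- "$0")/wg.sh"` is the safe form and costs nothing. These scripts also drop their own root check in favour of the include; the `fi` in wg.sh's first hunk header suggests wg.sh carries one, but that code is outside the visible hunks and is worth confirming.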


@ -6,32 +6,30 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com> # Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1 help()
{
thisfilename=$(basename -- "$0")
echo "Create zip of client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi fi
# check for and set client name # set config file name
if [ -n "$1" ]; then config=$client.conf
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
image=$config.$device.png
# check for existing config # check for existing config
if [ -f /etc/wireguard/clients/$config ]; then if [ -f /etc/wireguard/clients/$config ]; then
@ -43,5 +41,5 @@ if [ -f /etc/wireguard/clients/$config ]; then
/usr/bin/zip -j $config.zip /etc/wireguard/clients/$config /usr/bin/zip -j $config.zip /etc/wireguard/clients/$config
else else
echo "config for $client $device does not exist" echo "config for $client does not exist"
fi fi
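Review bot: `/usr/bin/zip -j $config.zip /etc/wireguard/clients/$config` writes the archive into whatever directory the admin happens to run the script from, under the default umask, and a WireGuard client config normally carries the peer's `PrivateKey`; the script should set `umask 077` before the zip call, or write to the same `/var/lib/wireguard/` location the QR-create script uses, so the key is not typically left readable to every local user in an arbitrary cwd. The zip line is unchanged context here, but the reworked script still inherits it, and the same consideration applies to the PNG the QR-create script writes.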


@ -6,31 +6,30 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com> # Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1 help()
{
thisfilename=$(basename -- "$0")
echo "Delete VPN client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi fi
# check for and set client name # set config file name
if [ -n "$1" ]; then config=$client.conf
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# check for server config # check for server config
if [ -f /etc/wireguard/peers/$config ]; then if [ -f /etc/wireguard/peers/$config ]; then
@ -38,11 +37,11 @@ if [ -f /etc/wireguard/peers/$config ]; then
wg set wg0 peer $peer remove wg set wg0 peer $peer remove
wg-quick save wg0 wg-quick save wg0
rm /etc/wireguard/peers/$config rm /etc/wireguard/peers/$config
echo "peer and server config for $client $device removed" echo "peer and server config for $client removed"
fi fi
# check for client config # check for client config
if [ -f /etc/wireguard/clients/$config ]; then if [ -f /etc/wireguard/clients/$config ]; then
rm /etc/wireguard/clients/$config rm /etc/wireguard/clients/$config
echo "client config for $client $device removed" echo "client config for $client removed"
fi fi


@ -6,36 +6,35 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com> # Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1 help()
{
thisfilename=$(basename -- "$0")
echo "Disable VPN client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi fi
# check for and set client name # set config file name
if [ -n "$1" ]; then config=$client.conf
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# check for server config # check for server config
if [ -f /etc/wireguard/peers/$config ]; then if [ -f /etc/wireguard/peers/$config ]; then
peer=$(grep PublicKey /etc/wireguard/peers/$config|cut -d ' ' -f 3) peer=$(grep PublicKey /etc/wireguard/peers/$config|cut -d ' ' -f 3)
wg set wg0 peer $peer remove wg set wg0 peer $peer remove
wg-quick save wg0 wg-quick save wg0
echo "peer for $client $device disabled" echo "peer for $client disabled"
fi fi


@ -6,31 +6,30 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com> # Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1 help()
{
thisfilename=$(basename -- "$0")
echo "Enable existing VPN client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi fi
# check for and set client name # set config file name
if [ -n "$1" ]; then config=$client.conf
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# check for server config # check for server config
if [ -f /etc/wireguard/peers/$config ]; then if [ -f /etc/wireguard/peers/$config ]; then
@ -39,17 +38,17 @@ if [ -f /etc/wireguard/peers/$config ]; then
if [ $status = 0 ]; then if [ $status = 0 ]; then
wg addconf wg0 /etc/wireguard/peers/$config wg addconf wg0 /etc/wireguard/peers/$config
wg-quick save wg0 wg-quick save wg0
echo "peer for $client $device enabled" echo "peer for $client enabled"
elif [ $status = 1 ]; then elif [ $status = 1 ]; then
echo "peer for $client $device already enabled" echo "peer for $client already enabled"
else else
echo "unexpected status for peer $client $device ($status)" echo "unexpected status for peer $client ($status)"
fi fi
elif [ -f /etc/wireguard/clients/$config ]; then elif [ -f /etc/wireguard/clients/$config ]; then
# create server config # create server config
# enable server config # enable server config
echo "server config for $client $device not found, but client config exists." echo "server config for $client not found, but client config exists."
echo "add programming here to create server config and enable" echo "add programming here to create server config and enable"
else else
echo "no configs for $client $device found" echo "no configs for $client found"
fi fi


@ -9,11 +9,8 @@
# wg-client-list.sh # wg-client-list.sh
# list all client configs available on the server # list all client configs available on the server
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1
fi
# prints a table with username & device split in to columns # prints a table with username & device split in to columns
(echo "Client.Config" && echo "--------.------" && cd /etc/wireguard/clients/ && ls -1 *.conf)|sed 's|\.conf$||g'|sed 's|\.| |g'|column -t (echo "Client" && echo "---------------" && cd /etc/wireguard/clients/ && ls -1 *.conf)|sed 's|\.conf$||g'


@ -6,32 +6,31 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com> # Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1 help()
{
thisfilename=$(basename -- "$0")
echo "Create PNG QR file for client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi fi
# check for and set client name # set config and image file names
if [ -n "$1" ]; then config=$client.conf
client=$1 image=$config.png
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
image=$config.$device.png
# check for existing config # check for existing config
if [ -f /etc/wireguard/clients/$config ]; then if [ -f /etc/wireguard/clients/$config ]; then
@ -42,5 +41,5 @@ if [ -f /etc/wireguard/clients/$config ]; then
qrencode -t png -r /etc/wireguard/clients/$config -o /var/lib/wireguard/$image qrencode -t png -r /etc/wireguard/clients/$config -o /var/lib/wireguard/$image
else else
echo "config for $client $device does not exist" echo "config for $client does not exist"
fi fi


@ -6,35 +6,34 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com> # Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1 help()
{
thisfilename=$(basename -- "$0")
echo "Display client config QR code."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi fi
# check for and set client name # set config and image file names
if [ -n "$1" ]; then config=$client.conf
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# check for existing config # check for existing config
if [ -f /etc/wireguard/clients/$config ]; then if [ -f /etc/wireguard/clients/$config ]; then
qrencode -t ansiutf8 < /etc/wireguard/clients/$config qrencode -t ansiutf8 < /etc/wireguard/clients/$config
else else
echo "config for $client $device does not exist" echo "config for $client does not exist"
fi fi


@ -11,11 +11,8 @@
# remove them then add them back to wireguard # remove them then add them back to wireguard
# this removes the endpoint (last connected IP) and transfer stats # this removes the endpoint (last connected IP) and transfer stats
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1
fi
# get peer of clients with "minutes" in their last handshake # get peer of clients with "minutes" in their last handshake
clients=($(wg|grep -B 4 minutes|grep peer|cut -d ' ' -f 2)) clients=($(wg|grep -B 4 minutes|grep peer|cut -d ' ' -f 2))


@ -11,11 +11,8 @@
# this is basis of a "cleanup" script to remove configs for invalid # this is basis of a "cleanup" script to remove configs for invalid
# old or deleted clients # old or deleted clients
# require root # load include file
if [ "${EUID}" -ne 0 ]; then source $(dirname $0)/wg.sh
echo "This script must be run as root"
exit 1
fi
# get all peers in running wireguard server # get all peers in running wireguard server
peers=($(wg|grep peer|cut -d ' ' -f 2)) peers=($(wg|grep peer|cut -d ' ' -f 2))

67
wg.sh

@ -15,21 +15,6 @@ fi
# functions # functions
function vhost::set-virtualhostArray () {
cd /srv/www
virtualhostArray=(`ls -1|grep -v ^html$`)
}
function vhost::set-phpVersion () {
PHP_MAJOR_VERSION=`php -r "echo PHP_MAJOR_VERSION;"`
PHP_MINOR_VERSION=`php -r "echo PHP_MINOR_VERSION;"`
phpVersion=$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION
}
# crude but good enough domain name format validation # crude but good enough domain name format validation
function wg::validate_domain () { function wg::validate_domain () {
local my_domain=$1 local my_domain=$1
@ -40,28 +25,16 @@ function wg::validate_domain () {
fi fi
} }
-c client function wg::getoptions () {
-g config
-e email
-p peer ???
function wg:getoptions () {
local OPTIND local OPTIND
while getopts "cd:i:m:o:p:u:jhnvw" opt ; do while getopts "c:e:h" opt ; do
case "${opt}" in case "${opt}" in
h ) # display help and exit h ) # display help and exit
help help
exit exit
;; ;;
c ) # cvs - output in cvs format c ) # client/config name
cvs=true client=${OPTARG,,}
;;
d ) # domain name (virtualhost) to act on
domain=${OPTARG,,}
if ! wg::validate_domain $domain; then
echo "ERROR: $domain is not a valid domain name."
exit
fi
;; ;;
e ) # email address e ) # email address
email=${OPTARG,,} email=${OPTARG,,}
@ -83,34 +56,6 @@ function wg:getoptions () {
exit 1 exit 1
fi fi
;; ;;
i ) # User ID (UID) for new user
uid=${OPTARG}
;;
m ) # macro - Apache mod_macro name
macro=${OPTARG}
;;
o ) # option - usually applied to previously specified variable
# e.g. could be subdomain or alias depending on the macro defined
option=${OPTARG}
;;
p ) # password
password=${OPTARG}
;;
u ) # username
username=${OPTARG,,}
;;
j ) # jail - if enabled user will be jailed
jail=true
;;
n ) # dry-run
dryrun=true
;;
v ) # verbose
verbose=true
;;
w ) # write - store data in file
write=true
;;
\? ) \? )
echo "Invalid option: $OPTARG" echo "Invalid option: $OPTARG"
exit 1 exit 1
@ -124,7 +69,3 @@ function wg:getoptions () {
shift $((OPTIND-1)) shift $((OPTIND-1))
} }
# check for local config, which can be used to override any of the above
if [[ -f /usr/local/etc/wg.conf ]]; then
source /usr/local/etc/wg.conf
fi