msb/vpn-stack
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

rework scripts to work with wg.sh, add fail2ban

Browse Source
This commit is contained in:
Matthew Saunders Brown 2023-03-13 13:13:13 -07:00
parent d87b9f54d8
commit c5df21b0f3
12 changed files with 183 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
install.sh
View File

@ -223,9 +223,13 @@ umask $UMASK
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service
# install wg*.sh scripts in to /usr/local/sbin/
cp wg*.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/wg*.sh
# set up wireguard timer for wg-cron.sh
# removes inactive peers (clients) endpoint (last connected IP) data from wireguard
# /usr/lib/systemd/system/wg-cron.timer
mkdir -p /usr/local/lib/systemd/system/
echo '[Unit]' > /usr/lib/systemd/system/wg-cron.timer
echo 'Description=wiregaurd cron every 5 minutes' >> /usr/lib/systemd/system/wg-cron.timer
echo '' >> /usr/lib/systemd/system/wg-cron.timer
@ -245,14 +249,22 @@ echo 'ExecStart=/usr/local/sbin/wg-cron.sh' >> /usr/lib/systemd/system/wg-cron.s
echo '' >> /usr/lib/systemd/system/wg-cron.service
echo '[Install]' >> /usr/lib/systemd/system/wg-cron.service
echo 'WantedBy=multi-user.target' >> /usr/lib/systemd/system/wg-cron.service
# enable wg-cront.timer
# enable wg-cron.timer
systemctl daemon-reload
systemctl enable wg-cron.timer
systemctl start wg-cron.timer
# install wg-*.sh scripts in to /usr/local/sbin/
cp wg-*.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/wg-*.sh
# install fail2ban. configure draconian ssh failure blocking
DEBIAN_FRONTEND=noninteractive apt-get -y install fail2ban
echo "[Definition]" > /etc/fail2ban/fail2ban.local
echo "dbfile = :memory:" >> /etc/fail2ban/fail2ban.local
echo "[DEFAULT]" > /etc/fail2ban/jail.local
echo "ignoreip = 127.0.0.1/8" >> /etc/fail2ban/jail.local
echo "banaction = ufw" >> /etc/fail2ban/jail.local
echo "bantime = 24h" >> /etc/fail2ban/jail.d/defaults-debian.conf
echo "maxretry = 1" >> /etc/fail2ban/jail.d/defaults-debian.conf
systemctl enable fail2ban
systemctl start fail2ban
# display installation confirmation message
echo "WireGuard is now installed and configured and running."

42
wg-client-add.sh
View File

@ -12,48 +12,28 @@ source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Add virtualhost to this server."
echo "Add VPN client config."
echo ""
echo "usage: $thisfilename -d <domain> -u <username> [-h]"
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -d <domain> Domain name to add as a VirtualHost. www. subdomain is automatically aliased."
echo " -u <username> Username to install VirtualHost for. Username must already exist."
echo " If need be run vhost-user-add.sh first."
echo " Or use vhost-deploy.sh instead to automatically generate username."
echo " -c <client> Name of the client configuration."
}
vhost:getoptions "$@"
wg::getoptions "$@"
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# set config file name
config=$client.conf
# check for existing config
if [ -f /etc/wireguard/clients/$config ] || [ -f /etc/wireguard/peers/$config ]; then
echo "config for $client $device already exists"
echo "config for $client already exists"
exit 1
fi

48
wg-client-create-zip.sh
View File

@ -6,32 +6,30 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# load include file
source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Create zip of client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
image=$config.$device.png
# set config file name
config=$client.conf
# check for existing config
if [ -f /etc/wireguard/clients/$config ]; then
@ -43,5 +41,5 @@ if [ -f /etc/wireguard/clients/$config ]; then
/usr/bin/zip -j $config.zip /etc/wireguard/clients/$config
else
echo "config for $client $device does not exist"
echo "config for $client does not exist"
fi

49
wg-client-del.sh
View File

@ -6,31 +6,30 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# load include file
source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Delete VPN client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# set config file name
config=$client.conf
# check for server config
if [ -f /etc/wireguard/peers/$config ]; then
@ -38,11 +37,11 @@ if [ -f /etc/wireguard/peers/$config ]; then
wg set wg0 peer $peer remove
wg-quick save wg0
rm /etc/wireguard/peers/$config
echo "peer and server config for $client $device removed"
echo "peer and server config for $client removed"
fi
# check for client config
if [ -f /etc/wireguard/clients/$config ]; then
rm /etc/wireguard/clients/$config
echo "client config for $client $device removed"
echo "client config for $client removed"
fi

47
wg-client-disable.sh
View File

@ -6,36 +6,35 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# load include file
source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Disable VPN client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# set config file name
config=$client.conf
# check for server config
if [ -f /etc/wireguard/peers/$config ]; then
peer=$(grep PublicKey /etc/wireguard/peers/$config|cut -d ' ' -f 3)
wg set wg0 peer $peer remove
wg-quick save wg0
echo "peer for $client $device disabled"
echo "peer for $client disabled"
fi

55
wg-client-enable.sh
View File

@ -6,31 +6,30 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# load include file
source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Enable existing VPN client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# set config file name
config=$client.conf
# check for server config
if [ -f /etc/wireguard/peers/$config ]; then
@ -39,17 +38,17 @@ if [ -f /etc/wireguard/peers/$config ]; then
if [ $status = 0 ]; then
wg addconf wg0 /etc/wireguard/peers/$config
wg-quick save wg0
echo "peer for $client $device enabled"
echo "peer for $client enabled"
elif [ $status = 1 ]; then
echo "peer for $client $device already enabled"
echo "peer for $client already enabled"
else
echo "unexpected status for peer $client $device ($status)"
echo "unexpected status for peer $client ($status)"
fi
elif [ -f /etc/wireguard/clients/$config ]; then
# create server config
# enable server config
echo "server config for $client $device not found, but client config exists."
echo "server config for $client not found, but client config exists."
echo "add programming here to create server config and enable"
else
echo "no configs for $client $device found"
echo "no configs for $client found"
fi

9
wg-client-list.sh
View File

@ -9,11 +9,8 @@
# wg-client-list.sh
# list all client configs available on the server
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
# load include file
source $(dirname $0)/wg.sh
# prints a table with username & device split in to columns
(echo "Client.Config" && echo "--------.------" && cd /etc/wireguard/clients/ && ls -1 *.conf)|sed 's|\.conf$||g'|sed 's|\.| |g'|column -t
(echo "Client" && echo "---------------" && cd /etc/wireguard/clients/ && ls -1 *.conf)|sed 's|\.conf$||g'

49
wg-client-qr-create-png.sh
View File

@ -6,32 +6,31 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# load include file
source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Create PNG QR file for client config."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
image=$config.$device.png
# set config and image file names
config=$client.conf
image=$config.png
# check for existing config
if [ -f /etc/wireguard/clients/$config ]; then
@ -42,5 +41,5 @@ if [ -f /etc/wireguard/clients/$config ]; then
qrencode -t png -r /etc/wireguard/clients/$config -o /var/lib/wireguard/$image
else
echo "config for $client $device does not exist"
echo "config for $client does not exist"
fi

47
wg-client-qr-display.sh
View File

@ -6,35 +6,34 @@
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
# load include file
source $(dirname $0)/wg.sh
help()
{
thisfilename=$(basename -- "$0")
echo "Display client config QR code."
echo ""
echo "usage: $thisfilename -c <client> [-h]"
echo ""
echo " -h Print this help."
echo " -c <client> Name of the client configuration."
}
wg::getoptions "$@"
# check for client config name
if [[ -z $client ]]; then
echo "client name is required"
exit
fi
# check for and set client name
if [ -n "$1" ]; then
client=$1
# set beginning of config file name
config=$client
else
echo "client name not set"
exit 1
fi
# check if device name was set
if [ -n "$2" ]; then
device=$2
else
device=default
fi
# add device name & .conf to config file name
config=$config.$device.conf
# set config and image file names
config=$client.conf
# check for existing config
if [ -f /etc/wireguard/clients/$config ]; then
qrencode -t ansiutf8 < /etc/wireguard/clients/$config
else
echo "config for $client $device does not exist"
echo "config for $client does not exist"
fi

7
wg-cron.sh
View File

@ -11,11 +11,8 @@
# remove them then add them back to wireguard
# this removes the endpoint (last connected IP) and transfer stats
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
# load include file
source $(dirname $0)/wg.sh
# get peer of clients with "minutes" in their last handshake
clients=($(wg|grep -B 4 minutes|grep peer|cut -d ' ' -f 2))

7
wg-peer-audit.sh
View File

@ -11,11 +11,8 @@
# this is basis of a "cleanup" script to remove configs for invalid
# old or deleted clients
# require root
if [ "${EUID}" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
# load include file
source $(dirname $0)/wg.sh
# get all peers in running wireguard server
peers=($(wg|grep peer|cut -d ' ' -f 2))

67
wg.sh
View File

@ -15,21 +15,6 @@ fi
# functions
function vhost::set-virtualhostArray () {
cd /srv/www
virtualhostArray=(`ls -1|grep -v ^html$`)
}
function vhost::set-phpVersion () {
PHP_MAJOR_VERSION=`php -r "echo PHP_MAJOR_VERSION;"`
PHP_MINOR_VERSION=`php -r "echo PHP_MINOR_VERSION;"`
phpVersion=$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION
}
# crude but good enough domain name format validation
function wg::validate_domain () {
local my_domain=$1
@ -40,28 +25,16 @@ function wg::validate_domain () {
fi
}
-c client
-g config
-e email
-p peer ???
function wg:getoptions () {
function wg::getoptions () {
local OPTIND
while getopts "cd:i:m:o:p:u:jhnvw" opt ; do
while getopts "c:e:h" opt ; do
case "${opt}" in
h ) # display help and exit
help
exit
;;
c ) # cvs - output in cvs format
cvs=true
;;
d ) # domain name (virtualhost) to act on
domain=${OPTARG,,}
if ! wg::validate_domain $domain; then
echo "ERROR: $domain is not a valid domain name."
exit
fi
c ) # client/config name
client=${OPTARG,,}
;;
e ) # email address
email=${OPTARG,,}
@ -83,34 +56,6 @@ function wg:getoptions () {
exit 1
fi
;;
i ) # User ID (UID) for new user
uid=${OPTARG}
;;
m ) # macro - Apache mod_macro name
macro=${OPTARG}
;;
o ) # option - usually applied to previously specified variable
# e.g. could be subdomain or alias depending on the macro defined
option=${OPTARG}
;;
p ) # password
password=${OPTARG}
;;
u ) # username
username=${OPTARG,,}
;;
j ) # jail - if enabled user will be jailed
jail=true
;;
n ) # dry-run
dryrun=true
;;
v ) # verbose
verbose=true
;;
w ) # write - store data in file
write=true
;;
\? )
echo "Invalid option: $OPTARG"
exit 1
@ -124,7 +69,3 @@ function wg:getoptions () {
shift $((OPTIND-1))
}
# check for local config, which can be used to override any of the above
if [[ -f /usr/local/etc/wg.conf ]]; then
source /usr/local/etc/wg.conf
fi