Added more files/scripts for Wireguard usage, modified others.

2025-11-20 09:01:42 -05:00 · 2025-11-20 09:01:42 -05:00 · c609104708
parent 9615716240
commit c609104708
5 changed files with 98 additions and 0 deletions
--- a/firewall/detect-wan.sh
+++ b/firewall/detect-wan.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+# Detects the most likely WAN interface and prints it
+
+# Look for interface with default route
+WAN_IF=$(ip route | awk '/default/ {print $5}' | head -n 1)
+
+if [ -z "$WAN_IF" ]; then
+    echo "Could not detect WAN interface." >&2
+    exit 1
+fi
+
+echo "$WAN_IF"
+
--- a/firewall/nftables.conf.example
+++ b/firewall/nftables.conf.example
@ -11,6 +11,7 @@ flush ruleset
 # Adjust these to match your system
 #
 define wan_if      = "eno1"   # WAN interface (optional use; mainly for clarity)
+# define wan_if = "$(bash /path/to/detect-wan.sh)"
 define vpn_if_pref = "zt+"    # ZeroTier interfaces start with "zt"
 define wg_if       = "wg0"
 # define lan_if    = "br0"    # If you later want LAN-specific rules
--- a/firewall/nftables.wireguard.conf.example
+++ b/firewall/nftables.wireguard.conf.example
@ -13,6 +13,7 @@ flush ruleset

 # Adjust to your actual interfaces
 define wan_if    = "eno1"    # WAN interface name
+# define wan_if = "$(bash /path/to/detect-wan.sh)"
 define wg_if     = "wg0"     # WireGuard interface name
 define wg_port   = 51820     # WireGuard UDP port

--- a/wireguard/gen-wg-peer.sh
+++ b/wireguard/gen-wg-peer.sh
@ -0,0 +1,69 @@
+#!/bin/bash
+# Generate a WireGuard peer config and update wg0.conf automatically.
+
+set -e
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <peername>"
+    exit 1
+fi
+
+PEER=$1
+WG_DIR="/etc/wireguard"
+VPN_NET="10.20.0"
+CONF="$WG_DIR/wg0.conf"
+
+# Find next free IP
+USED_IPS=$(grep AllowedIPs "$CONF" | awk -F'[ ./]' '{print $7}')
+FREE_IP=$(comm -23 \
+    <(seq 2 254 | sort) \
+    <(printf "%s\n" $USED_IPS | sort) \
+    | head -n 1)
+
+if [ -z "$FREE_IP" ]; then
+    echo "No free VPN IPs left" >&2
+    exit 1
+fi
+
+CLIENT_IP="10.20.0.$FREE_IP"
+
+# Generate client keypair
+wg genkey | tee "$PEER.key" | wg pubkey > "$PEER.pub"
+CLIENT_PRIVATE_KEY=$(cat "$PEER.key")
+CLIENT_PUBLIC_KEY=$(cat "$PEER.pub")
+
+# Server public key
+SERVER_PUBLIC_KEY=$(wg show wg0 public-key)
+
+# Generate client config
+cat > "$PEER.conf" <<EOF
+[Interface]
+PrivateKey = $CLIENT_PRIVATE_KEY
+Address = $CLIENT_IP/32
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = $SERVER_PUBLIC_KEY
+Endpoint = <SERVER_PUBLIC_IP>:51820
+AllowedIPs = 10.20.0.0/24
+PersistentKeepalive = 25
+EOF
+
+echo "Client config written to $PEER.conf"
+
+# Add to server config
+cat >> "$CONF" <<EOF
+
+# Peer: $PEER
+[Peer]
+PublicKey = $CLIENT_PUBLIC_KEY
+AllowedIPs = $CLIENT_IP/32
+EOF
+
+echo "Added peer $PEER to $CONF"
+
+# Apply live without restart
+wg set wg0 peer "$CLIENT_PUBLIC_KEY" allowed-ips "$CLIENT_IP/32"
+
+echo "Peer added live to WireGuard"
+
--- a/wireguard/wg0-client.conf.template
+++ b/wireguard/wg0-client.conf.template
@ -0,0 +1,14 @@
+# wg0-client.conf.template
+# Copy, rename, and fill in keys for a new client
+
+[Interface]
+PrivateKey = <CLIENT_PRIVATE_KEY>
+Address = 10.20.0.X/32
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = <SERVER_PUBLIC_KEY>
+Endpoint = <SERVER_PUBLIC_IP>:51820
+AllowedIPs = 10.20.0.0/24
+PersistentKeepalive = 25
+