welsberr
/
VHostLoom
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added more files/scripts for Wireguard usage, modified others.

This commit is contained in:
Wesley R. Elsberry 2025-11-20 09:01:42 -05:00
parent 9615716240
commit c609104708
5 changed files with 98 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
firewall/detect-wan.sh Normal file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# Detects the most likely WAN interface and prints it
# Look for interface with default route
WAN_IF=$(ip route | awk '/default/ {print $5}' | head -n 1)
if [ -z "$WAN_IF" ]; then
echo "Could not detect WAN interface." >&2
exit 1
fi
echo "$WAN_IF"

1
firewall/nftables.conf.example
View File

@ -11,6 +11,7 @@ flush ruleset
# Adjust these to match your system # Adjust these to match your system
# #
define wan_if = "eno1" # WAN interface (optional use; mainly for clarity) define wan_if = "eno1" # WAN interface (optional use; mainly for clarity)
# define wan_if = "$(bash /path/to/detect-wan.sh)"
define vpn_if_pref = "zt+" # ZeroTier interfaces start with "zt" define vpn_if_pref = "zt+" # ZeroTier interfaces start with "zt"
define wg_if = "wg0" define wg_if = "wg0"
# define lan_if = "br0" # If you later want LAN-specific rules # define lan_if = "br0" # If you later want LAN-specific rules

1
firewall/nftables.wireguard.conf.example
View File

@ -13,6 +13,7 @@ flush ruleset
# Adjust to your actual interfaces # Adjust to your actual interfaces
define wan_if = "eno1" # WAN interface name define wan_if = "eno1" # WAN interface name
# define wan_if = "$(bash /path/to/detect-wan.sh)"
define wg_if = "wg0" # WireGuard interface name define wg_if = "wg0" # WireGuard interface name
define wg_port = 51820 # WireGuard UDP port define wg_port = 51820 # WireGuard UDP port

69
wireguard/gen-wg-peer.sh Normal file
View File

@ -0,0 +1,69 @@
#!/bin/bash
# Generate a WireGuard peer config and update wg0.conf automatically.
set -e
if [ -z "$1" ]; then
echo "Usage: $0 <peername>"
exit 1
fi
PEER=$1
WG_DIR="/etc/wireguard"
VPN_NET="10.20.0"
CONF="$WG_DIR/wg0.conf"
# Find next free IP
USED_IPS=$(grep AllowedIPs "$CONF" | awk -F'[ ./]' '{print $7}')
FREE_IP=$(comm -23 \
<(seq 2 254 | sort) \
<(printf "%s\n" $USED_IPS | sort) \
| head -n 1)
if [ -z "$FREE_IP" ]; then
echo "No free VPN IPs left" >&2
exit 1
fi
CLIENT_IP="10.20.0.$FREE_IP"
# Generate client keypair
wg genkey | tee "$PEER.key" | wg pubkey > "$PEER.pub"
CLIENT_PRIVATE_KEY=$(cat "$PEER.key")
CLIENT_PUBLIC_KEY=$(cat "$PEER.pub")
# Server public key
SERVER_PUBLIC_KEY=$(wg show wg0 public-key)
# Generate client config
cat > "$PEER.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVATE_KEY
Address = $CLIENT_IP/32
DNS = 1.1.1.1
[Peer]
PublicKey = $SERVER_PUBLIC_KEY
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 10.20.0.0/24
PersistentKeepalive = 25
EOF
echo "Client config written to $PEER.conf"
# Add to server config
cat >> "$CONF" <<EOF
# Peer: $PEER
[Peer]
PublicKey = $CLIENT_PUBLIC_KEY
AllowedIPs = $CLIENT_IP/32
EOF
echo "Added peer $PEER to $CONF"
# Apply live without restart
wg set wg0 peer "$CLIENT_PUBLIC_KEY" allowed-ips "$CLIENT_IP/32"
echo "Peer added live to WireGuard"

14
wireguard/wg0-client.conf.template Normal file
View File

@ -0,0 +1,14 @@
# wg0-client.conf.template
# Copy, rename, and fill in keys for a new client
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.20.0.X/32
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 10.20.0.0/24
PersistentKeepalive = 25