diff --git a/depends b/depends
index 015b40de25265af51c4c9edd566e63e2697e386f..a8271340d85683b0f310c85b776a4fe8f277c608 100644
--- a/depends
+++ b/depends
@@ -17,5 +17,4 @@ file
 git
 lsmod:kmod
 bc
-wg:wireguard-tools
 unzip
\ No newline at end of file
diff --git a/packages b/packages
index 78336da61023adff14545ce08aa92a6b0eb31b0f..6e2a0529662ddcb3858f8333ea937cf4d897e5dc 100644
--- a/packages
+++ b/packages
@@ -19,7 +19,6 @@ rsync
 udev
 unzip
 vim
-wireguard-tools
 xxd
 xz-utils
 zerofree
diff --git a/stage6-core/02-wireguard/01-run.sh b/stage6-core/02-wireguard/01-run.sh
index 10060c7a6475ee116c68030525fbd5ab6fa76951..36fa92c1c7a393ae15583bc81eb3439eb0e747fb 100755
--- a/stage6-core/02-wireguard/01-run.sh
+++ b/stage6-core/02-wireguard/01-run.sh
@@ -24,28 +24,22 @@ then
 server_private_key=$(cat "$WG_SERVER_KEY") # the keys are base64 encoded, padded with =
 server_public_key=$(wg pubkey <<< "$server_private_key")
 echo "$server_public_key" > "${DEPLOY_DIR}/${IMG_FILENAME}-server_public.key"
+ sed -i "s&server_private_key&${server_private_key}&g" "${ROOTFS_DIR}/etc/wireguard/wg0.conf"
+ sed -i "s&server_public_key&${server_public_key}&g" "${ROOTFS_DIR}/etc/wireguard/peer.conf"
 else
- log "Creating server's Wireguard key pair" # The server's private key is generated on the build computer
- server_private_key=$(wg genkey) # the keys are base64 encoded, padded with =
- server_public_key=$(wg pubkey <<< "$server_private_key")
- echo "$server_public_key" > "${DEPLOY_DIR}/${IMG_FILENAME}-server_public.key"
-fi
-
-if [[ -z "$ROUTER_IP" ]]
-then
- WIREGUARD_DNS="192.168.0.1"
- log "No Router IP specified, assuming 192.168.0.1"
-else
- WIREGUARD_DNS="${ROUTER_IP}"
+ log "Will create server's Wireguard key pair on first startup"
 fi
-
-sed -i "s&server_private_key&${server_private_key}&g" "${ROOTFS_DIR}/etc/wireguard/wg0.conf"
-sed -i "s&replace_with_router_ip&${WIREGUARD_DNS}&g" "${ROOTFS_DIR}/etc/wireguard/wg0.conf"
+install -m 644 files/server/wg-init.service "${ROOTFS_DIR}/etc/systemd/system/wg-init.service"
+install -m 700 -o 0 files/server/init-server.sh "${ROOTFS_DIR}/etc/wireguard/init-server.sh"
+on_chroot << EOF
+ systemctl enable wg-init
+EOF
 sed -i "s&server_ip&${DEVICE_DNS}&g" "${ROOTFS_DIR}/etc/wireguard/peer.conf"
-sed -i "s&server_public_key&${server_public_key}&g" "${ROOTFS_DIR}/etc/wireguard/peer.conf"
+
 ###########################################################################################################
 # Client config #
 ###########################################################################################################
+user_id="1"
 if test -f "$WG_CLIENTS"
 then
 # Set the needed variables
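Review bot: The retained context line `server_public_key=$(wg pubkey <<< "$server_private_key")` still runs `wg` on the build host whenever `$WG_SERVER_KEY` is supplied, yet the `depends` hunk at the top of this diff removes `wg:wireguard-tools`, so that branch will fail on a host without the tool; either keep the dependency or fail early with `command -v wg >/dev/null || { log "wg is required when WG_SERVER_KEY is set"; exit 1; }`. The `packages` hunk likewise drops `wireguard-tools` from the image list while the `init-server.sh` installed on the added lines runs `wg genkey` and `wg-quick` on the device, so unless the 02-wireguard stage installs that package itself (not visible here) the first-boot key generation cannot work. The added `systemctl enable wg-init` also carries no ordering relative to a `wg-quick@wg0` unit, if this script enables one outside the hunk. The `if`/`else` that the first lines of this hunk sit inside opens before the hunk.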
@@ -53,23 +47,6 @@ then
 user_id=$(grep '\[Peer\]' "$WG_CLIENTS" | wc -l | awk '{ print 1+$1 }')
 # Update the server's conf
 cat "$WG_CLIENTS" >> "${ROOTFS_DIR}/etc/wireguard/wg0.conf"
-else
- log "Creating new client for Wireguard"
- # Set the needed variables
- user_id=$(awk '{ print 1+$1 }' "${ROOTFS_DIR}/etc/wireguard/counter_file")
- client_private_key=$(wg genkey) # the keys are base64 encoded, padded with =
- client_public_key=$(wg pubkey <<< "$client_private_key")
- # Generate the client configuration
- install -m 600 files/full-tunnel/peer.conf "${DEPLOY_DIR}/${IMG_FILENAME}-peer.conf"
- sed -i "s&client_private_key&${client_private_key}&g" "${DEPLOY_DIR}/${IMG_FILENAME}-peer.conf"
- sed -i "s&server_public_key&${server_public_key}&g" "${DEPLOY_DIR}/${IMG_FILENAME}-peer.conf"
- sed -i "s&user_id&${user_id}&g" "${DEPLOY_DIR}/${IMG_FILENAME}-peer.conf"
- sed -i "s&server_ip&${DEVICE_DNS}&g" "${DEPLOY_DIR}/${IMG_FILENAME}-peer.conf"
- # Update the server's conf
- cat files/full-tunnel/peer-fragment.conf | \
- sed "s&client_public_key&${client_public_key}&g" | \
- sed "s&user_id&${user_id}&g" >> "${ROOTFS_DIR}/etc/wireguard/wg0.conf"
 fi
 printf "%s" "$user_id" > "${ROOTFS_DIR}/etc/wireguard/counter_file"
-
diff --git a/stage6-core/02-wireguard/files/full-tunnel/peer.conf b/stage6-core/02-wireguard/files/full-tunnel/peer.conf
index ed5cec063474a322362bbaf8eb7e9cde82a56485..b8b05aee37187c18e4ce839db59c6ef6720a5147 100644
--- a/stage6-core/02-wireguard/files/full-tunnel/peer.conf
+++ b/stage6-core/02-wireguard/files/full-tunnel/peer.conf
@@ -1,6 +1,7 @@
 [Interface]
 Address = 10.243.243.user_id/32
 PrivateKey = client_private_key
+DNS = 10.243.243.1
 [Peer]
 PublicKey = server_public_key
diff --git a/stage6-core/02-wireguard/files/server/init-server.sh b/stage6-core/02-wireguard/files/server/init-server.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6ba340ccf53a0a12d4be4406aa9f13280aac3601
--- /dev/null
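Review bot: `DNS = 10.243.243.1` points every client's resolver at the server's own wg0 address, but nothing in this diff installs or binds a resolver there, and the previous design handed the DNS setting to the router (`replace_with_router_ip`, removed from the server's `wg0.conf` further down), so clients may lose name resolution unless a DNS service listening on 10.243.243.1 exists elsewhere in the image (not visible here). If such a service exists, a comment in `peer.conf` such as `# DNS is served by the WireGuard server on its tunnel address` would record the dependency; if not, the router-IP substitution should be carried over to the client template instead. The literal also repeats the subnet from `Address = 10.243.243.1/24` in `wg0.conf` by hand, so a later change to the tunnel range must be made in both files.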
+++ b/stage6-core/02-wireguard/files/server/init-server.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+server_private_key=$(wg genkey) # the keys are base64 encoded, padded with =
+server_public_key=$(wg pubkey <<< "$server_private_key")
+
+sed -i "s&server_public_key&${server_public_key}&g" "/etc/wireguard/peer.conf"
+sed -i "s&server_private_key&${server_private_key}&g" "/etc/wireguard/wg0.conf"
+
+wg-quick up wg0
+
+systemctl disable wg-init
\ No newline at end of file
diff --git a/stage6-core/02-wireguard/files/server/wg-init.service b/stage6-core/02-wireguard/files/server/wg-init.service
new file mode 100644
index 0000000000000000000000000000000000000000..85b6045bdce5c28fef9e6f1e21df16ef53b0fd8d
--- /dev/null
+++ b/stage6-core/02-wireguard/files/server/wg-init.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Creates Wireguard Keys on First Startup
+
+[Service]
+ExecStart=/etc/wireguard/init-server.sh
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/stage6-core/02-wireguard/files/server/wg0.conf b/stage6-core/02-wireguard/files/server/wg0.conf
index be063d559d5a85b6afabb3ea24deff65fdd0239e..24ba375804542f69d786ef3ef12d6e197fd4b6c9 100644
--- a/stage6-core/02-wireguard/files/server/wg0.conf
+++ b/stage6-core/02-wireguard/files/server/wg0.conf
@@ -1,7 +1,6 @@
 [Interface]
 Address = 10.243.243.1/24
 ListenPort = 51820
-DNS = replace_with_router_ip
 PrivateKey = server_private_key
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
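Review bot: `systemctl disable wg-init` on the last line runs unconditionally, so if `wg genkey` or `wg-quick up wg0` fails on first boot (for instance because `wireguard-tools` is dropped from `packages` earlier in this diff) the unit disables itself and the device is left with an empty `PrivateKey =` and no retry; add `set -euo pipefail` after the shebang so the oneshot unit fails and, still being enabled, runs again on the next boot. `sed -i` rewrites the file but carries the original mode over, so the private key inherits whatever mode the `wg0.conf` template was given at build time (not visible here); put `chmod 600 /etc/wireguard/wg0.conf` before the substitution. `wg-quick up wg0` brings the tunnel up for this boot only, so unless a `wg-quick@wg0` unit is enabled elsewhere in the image, `systemctl enable --now wg-quick@wg0` is the line that makes the tunnel survive a reboot. A header comment stating that this script is run once by `wg-init.service` as root and replaces the placeholders left by the build would help the next reader.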
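Review bot: The unit declares only `WantedBy=multi-user.target` and no ordering, so if a `wg-quick@wg0.service` is enabled elsewhere in the image (not visible in this diff) it can start before `init-server.sh` has replaced the placeholders in `wg0.conf` and fail on first boot; add `Before=wg-quick@wg0.service` to `[Unit]`, and `After=systemd-random-seed.service` so key generation is ordered after the seed is restored. The self-disable in the script could be replaced by a declarative guard in the unit, e.g. `ConditionPathExists=!/etc/wireguard/.initialized` (illustrative name) with the script creating that file on success, which keeps the enable state stable and makes the run-once intent visible where the unit is read. `Type=oneshot` without `RemainAfterExit=yes` is fine here since nothing depends on the unit staying active.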