Update alpine/alpine-secure.sh

Minecon724 2025-08-09 20:25:59 +02:00
commit 6a8f140a89


@ -21,21 +21,42 @@ echo "$USERNAME:*" | chpasswd
echo "Configuring WireGuard..."
WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1)
if [[ -z "$CLIENT_IP" ]] || [[ -z "$SERVER_IP" ]] || [[ -z "$PREFIXLEN" ]]; then
SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
CLIENT_IP="$SUB_START::2"
SERVER_IP="$SUB_START::1"
PREFIXLEN=64
fi
if [[ "$CLIENT_IP" == *"."* ]]; then
HOST_MASK=32
else
HOST_MASK=128
fi
CLIENT_IP=$(echo "$CLIENT_IP" | cut -d"/" -f1)
SERVER_IP=$(echo "$SERVER_IP" | cut -d"/" -f1)
WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}
WG_LOCAL_PRIVKEY=$(wg genkey)
WG_LOCAL_PUBKEY=$(echo $WG_LOCAL_PRIVKEY | wg pubkey)
WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf
[Interface]
ListenPort = $WG_LISTEN_PORT
PrivateKey = $WG_LOCAL_PRIVKEY
Address = $WG_SUBNET::1/64
Address = $SERVER_IP/$PREFIXLEN
[Peer]
PublicKey = $WIREGUARD_PUBKEY
AllowedIPs = $WG_SUBNET::2/128
PresharedKey = $WG_PRESHARED_KEY
AllowedIPs = $CLIENT_IP/$HOST_MASK
EOF
chmod -R 700 /etc/wireguard
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.vmh-ssh-vpn
rc-update add wg-quick.vmh-ssh-vpn
@ -50,14 +71,13 @@ chown $USERNAME:$USERNAME /home/$USERNAME/.ssh/authorized_keys
chmod 600 /home/$USERNAME/.ssh/authorized_keys
chmod 700 /home/$USERNAME/.ssh
mkdir -p /etc/ssh/sshd_config.d
cat <<EOF > /etc/ssh/sshd_config.d/10-vmh_ssh.conf
cat <<EOF > /etc/ssh/sshd_config.d/10-vmh-ssh.conf
X11Forwarding no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
ListenAddress $WG_SUBNET::1
ListenAddress $SERVER_IP
EOF
echo 'rc_need="wg-quick.vmh-ssh-vpn"' >> /etc/conf.d/sshd
@ -81,17 +101,18 @@ echo "1. Install the WireGuard config (fill in the gaps)"
echo
echo "[Interface]"
echo "PrivateKey = ..."
echo "Address = $WG_SUBNET::2/64"
echo "Address = $CLIENT_IP/$PREFIXLEN"
echo "[Peer]"
echo "Endpoint = ...:$WG_LISTEN_PORT"
echo "PublicKey = $WG_LOCAL_PUBKEY"
echo "AllowedIPs = $WG_SUBNET::1/128"
echo "PresharedKey = $WG_PRESHARED_KEY"
echo "AllowedIPs = $SERVER_IP/$HOST_MASK"
echo
echo "2. Use this command to connect"
echo
echo "ssh $USERNAME@$WG_SUBNET::1"
echo "ssh $USERNAME@$SERVER_IP"
echo
echo "NOTICE:"
echo "If you need to change the port or other VPN settings, do it NOW. Edit /etc/wireguard/vmh-ssh-vpn.conf"
echo "If you need to change the port or other VPN settings, do it NOW. /etc/wireguard/vmh-ssh-vpn.conf"
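Review bot: `WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}` in the first hunk swaps the earlier `shuf` fallback for `jot`, a BSD utility that an Alpine host is unlikely to provide, so when no port is supplied the substitution most likely yields an empty value and the generated `ListenPort =` line is invalid; `WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(shuf -i 49152-65535 -n 1)}` keeps the fallback on a tool busybox ships. The new `PresharedKey = $WG_PRESHARED_KEY` line adds a second secret to a file the heredoc creates under the process umask and that only the later `chmod -R 700` tightens, so placing `umask 077` on the line before `cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf` avoids the key material ever existing with default permissions (and `chmod 600` on the file itself is the more conventional mode for a config holding keys). CLIENT_IP, SERVER_IP and PREFIXLEN appear to arrive from the environment and are interpolated unvalidated into both the WireGuard config and sshd's `ListenAddress` in the second hunk, so a malformed value only shows up as a service failing to start; a guard such as `[[ "$PREFIXLEN" =~ ^[0-9]+$ ]] || exit 1` next to the existing emptiness check would surface that early. In the last hunk the rewritten notice line lost its verb and now reads as a fragment, `do it NOW. /etc/wireguard/vmh-ssh-vpn.conf`; `do it NOW by editing /etc/wireguard/vmh-ssh-vpn.conf` keeps the instruction intact.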