diff --git a/alpine/alpine-secure.sh b/alpine/alpine-secure.sh
index 8b11446..8cf16a2 100644
--- a/alpine/alpine-secure.sh
+++ b/alpine/alpine-secure.sh
@@ -21,21 +21,42 @@ echo "$USERNAME:*" | chpasswd
 echo "Configuring WireGuard..."
-WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
-WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1)
+
+if [[ -z "$CLIENT_IP" ]] || [[ -z "$SERVER_IP" ]] || [[ -z "$PREFIXLEN" ]]; then
+ SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+ CLIENT_IP="$SUB_START::2"
+ SERVER_IP="$SUB_START::1"
+ PREFIXLEN=64
+fi
+
+if [[ "$CLIENT_IP" == *"."* ]]; then
+ HOST_MASK=32
+else
+ HOST_MASK=128
+fi
+
+CLIENT_IP=$(echo "$CLIENT_IP" | cut -d"/" -f1)
+SERVER_IP=$(echo "$SERVER_IP" | cut -d"/" -f1)
+
+WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
+WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}
+
 WG_LOCAL_PRIVKEY=$(wg genkey)
-WG_LOCAL_PUBKEY=$(echo $WG_LOCAL_PRIVKEY | wg pubkey)
+WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
+
 cat < /etc/wireguard/vmh-ssh-vpn.conf
 [Interface]
 ListenPort = $WG_LISTEN_PORT
 PrivateKey = $WG_LOCAL_PRIVKEY
-Address = $WG_SUBNET::1/64
+Address = $SERVER_IP/$PREFIXLEN
 [Peer]
 PublicKey = $WIREGUARD_PUBKEY
-AllowedIPs = $WG_SUBNET::2/128
+PresharedKey = $WG_PRESHARED_KEY
+AllowedIPs = $CLIENT_IP/$HOST_MASK
 EOF
+chmod -R 700 /etc/wireguard
 ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.vmh-ssh-vpn
 rc-update add wg-quick.vmh-ssh-vpn
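Review bot: `WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}` swaps the previous `shuf` call for `jot`, a BSD utility that as far as I know neither BusyBox nor Alpine's coreutils provide, so on the Alpine target the substitution is likely to come back empty and leave an invalid `ListenPort =` line in the generated WireGuard config. Keeping the fallback on the original tool, `WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(shuf -i 49152-65535 -n 1)}`, avoids that since BusyBox ships shuf. The new `[[ -z "$CLIENT_IP" ]]` tests also read CLIENT_IP, SERVER_IP and PREFIXLEN before anything guarantees they exist, so if the script header (outside this hunk) enables `set -u` they abort; `${CLIENT_IP:-}` is the safe spelling. The HOST_MASK branch derives the mask from CLIENT_IP alone yet the value is later applied to SERVER_IP as well, which is wrong if the two addresses are of different families; a comment such as `# HOST_MASK assumes CLIENT_IP and SERVER_IP share an address family` would at least make that assumption visible.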
@@ -50,14 +71,13 @@ chown $USERNAME:$USERNAME /home/$USERNAME/.ssh/authorized_keys
 chmod 600 /home/$USERNAME/.ssh/authorized_keys
 chmod 700 /home/$USERNAME/.ssh
-mkdir -p /etc/ssh/sshd_config.d
-cat < /etc/ssh/sshd_config.d/10-vmh_ssh.conf
+cat < /etc/ssh/sshd_config.d/10-vmh-ssh.conf
 X11Forwarding no
 PasswordAuthentication no
 PubkeyAuthentication yes
 PermitRootLogin no
-ListenAddress $WG_SUBNET::1
+ListenAddress $SERVER_IP
 EOF
 echo 'rc_need="wg-quick.vmh-ssh-vpn"' >> /etc/conf.d/sshd
@@ -81,17 +101,18 @@ echo "1. Install the WireGuard config (fill in the gaps)"
 echo
 echo "[Interface]"
 echo "PrivateKey = ..."
-echo "Address = $WG_SUBNET::2/64"
+echo "Address = $CLIENT_IP/$PREFIXLEN"
 echo "[Peer]"
 echo "Endpoint = ...:$WG_LISTEN_PORT"
 echo "PublicKey = $WG_LOCAL_PUBKEY"
-echo "AllowedIPs = $WG_SUBNET::1/128"
+echo "PresharedKey = $WG_PRESHARED_KEY"
+echo "AllowedIPs = $SERVER_IP/$HOST_MASK"
 echo
 echo "2. Use this command to connect"
 echo
-echo "ssh $USERNAME@$WG_SUBNET::1"
+echo "ssh $USERNAME@$SERVER_IP"
 echo
 echo "NOTICE:"
-echo "If you need to change the port or other VPN settings, do it NOW. Edit /etc/wireguard/vmh-ssh-vpn.conf"
+echo "If you need to change the port or other VPN settings, do it NOW. /etc/wireguard/vmh-ssh-vpn.conf"
\ No newline at end of file
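Review bot: Removing `mkdir -p /etc/ssh/sshd_config.d` leaves the `cat` redirect into `/etc/ssh/sshd_config.d/10-vmh-ssh.conf` depending on that directory already existing; unless the openssh package on the target is known to create it, the write fails and, depending on the error settings in the script header (outside this hunk), either aborts the run or silently leaves sshd without the ListenAddress restriction that pins it to the VPN address. Restoring `mkdir -p /etc/ssh/sshd_config.d` immediately before the heredoc costs nothing. Renaming the drop-in from `10-vmh_ssh.conf` to `10-vmh-ssh.conf` also means a host set up by the previous version keeps the old file with a stale `ListenAddress`, so a re-run would leave two conflicting drop-ins; if re-runs are expected, `rm -f /etc/ssh/sshd_config.d/10-vmh_ssh.conf` before writing the new one is worth adding.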
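Review bot: The rewritten NOTICE line drops its verb, so `do it NOW. /etc/wireguard/vmh-ssh-vpn.conf` no longer tells the operator what to do with the path; `do it NOW by editing /etc/wireguard/vmh-ssh-vpn.conf` reads as intended. The printed client-side `AllowedIPs = $SERVER_IP/$HOST_MASK` reuses a mask that earlier in the script is chosen from CLIENT_IP's address family only, so an IPv4 client address paired with an IPv6 server address (or vice versa) yields a wrong peer line here; deriving a separate mask from SERVER_IP, or stating the same-family assumption in this usage text, would close that gap. This block also now echoes the preshared key next to the public key, which is consistent with the rest of the output, but a closing `echo "Treat the PresharedKey and PrivateKey above as secrets"` would remind the operator that the two are not interchangeable with the public values.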