diff --git a/freebsd/freebsd-secure.sh b/freebsd/freebsd-secure.sh
index 100ec8a..1eba70d 100644
--- a/freebsd/freebsd-secure.sh
+++ b/freebsd/freebsd-secure.sh
@@ -18,8 +18,22 @@ pw useradd -n "$USERNAME" -m -s /usr/local/bin/bash -w no
 # --- WireGuard setup ---
 echo "Configuring WireGuard..."
-WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
-WG_LISTEN_PORT=$(jot -r 1 49152 65535)
+if [ -z "$WG_CLIENT_IP" ] || [ -z "$WG_SERVER_IP" ]; then
+ SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+ WG_CLIENT_IP="$SUB_START::2"
+ WG_SERVER_IP="$SUB_START::1"
+ SUBNET_MASK=64
+fi
+
+if [ "$WG_CLIENT_IP" == *"."* ]; then
+ HOST_MASK=32
+else
+ HOST_MASK=128
+fi
+
+WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
+WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}
+
 WG_LOCAL_PRIVKEY=$(wg genkey)
 WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
@@ -29,11 +43,12 @@ cat < /usr/local/etc/wireguard/vmh-ssh-vpn.conf
 [Interface]
 ListenPort = $WG_LISTEN_PORT
 PrivateKey = $WG_LOCAL_PRIVKEY
-Address = $WG_SUBNET::1/64
+Address = $WG_SERVER_IP/$SUBNET_MASK
 [Peer]
 PublicKey = $WIREGUARD_PUBKEY
-AllowedIPs = $WG_SUBNET::2/128
+PresharedKey = $WG_PRESHARED_KEY
+AllowedIPs = $WG_CLIENT_SUBNET/$HOST_MASK
 EOF
 chmod 600 /usr/local/etc/wireguard/vmh-ssh-vpn.conf
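Review bot: `[ "$WG_CLIENT_IP" == *"."* ]` does not pattern-match inside `[`: the unquoted `*"."*` is glob-expanded against the current directory and whatever remains is compared as a literal string, so HOST_MASK is effectively always 128 and an IPv4 client supplied via WG_CLIENT_IP ends up with an invalid /128 in both AllowedIPs lines. SUBNET_MASK is also assigned only in the random-address branch, so when WG_CLIENT_IP and WG_SERVER_IP come from the environment the `Address =` line is written as `$WG_SERVER_IP/` with no prefix length. I would replace the test with `case "$WG_CLIENT_IP" in *.*) HOST_MASK=32 ;; *) HOST_MASK=128 ;; esac` and add `: "${SUBNET_MASK:?set SUBNET_MASK when supplying WG_CLIENT_IP and WG_SERVER_IP}"` after the first `fi`. Since these environment-supplied values are written verbatim into the tunnel and sshd configuration, a minimal sanity check before use (rejecting values containing whitespace or `/`, for instance) would also be prudent.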
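Review bot: `AllowedIPs = $WG_CLIENT_SUBNET/$HOST_MASK` references WG_CLIENT_SUBNET, which nothing in this change assigns — the setup hunk defines WG_CLIENT_IP — so the peer entry is rendered as `AllowedIPs = /128` and wg-quick will refuse the file. AllowedIPs is the cryptokey-routing allow-list that bounds which source addresses this peer may use, so it should name the single client address: `AllowedIPs = $WG_CLIENT_IP/$HOST_MASK`. If the script does not already run with `set -u` (its header is outside the hunk), enabling it would have surfaced this typo at provisioning time rather than at tunnel start.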
@@ -54,27 +69,19 @@ chmod 700 /home/"$USERNAME"/.ssh
 chmod 600 /home/"$USERNAME"/.ssh/authorized_keys
 chown -R "$USERNAME":"$USERNAME" /home/"$USERNAME"/.ssh
-cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+mkdir /etc/ssh/sshd_config.d
-set_sshd_config() {
- local key="$1"
- local value="$2"
- if grep -q "^${key}" /etc/ssh/sshd_config; then
- # Replace existing line
- sed -i '' "s/^${key}.*/${key} ${value}/" /etc/ssh/sshd_config
- else
- # Add new line if not found
- echo "${key} ${value}" >> /etc/ssh/sshd_config
- fi
-}
+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
-sed -i '' '/^ListenAddress/d' /etc/ssh/sshd_config
-echo "ListenAddress $WG_SUBNET::1" >> /etc/ssh/sshd_config
+cat < /etc/ssh/sshd_config.d/10-vmh-ssh.conf
+X11Forwarding no
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin no
+
+ListenAddress $WG_SERVER_IP
+EOF
-set_sshd_config "X11Forwarding" "no"
-set_sshd_config "PasswordAuthentication" "no"
-set_sshd_config "PubkeyAuthentication" "yes"
-set_sshd_config "PermitRootLogin" "no"
 service sshd restart
@@ -99,17 +106,18 @@ echo "1. Install the WireGuard config (fill in the gaps)"
 echo
 echo "[Interface]"
 echo "PrivateKey = ..."
-echo "Address = $WG_SUBNET::2/64"
+echo "Address = $WG_CLIENT_IP/$SUBNET_MASK"
 echo "[Peer]"
 echo "Endpoint = ...:$WG_LISTEN_PORT"
 echo "PublicKey = $WG_LOCAL_PUBKEY"
-echo "AllowedIPs = $WG_SUBNET::1/128"
+echo "PresharedKey = $WG_PRESHARED_KEY"
+echo "AllowedIPs = $WG_SERVER_IP/$HOST_MASK"
 echo
 echo "2. Use this command to connect"
 echo
-echo "ssh $USERNAME@$WG_SUBNET::1"
+echo "ssh $USERNAME@$WG_SERVER_IP"
 echo
 echo "NOTICE:"
-echo "If you need to change the port or other VPN settings, do it NOW. Edit /usr/local/etc/wireguard/vmh-ssh-vpn.conf"
+echo "If you need to change the port or other VPN settings, do it NOW. /usr/local/etc/wireguard/vmh-ssh-vpn.conf"
\ No newline at end of file
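Review bot: The Include is appended at the end of sshd_config and the removal of existing `ListenAddress` lines is dropped, which weakens what the old in-place edits guaranteed: sshd keeps the first value it reads for a single-valued keyword and treats ListenAddress as cumulative, so a pre-existing `PasswordAuthentication yes` or `PermitRootLogin yes` silently overrides the drop-in, and any ListenAddress already in sshd_config keeps sshd reachable outside the tunnel. Placing the Include at the top of the file, keeping the `sed` deletion, and guarding the append so a re-run does not add duplicate lines restores that; `mkdir` without `-p` likewise aborts a re-run once the directory exists. Because the new ListenAddress is a WireGuard address, I would also run `sshd -t` before `service sshd restart` and only restart once the interface actually holds that address, since a bind failure at restart leaves no sshd listening at all.
```shell
mkdir -p /etc/ssh/sshd_config.d
# Drop-ins must come first: sshd keeps the first value it sees for a keyword,
# and ListenAddress accumulates, so strip old ones and prepend the Include.
sed -i '' '/^ListenAddress/d' /etc/ssh/sshd_config
if ! grep -q '^Include /etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config; then
  printf 'Include /etc/ssh/sshd_config.d/*.conf\n' | cat - /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
  mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
fi
# … unchanged: 10-vmh-ssh.conf here-doc …
sshd -t || { echo "sshd configuration invalid; not restarting" >&2; exit 1; }
service sshd restart
```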
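Review bot: The NOTICE line lost its verb when "Edit" was removed, so the final instruction now reads `do it NOW. /usr/local/etc/wireguard/vmh-ssh-vpn.conf`; restore it as `echo "If you need to change the port or other VPN settings, do it NOW. Edit /usr/local/etc/wireguard/vmh-ssh-vpn.conf"`. The preshared key is now printed to the console next to the public parameters; it is a shared secret, so the NOTICE could add that the provisioning output should not be kept in logs or pasted into shared channels. The client's `AllowedIPs` also borrows HOST_MASK, which is derived from the client address family, so a mixed-family pair supplied by the operator would get a mask that does not fit WG_SERVER_IP — probably worth documenting as unsupported rather than handling. The file also ends without a trailing newline.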