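#!/bin/sh
# Bootstrap a FreeBSD host so an admin user can reach sshd only through a
# WireGuard tunnel: install packages, create the user, generate the WireGuard
# server config, bind sshd to the tunnel address and grant the user sudo.
#
# Settings are read from ./variables (sourced below):
#   USERNAME          (required) login name to create
#   MY_SSH_KEY        (required) public key written to authorized_keys
#   WIREGUARD_PUBKEY  (required) the client's WireGuard public key
#   CLIENT_IP, SERVER_IP, PREFIXLEN
#                     (optional) tunnel addressing; a random "fc.."::/64 is
#                     generated when any of the three is empty
#   WG_LISTEN_PORT    (optional) defaults to a random port in 49152-65535
#   WG_PRESHARED_KEY  (optional) defaults to a freshly generated PSK
#
# Runs as root. Written for POSIX sh (no bashisms).

set -e

. ./variables

# Fail early on a missing required setting: an empty USERNAME would yield an
# unusable sudoers entry, and an empty key or pubkey would lock the user out
# once sshd is bound to the tunnel address.
: "${USERNAME:?USERNAME must be set in ./variables}"
: "${MY_SSH_KEY:?MY_SSH_KEY must be set in ./variables}"
: "${WIREGUARD_PUBKEY:?WIREGUARD_PUBKEY must be set in ./variables}"

readonly WG_CONF=/usr/local/etc/wireguard/vmh-ssh-vpn.conf
readonly SSHD_DROPIN=/etc/ssh/sshd_config.d/10-vmh-ssh.conf
readonly SUDOERS_FILE=/usr/local/etc/sudoers.d/99-vmh-newuser
readonly USER_HOME="/home/$USERNAME"

# --- Pre-flight package installation ---
echo "Installing dependencies... Please stay for a second, you will confirm the install"
pkg update
# bash provides /usr/local/bin/bash, the login shell assigned to the user
# below; without it the account could not log in.
pkg install sudo wireguard-tools bash

# --- User setup ---
echo "Setting up user..."

# -w no: no password is set, so the account is reachable by SSH key only.
pw useradd -n "$USERNAME" -m -s /usr/local/bin/bash -w no

# --- WireGuard setup ---
echo "Configuring WireGuard..."

# Generate a random IPv6 /64 unless the caller supplied full addressing.
if [ -z "$CLIENT_IP" ] || [ -z "$SERVER_IP" ] || [ -z "$PREFIXLEN" ]; then
  SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
  CLIENT_IP="$SUB_START::2"
  SERVER_IP="$SUB_START::1"
  PREFIXLEN=64
fi

# Strip any /prefix the caller included; the prefix is carried in PREFIXLEN.
CLIENT_IP=${CLIENT_IP%%/*}
SERVER_IP=${SERVER_IP%%/*}

# Host-route length for AllowedIPs: /32 for IPv4, /128 for IPv6.
# A case pattern is used because '[ "$x" == *"."* ]' does not glob-match in
# sh (and the unquoted '*' globs against the cwd), so it always chose 128.
case "$CLIENT_IP" in
  *.*) HOST_MASK=32 ;;
  *) HOST_MASK=128 ;;
esac

WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}

WG_LOCAL_PRIVKEY=$(wg genkey)
WG_LOCAL_PUBKEY=$(printf '%s\n' "$WG_LOCAL_PRIVKEY" | wg pubkey)

mkdir -p /usr/local/etc/wireguard

# Write the config under umask 077 so the private key is never exposed via a
# default-umask file between creation and the chmod below.
(
  umask 077
  cat <<EOF > "$WG_CONF"
[Interface]
ListenPort = $WG_LISTEN_PORT
PrivateKey = $WG_LOCAL_PRIVKEY
Address = $SERVER_IP/$PREFIXLEN

[Peer]
PublicKey = $WIREGUARD_PUBKEY
PresharedKey = $WG_PRESHARED_KEY
AllowedIPs = $CLIENT_IP/$HOST_MASK
EOF
)
chmod 600 "$WG_CONF"

sysrc wireguard_enable="YES"
sysrc wireguard_interfaces="vmh-ssh-vpn"

service wireguard start vmh-ssh-vpn

# --- SSH setup ---
echo "Configuring ssh..."

mkdir -p "$USER_HOME/.ssh"
# printf rather than echo: a key value starting with '-' or containing
# backslashes must be written verbatim.
printf '%s\n' "$MY_SSH_KEY" > "$USER_HOME/.ssh/authorized_keys"

chmod 700 "$USER_HOME/.ssh"
chmod 600 "$USER_HOME/.ssh/authorized_keys"
chown -R "$USERNAME":"$USERNAME" "$USER_HOME/.ssh"

# -p: a pre-existing directory must not abort the script under set -e.
mkdir -p /etc/ssh/sshd_config.d

# Append the Include only once so a re-run does not duplicate it.
# NOTE: sshd keeps the first value it sees for a keyword, so any directive
# already set (uncommented) in sshd_config above this Include still wins over
# the drop-in written below.
include_line='Include /etc/ssh/sshd_config.d/*.conf'
grep -qF -- "$include_line" /etc/ssh/sshd_config \
  || printf '%s\n' "$include_line" >> /etc/ssh/sshd_config

cat <<EOF > "$SSHD_DROPIN"
X11Forwarding no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

ListenAddress $SERVER_IP
EOF

# Validate before restarting: a bad config would take sshd down and lock the
# operator out of the host.
sshd -t

service sshd restart

# --- Sudo configuration ---
echo "Configuring sudo..."

mkdir -p /usr/local/etc/sudoers.d
cat <<EOF > "$SUDOERS_FILE"
$USERNAME ALL=(ALL:ALL) NOPASSWD:ALL
EOF
chmod 0440 "$SUDOERS_FILE"
# A syntactically bad fragment would break sudo for every user on the host.
visudo -cf "$SUDOERS_FILE"

# --- Final Instructions ---
echo
echo "BEFORE DISCONNECTING, FOLLOW THE FOLLOWING STEPS"
echo "You won't be able to reconnect if you don't."
echo
echo "1. Install the WireGuard config (fill in the gaps)"
echo
echo "[Interface]"
echo "PrivateKey = ..."
echo "Address = $CLIENT_IP/$PREFIXLEN"
echo "[Peer]"
echo "Endpoint = ...:$WG_LISTEN_PORT"
echo "PublicKey = $WG_LOCAL_PUBKEY"
echo "PresharedKey = $WG_PRESHARED_KEY"
echo "AllowedIPs = $SERVER_IP/$HOST_MASK"
echo
echo "2. Use this command to connect"
echo
echo "ssh $USERNAME@$SERVER_IP"
echo
echo "NOTICE:"
echo "If you need to change the port or other VPN settings, do it NOW. /usr/local/etc/wireguard/vmh-ssh-vpn.conf"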