Update alpine/alpine-secure.sh
This commit is contained in:
Minecon724
parent
dbd8681baf
commit
6a8f140a89
1 changed files with 33 additions and 12 deletions
|
|
@ -21,21 +21,42 @@ echo "$USERNAME:*" | chpasswd
|
|||
|
||||
|
||||
echo "Configuring WireGuard..."
|
||||
WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
|
||||
WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1)
|
||||
|
||||
if [[ -z "$CLIENT_IP" ]] || [[ -z "$SERVER_IP" ]] || [[ -z "$PREFIXLEN" ]]; then
|
||||
SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
|
||||
CLIENT_IP="$SUB_START::2"
|
||||
SERVER_IP="$SUB_START::1"
|
||||
PREFIXLEN=64
|
||||
fi
|
||||
|
||||
if [[ "$CLIENT_IP" == *"."* ]]; then
|
||||
HOST_MASK=32
|
||||
else
|
||||
HOST_MASK=128
|
||||
fi
|
||||
|
||||
CLIENT_IP=$(echo "$CLIENT_IP" | cut -d"/" -f1)
|
||||
SERVER_IP=$(echo "$SERVER_IP" | cut -d"/" -f1)
|
||||
|
||||
WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
|
||||
WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}
|
||||
|
||||
WG_LOCAL_PRIVKEY=$(wg genkey)
|
||||
WG_LOCAL_PUBKEY=$(echo $WG_LOCAL_PRIVKEY | wg pubkey)
|
||||
WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
|
||||
|
||||
|
||||
cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf
|
||||
[Interface]
|
||||
ListenPort = $WG_LISTEN_PORT
|
||||
PrivateKey = $WG_LOCAL_PRIVKEY
|
||||
Address = $WG_SUBNET::1/64
|
||||
Address = $SERVER_IP/$PREFIXLEN
|
||||
|
||||
[Peer]
|
||||
PublicKey = $WIREGUARD_PUBKEY
|
||||
AllowedIPs = $WG_SUBNET::2/128
|
||||
PresharedKey = $WG_PRESHARED_KEY
|
||||
AllowedIPs = $CLIENT_IP/$HOST_MASK
|
||||
EOF
|
||||
chmod -R 700 /etc/wireguard
|
||||
|
||||
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.vmh-ssh-vpn
|
||||
rc-update add wg-quick.vmh-ssh-vpn
|
||||
|
|
@ -50,14 +71,13 @@ chown $USERNAME:$USERNAME /home/$USERNAME/.ssh/authorized_keys
|
|||
chmod 600 /home/$USERNAME/.ssh/authorized_keys
|
||||
chmod 700 /home/$USERNAME/.ssh
|
||||
|
||||
mkdir -p /etc/ssh/sshd_config.d
|
||||
cat <<EOF > /etc/ssh/sshd_config.d/10-vmh_ssh.conf
|
||||
cat <<EOF > /etc/ssh/sshd_config.d/10-vmh-ssh.conf
|
||||
X11Forwarding no
|
||||
PasswordAuthentication no
|
||||
PubkeyAuthentication yes
|
||||
PermitRootLogin no
|
||||
|
||||
ListenAddress $WG_SUBNET::1
|
||||
ListenAddress $SERVER_IP
|
||||
EOF
|
||||
|
||||
echo 'rc_need="wg-quick.vmh-ssh-vpn"' >> /etc/conf.d/sshd
|
||||
|
|
@ -81,17 +101,18 @@ echo "1. Install the WireGuard config (fill in the gaps)"
|
|||
echo
|
||||
echo "[Interface]"
|
||||
echo "PrivateKey = ..."
|
||||
echo "Address = $WG_SUBNET::2/64"
|
||||
echo "Address = $CLIENT_IP/$PREFIXLEN"
|
||||
echo "[Peer]"
|
||||
echo "Endpoint = ...:$WG_LISTEN_PORT"
|
||||
echo "PublicKey = $WG_LOCAL_PUBKEY"
|
||||
echo "AllowedIPs = $WG_SUBNET::1/128"
|
||||
echo "PresharedKey = $WG_PRESHARED_KEY"
|
||||
echo "AllowedIPs = $SERVER_IP/$HOST_MASK"
|
||||
echo
|
||||
echo "2. Use this command to connect"
|
||||
echo
|
||||
echo "ssh $USERNAME@$WG_SUBNET::1"
|
||||
echo "ssh $USERNAME@$SERVER_IP"
|
||||
echo
|
||||
echo "NOTICE:"
|
||||
echo "If you need to change the port or other VPN settings, do it NOW. Edit /etc/wireguard/vmh-ssh-vpn.conf"
|
||||
echo "If you need to change the port or other VPN settings, do it NOW. /etc/wireguard/vmh-ssh-vpn.conf"
|
||||
|
||||
|
||||
Loading…
Add table
Add a link
Reference in a new issue