Update debian/debian-secure.sh

This commit is contained in:
Minecon724 2025-08-06 22:19:41 +02:00
commit 84aae25f1e


@ -11,20 +11,39 @@ useradd -m -s /bin/bash $USERNAME
echo "Configuring WireGuard..." echo "Configuring WireGuard..."
WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
WG_LISTEN_PORT=$(shuf -i 49152-65535 -n 1) if [ -z "$CLIENT_IP" ] || [ -z "$SERVER_IP" ] || [ -z "$PREFIXLEN" ]; then
SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
CLIENT_IP="$SUB_START::2"
SERVER_IP="$SUB_START::1"
PREFIXLEN=64
fi
if [ "$CLIENT_IP" == *"."* ]; then
HOST_MASK=32
else
HOST_MASK=128
fi
CLIENT_IP=$(echo "$CLIENT_IP" | cut -d"/" -f1)
SERVER_IP=$(echo "$SERVER_IP" | cut -d"/" -f1)
WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}
WG_LOCAL_PRIVKEY=$(wg genkey) WG_LOCAL_PRIVKEY=$(wg genkey)
WG_LOCAL_PUBKEY=$(echo $WG_LOCAL_PRIVKEY | wg pubkey) WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf cat <<EOF > /etc/wireguard/vmh-ssh-vpn.conf
[Interface] [Interface]
ListenPort = $WG_LISTEN_PORT ListenPort = $WG_LISTEN_PORT
PrivateKey = $WG_LOCAL_PRIVKEY PrivateKey = $WG_LOCAL_PRIVKEY
Address = $WG_SUBNET::1/64 Address = $SERVER_IP/$PREFIXLEN
[Peer] [Peer]
PublicKey = $WIREGUARD_PUBKEY PublicKey = $WIREGUARD_PUBKEY
AllowedIPs = $WG_SUBNET::2/128 PresharedKey = $WG_PRESHARED_KEY
AllowedIPs = $CLIENT_IP/$HOST_MASK
EOF EOF
chmod -R 700 /etc/wireguard chmod -R 700 /etc/wireguard
@ -45,7 +64,7 @@ PasswordAuthentication no
PubkeyAuthentication yes PubkeyAuthentication yes
PermitRootLogin no PermitRootLogin no
ListenAddress $WG_SUBNET::1 ListenAddress $SERVER_IP
EOF EOF
mkdir /etc/systemd/system/sshd.service.d mkdir /etc/systemd/system/sshd.service.d
@ -71,16 +90,17 @@ echo "1. Install the WireGuard config (fill in the gaps)"
echo echo
echo "[Interface]" echo "[Interface]"
echo "PrivateKey = ..." echo "PrivateKey = ..."
echo "Address = $WG_SUBNET::2/64" echo "Address = $CLIENT_IP/$PREFIXLEN"
echo "[Peer]" echo "[Peer]"
echo "Endpoint = ...:$WG_LISTEN_PORT" echo "Endpoint = ...:$WG_LISTEN_PORT"
echo "PublicKey = $WG_LOCAL_PUBKEY" echo "PublicKey = $WG_LOCAL_PUBKEY"
echo "AllowedIPs = $WG_SUBNET::1/128" echo "PresharedKey = $WG_PRESHARED_KEY"
echo "AllowedIPs = $SERVER_IP/$HOST_MASK"
echo echo
echo "2. Use this command to connect" echo "2. Use this command to connect"
echo echo
echo "ssh $USERNAME@$WG_SUBNET::1" echo "ssh $USERNAME@$SERVER_IP"
echo echo
echo "NOTICE:" echo "NOTICE:"
echo "If you need to change the port or other VPN settings, do it NOW. Edit /etc/wireguard/vmh-ssh-vpn.conf" echo "If you need to change the port or other VPN settings, do it NOW. /etc/wireguard/vmh-ssh-vpn.conf"