Update freebsd/freebsd-secure.sh

freebsd/freebsd-secure.sh

@@ -18,8 +18,22 @@ pw useradd -n "$USERNAME" -m -s /usr/local/bin/bash -w no
 # --- WireGuard setup ---
 echo "Configuring WireGuard..."
 
-WG_SUBNET="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+if [ -z "$WG_CLIENT_IP" ] || [ -z "$WG_SERVER_IP" ]; then
-WG_LISTEN_PORT=$(jot -r 1 49152 65535)
+  SUB_START="fc$(openssl rand -hex 1):$(openssl rand -hex 2):$(openssl rand -hex 2):$(openssl rand -hex 2)"
+  WG_CLIENT_IP="$SUB_START::2"
+  WG_SERVER_IP="$SUB_START::1"
+  SUBNET_MASK=64
+fi
+
+if [ "$WG_CLIENT_IP" == *"."* ]; then
+  HOST_MASK=32
+else
+  HOST_MASK=128
+fi
+
+WG_LISTEN_PORT=${WG_LISTEN_PORT:-$(jot -r 1 49152 65535)}
+WG_PRESHARED_KEY=${WG_PRESHARED_KEY:-$(wg genpsk)}
+
 WG_LOCAL_PRIVKEY=$(wg genkey)
 WG_LOCAL_PUBKEY=$(echo "$WG_LOCAL_PRIVKEY" | wg pubkey)
 
@@ -29,11 +43,12 @@ cat <<EOF > /usr/local/etc/wireguard/vmh-ssh-vpn.conf
 [Interface]
 ListenPort = $WG_LISTEN_PORT
 PrivateKey = $WG_LOCAL_PRIVKEY
-Address = $WG_SUBNET::1/64
+Address = $WG_SERVER_IP/$SUBNET_MASK
 
 [Peer]
 PublicKey = $WIREGUARD_PUBKEY
-AllowedIPs = $WG_SUBNET::2/128
+PresharedKey = $WG_PRESHARED_KEY
+AllowedIPs = $WG_CLIENT_SUBNET/$HOST_MASK
 EOF
 
 chmod 600 /usr/local/etc/wireguard/vmh-ssh-vpn.conf
@@ -54,27 +69,19 @@ chmod 700 /home/"$USERNAME"/.ssh
 chmod 600 /home/"$USERNAME"/.ssh/authorized_keys
 chown -R "$USERNAME":"$USERNAME" /home/"$USERNAME"/.ssh
 
-cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+mkdir /etc/ssh/sshd_config.d
 
-set_sshd_config() {
+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
-    local key="$1"
-    local value="$2"
-    if grep -q "^${key}" /etc/ssh/sshd_config; then
-        # Replace existing line
-        sed -i '' "s/^${key}.*/${key} ${value}/" /etc/ssh/sshd_config
-    else
-        # Add new line if not found
-        echo "${key} ${value}" >> /etc/ssh/sshd_config
-    fi
-}
 
-sed -i '' '/^ListenAddress/d' /etc/ssh/sshd_config
+cat <<EOF > /etc/ssh/sshd_config.d/10-vmh-ssh.conf
-echo "ListenAddress $WG_SUBNET::1" >> /etc/ssh/sshd_config
+X11Forwarding no
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitRootLogin no
+
+ListenAddress $WG_SERVER_IP
+EOF
 
-set_sshd_config "X11Forwarding" "no"
-set_sshd_config "PasswordAuthentication" "no"
-set_sshd_config "PubkeyAuthentication" "yes"
-set_sshd_config "PermitRootLogin" "no"
 
 service sshd restart
 
@@ -99,17 +106,18 @@ echo "1. Install the WireGuard config (fill in the gaps)"
 echo
 echo "[Interface]"
 echo "PrivateKey = ..."
-echo "Address = $WG_SUBNET::2/64"
+echo "Address = $WG_CLIENT_IP/$SUBNET_MASK"
 echo "[Peer]"
 echo "Endpoint = ...:$WG_LISTEN_PORT"
 echo "PublicKey = $WG_LOCAL_PUBKEY"
-echo "AllowedIPs = $WG_SUBNET::1/128"
+echo "PresharedKey = $WG_PRESHARED_KEY"
+echo "AllowedIPs = $WG_SERVER_IP/$HOST_MASK"
 echo
 echo "2. Use this command to connect"
 echo
-echo "ssh $USERNAME@$WG_SUBNET::1"
+echo "ssh $USERNAME@$WG_SERVER_IP"
 echo
 echo "NOTICE:"
-echo "If you need to change the port or other VPN settings, do it NOW. Edit /usr/local/etc/wireguard/vmh-ssh-vpn.conf"
+echo "If you need to change the port or other VPN settings, do it NOW. /usr/local/etc/wireguard/vmh-ssh-vpn.conf"