experimenting...

Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>
experimenting...
2025-12-25 21:02:04 +00:00 · 2024-01-15 21:38:50 +03:00 · 2024-01-15 21:22:55 +03:00 · 2024-01-15 21:20:49 +03:00 · 2024-01-15 21:16:10 +03:00 · 2024-01-15 21:11:02 +03:00
7 changed files with 32 additions and 22 deletions
--- a/config.global.example
+++ b/config.global.example
@ -36,6 +36,8 @@ ADMIN_BRIDGE=
 DFL_WAN_IP=192.168.1.101/24
 DFL_WAN_GATE=192.168.1.252
 DFL_WAN_SSH_IP:192.168.1.102/24
 # Doman and email configuration
 #
--- a/host/templates/pve/etc/firewall/cluster.fw
+++ b/host/templates/pve/etc/firewall/cluster.fw
@ -7,7 +7,7 @@ enable: 1
 [RULES]
-IN ACCEPT -i vmbr3 -log nolog # STUB
+IN ACCEPT -i vmbr3 -log nolog # ADMIN
 IN REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
 IN REJECT -i vmbr0 -p udp -dport 67 -sport 67 -log nolog # dhcp
 OUT REJECT -i vmbr0 -p udp -dport 68 -sport 68 -log nolog # dhcp
@ -17,6 +17,8 @@ OUT DHCPfwd(REJECT) -i vmbr0 -log nolog
 IN DNS(ACCEPT) -i vmbr0 -log nolog
 IN Ping(ACCEPT) -i vmbr0 -log nolog
 IN SSH(ACCEPT) -i vmbr0 -log nolog
 IN ACCEPT -i vmbr0 -p udp -dport 51820 -log nolog # Wireguard
 IN ACCEPT -i vmbr0 -p udp -dport 51821 -log nolog # Wireguard (alt)
 |IN OpenVPN(ACCEPT) -i vmbr0 -log nolog
 IN Web(ACCEPT) -i vmbr0 -log nolog
 IN ACCEPT -i vmbr0 -p udp -dport 22027 -log nolog # syncthing
--- a/ssh/make.sh
+++ b/ssh/make.sh
@ -34,6 +34,9 @@ LAN_GATE=SKIP
 REBOOT=${REBOOT:=1}
 DFL_WAN_SSH_IP=${DFL_WAN_SSH_IP:=}
 xread "WAN ssh ip:" WAN_SSH_IP
 readVars
@ -47,6 +50,7 @@ OPTS_STAGE_1="\
 	--swap $SWAP \
 	--net0 name=lan,bridge=vmbr${LAN_BRIDGE},firewall=1,ip=dhcp,type=veth \
 	--net1 name=admin,bridge=vmbr${ADMIN_BRIDGE},firewall=1,ip=dhcp,type=veth \
 	--net2 name=wan,bridge=vmbr${WAN_BRIDGE},firewall=1${WAN_SSH_IP:+,ip=${WAN_SSH_IP}},type=veth \
 	--storage local-lvm \
 	--rootfs local-lvm:$DRIVE \
 	--unprivileged 1 \
--- a/wireguard/assets/root/templates/wg0-client.tpl
+++ b/wireguard/assets/root/templates/wg0-client.tpl
--- a/wireguard/assets/root/templates/server.conf
+++ b/wireguard/assets/root/templates/server.conf
--- a/wireguard/make.sh
+++ b/wireguard/make.sh
@ -52,13 +52,16 @@ xread "Wireguard endpoint port: " ENDPOINT_PORT
 CLIENT_IPS=${CLIENT_IPS:-10.42.0.0/16}
 ALLOWED_IPS=${ALLOWED_IPS:-0.0.0.0/0,${CLIENT_IPS}}
 DNS=${DNS:-${NS_LAN_IP:-${DFL_NS_LAN_IP}}}
 DNS=${DNS/\/*}
 xread "Local network DNS:" DNS
 xreadYes "Show profile as QRcode when done?" QRCODE
 QRCODE=${QRCODE:-0}
 readVars
 DNS=${NS_LAN_IP/\/*}
 #----------------------------------------------------------------------
@ -103,19 +106,10 @@ echo "# Copying assets..."
 echo "# Setup: wireguard default profile..."
@ lxc-attach $ID -- bash -c "cd /root \
 	&& QRCODE=${QRCODE} make default.client" 
@ lxc-attach $ID -- chmod 600 /etc/wireguard/wg0.conf
 echo "# client config:"
@ mkdir -p clients
@ pct pull $ID /etc/wireguard/clients/default.conf clients/default.conf
 # show the profile as a qrcode...
 #if [ "$QRCODE" ] ; then
 #	echo "# default profile:"
 #	@ lxc-attach $ID -- qrencode -t UTF8 -r /etc/wireguard/clients/default.conf
 #fi
 #echo "# Setup: bridge device..."
@ lxc-attach $ID wg-quick up wg0 
 echo "# Post config..."
 pctSet $ID "${OPTS_STAGE_2}" $REBOOT
--- a/wireguard/templates/root/Makefile
+++ b/wireguard/templates/root/Makefile
@ -1,10 +1,10 @@
-
+INTERFACE := wg0
 SERVER_DIR := /etc/wireguard/
-SERVER_TPL := templates/wg0.conf
+SERVER_TPL := templates/server.conf
-SERVER_CLIENT_TPL := templates/wg0-client.tpl
+SERVER_CLIENT_TPL := templates/client.tpl
-SERVER_CONF := $(SERVER_DIR)/wg0.conf
+SERVER_CONF := $(SERVER_DIR)/$(INTERFACE).conf
 SERVER_KEY := $(SERVER_DIR)/server_id
 SERVER_PUBLIC_KEY := $(SERVER_DIR)/server_id.pub
@ -26,6 +26,7 @@ ALLOWED_IPS ?= ${ALLOWED_IPS}
 	wg genkey 2> /dev/null > $@
 	chmod 600 $@
 %_id.pub: %_id
 	cat $< | wg pubkey > $@
@ -39,6 +40,9 @@ $(SERVER_CONF): $(SERVER_TPL) $(SERVER_KEY)
 			-e 's/\$${\CLIENT_IPS}/$(subst /,\/,$(CLIENT_IPS))/g' \
 			-e 's/\$${\SERVER_PRIVATE_KEY}/'$$(sed -e 's/\//\\\//g' "$(SERVER_KEY)")'/g' \
 		> "$@"
 	chmod 600 $@
 	wg-quick up $(INTERFACE) 
 # XXX need to figure out a way to link this to the .config file without 
 # 	conflicting with the server's wg0.conf
@ -64,15 +68,19 @@ $(SERVER_CONF): $(SERVER_TPL) $(SERVER_KEY)
 			-e 's/\$${\CLIENT_PUBLIC_KEY}/'$$(sed -e 's/\//\\\//g' "$(CLIENT_DIR)/$*_id.pub")'/g' \
 			-e 's/\$${\SERVER_PUBLIC_KEY}/'$$(sed -e 's/\//\\\//g' "$(SERVER_PUBLIC_KEY)")'/g' \
 		>> "$(SERVER_CONF)"
-	@ [ -z "$$QRCODE" ] \
+	make update $*.show
-		|| ( echo "# Profile: $*" \
+
 %.show: $(CLIENT_DIR)/%.conf
 	@ [ "$(QRCODE)" == "1" ] \
 		&& ( echo "# Profile: $*" \
 			&& qrencode -t UTF8 -r "$(CLIENT_DIR)/$*.conf" )
 	@ cat "$(CLIENT_DIR)/$*.conf"
 	@ echo 
-
+update:
-%.qr: %.client
+	wg syncconf $(INTERFACE) <(wg-quick strip $(INTERFACE))
 	@ ( echo "# Profile: $*" \
 		&& qrencode -t UTF8 -r "$*.conf" )
 server: $(SERVER_CONF)
Author	SHA1	Message	Date
Alex A. Naanou	31dbf3acd2	experimenting... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 21:38:50 +03:00
Alex A. Naanou	f2e160acc4	experimenting... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 21:22:55 +03:00
Alex A. Naanou	e8d45394de	experimenting... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 21:20:49 +03:00
Alex A. Naanou	99bcb0d20f	experimenting... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 21:16:10 +03:00
Alex A. Naanou	438fc83115	wireguard working... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 21:11:02 +03:00
Alex A. Naanou	a1d805a751	tweaks... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 21:00:19 +03:00
Alex A. Naanou	51b827d15e	tweaks... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 20:55:54 +03:00
Alex A. Naanou	8e6d39eb42	tweaks... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 20:49:51 +03:00
Alex A. Naanou	36689166d5	tweaks... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 20:48:11 +03:00
Alex A. Naanou	37037a3a43	now 'ssh' is a failsafe server... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 19:43:23 +03:00
Alex A. Naanou	ff40c4bbb1	fix... Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>	2024-01-15 18:38:43 +03:00