fix...

Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>

wireguard/assets/root/Makefile

@@ -1,23 +1,30 @@
 
 
 
+SERVER_DIR := /etc/wireguard/
 SERVER_TPL := templates/wg0.conf
-SERVER_CLIENT_TPL := templates/wg0-client.conf
+SERVER_CLIENT_TPL := templates/wg0-client.tpl
-SERVER_CONF := /etc/wireguard/wg0.conf
+SERVER_CONF := $(SERVER_DIR)/wg0.conf
-SERVER_KEY := /etc/wireguard/server_id
+SERVER_KEY := $(SERVER_DIR)/server_id
-SERVER_PUBLIC_KEY := /etc/wireguard/server_id.pub
+SERVER_PUBLIC_KEY := $(SERVER_DIR)/server_id.pub
 
 CLIENT_TPL := templates/client.conf
-CLIENT_DIR := /etc/wireguard/clients/
+CLIENT_DIR := $(SERVER_DIR)/clients/
 
-ENDPOINT_PORT := 51820
+CLIENT_IPS ?= 10.42.0.0/16
-ENDPOINT := 
+ENDPOINT_PORT ?= 51820
-CLIENT_IPS := 10.42.0.0/16
+ENDPOINT ?= 1.2.3.4
-DNS := 10.1.1.1
+
+# XXX need to generate this...
+CLIENT_IP ?= 10.42.0.1/32
+DNS ?= 10.1.1.1
+ALLOWED_IPS ?= 0.0.0.0/0
 
 
 %_id:
-	wg genkey > $@
+	@ mkdir -p $$(dirname $@)
+	wg genkey 2> /dev/null > $@
+	chmod 600 $@
 
 %_id.pub: %_id
 	cat $< | wg pubkey > $@
@@ -26,31 +33,32 @@ DNS := 10.1.1.1
 $(SERVER_CONF): $(SERVER_TPL) $(SERVER_KEY)
 	cat $< \
 		| sed \
-			-e 's/$${SERVER_PORT}/$(SERVER_PORT)/g' \
+			-e 's/\$${ENDPOINT_PORT}/$(ENDPOINT_PORT)/g' \
-			-e 's/$${CLIENT_IPS}/$(CLIENT_IPS)/g' \
+			-e 's/\$${CLIENT_IPS}/$(subst /,\/,$(CLIENT_IPS))/g' \
-			-e 's/$${SERVER_PRIVATE_KEY}/'$$(cat "$(SERVER_KEY)")'/g' \
+			-e 's/\$${SERVER_PRIVATE_KEY}/'$$(cat "$(SERVER_KEY)" | sed -e 's/\//\\\//g')'/g' \
 		> "$@"
 
-$(CLIENT_DIR)/%.conf: $(CLIENT_TPL) $(SERVER_CLIENT_TPL) \
+%.client: $(CLIENT_TPL) $(SERVER_CLIENT_TPL) \
 		$(CLIENT_DIR)/%_id $(CLIENT_DIR)/%_id.pub \
 		$(SERVER_CONF) $(SERVER_PUBLIC_KEY)
+	@ mkdir -p $(CLIENT_DIR)
 	cat "$<" \
 		| sed \
-			-e 's/$${DNS}/$(DNS)/g' \
+			-e 's/\$${DNS}/$(DNS)/g' \
-			-e 's/$${ENDPOINT}/$(ENDPOINT)/g' \
+			-e 's/\$${ENDPOINT}/$(ENDPOINT)/g' \
-			-e 's/$${ENDPOINT_PORT}/$(ENDPOINT_PORT)/g' \
+			-e 's/\$${ENDPOINT_PORT}/$(ENDPOINT_PORT)/g' \
-			-e 's/$${ALLOWED_IPS}/$(ALLOWED_IPS)/g' \
+			-e 's/\$${ALLOWED_IPS}/$(subst /,\/,$(ALLOWED_IPS))/g' \
-			-e 's/$${CLIENT_IP}/$(CLIENT_IP)/g' \
+			-e 's/\$${CLIENT_IP}/$(subst /,\/,$(CLIENT_IP))/g' \
-			-e 's/$${CLIENT_PRIVATE_KEY}/'$$(cat "$(CLIENT_DIR)/$%_id")'/g' \
+			-e 's/\$${CLIENT_PRIVATE_KEY}/'$$(cat "$(CLIENT_DIR)/$*_id" | sed -e 's/\//\\\//g')'/g' \
-			-e 's/$${SERVER_PUBLIC_KEY}/'$$(cat "$(SERVER_PUBLIC_KEY)")'/g' \
+			-e 's/\$${SERVER_PUBLIC_KEY}/'$$(cat "$(SERVER_PUBLIC_KEY)" | sed -e 's/\//\\\//g')'/g' \
-		> "$@"
+		> "$(CLIENT_DIR)/$*.conf"
 	cat "$(SERVER_CLIENT_TPL)" \
 		| sed \
-			-e 's/$${CLIENT_IP}/$(CLIENT_IP)/g' \
+			-e 's/\$${CLIENT_IP}/$(subst /,\/,$(CLIENT_IP))/g' \
-			-e 's/$${ENDPOINT}/$(ENDPOINT)/g' \
+			-e 's/\$${ENDPOINT}/$(ENDPOINT)/g' \
-			-e 's/$${ENDPOINT_PORT}/$(ENDPOINT_PORT)/g' \
+			-e 's/\$${ENDPOINT_PORT}/$(ENDPOINT_PORT)/g' \
-			-e 's/$${CLIENT_PUBLIC_KEY}/'$$(cat "$(CLIENT_DIR)/$%_id.pub")'/g' \
+			-e 's/\$${CLIENT_PUBLIC_KEY}/'$$(cat "$(CLIENT_DIR)/$*_id.pub" | sed -e 's/\//\\\//g')'/g' \
-			-e 's/$${SERVER_PUBLIC_KEY}/'$$(cat "$(SERVER_PUBLIC_KEY)")'/g' \
+			-e 's/\$${SERVER_PUBLIC_KEY}/'$$(cat "$(SERVER_PUBLIC_KEY)" | sed -e 's/\//\\\//g')'/g' \
 		>> "$(SERVER_CONF)"
 
 
@@ -58,7 +66,4 @@ $(CLIENT_DIR)/%.conf: $(CLIENT_TPL) $(SERVER_CLIENT_TPL) \
 server: $(SERVER_CONF)
 
 
-clients:
-
-
 

wireguard/assets/root/templates/client.conf

@@ -1,6 +1,6 @@
 [Interface]
 PrivateKey = ${CLIENT_PRIVATE_KEY}
-Address = ${CLIENT_IP}/32
+Address = ${CLIENT_IP}
 DNS = ${DNS}
 
 [Peer]

wireguard/assets/root/templates/wg0-client.tpl

@@ -1,6 +1,6 @@
 
 [Peer]
 PublicKey = ${CLIENT_PUBLIC_KEY} 
-AllowedIPs = ${CLIENT_IP}/32
+AllowedIPs = ${CLIENT_IP}
 Endpoint = ${ENDPOINT}:${ENDPOINT_PORT}
 

wireguard/make.sh

@@ -69,26 +69,33 @@ echo "# Creating CT..."
 pctCreateAlpine $ID "${OPTS_STAGE_1}" "$PASS"
 
 echo "# Installing dependencies..."
-@ lxc-attach $ID apk add iptables wireguard-tools-wg-quick
+@ lxc-attach $ID apk add iptables wireguard-tools-wg-quick make
 
 echo "# Copying assets..."
 @ pct-push-r $ID ./assets /
 
-echo "# Setup: wireguard server..."
+#echo "# Setup: wireguard server..."
-@ lxc-attach $ID -- bash -c 'wg genkey | tee server.privatekey | wg pubkey > server.publickey' 
+@ lxc-attach $ID -- bash -c 'cd /root && make server'
 
-# XXX move this into a script on the CT side...
+echo "# Setup: wireguard default profile..."
-echo "# Setup: wireguard user..."
+@ lxc-attach $ID -- bash -c "cd /root && \
-xread "profile name: " WG_PROFILE
+	ENDPOINT_PORT=51820
-xread "allowed ips: " ALLOWED_IPs
+	ENDPOINT=${DOMAIN}
+	CLIENT_IP=10.42.0.1/32
+	DNS=${NS_LAN_IP}
+	ALLOWED_IPS=0.0.0.0/0
+		make default.client" 
+@ lxc-attach $ID -- chmod 600 /etc/wireguard/wg0.conf
 
-# XXX client:
+echo "# client config:"
-# 	- generate keys
+@ mkdir -p clients
-# 	- add to wg0.conf
+@ pct pull $ID /etc/wireguard/clients/default.conf clients/default.conf
-# 	- add to $WG_PROFILE.conf
+echo "# ---"
+@ lxc-attach $ID -- cat /etc/wireguard/clients/default.conf
+echo "# ---"
 
-echo "# Setup: bridge device..."
+#echo "# Setup: bridge device..."
-@ lxc-attach $ID wg up wg0 
+@ lxc-attach $ID wg-quick up wg0 
 
 echo "# Post config..."
 pctSet $ID "${OPTS_STAGE_2}" $REBOOT