testing
This commit is contained in:
57
piawg.sh
57
piawg.sh
@@ -10,6 +10,11 @@ err() {
|
||||
exit 1
|
||||
}
|
||||
|
||||
info() {
|
||||
[ "$PIAWG_VERBOSE" -eq 1 ] &&
|
||||
printf '[INFO]: %s\n' "$1" >&2
|
||||
}
|
||||
|
||||
check_http() {
|
||||
case $1 in
|
||||
2[0-9][0-9]) return 0 ;;
|
||||
@@ -84,6 +89,7 @@ pia_addkey() {
|
||||
local peer_ip
|
||||
local updates
|
||||
# Add pubkey via PIA API and get connection details
|
||||
info "Adding '$piawg_pubkey' to PIA server $server_cn"
|
||||
if ! response=$(
|
||||
curl -sS -G --connect-timeout 5 \
|
||||
--max-time 20 --retry 5 --retry-delay 2 \
|
||||
@@ -116,6 +122,7 @@ pia_addkey() {
|
||||
if [ "$updates" != '{}' ]; then
|
||||
updates="$(printf '%s' "$updates" |
|
||||
jq --arg s "$piawg_uuid" '.servers = $s')"
|
||||
info "Updating connection details of $OPN_IF peer $OPN_PEER"
|
||||
if [ "$(opn_curl "wireguard/client/setClient/$piawgsrv_uuid" \
|
||||
-d "$(printf '%s' "$updates" | jq '{client: .}')" |
|
||||
jq -r '.result')" != "saved" ]; then
|
||||
@@ -124,6 +131,7 @@ pia_addkey() {
|
||||
fi
|
||||
peer_ip="$(printf '%s' "$response" | jq -r '.peer_ip')"
|
||||
if [ "$peer_ip" != "$piawg_tunaddr" ]; then
|
||||
info "Updating connection details of $OPN_IF instance"
|
||||
if [ "$(opn_curl "wireguard/server/setServer/$piawg_uuid" \
|
||||
-d "$(jq -n --arg ip "$peer_ip/32" \
|
||||
'{server: {tunneladdress: $ip}}')" |
|
||||
@@ -131,16 +139,37 @@ pia_addkey() {
|
||||
err "Failed to update $OPN_WG tunnel address to $peer_ip"
|
||||
fi
|
||||
fi
|
||||
info "Reloading Wireguard service"
|
||||
opn_curl 'wireguard/service/reconfigure' -d '{}'
|
||||
|
||||
# Update firewall rule alias
|
||||
piawg_ip_alias="$(opn_curl 'firewall/alias/searchItem' -d '{}' |
|
||||
jq -r '.rows[] | select(.name == "PIAwg_IP") | .uuid')"
|
||||
jq -r ".rows[] | select(.name == \"$OPN_ALIAS\") | .uuid")"
|
||||
info "Updating alias $OPN_ALIAS to $peer_ip"
|
||||
opn_curl "firewall/alias/setItem/$piawg_ip_alias" \
|
||||
-d "$(jq -n --arg ip "$peer_ip" '{alias: {content: $ip}}')"
|
||||
info "Reloading Firewall alias"
|
||||
opn_curl 'firewall/alias/reconfigure' -d '{}'
|
||||
}
|
||||
|
||||
tunnel_check() {
|
||||
local tunneladdr
|
||||
local response
|
||||
local peer_status
|
||||
tunneladdr="$(opn_curl 'wireguard/server/searchServer' -d '{}' |
|
||||
jq -r ".rows[] | select(.name == \"$OPN_IF\") | .tunneladdress")"
|
||||
response="$(opn_curl 'wireguard/service/show' -d '{}' |
|
||||
jq ".rows[] | select(.name == \"$OPN_PEER\")")"
|
||||
peer_status="$(printf '%s' "$response" | jq -r '."peer-status"')"
|
||||
[ "$peer_status" != "online" ] && return 1
|
||||
if ! ping -c1 -W3 -S "${tunneladdr%/32}" 1.1.1.1 >/dev/null 2>&1; then
|
||||
if ! ping -c1 -W3 -S "${tunneladdr%/32}" 8.8.8.8 >/dev/null 2>&1; then
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Get a new PIA API token and store
|
||||
renew_token() {
|
||||
local login_response
|
||||
@@ -168,6 +197,15 @@ renew_token() {
|
||||
unset pia_token
|
||||
}
|
||||
|
||||
PIAWG_VERBOSE=0
|
||||
while getopts "v" opt; do
|
||||
case $opt in
|
||||
v) PIAWG_VERBOSE=1 ;;
|
||||
*) printf '%s\n' "Usage: $0 [-v]" >&2; exit 1 ;;
|
||||
esac
|
||||
done
|
||||
shift $((OPTIND - 1))
|
||||
|
||||
# Check for required external commands
|
||||
for rbin in curl jq openssl; do
|
||||
command -v "$rbin" >/dev/null 2>&1 ||
|
||||
@@ -187,6 +225,7 @@ if [ ! -f "$PIAWG_CONF" ]; then
|
||||
#BAO_ROLE=
|
||||
#BAO_SECRET=
|
||||
EOF
|
||||
info "Created '$PIAWG_CONF' configuration file"
|
||||
fi
|
||||
|
||||
# Source config
|
||||
@@ -215,6 +254,7 @@ _fingerprint=1fd25658456eab3041fba77ccd398ab8124edcc1b8b2fc1d55fdf6b1bbfc9d70
|
||||
: "${BAO_PATH_TOKEN:=piawg/session/token}"
|
||||
: "${OPN_IF:=PIAwg}"
|
||||
: "${OPN_PEER:=PIAwg_srv}"
|
||||
: "${OPN_ALIAS:=PIAwg_IP}"
|
||||
|
||||
# Get ephemeral session token from AppRole login
|
||||
if ! bao_token_reply=$(curl -sS \
|
||||
@@ -236,6 +276,7 @@ get_token_reply="$(
|
||||
bao_curl -n "$BAO_KV_MOUNT/data/$BAO_PATH_TOKEN"
|
||||
)" && rc=0 || rc=$?
|
||||
if [ "$rc" -eq 4 ]; then
|
||||
info "Renewing PIA token"
|
||||
renew_token
|
||||
get_token_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_TOKEN")"
|
||||
fi
|
||||
@@ -246,6 +287,7 @@ check_token "$pia_token" || err "Failed to get valid PIA token"
|
||||
# Download PIA RSA CA certificate
|
||||
if [ ! -f ./ca.rsa.4096.crt ]; then
|
||||
[ -f ./.ca.rsa.4096.crt ] && rm ./.ca.rsa.4096.crt
|
||||
info "Downloading PIA's CA certificate"
|
||||
curl -sS --connect-timeout 5 --max-time 20 --retry 5 --retry-delay 2 \
|
||||
-o ./.ca.rsa.4096.crt "$PIA_CRT"
|
||||
pia_file_hash="$(openssl x509 -in ./.ca.rsa.4096.crt -outform DER |
|
||||
@@ -291,15 +333,4 @@ unset wg_reply
|
||||
[ "$server_ip" != "$piawgsrv_srvaddr" ] && pia_addkey
|
||||
|
||||
# Check tunnel
|
||||
piawg_tunaddr="$(opn_curl 'wireguard/server/searchServer' -d '{}' |
|
||||
jq -r ".rows[] | select(.name == \"$OPN_IF\") | .tunneladdress")"
|
||||
wg_status_reply="$(opn_curl 'wireguard/service/show' -d '{}' |
|
||||
jq ".rows[] | select(.name == \"$OPN_PEER\")")"
|
||||
echo "$wg_status_reply" | jq .
|
||||
wg_status="$(printf '%s' "$wg_status_reply" | jq -r '."peer-status"')"
|
||||
[ ! "$wg_status" = "online" ] && err "$OPN_PEER is offline"
|
||||
if ! ping -c1 -W3 -S "${piawg_tunaddr%/32}" 1.1.1.1 >/dev/null 2>&1; then
|
||||
if ! ping -c1 -W3 -S "${piawg_tunaddr%/32}" 8.8.8.8 >/dev/null 2>&1; then
|
||||
err "$OPN_PEER failed to ping internet"
|
||||
fi
|
||||
fi
|
||||
tunnel_check && info "$server_cn tunnel working on $OPN_IF"
|
||||
|
||||
Reference in New Issue
Block a user