From 4971b123d3b2bc90411c1428157d03380077bdb0 Mon Sep 17 00:00:00 2001 From: Kris Lamoureux Date: Sun, 8 Mar 2026 19:13:54 -0400 Subject: [PATCH] testing --- piawg.sh | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/piawg.sh b/piawg.sh index 97e8261..c077151 100755 --- a/piawg.sh +++ b/piawg.sh @@ -71,26 +71,35 @@ opn_curl() { local error local response local http_code - path="$1" + path="$opn_endpoint/$1" shift - error="Failed request to '$opn_endpoint/$path'" + error="Failed request to '$path'" if ! response="$(_curl -H 'Content-Type: application/json' \ -u "$opn_key:$opn_secret" -w '\n%{http_code}' \ - "$@" "$opn_endpoint/$path")"; then + "$@" "$path")"; then err "$error" fi http_code="$(printf '%s' "$response" | tail -1)" + response="$(printf '%s' "$response" | sed '$d')" + if ! check_http "$http_code"; then + error_msg="$(printf '%s' "$response" | \ + jq -r '.errorMessage // empty' 2>/dev/null)" + [ -n "$error_msg" ] && error="$error_msg ($path)" + fi check_http "$http_code" || err "$error" - printf '%s' "$response" | sed '$d' + printf '%s' "$response" } pia_addkey() { local response + local response_gw local key local port local peer_ip local updates local server_vip + local gateway_ip + local gateway_id # Add pubkey via PIA API and get connection details info "Adding '$piawg_pubkey' to PIA server $server_cn" if ! response=$( @@ -98,7 +107,7 @@ pia_addkey() { --cacert ./ca.rsa.4096.crt \ --data-urlencode "pt=$pia_token" \ --data-urlencode "pubkey=$piawg_pubkey" \ - "https://$server_cn:1337/addKey" + "https://$server_cn:$server_port/addKey" ); then err "Failed connect to $server_cn to addKey" fi @@ -148,6 +157,24 @@ pia_addkey() { err "Failed to reload Wireguard service" fi + # Update gateway address + if ! response_gw="$(\ + opn_curl 'routing/settings/searchGateway' -X POST -d '{}')"; then + err "Failed to search gateways" + fi + debug -f "searchGatewayn%s" "$(printf '%s' "$response_gw" | jq .)" + gateway_id="$(printf '%s' "$response_gw" | jq -r --arg name "$OPN_GW" \ + '.rows[] | select(.name == $name) | .uuid')" + gateway_ip="$(printf '%s' "$response_gw" | jq -r --arg name "$OPN_GW" \ + '.rows[] | select(.name == $name) | .gateway')" + opn_curl "routing/settings/getGateway/$gateway_id" + if [ "$gateway_ip" != "$server_vip" ]; then + info "Updating gateway $OPN_GW address from $gateway_ip to $server_vip" + opn_curl "routing/settings/setGateway/$gateway_id" -X POST \ + -d '{"gateway": {"gateway": "'"$server_vip"'"}}' + opn_curl 'routing/settings/reconfigure' -X POST -d '{}' + fi + # Update OpenBao config with response data server_vip="$(printf '%s' "$response" | jq -r '.server_vip')" info "Update server_vip at $BAO_PATH_CONFIG to $server_vip" @@ -282,6 +309,7 @@ _fingerprint=1fd25658456eab3041fba77ccd398ab8124edcc1b8b2fc1d55fdf6b1bbfc9d70 : "${OPN_IF:=PIAwg}" : "${OPN_PEER:=PIAwg_srv}" : "${OPN_ALIAS:=PIAwg_IP}" +: "${OPN_GW:=PIAWG_VPN}" # Get ephemeral session token from AppRole login if ! bao_token_reply=$(_curl -H 'Content-Type: application/json' \ @@ -333,6 +361,7 @@ opn_if_reply="$(opn_curl 'wireguard/server/searchServer' -d '{}' | piawg_uuid="$(printf '%s' "$opn_if_reply" | jq -r .uuid)" piawg_pubkey="$(printf '%s' "$opn_if_reply" | jq -r .pubkey)" piawg_tunaddr="$(printf '%s' "$opn_if_reply" | jq -r .tunneladdress)" +piawg_interface="$(printf '%s' "$opn_if_reply" | jq -r .interface)" debug -f "Wireguard instance $OPN_IF from OPNsense API\n%s" \ "$(printf '%s' "$opn_if_reply" | jq '.privkey = "[CENSORED]"')" unset opn_if_reply @@ -352,6 +381,7 @@ wg_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")" server_ip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_ip)" server_cn="$(printf '%s' "$wg_reply" | jq -r .data.data.server_cn)" server_port="$(printf '%s' "$wg_reply" | jq -r .data.data.server_port)" +server_vip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_vip)" debug -f "Config from OpenBao ($BAO_PATH_CONFIG)\n%s" \ "$(printf '%s' "$wg_reply" | jq .)" unset wg_reply @@ -382,3 +412,23 @@ else fi fi fi + +if conf_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"; then + port_forward="$(printf '%s' "$conf_reply" | jq -r '.data.data.port_forward')" + if [ "$port_forward" = "true" ]; then + server_cn="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_cn')" + server_vip="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_vip')" + set -x + if ! pf_sig_reply="$(_curl -G --cacert ./ca.rsa.4096.crt \ + --interface "$piawg_interface" \ + --resolve "$server_cn:19999:$server_vip" \ + --data-urlencode "token=$pia_token" \ + "https://$server_cn:19999/getSignature")"; then + err "Failed to connect to https://$server_cn:19999/getSignature" + fi + set +x + debug -f "getSignature\n%s" "$(printf '%s' "$pf_sig_reply" | jq .)" + fi +fi +debug -f "Check for port_forward value in OpenBao ($BAO_PATH_CONFIG)\n%s" \ + "$(printf '%s' "$conf_reply" | jq .)"