testing
This commit is contained in:
60
piawg.sh
60
piawg.sh
@@ -71,26 +71,35 @@ opn_curl() {
|
||||
local error
|
||||
local response
|
||||
local http_code
|
||||
path="$1"
|
||||
path="$opn_endpoint/$1"
|
||||
shift
|
||||
error="Failed request to '$opn_endpoint/$path'"
|
||||
error="Failed request to '$path'"
|
||||
if ! response="$(_curl -H 'Content-Type: application/json' \
|
||||
-u "$opn_key:$opn_secret" -w '\n%{http_code}' \
|
||||
"$@" "$opn_endpoint/$path")"; then
|
||||
"$@" "$path")"; then
|
||||
err "$error"
|
||||
fi
|
||||
http_code="$(printf '%s' "$response" | tail -1)"
|
||||
response="$(printf '%s' "$response" | sed '$d')"
|
||||
if ! check_http "$http_code"; then
|
||||
error_msg="$(printf '%s' "$response" | \
|
||||
jq -r '.errorMessage // empty' 2>/dev/null)"
|
||||
[ -n "$error_msg" ] && error="$error_msg ($path)"
|
||||
fi
|
||||
check_http "$http_code" || err "$error"
|
||||
printf '%s' "$response" | sed '$d'
|
||||
printf '%s' "$response"
|
||||
}
|
||||
|
||||
pia_addkey() {
|
||||
local response
|
||||
local response_gw
|
||||
local key
|
||||
local port
|
||||
local peer_ip
|
||||
local updates
|
||||
local server_vip
|
||||
local gateway_ip
|
||||
local gateway_id
|
||||
# Add pubkey via PIA API and get connection details
|
||||
info "Adding '$piawg_pubkey' to PIA server $server_cn"
|
||||
if ! response=$(
|
||||
@@ -98,7 +107,7 @@ pia_addkey() {
|
||||
--cacert ./ca.rsa.4096.crt \
|
||||
--data-urlencode "pt=$pia_token" \
|
||||
--data-urlencode "pubkey=$piawg_pubkey" \
|
||||
"https://$server_cn:1337/addKey"
|
||||
"https://$server_cn:$server_port/addKey"
|
||||
); then
|
||||
err "Failed connect to $server_cn to addKey"
|
||||
fi
|
||||
@@ -148,6 +157,24 @@ pia_addkey() {
|
||||
err "Failed to reload Wireguard service"
|
||||
fi
|
||||
|
||||
# Update gateway address
|
||||
if ! response_gw="$(\
|
||||
opn_curl 'routing/settings/searchGateway' -X POST -d '{}')"; then
|
||||
err "Failed to search gateways"
|
||||
fi
|
||||
debug -f "searchGatewayn%s" "$(printf '%s' "$response_gw" | jq .)"
|
||||
gateway_id="$(printf '%s' "$response_gw" | jq -r --arg name "$OPN_GW" \
|
||||
'.rows[] | select(.name == $name) | .uuid')"
|
||||
gateway_ip="$(printf '%s' "$response_gw" | jq -r --arg name "$OPN_GW" \
|
||||
'.rows[] | select(.name == $name) | .gateway')"
|
||||
opn_curl "routing/settings/getGateway/$gateway_id"
|
||||
if [ "$gateway_ip" != "$server_vip" ]; then
|
||||
info "Updating gateway $OPN_GW address from $gateway_ip to $server_vip"
|
||||
opn_curl "routing/settings/setGateway/$gateway_id" -X POST \
|
||||
-d '{"gateway": {"gateway": "'"$server_vip"'"}}'
|
||||
opn_curl 'routing/settings/reconfigure' -X POST -d '{}'
|
||||
fi
|
||||
|
||||
# Update OpenBao config with response data
|
||||
server_vip="$(printf '%s' "$response" | jq -r '.server_vip')"
|
||||
info "Update server_vip at $BAO_PATH_CONFIG to $server_vip"
|
||||
@@ -282,6 +309,7 @@ _fingerprint=1fd25658456eab3041fba77ccd398ab8124edcc1b8b2fc1d55fdf6b1bbfc9d70
|
||||
: "${OPN_IF:=PIAwg}"
|
||||
: "${OPN_PEER:=PIAwg_srv}"
|
||||
: "${OPN_ALIAS:=PIAwg_IP}"
|
||||
: "${OPN_GW:=PIAWG_VPN}"
|
||||
|
||||
# Get ephemeral session token from AppRole login
|
||||
if ! bao_token_reply=$(_curl -H 'Content-Type: application/json' \
|
||||
@@ -333,6 +361,7 @@ opn_if_reply="$(opn_curl 'wireguard/server/searchServer' -d '{}' |
|
||||
piawg_uuid="$(printf '%s' "$opn_if_reply" | jq -r .uuid)"
|
||||
piawg_pubkey="$(printf '%s' "$opn_if_reply" | jq -r .pubkey)"
|
||||
piawg_tunaddr="$(printf '%s' "$opn_if_reply" | jq -r .tunneladdress)"
|
||||
piawg_interface="$(printf '%s' "$opn_if_reply" | jq -r .interface)"
|
||||
debug -f "Wireguard instance $OPN_IF from OPNsense API\n%s" \
|
||||
"$(printf '%s' "$opn_if_reply" | jq '.privkey = "[CENSORED]"')"
|
||||
unset opn_if_reply
|
||||
@@ -352,6 +381,7 @@ wg_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"
|
||||
server_ip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_ip)"
|
||||
server_cn="$(printf '%s' "$wg_reply" | jq -r .data.data.server_cn)"
|
||||
server_port="$(printf '%s' "$wg_reply" | jq -r .data.data.server_port)"
|
||||
server_vip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_vip)"
|
||||
debug -f "Config from OpenBao ($BAO_PATH_CONFIG)\n%s" \
|
||||
"$(printf '%s' "$wg_reply" | jq .)"
|
||||
unset wg_reply
|
||||
@@ -382,3 +412,23 @@ else
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if conf_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"; then
|
||||
port_forward="$(printf '%s' "$conf_reply" | jq -r '.data.data.port_forward')"
|
||||
if [ "$port_forward" = "true" ]; then
|
||||
server_cn="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_cn')"
|
||||
server_vip="$(printf '%s' "$conf_reply" | jq -r '.data.data.server_vip')"
|
||||
set -x
|
||||
if ! pf_sig_reply="$(_curl -G --cacert ./ca.rsa.4096.crt \
|
||||
--interface "$piawg_interface" \
|
||||
--resolve "$server_cn:19999:$server_vip" \
|
||||
--data-urlencode "token=$pia_token" \
|
||||
"https://$server_cn:19999/getSignature")"; then
|
||||
err "Failed to connect to https://$server_cn:19999/getSignature"
|
||||
fi
|
||||
set +x
|
||||
debug -f "getSignature\n%s" "$(printf '%s' "$pf_sig_reply" | jq .)"
|
||||
fi
|
||||
fi
|
||||
debug -f "Check for port_forward value in OpenBao ($BAO_PATH_CONFIG)\n%s" \
|
||||
"$(printf '%s' "$conf_reply" | jq .)"
|
||||
|
||||
Reference in New Issue
Block a user