Compare commits
3 Commits
3a042dd063
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
ff24a10667
|
|||
|
e9a59d81d6
|
|||
|
c72d963735
|
188
piawg.sh
188
piawg.sh
@@ -5,10 +5,24 @@
|
||||
# Allow local variable scoping, therefore not strictly POSIX
|
||||
# shellcheck disable=SC3043
|
||||
|
||||
msg() { printf '[%s]: %s\n' "${2-INFO}" "$1"; }
|
||||
msg() {
|
||||
local format
|
||||
format='%s'
|
||||
OPTIND=1
|
||||
while getopts 'f:' opt; do
|
||||
case $opt in f) format="$OPTARG" ;; *) return 1 ;; esac
|
||||
done
|
||||
shift $((OPTIND - 1))
|
||||
printf "[%s]: ${format}\n" "${2-INFO}" "$1"
|
||||
}
|
||||
|
||||
info() { [ "$PIAWG_VERBOSE" -eq 1 ] && msg "$1"; }
|
||||
debug() { [ "$PIAWG_DEBUG" -eq 1 ] && msg "$@" 'DEBUG'; }
|
||||
warn() { msg "$1" 'WARN'; }
|
||||
err() { msg "$1" 'ERROR'; exit 1; }
|
||||
err() {
|
||||
msg "$1" 'ERROR'
|
||||
exit 1
|
||||
}
|
||||
|
||||
check_http() { [ "$1" = "${2:-200}" ] && return 0 || return 1; }
|
||||
check_token() { printf '%s\n' "$1" | grep -q '^[0-9A-Fa-f]\{128\}$'; }
|
||||
@@ -24,10 +38,14 @@ bao_curl() {
|
||||
local error
|
||||
local http_code
|
||||
local notfound
|
||||
local content_type
|
||||
notfound=0
|
||||
while getopts "n" opt; do
|
||||
content_type='application/json'
|
||||
OPTIND=1
|
||||
while getopts "np" opt; do
|
||||
case "$opt" in
|
||||
n) notfound=1 ;;
|
||||
p) content_type='application/merge-patch+json' ;;
|
||||
*) err "bao_curl option '$opt' not found" ;;
|
||||
esac
|
||||
done
|
||||
@@ -35,7 +53,7 @@ bao_curl() {
|
||||
path="$BAO_ADDR/v1/$1"
|
||||
shift
|
||||
error="Failed request to '$path'"
|
||||
if ! response=$(_curl -H 'Content-Type: application/json' \
|
||||
if ! response=$(_curl -H "Content-Type: $content_type" \
|
||||
-H "X-Vault-Token: $bao_token" -w '\n%{http_code}' "$@" "$path"); then
|
||||
err "$error"
|
||||
fi
|
||||
@@ -53,25 +71,35 @@ opn_curl() {
|
||||
local error
|
||||
local response
|
||||
local http_code
|
||||
path="$1"
|
||||
path="$opn_endpoint/$1"
|
||||
shift
|
||||
error="Failed request to '$opn_endpoint/$path'"
|
||||
error="Failed request to '$path'"
|
||||
if ! response="$(_curl -H 'Content-Type: application/json' \
|
||||
-u "$opn_key:$opn_secret" -w '\n%{http_code}' \
|
||||
"$@" "$opn_endpoint/$path")"; then
|
||||
"$@" "$path")"; then
|
||||
err "$error"
|
||||
fi
|
||||
http_code="$(printf '%s' "$response" | tail -1)"
|
||||
response="$(printf '%s' "$response" | sed '$d')"
|
||||
if ! check_http "$http_code"; then
|
||||
error_msg="$(printf '%s' "$response" |
|
||||
jq -r '.errorMessage // empty' 2>/dev/null)"
|
||||
[ -n "$error_msg" ] && error="$error_msg ($path)"
|
||||
fi
|
||||
check_http "$http_code" || err "$error"
|
||||
printf '%s' "$response" | sed '$d'
|
||||
printf '%s' "$response"
|
||||
}
|
||||
|
||||
pia_addkey() {
|
||||
local response
|
||||
local response_gw
|
||||
local key
|
||||
local port
|
||||
local peer_ip
|
||||
local updates
|
||||
local server_vip
|
||||
local gateway_ip
|
||||
local gateway_id
|
||||
# Add pubkey via PIA API and get connection details
|
||||
info "Adding '$piawg_pubkey' to PIA server $server_cn"
|
||||
if ! response=$(
|
||||
@@ -79,12 +107,13 @@ pia_addkey() {
|
||||
--cacert ./ca.rsa.4096.crt \
|
||||
--data-urlencode "pt=$pia_token" \
|
||||
--data-urlencode "pubkey=$piawg_pubkey" \
|
||||
"https://$server_cn:1337/addKey"
|
||||
"https://$server_cn:$server_port/addKey"
|
||||
); then
|
||||
err "Failed connect to $server_cn to addKey"
|
||||
fi
|
||||
[ "$(printf '%s' "$response" | jq -r '.status')" != "OK" ] &&
|
||||
err "Failed to addKey to $server_cn"
|
||||
debug -f 'PIA API addKey response\n%s' "$(echo "$response" | jq .)"
|
||||
|
||||
# Update Wireguard config on OPNsense
|
||||
updates='{}'
|
||||
@@ -105,6 +134,7 @@ pia_addkey() {
|
||||
updates="$(printf '%s' "$updates" |
|
||||
jq --arg s "$piawg_uuid" '.servers = $s')"
|
||||
info "Updating connection details of $OPN_IF peer $OPN_PEER"
|
||||
debug -f "$OPN_PEER updates\n%s" "$(echo "$updates" | jq .)"
|
||||
if [ "$(opn_curl "wireguard/client/setClient/$piawgsrv_uuid" \
|
||||
-d "$(printf '%s' "$updates" | jq '{client: .}')" |
|
||||
jq -r '.result')" != "saved" ]; then
|
||||
@@ -127,6 +157,40 @@ pia_addkey() {
|
||||
err "Failed to reload Wireguard service"
|
||||
fi
|
||||
|
||||
# Update OpenBao config with response data
|
||||
server_vip="$(printf '%s' "$response" | jq -r '.server_vip')"
|
||||
info "Update server_vip at $BAO_PATH_CONFIG to $server_vip"
|
||||
bao_curl -p "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG" -X PATCH -d \
|
||||
"$(jq -n --arg ip "$server_vip" '{data:{server_vip:$ip}}')" >/dev/null
|
||||
|
||||
# Update gateway address
|
||||
if ! response_gw="$(opn_curl \
|
||||
'routing/settings/search_gateway' -X POST -d '{}')"; then
|
||||
err "Failed to search gateways"
|
||||
fi
|
||||
debug -f "search_gateway\n%s" "$(printf '%s' "$response_gw" | jq .)"
|
||||
gateway_id="$(printf '%s' "$response_gw" | jq -r --arg name "$OPN_GW" \
|
||||
'.rows[] | select(.name == $name) | .uuid')"
|
||||
gateway_ip="$(printf '%s' "$response_gw" | jq -r --arg name "$OPN_GW" \
|
||||
'.rows[] | select(.name == $name) | .gateway')"
|
||||
if [ "$gateway_ip" != "$server_vip" ]; then
|
||||
info "Updating gateway $OPN_GW address from $gateway_ip to $server_vip"
|
||||
if ! update_gw="$(opn_curl \
|
||||
"routing/settings/set_gateway/$gateway_id" -X POST \
|
||||
-d "$(jq -nc --arg ip "$server_vip" \
|
||||
'{gateway_item: {gateway: $ip}}')")"; then
|
||||
err "Failed to update gateway ($gateway_id)"
|
||||
fi
|
||||
if [ "$(printf '%s' "$update_gw" | jq -r '.result')" != "saved" ]; then
|
||||
err "Failed to save gateway update"
|
||||
fi
|
||||
info "Restarting WireGuard interface after gateway update"
|
||||
if [ "$(opn_curl "core/service/restart/wireguard/$piawg_uuid" \
|
||||
-X POST -d '{}' | jq -r '.result')" != "ok" ]; then
|
||||
err "Failed to restart WireGuard interface after gateway update"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Update firewall rule alias
|
||||
piawg_ip_alias="$(opn_curl 'firewall/alias/searchItem' -d '{}' |
|
||||
jq -r ".rows[] | select(.name == \"$OPN_ALIAS\") | .uuid")"
|
||||
@@ -143,6 +207,84 @@ pia_addkey() {
|
||||
fi
|
||||
}
|
||||
|
||||
pia_forward() {
|
||||
local config
|
||||
local server_cn
|
||||
local server_vip
|
||||
local pf_signature
|
||||
local pf_payload
|
||||
local pf_port
|
||||
local pf_expires
|
||||
local pf_sig_reply
|
||||
local pf_updated_at
|
||||
local pf_update
|
||||
local epoch_now
|
||||
local epoch_expire
|
||||
local epoch_diff
|
||||
local bind_resp
|
||||
config="$1"
|
||||
server_cn="$(printf '%s' "$config" | jq -r '.data.data.server_cn')"
|
||||
server_vip="$(printf '%s' "$config" | jq -r '.data.data.server_vip')"
|
||||
pf_signature="$(printf '%s' "$config" | jq -r '.data.data.pf_signature')"
|
||||
pf_payload="$(printf '%s' "$config" | jq -r '.data.data.pf_payload')"
|
||||
pf_port="$(printf '%s' "$config" | jq -r '.data.data.pf_port')"
|
||||
pf_expires="$(printf '%s' "$config" | jq -r '.data.data.pf_expires')"
|
||||
pf_updated_at="$(printf '%s' "$config" | jq -r '.data.data.pf_updated_at')"
|
||||
epoch_now="$(date '+%s')"
|
||||
epoch_expire="$(date -j -f '%Y-%m-%dT%H:%M:%S' \
|
||||
"${pf_expires%%.*}" '+%s' 2>/dev/null)"
|
||||
epoch_diff=$((epoch_now - ${pf_updated_at:-0}))
|
||||
if [ -z "$epoch_expire" ] || [ "$epoch_expire" -lt "$epoch_now" ]; then
|
||||
info "Requesting new port forward signature"
|
||||
if ! pf_sig_reply="$(_curl -G --cacert ./ca.rsa.4096.crt \
|
||||
--resolve "$server_cn:19999:$server_vip" \
|
||||
--data-urlencode "token=$pia_token" \
|
||||
"https://$server_cn:19999/getSignature")"; then
|
||||
err "Failed to connect to https://$server_cn:19999/getSignature"
|
||||
fi
|
||||
debug -f "getSignature\n%s" "$(printf '%s' "$pf_sig_reply" | jq .)"
|
||||
[ "$(printf '%s' "$pf_sig_reply" | jq -r '.status')" != "OK" ] &&
|
||||
err "getSignature failed"
|
||||
pf_signature="$(printf '%s' "$pf_sig_reply" | jq -r '.signature')"
|
||||
pf_payload="$(printf '%s' "$pf_sig_reply" | jq -r '.payload')"
|
||||
pf_port="$(printf '%s' "$pf_payload" |
|
||||
base64 -d 2>/dev/null | jq -r '.port // empty')"
|
||||
pf_expires="$(printf '%s' "$pf_payload" |
|
||||
base64 -d 2>/dev/null | jq -r '.expires_at // empty')"
|
||||
pf_update="$(jq -n --arg v "$pf_signature" '.data.pf_signature = $v')"
|
||||
pf_update="$(printf '%s' "$pf_update" |
|
||||
jq --arg v "$pf_payload" '.data.pf_payload = $v')"
|
||||
pf_update="$(printf '%s' "$pf_update" |
|
||||
jq --arg v "$pf_port" '.data.pf_port = $v')"
|
||||
pf_update="$(printf '%s' "$pf_update" |
|
||||
jq --arg v "$pf_expires" '.data.pf_expires = $v')"
|
||||
pf_update="$(printf '%s' "$pf_update" |
|
||||
jq --arg v "$(date '+%s')" '.data.pf_updated_at = $v')"
|
||||
debug -f "pf_update\n%s" "$(printf '%s' "$pf_update" | jq .)"
|
||||
info "Updating $BAO_PATH_CONFIG with pf_port=$pf_port"
|
||||
bao_curl -p "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG" \
|
||||
-X PATCH -d "$pf_update" >/dev/null
|
||||
elif [ "$epoch_diff" -ge 300 ]; then
|
||||
info "Renewing port forward ($epoch_diff/300)"
|
||||
if ! bind_resp="$(_curl -G --resolve "${server_cn}:19999:${server_vip}" \
|
||||
--data-urlencode "payload=${pf_payload}" \
|
||||
--data-urlencode "signature=${pf_signature}" \
|
||||
"https://${server_cn}:19999/bindPort")"; then
|
||||
err "Failed to bindPort (https://${server_cn}:19999/bindPort)"
|
||||
fi
|
||||
[ "$(printf '%s' "$bind_resp" | jq -r '.status')" != "OK" ] &&
|
||||
err "Failed to get bindPort status"
|
||||
debug -f "bind_resp\n%s" "$(printf '%s' "$bind_resp" | jq .)"
|
||||
pf_update="$(jq -n --arg v "$(date '+%s')" '.data.pf_updated_at = $v')"
|
||||
debug -f "pf_update\n%s" "$(printf '%s' "$pf_update" | jq .)"
|
||||
info "Updating pf_updated_at $BAO_PATH_CONFIG"
|
||||
bao_curl -p "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG" \
|
||||
-X PATCH -d "$pf_update" >/dev/null
|
||||
else
|
||||
info "Port forward still valid, updated ${epoch_diff}s ago"
|
||||
fi
|
||||
}
|
||||
|
||||
check_tunnel() {
|
||||
local tunneladdr
|
||||
local response
|
||||
@@ -188,9 +330,15 @@ renew_token() {
|
||||
unset pia_token
|
||||
}
|
||||
|
||||
PIAWG_DEBUG=0
|
||||
PIAWG_VERBOSE=0
|
||||
while getopts "v" opt; do
|
||||
OPTIND=1
|
||||
while getopts "dv" opt; do
|
||||
case $opt in
|
||||
d)
|
||||
PIAWG_VERBOSE=1
|
||||
PIAWG_DEBUG=1
|
||||
;;
|
||||
v) PIAWG_VERBOSE=1 ;;
|
||||
*)
|
||||
printf '%s\n' "Usage: $0 [-v]" >&2
|
||||
@@ -249,6 +397,7 @@ _fingerprint=1fd25658456eab3041fba77ccd398ab8124edcc1b8b2fc1d55fdf6b1bbfc9d70
|
||||
: "${OPN_IF:=PIAwg}"
|
||||
: "${OPN_PEER:=PIAwg_srv}"
|
||||
: "${OPN_ALIAS:=PIAwg_IP}"
|
||||
: "${OPN_GW:=PIAWG_VPN}"
|
||||
|
||||
# Get ephemeral session token from AppRole login
|
||||
if ! bao_token_reply=$(_curl -H 'Content-Type: application/json' \
|
||||
@@ -289,6 +438,9 @@ bao_opn_login="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_OPNSENSE")"
|
||||
opn_key="$(printf '%s' "$bao_opn_login" | jq -r .data.data.key)"
|
||||
opn_secret="$(printf '%s' "$bao_opn_login" | jq -r .data.data.secret)"
|
||||
opn_endpoint="$(printf '%s' "$bao_opn_login" | jq -r .data.data.endpoint)"
|
||||
debug -f "OPNsense login details from OpenBao ($BAO_PATH_OPNSENSE)\n%s" \
|
||||
"$(printf '%s' "$bao_opn_login" |
|
||||
jq '.data.data.secret = "[CENSORED]" | .data.data.key = "[CENSORED]"')"
|
||||
opn_endpoint="${opn_endpoint%/}"
|
||||
|
||||
# Get OPNsense Wireguard config
|
||||
@@ -297,6 +449,8 @@ opn_if_reply="$(opn_curl 'wireguard/server/searchServer' -d '{}' |
|
||||
piawg_uuid="$(printf '%s' "$opn_if_reply" | jq -r .uuid)"
|
||||
piawg_pubkey="$(printf '%s' "$opn_if_reply" | jq -r .pubkey)"
|
||||
piawg_tunaddr="$(printf '%s' "$opn_if_reply" | jq -r .tunneladdress)"
|
||||
debug -f "Wireguard instance $OPN_IF from OPNsense API\n%s" \
|
||||
"$(printf '%s' "$opn_if_reply" | jq '.privkey = "[CENSORED]"')"
|
||||
unset opn_if_reply
|
||||
|
||||
opn_peer_reply="$(opn_curl 'wireguard/client/searchClient' -d '{}' |
|
||||
@@ -305,6 +459,8 @@ piawgsrv_uuid="$(printf '%s' "$opn_peer_reply" | jq -r .uuid)"
|
||||
piawgsrv_pubkey="$(printf '%s' "$opn_peer_reply" | jq -r .pubkey)"
|
||||
piawgsrv_srvaddr="$(printf '%s' "$opn_peer_reply" | jq -r .serveraddress)"
|
||||
piawgsrv_srvport="$(printf '%s' "$opn_peer_reply" | jq -r .serverport)"
|
||||
debug -f "Wireguard peer $OPN_PEER from OPNsense API\n%s" \
|
||||
"$(printf '%s' "$opn_peer_reply" | jq .)"
|
||||
unset opn_peer_reply
|
||||
|
||||
# Get target server IP, common name, and OPNsense WG pubkey
|
||||
@@ -312,6 +468,9 @@ wg_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"
|
||||
server_ip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_ip)"
|
||||
server_cn="$(printf '%s' "$wg_reply" | jq -r .data.data.server_cn)"
|
||||
server_port="$(printf '%s' "$wg_reply" | jq -r .data.data.server_port)"
|
||||
server_vip="$(printf '%s' "$wg_reply" | jq -r .data.data.server_vip)"
|
||||
debug -f "Config from OpenBao ($BAO_PATH_CONFIG)\n%s" \
|
||||
"$(printf '%s' "$wg_reply" | jq .)"
|
||||
unset wg_reply
|
||||
|
||||
# Update to reflect desired state
|
||||
@@ -340,3 +499,12 @@ else
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Optional: port forward
|
||||
if conf_reply="$(bao_curl "$BAO_KV_MOUNT/data/$BAO_PATH_CONFIG")"; then
|
||||
debug -f "Check for port_forward value in OpenBao ($BAO_PATH_CONFIG)\n%s" \
|
||||
"$(printf '%s' "$conf_reply" | jq .)"
|
||||
port_forward="$(printf '%s' "$conf_reply" |
|
||||
jq -r '.data.data.port_forward')"
|
||||
[ "$port_forward" = "true" ] && pia_forward "$conf_reply"
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user