iamtakingiteasy/vpn.sh

## vpn.sh
#!/bin/sh

# wireguard-vanity-address is recommended

# example netdev file
#
# [NetDev]
# Name=overlay
# Kind=wireguard
# Description=overlay
#
# [WireGuard]
# ListenPort=34342
# PrivateKey=IE40Kwh+Gs1VbPNqWtP0qcm8Wtt+vqJNCzqZ0x71+ks=
#
# [WireGuardPeer]
# PublicKey=node1sMLyrrPJAi6Ip058niL3WtNN2fvLq9BVzzCuB8=
# PresharedKey=GMiYgwSTUqGlv6nNCciDXCkafc/nSLiQ2LNew6kTacE=
# AllowedIPs=10.32.45.2/32
# Endpoint=node1.example.com:34252
# PersistentKeepalive=25
#
# [WireGuardPeer]
# PublicKey=node2wwndqhrCkqUxTIwgCa7JvVz0HR7rJ49lHl0rE4=
# PresharedKey=9rUMBqMSrtlkJBCitPVbHGk6Yvmu5Ww4Wfae6mrcyCI=
# AllowedIPs=10.32.45.3/32
# Endpoint=node2.example.com:34234
# PersistentKeepalive=25


netdev=/etc/systemd/network/99-overlay.netdev
table=1000

ports=(
	80
	443
)

localnets=(
	10.0.0.0/8
	172.16.0.0/12
	192.168.0.0/16
)

directdomains=(
	cdn.discordapp.com
)

peers() {
	cur=$(ip route show table 1000 | awk '{print $3}')
	awk -v cur="$cur/32" -F= '
	  function p(){
	    if (allow == cur) {
	      ad="(*)"
	    } else {
	      ad=""
	    }
	    if (key) {print key, allow, endp, ad}
	  }
	  /WireGuardPeer/{p();key=allow=endp=""}
	  /PublicKey/{key=$2 "="}
	  /AllowedIPs/{allow=$2}
	  /Endpoint/{endp=substr($2, 1, index($2, ":")-1)}
	  END{p()}
	' < $netdev
}

reset() {
	ip route show table $table | while read v; do ip route del $v table $table; done

	( ip rule show priority 5; ip rule show priority 10 ) | while read n s; do
		ip rule del $s
	done

	peers | while read p a d; do
		wg set overlay peer $p allowed-ips "$a"
	done
}

sel() {
	reset
	peers | grep "$1" | {
		read p a d;
		[ -z $p ] && echo "unknown $1" && exit 1

		wg set overlay peer $p allowed-ips "0.0.0.0/0" || { reset && exit 1; }

		selectors=()

		for v in ${ports[@]}; do
			selectors+=("dport $v table $table priority 10")
		done

		for v in ${localnets[@]}; do
			selectors+=("to $v table main priority 5")
		done

		for v in ${directdomains[@]} $(peers | awk '{print $3}'); do
			for s in $(dig "$v" +short); do
				selectors+=("to $s table main priority 5")
			done
		done

		gw=${a%/*}

		echo "gw $1 -> $gw ($d @ $(dig "$d" +short))"

		ip route add default via $gw table $table

		for v in "${selectors[@]}"; do
			ip rule add $v
		done
	}
}

if [ ${#@} -eq 1 ]; then
        if [ "$1" = "-" ]; then
                echo "reset"
                reset
        else
                sel "$1"
        fi
fi

peers
	#!/bin/sh

	# wireguard-vanity-address is recommended

	# example netdev file
	#
	# [NetDev]
	# Name=overlay
	# Kind=wireguard
	# Description=overlay
	#
	# [WireGuard]
	# ListenPort=34342
	# PrivateKey=IE40Kwh+Gs1VbPNqWtP0qcm8Wtt+vqJNCzqZ0x71+ks=
	#
	# [WireGuardPeer]
	# PublicKey=node1sMLyrrPJAi6Ip058niL3WtNN2fvLq9BVzzCuB8=
	# PresharedKey=GMiYgwSTUqGlv6nNCciDXCkafc/nSLiQ2LNew6kTacE=
	# AllowedIPs=10.32.45.2/32
	# Endpoint=node1.example.com:34252
	# PersistentKeepalive=25
	#
	# [WireGuardPeer]
	# PublicKey=node2wwndqhrCkqUxTIwgCa7JvVz0HR7rJ49lHl0rE4=
	# PresharedKey=9rUMBqMSrtlkJBCitPVbHGk6Yvmu5Ww4Wfae6mrcyCI=
	# AllowedIPs=10.32.45.3/32
	# Endpoint=node2.example.com:34234
	# PersistentKeepalive=25


	netdev=/etc/systemd/network/99-overlay.netdev
	table=1000

	ports=(
	80
	443
	)

	localnets=(
	10.0.0.0/8
	172.16.0.0/12
	192.168.0.0/16
	)

	directdomains=(
	cdn.discordapp.com
	)

	peers() {
	cur=$(ip route show table 1000 \| awk '{print $3}')
	awk -v cur="$cur/32" -F= '
	function p(){
	if (allow == cur) {
	ad="(*)"
	} else {
	ad=""
	}
	if (key) {print key, allow, endp, ad}
	}
	/WireGuardPeer/{p();key=allow=endp=""}
	/PublicKey/{key=$2 "="}
	/AllowedIPs/{allow=$2}
	/Endpoint/{endp=substr($2, 1, index($2, ":")-1)}
	END{p()}
	' < $netdev
	}

	reset() {
	ip route show table $table \| while read v; do ip route del $v table $table; done

	( ip rule show priority 5; ip rule show priority 10 ) \| while read n s; do
	ip rule del $s
	done

	peers \| while read p a d; do
	wg set overlay peer $p allowed-ips "$a"
	done
	}

	sel() {
	reset
	peers \| grep "$1" \| {
	read p a d;
	[ -z $p ] && echo "unknown $1" && exit 1

	wg set overlay peer $p allowed-ips "0.0.0.0/0" \|\| { reset && exit 1; }

	selectors=()

	for v in ${ports[@]}; do
	selectors+=("dport $v table $table priority 10")
	done

	for v in ${localnets[@]}; do
	selectors+=("to $v table main priority 5")
	done

	for v in ${directdomains[@]} $(peers \| awk '{print $3}'); do
	for s in $(dig "$v" +short); do
	selectors+=("to $s table main priority 5")
	done
	done

	gw=${a%/*}

	echo "gw $1 -> $gw ($d @ $(dig "$d" +short))"

	ip route add default via $gw table $table

	for v in "${selectors[@]}"; do
	ip rule add $v
	done
	}
	}

	if [ ${#@} -eq 1 ]; then
	if [ "$1" = "-" ]; then
	echo "reset"
	reset
	else
	sel "$1"
	fi
	fi

	peers