#!/bin/bash
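# Runtime settings, overridable from the environment and exported for child processes.
#   config_path - directory holding keys and configs (server wg0.conf, client configs)
#   wg_port     - server ListenPort, also written into every client's Endpoint
#   wg_ip       - address written into the clients' Endpoint; the 127.0.0.1 default only
#                 works for local testing, set it to the address peers can actually reach
export config_path=${config_path:-/etc/wireguard}
export wg_port=${wg_port:-8080}
export wg_ip=${wg_ip:-127.0.0.1}
# Peers only get traffic forwarded when IPv4 forwarding is on. Writing the sysctl needs a
# privileged container (writable /proc/sys); warn instead of failing silently with a bash
# redirection error. stderr is redirected before the file redirection so the kernel's
# "permission denied" does not leak as noise.
if ! printf '1\n' 2>/dev/null > /proc/sys/net/ipv4/ip_forward; then
  printf 'warning: could not enable net.ipv4.ip_forward; traffic from peers will not be forwarded\n' >&2
fi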
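build_module(){
  # Build and install the WireGuard kernel module from /wireguard/src, then exec the
  # remaining arguments as the container command.
  # Arguments: $@ - command to exec after a successful install (nothing is exec'd when empty)
  # Returns: 1 when the source tree is missing or the build/install step fails
  #          (does not return at all after a successful exec)
  cd /wireguard/src || { echo "wireguard source tree /wireguard/src not found" >&2; return 1; }
  echo "Building the wireguard kernel module..."
  make module || { echo "building the wireguard kernel module failed" >&2; return 1; }
  echo "Installing the wireguard kernel module..."
  make module-install || { echo "installing the wireguard kernel module failed" >&2; return 1; }
  echo "Cleaning up..."
  # Best effort: a failed clean leaves build artefacts behind but the module is installed.
  make clean
  echo "Successfully built and installed the wireguard kernel module!"
  # Quoted "$@" keeps arguments with spaces intact (the original disabled SC2068 instead).
  exec "$@"
}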
#build_module
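set_config(){
  # First-start initialisation: create the server config (wg0.conf) and the first client
  # config (client.conf) under config_path. Does nothing when wg0.conf already exists.
  # Reads: config_path, wg_port, wg_ip and the optional wg_ext_if (outbound interface used
  #        in the MASQUERADE rules, default eth0 - set it when the NIC has another name).
  # Side effects: chdir into config_path and umask 077 for the rest of the process.
  # Returns: 0 on success or when nothing had to be done, 1 when the directory or the
  #          key pairs could not be created.
  local ext_if=${wg_ext_if:-eth0}
  if [[ -f "${config_path}/wg0.conf" ]]; then
    return 0
  fi
  # The directory holds private keys: owner-only, never world-writable (a 0777 directory
  # would let any local user replace or delete the key files).
  mkdir -p -- "$config_path" || return 1
  chmod 0700 -- "$config_path" || echo "warning: could not chmod 0700 ${config_path}" >&2
  cd -- "$config_path" || return 1
  # Key files and configs created below are readable by the owner only.
  umask 077
  # Server and first-client key pairs; the private key is kept via tee, the public key derived.
  if ! wg genkey | tee "${config_path}/server_privatekey" | wg pubkey > "${config_path}/server_publickey"; then
    echo "server key generation failed" >&2
    return 1
  fi
  if ! wg genkey | tee "${config_path}/client_privatekey" | wg pubkey > "${config_path}/client_publickey"; then
    echo "client key generation failed" >&2
    return 1
  fi
  # Server config. PostUp/PostDown NAT tunnel traffic out of ext_if; ListenPort is wg_port.
  cat > "${config_path}/wg0.conf" <<EOF
[Interface]
PrivateKey = $(cat "${config_path}/server_privatekey")
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ${ext_if} -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ${ext_if} -j MASQUERADE
ListenPort = ${wg_port}
DNS = 8.8.8.8
#k8s中coredns的地址
DNS = 10.96.0.2
#公司自己搭建的DNSMASQ服务器地址
DNS = 10.252.97.139
MTU = 1420
[Peer]
PublicKey = $(cat "${config_path}/client_publickey")
AllowedIPs = 10.0.0.2/32
EOF
  # First client config. Endpoint is wg_ip:wg_port, i.e. the server address peers can reach.
  cat > "${config_path}/client.conf" <<EOF
[Interface]
PrivateKey = $(cat "${config_path}/client_privatekey")
Address = 10.0.0.2/24
DNS = 8.8.8.8
#k8s中coredns的地址
DNS = 10.96.0.2
#公司自己搭建的DNSMASQ服务器地址
DNS = 10.252.97.139
MTU = 1420
[Peer]
PublicKey = $(cat "${config_path}/server_publickey")
Endpoint = ${wg_ip}:${wg_port}
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
EOF
}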
# First-start initialisation: generates the server and first-client configs
# unless ${config_path}/wg0.conf already exists.
set_config
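add_user(){
  # Create a new client: key pair and client config under clients_path/<name>/, a new
  # [Peer] block appended to wg0.conf and the peer hot-added to the running wg0 interface.
  # Arguments: $1 - client name (the user_name env var takes precedence when set)
  # Reads: config_path, wg_ip, wg_port, optional clients_path (default config_path/clients)
  # Side effects: umask 077 for the rest of the process (keys must not be world-readable).
  # Returns: 0 when the client was added or already existed, 1 on invalid name, missing
  #          wg0.conf, exhausted address range or failed key generation.
  local name=${user_name:-${1:-}}
  local clients=${clients_path:-${config_path}/clients}
  local conf=${config_path}/wg0.conf
  # The name becomes a path component, the "#<name>" marker line in wg0.conf and an awk
  # literal in del_user: restrict it to a safe charset (no '/', leading '.', whitespace or
  # shell/regex metacharacters), otherwise "../x" style names escape clients_path.
  if [[ ! $name =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
    echo "invalid user name: ${name}" >&2
    return 1
  fi
  # Use the absolute path: the original read wg0.conf from the current directory, which is
  # only config_path on the very first start.
  if [[ ! -f "$conf" ]]; then
    echo "${conf} not found" >&2
    return 1
  fi
  local dir=${clients}/${name}
  local privkey=${dir}/${name}_privatekey
  local pubkey=${dir}/${name}_publickey
  if [[ -f "$privkey" ]]; then
    echo "${name}_privatekey had already exist"
    return 0
  fi
  # Next free host address: one above the highest AllowedIPs last octet already present.
  # Counting [Peer] blocks would hand out an address that is still in use once any client
  # has been deleted. The server is .1, so the first client gets .2.
  local octet
  octet=$(awk -F'[ ./]+' 'BEGIN { max = 1 } /^AllowedIPs = 10\.0\.0\./ && $6 > max { max = $6 } END { print max + 1 }' "$conf")
  if [[ ! $octet =~ ^[0-9]+$ ]] || (( octet > 254 )); then
    echo "no free address left in 10.0.0.0/24" >&2
    return 1
  fi
  # Private keys and client configs are created owner-readable only.
  umask 077
  mkdir -p -- "$dir" || return 1
  if ! wg genkey | tee "$privkey" | wg pubkey > "$pubkey"; then
    echo "key generation for ${name} failed" >&2
    return 1
  fi
  # Client config: Address matches the AllowedIPs entry added to the server below,
  # Endpoint is the server's reachable address and ListenPort.
  cat > "${dir}/${name}.conf" <<EOF
[Interface]
PrivateKey = $(cat "$privkey")
Address = 10.0.0.${octet}/24
DNS = 8.8.8.8
#k8s中coredns的地址
DNS = 10.96.0.2
#公司自己搭建的DNSMASQ服务器地址
DNS = 10.252.97.139
MTU = 1420
[Peer]
PublicKey = $(cat "${config_path}/server_publickey")
Endpoint = ${wg_ip}:${wg_port}
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
EOF
  # Server side. del_user locates this block by the "#<name>" marker and removes the line
  # before it and the two after it, so keep the shape (blank, [Peer], marker, PublicKey,
  # AllowedIPs) stable.
  cat >> "$conf" <<EOF

[Peer]
#${name}
PublicKey = $(cat "$pubkey")
AllowedIPs = 10.0.0.${octet}/32
EOF
  echo "${name}_privatekey had added"
  # Hot-add the peer to the live interface; no wg-quick restart needed.
  wg set wg0 peer "$(cat "$pubkey")" allowed-ips "10.0.0.${octet}/32"
  wg show
}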
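del_user(){
  # Remove a client: drop its [Peer] block from wg0.conf (keeping a .bak copy), remove the
  # peer from the running wg0 interface and delete its key/config directory.
  # Arguments: $1 - client name (the user_name env var takes precedence when set)
  # Reads: config_path, optional clients_path (default config_path/clients)
  # Returns: 0 on success, 1 on invalid name, unknown client or failed config rewrite.
  local name=${user_name:-${1:-}}
  local clients=${clients_path:-${config_path}/clients}
  local conf=${config_path}/wg0.conf
  # Same charset rule as add_user: the name is a path component that ends up in rm -rf and
  # an awk literal, so '/', leading '.' and metacharacters are rejected.
  if [[ ! $name =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
    echo "invalid user name: ${name}" >&2
    return 1
  fi
  local dir=${clients}/${name}
  local pubkey=${dir}/${name}_publickey
  if [[ ! -f "$pubkey" ]]; then
    echo "${dir} does not exist" >&2
    return 1
  fi
  # Rewrite wg0.conf without this client's block. add_user writes it as
  # [Peer] / #<name> / PublicKey / AllowedIPs, so an exact match on the marker line drops
  # that line, the one before it and the two after it. Comparing strings in awk avoids
  # building a sed regex from the name (a '.' in the name would match any character, a '/'
  # breaks the expression); the public key is not usable as a pattern for the same reason,
  # it contains '/' and '+'. The .bak copy mirrors the previous sed -i.bak behaviour.
  cp -- "$conf" "${conf}.bak" || return 1
  local tmp
  tmp=$(mktemp "${conf}.XXXXXX") || return 1
  if ! awk -v tag="#${name}" '
        { line[NR] = $0 }
        $0 == tag { for (k = NR - 1; k <= NR + 2; k++) drop[k] = 1 }
        END { for (i = 1; i <= NR; i++) if (!drop[i]) print line[i] }
      ' "$conf" > "$tmp"; then
    rm -f -- "$tmp"
    echo "failed to rewrite ${conf}" >&2
    return 1
  fi
  # mktemp created tmp with mode 0600, so the rewritten config stays owner-only.
  mv -- "$tmp" "$conf" || { rm -f -- "$tmp"; return 1; }
  echo "${dir} had deleted"
  # Hot-remove the peer from the live interface; no wg-quick restart needed.
  wg set wg0 peer "$(cat "$pubkey")" remove
  wg show
  # ${dir:?} aborts instead of expanding to an empty path if dir were ever unset.
  rm -rf -- "${dir:?}"
}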
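# Entry-point dispatch. "-a NAME" / "-d NAME" manage a client and exit with that function's
# status. Any other command line is run through bash (the container command, i.e. trusted
# operator input, not user data) and, when a WireGuard interface is up afterwards, the
# container is kept alive with syslogd.
case "${1:-}" in
  -a|-d)
    if [[ -z "${2:-}" ]]; then
      echo "请输入一个用户名称"
      exit 1
    fi
    if [[ "$1" == "-a" ]]; then
      add_user "$2"
    else
      del_user "$2"
    fi
    ;;
  *)
    /bin/bash "$@"
    wg show
    # `wg` with no arguments lists the configured interfaces; empty output means none is up.
    if [[ -n "$(wg)" ]]; then
      syslogd -n # keep container alive
    else
      echo "wireguard is stopped" # exit container with a failure status
      exit 1
    fi
    ;;
esac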