From 2efbbbe48b1349f63a0c8cc2ef47310cc5a9123e Mon Sep 17 00:00:00 2001
From: Mike Conrad
Date: Wed, 25 Sep 2024 09:34:53 -0400
Subject: [PATCH] Fixed typos in scripts

---
 main.tf | 22 ++++++----------------
 setup.sh | 50 ++++++++++++++++++++++++++------------------------
 2 files changed, 32 insertions(+), 40 deletions(-)

diff --git a/main.tf b/main.tf
index d9296fc..98cb655 100644
--- a/main.tf
+++ b/main.tf
@@ -6,24 +6,14 @@ resource "digitalocean_ssh_key" "default" {
 
 # Create a new Web Droplet in the nyc2 region
 resource "digitalocean_droplet" "web" {
- image = "ubuntu-22-04-x64"
- name = "wireguard"
- region = "nyc1"
- size = "s-2vcpu-4gb"
- ssh_keys = [digitalocean_ssh_key.default.fingerprint]
+ image = "ubuntu-22-04-x64"
+ name = "wireguard"
+ region = "nyc1"
+ size = "s-2vcpu-4gb"
+ ssh_keys = [digitalocean_ssh_key.default.fingerprint]
 user_data = file("setup.sh")
- connection {
- host = digitalocean_droplet.web.ipv4_address
- type = "ssh"
- user = "root"
- private_key = "${file("./tf-digitalocean")}"
- }
-
- provisioner "remote-exec" {
- inline = [ "cat /root/wireguard-conf/client-config.conf" ]
- }
 }
 
 output "droplet_output" {
 value = digitalocean_droplet.web.ipv4_address
-}
\ No newline at end of file
+}
diff --git a/setup.sh b/setup.sh
index 31f3d47..005a135 100644
--- a/setup.sh
+++ b/setup.sh
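Review bot: With the `connection` and `provisioner "remote-exec"` blocks gone, nothing in `digitalocean_droplet.web` waits for cloud-init to finish, so `terraform apply` returns and `droplet_output` prints an address before `setup.sh` has installed WireGuard or written `/root/wireguard-conf/client-config.conf` (the removed provisioner presumably doubled as that readiness barrier). Dropping it is still the right call, since `cat`ting the client config from a provisioner streamed the client's private key into Terraform's stdout and any CI logs. I would add a comment above `user_data = file("setup.sh")` such as `# setup.sh runs via cloud-init after first boot; wait for it to finish, then fetch /root/wireguard-conf/client-config.conf over SSH (do not print it from Terraform)` so the retrieval step does not get lost along with the provisioner.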
@@ -1,50 +1,55 @@ -#!/bin/bash -apt update +#!/usr/bin/env sh +set -e +set -u +# Set the listen port used by Wireguard, this is the default so feel free to change it. +LISTENPORT=51820 +CONFIG_DIR=/root/wireguard-conf +umask 077 +mkdir -p $CONFIG_DIR/client # Install wireguard -apt install -y wireguard +apt update && apt install -y wireguard -LISTENPORT=51820 -umask 077 -# Generate public and private key -mkdir /root/wireguard-conf -cd /root/wireguard-conf +# Generate public/private key for the "server". +wg genkey > $CONFIG_DIR/privatekey +wg pubkey < $CONFIG_DIR/privatekey > $CONFIG_DIR/publickey -wg genkey > privatekey -wg pubkey < privatekey > publickey -mkdir client - -wg genkey > client/privatekey -wg pubkey < client/privatekey > client/publickey +# Generate public/private key for the "client" +wg genkey > $CONFIG_DIR/client/privatekey +wg pubkey < $CONFIG_DIR/client/privatekey > $CONFIG_DIR/client/publickey +# Generate server config echo "[Interface] Address = 10.66.66.1/24,fd42:42:42::1/64 ListenPort = $LISTENPORT -PrivateKey = $(cat privatekey) +PrivateKey = $(cat $CONFIG_DIR/privatekey) -### Client mike-home +### Client config [Peer] -PublicKey = $(cat client/publickey) +PublicKey = $(cat $CONFIG_DIR/client/publickey) AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128 " > /etc/wireguard/do.conf -wg-quick up do +# Generate client config. This will need to be copied to your machine. echo "[Interface] -PrivateKey = $(cat client/privatekey) +PrivateKey = $(cat $CONFIG_DIR/client/privatekey) Address = 10.66.66.2/32,fd42:42:42::2/128 DNS = 1.1.1.1,1.0.0.1 [Peer] -PublicKey = $(cat publickey) +PublicKey = $(cat $CONFIG_DIR/publickey) Endpoint = $(curl icanhazip.com):$LISTENPORT AllowedIPs = 0.0.0.0/0,::/0 -" > client-config.conf +" > $CONFIG_DIR/client-config.conf + +wg-quick up do # Add iptables rules to forward internet traffic through this box # We are assuming our Wireguard interface is called do and our # primary public facing interface is called eth0. 
+ iptables -I INPUT -p udp --dport 51820 -j ACCEPT iptables -I FORWARD -i eth0 -o do -j ACCEPT iptables -I FORWARD -i do -j ACCEPT @@ -56,6 +61,3 @@ ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE echo "net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf sysctl --system - - -cat client-config.conf \ No newline at end of file
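Review bot: `Endpoint = $(curl icanhazip.com):$LISTENPORT` learns the server's public address over plain HTTP from a third party, and because the substitution sits inside an `echo` argument, `set -e` does not abort when curl fails, so the client config is silently written with an empty or bogus endpoint and the script carries on. The impact is a non-working client rather than key compromise (the client still pins the server's public key), but it should fail loudly: assign first with `PUBLIC_IP=$(curl -fsS https://icanhazip.com)` and then use `Endpoint = $PUBLIC_IP:$LISTENPORT`. The new comment invites changing `LISTENPORT`, yet the context line `iptables -I INPUT -p udp --dport 51820 -j ACCEPT` still hard-codes the port; `--dport $LISTENPORT` keeps the firewall rule in step. Separately, the client's private key is generated on the server and left at `$CONFIG_DIR/client/privatekey` and inside `client-config.conf`; a comment telling the operator to delete both after copying the config (or to generate the client key locally and only paste the public key into the server config) would be a cheap improvement. I also do not see `wg-quick up do` or the iptables rules being persisted across a reboot; `systemctl enable --now wg-quick@do` would at least cover the tunnel.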