#!/bin/bash

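#######################################
# Print a status line to stdout in green (ANSI colour codes), ending with a
# newline.
# Arguments: $1 - the message, printed verbatim. It is passed as a printf
#                 argument, not as the format string, so a message containing
#                 '%' or backslashes is neither interpreted nor an error.
# Returns:   printf's exit status
#######################################
echo_info() {
    local green=$'\033[0;32m'
    local reset=$'\033[0m'
    printf '%s%s%s\n' "$green" "$1" "$reset"
}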

####################################################################
# Constants
####################################################################

# Interface names for the two legs of the gateway (vpn --> outbound):
#   WG_INTERFACE       - the wireguard interface clients connect to; its config
#                        file is /${WG_INTERFACE}.conf
#   OUTBOUND_INTERFACE - the tunnel all forwarded client traffic leaves through
WG_INTERFACE='wg-cloud'
OUTBOUND_INTERFACE='wgcf'

####################################################################
# wireguard setup
# wireguard -> X (any destination) forwarding
# wireguard -> $OUTBOUND_INTERFACE SNAT (MASQUERADE)
####################################################################

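echo_info "Set up outbound..."

# Everything that follows (MASQUERADE on, and the table-100 default route via,
# OUTBOUND_INTERFACE) assumes the outbound tunnel came up. The script runs
# without `set -e`, so stop explicitly instead of layering rules on a gateway
# that has no outbound leg.
./start_outbound.sh || {
    printf 'start_outbound.sh failed (exit %d)\n' "$?" >&2
    exit 1
}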

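echo_info "Set up wireguard..."

# Refuse to continue with any required setting missing, rather than writing a
# config with empty fields that wg-quick only rejects later on.
: "${WG_GATEWAY_PRIVATE_KEY:?WG_GATEWAY_PRIVATE_KEY must be set}"
: "${WG_GATEWAY_IP:?WG_GATEWAY_IP must be set}"
: "${WG_GATEWAY_PORT:?WG_GATEWAY_PORT must be set}"
: "${WG_CLIENT_PUBLIC_KEY:?WG_CLIENT_PUBLIC_KEY must be set}"
: "${WG_CLIENT_IP:?WG_CLIENT_IP must be set}"

wg_conf="/${WG_INTERFACE}.conf"

# The file carries the gateway's private key. Recreate it under umask 077 so it
# ends up 0600 whatever umask the script inherited; the rm matters because
# redirecting onto an existing file keeps that file's old (possibly
# world-readable) mode. The subshell keeps the umask change local.
(
    umask 077
    rm -f -- "$wg_conf"
    cat > "$wg_conf" <<EOF
[Interface]
PrivateKey = ${WG_GATEWAY_PRIVATE_KEY}
Address = ${WG_GATEWAY_IP}
ListenPort = ${WG_GATEWAY_PORT}

[Peer]
PublicKey = ${WG_CLIENT_PUBLIC_KEY}
AllowedIPs = ${WG_CLIENT_IP}

EOF
) || exit 1

# `down` fails harmlessly on a fresh container where the interface does not
# exist yet; presumably it is here so a re-run replaces the old interface.
wg-quick down "$wg_conf"
# A gateway without its VPN interface is useless; exit so a supervisor can
# restart us rather than sleeping forever with a half-built setup.
wg-quick up "$wg_conf" || exit 1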

# Install the same rule set for both address families. The v4 and v6 rule
# sets are independent, so only the order within a family matters.
for ipt in iptables-nft ip6tables-nft; do
    # default drop forward
    "$ipt" -P FORWARD DROP

    # allow establishing connection from vpn
    # NOTE(review): there is no -o restriction, so VPN peers can be forwarded
    # not only into the outbound tunnel but also to any network the gateway
    # routes through the main table (those routes are kept by the
    # suppress_prefixlength rule in the routing section); add
    # `-o "$OUTBOUND_INTERFACE"` if tunnel-only egress is intended — confirm.
    "$ipt" -A FORWARD -i "$WG_INTERFACE" -j ACCEPT
    # allow only established connection from outside
    "$ipt" -A FORWARD -i "$OUTBOUND_INTERFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # SNAT (masquerade) everything leaving through the outbound tunnel
    "$ipt" -t nat -A POSTROUTING -o "$OUTBOUND_INTERFACE" -j MASQUERADE

    # clamp tcp MSS of packets out all tunnels
    for dev in "$WG_INTERFACE" "$OUTBOUND_INTERFACE"; do
        "$ipt" -t mangle -A POSTROUTING -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    done
done

# Policy routing (vpn --> outbound), done identically for v4 and v6:
# packets that arrived on the VPN interface first consult the main table, but
# suppress_prefixlength 0 rejects a match whose prefix length is 0, i.e. the
# main default route; only non-default (e.g. connected) routes apply. Anything
# else falls through to table 100, whose sole entry is a default route out of
# the outbound tunnel.
for fam in -4 -6; do
    ip "$fam" route flush table 100
    ip "$fam" route add table 100 default dev "$OUTBOUND_INTERFACE"

    # NOTE(review): unlike the iptables rules, these `rule add`s are not
    # de-duplicated later; whether a re-run appends duplicates depends on the
    # iproute2/kernel combination — confirm on the target image.
    ip "$fam" rule add iif "$WG_INTERFACE" priority 99  lookup main suppress_prefixlength 0
    ip "$fam" rule add iif "$WG_INTERFACE" priority 100 lookup 100
done

####################################################################
# iptables de-duplicate
####################################################################

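echo_info "De-duplicating iptables..."

#######################################
# Remove duplicate rule lines from an iptables-save dump, keeping the first
# occurrence of each line. Re-running this script appends the same rules
# again; this collapses them. The seen-set is cleared at every COMMIT so an
# identical line in a different table is not treated as a duplicate.
# Inputs:  dump on stdin
# Outputs: de-duplicated dump on stdout
#######################################
dedup_ipt_dump() {
    awk '/^COMMIT$/ { delete x; }; !x[$0]++'
}

for ipt in iptables-nft ip6tables-nft; do
    # Private, unpredictable temp file instead of a fixed name under /tmp.
    tmp=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
    "${ipt}-save" | dedup_ipt_dump > "$tmp"
    # An empty dump means the save step produced nothing; flushing and
    # restoring it would wipe the rules just installed, so leave the running
    # rule set untouched in that case.
    if [ -s "$tmp" ]; then
        # -F clears only the filter table; the restore then replaces every
        # table present in the dump.
        "$ipt" -F
        "${ipt}-restore" < "$tmp"
    else
        printf '%s-save produced no output; skipping restore\n' "$ipt" >&2
    fi
    rm -f -- "$tmp"
done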

####################################################################
####################################################################

echo_info "Infra setup complete!"

# Keep the process alive without busy-waiting: park a sleep in the background
# and block in the shell's own `wait` (no pid argument: wait for every child,
# which here is just the sleep). Presumably chosen over a foreground sleep so
# the shell itself stays responsive to signals — confirm.
sleep infinity &

wait