Removes firewalld from CentOS, use iptables insert instead of add to …

…avoid interfering with exitting rules and adds interactive IPv6 dialog
l-n-s · Dec 1, 2019 · 66eef37 · 66eef37
1 parent b0cfa7a
commit 66eef37
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 41 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # wireguard-install
 
-[WireGuard](https://www.wireguard.com) [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu 18.04 LTS, Debian 9 and CentOS 7.
+[WireGuard](https://www.wireguard.com) [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu 18.04 LTS, Debian 9 and CentOS 7-8.
 
 This script will let you setup your own VPN server in no more than a minute, even if you haven't used WireGuard before. It has been designed to be as unobtrusive and universal as possible.
 
@@ -24,6 +24,7 @@ The script can be configured by setting the following environment variables:
 * SERVER\_HOST - public IP address, detected by default
 * SERVER\_PORT - listening port, picked random by default
 * CLIENT\_DNS - comma separated DNS servers to use by the client
+* PRIVATE\_SUBNET6 - IPv6 private subnet, empty by default, causes installing with IPv6 support
 
 ## Setting up clients
 
@@ -34,7 +35,7 @@ Install WireGuard and reboot your computer:
     sudo add-apt-repository ppa:wireguard/wireguard -y && sudo apt update && sudo apt install wireguard resolvconf -y
     sudo reboot
 
-Copy the file `/root/client-wg0.conf` from a remote server to your local PC path `/etc/wireguard/wg0.conf` and run 
+Copy the file `/root/client-wg0.conf` from a remote server to your local PC path `/etc/wireguard/wg0.conf` and run
 `sudo systemctl start [email protected]`
 
 To show VPN status, run `sudo wg show`.

diff --git a/wireguard-install.sh b/wireguard-install.sh
@@ -48,17 +48,6 @@ if [ ! -f "$WG_CONFIG" ]; then
     PRIVATE_SUBNET=${PRIVATE_SUBNET:-"10.9.0.0/24"}
     PRIVATE_SUBNET_MASK=$( echo $PRIVATE_SUBNET | cut -d "/" -f 2 )
     GATEWAY_ADDRESS="${PRIVATE_SUBNET::-4}1"
-    ### If you want to enable IPv6, supply PRIVATE_SUBNET6 environment variable
-    ### You can generate unique private subnet on https://simpledns.com/private-ipv6
-    ### Example:
-    ### PRIVATE_SUBNET6="fd42:42:42::/64"
-    ### TODO: Add IPv6 address validation
-    PRIVATE_SUBNET6=${PRIVATE_SUBNET6:-""}
-    if [ "$PRIVATE_SUBNET6" != "" ]; then
-        PRIVATE_SUBNET_MASK6=$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 2 )
-        PRIVATE_SUBNET_ADDRESS6="$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 1 )"
-        GATEWAY_ADDRESS6="${PRIVATE_SUBNET_ADDRESS6}1"
-    fi
 
     if [ "$SERVER_HOST" == "" ]; then
         SERVER_HOST=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
@@ -75,6 +64,23 @@ if [ ! -f "$WG_CONFIG" ]; then
         SERVER_PORT=$( get_free_udp_port )
     fi
 
+    ### If you want to enable IPv6, supply PRIVATE_SUBNET6 environment variable
+    ### You can generate unique private subnet on https://simpledns.com/private-ipv6
+    ### TODO: Add IPv6 address validation
+    PRIVATE_SUBNET6=${PRIVATE_SUBNET6:-""}
+    if [[ "$PRIVATE_SUBNET6" == "" && "$INTERACTIVE" == "yes" ]]; then
+        echo "Private subnet for IPv6 is not set."
+        read -p "Do you want to enable IPv6 support with default subnet 'fd42:42:42::/64'? [n/y]: " -e -i "n" CONFIRM
+        if [ "$CONFIRM" == "y" ]; then
+            PRIVATE_SUBNET6="fd42:42:42::/64"
+        fi
+    fi
+    if [ "$PRIVATE_SUBNET6" != "" ]; then
+        PRIVATE_SUBNET_MASK6=$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 2 )
+        PRIVATE_SUBNET_ADDRESS6="$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 1 )"
+        GATEWAY_ADDRESS6="${PRIVATE_SUBNET_ADDRESS6}1"
+    fi
+
     if [ "$CLIENT_DNS" == "" ]; then
         echo "Which DNS do you want to use with the VPN?"
         echo "   1) Cloudflare"
@@ -113,7 +119,8 @@ if [ ! -f "$WG_CONFIG" ]; then
     elif [ "$DISTRO" == "CentOS" ]; then
         curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
         yum install epel-release -y
-        yum install wireguard-dkms qrencode wireguard-tools firewalld -y
+        yum remove firewalld -y
+        yum install wireguard-dkms qrencode wireguard-tools iptables-services -y
     fi
 
     SERVER_PRIVKEY=$( wg genkey )
@@ -137,7 +144,7 @@ if [ ! -f "$WG_CONFIG" ]; then
         echo "# IPV6 $PRIVATE_SUBNET6" >> $WG_CONFIG
     fi
 
-echo "[Interface]
+    echo "[Interface]
 Address = $INTERFACE_ADDRESS
 ListenPort = $SERVER_PORT
 PrivateKey = $SERVER_PRIVKEY
@@ -165,33 +172,25 @@ qrencode -t ansiutf8 -l L < $HOME/$CLIENT_NAME-wg0.conf
     sysctl -p
 
     if [ "$DISTRO" == "CentOS" ]; then
-        systemctl start firewalld
-        systemctl enable firewalld
-        firewall-cmd --zone=public --add-port=$SERVER_PORT/udp
-        firewall-cmd --zone=trusted --add-source=$PRIVATE_SUBNET
-        firewall-cmd --permanent --zone=public --add-port=$SERVER_PORT/udp
-        firewall-cmd --permanent --zone=trusted --add-source=$PRIVATE_SUBNET
-        firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET ! -d $PRIVATE_SUBNET -j SNAT --to $SERVER_HOST
-        firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET ! -d $PRIVATE_SUBNET -j SNAT --to $SERVER_HOST
-        if [ "$PRIVATE_SUBNET6" != "" ]; then
-        # IPv6 firewalld part is not tested yet
-            firewall-cmd --zone=trusted --add-source=$PRIVATE_SUBNET6
-            firewall-cmd --permanent --zone=trusted --add-source=$PRIVATE_SUBNET6
-            firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s $PRIVATE_SUBNET6 ! -d $PRIVATE_SUBNET6 -j SNAT --to $SERVER_HOST
-            firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET6 ! -d $PRIVATE_SUBNET6 -j SNAT --to $SERVER_HOST
-        fi
+        systemctl start iptables
+        systemctl enable iptables
+        IPTABLES_CONF="/etc/sysconfig/iptables"
+        IP6TABLES_CONF="/etc/sysconfig/ip6tables"
     else
-        iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-        iptables -A FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET -m policy --pol none --dir in -j ACCEPT
-        iptables -t nat -A POSTROUTING -s $PRIVATE_SUBNET -m policy --pol none --dir out -j MASQUERADE
-        iptables -A INPUT -p udp --dport $SERVER_PORT -j ACCEPT
-        iptables-save > /etc/iptables/rules.v4
-        if [ "$PRIVATE_SUBNET6" != "" ]; then
-            ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-            ip6tables -A FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET6 -m policy --pol none --dir in -j ACCEPT
-            ip6tables -t nat -A POSTROUTING -s $PRIVATE_SUBNET6 -m policy --pol none --dir out -j MASQUERADE
-            ip6tables-save > /etc/iptables/rules.v6
-        fi
+        IPTABLES_CONF="/etc/iptables/rules.v4"
+        IP6TABLES_CONF="/etc/iptables/rules.v6"
+    fi
+
+    iptables -I FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET -m policy --pol none --dir in -j ACCEPT
+    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -I POSTROUTING -s $PRIVATE_SUBNET -m policy --pol none --dir out -j MASQUERADE
+    iptables -I INPUT -p udp --dport $SERVER_PORT -j ACCEPT
+    iptables-save > $IPTABLES_CONF
+    if [ "$PRIVATE_SUBNET6" != "" ]; then
+        ip6tables -I FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET6 -m policy --pol none --dir in -j ACCEPT
+        ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+        ip6tables -t nat -I POSTROUTING -s $PRIVATE_SUBNET6 -m policy --pol none --dir out -j MASQUERADE
+        ip6tables-save > $IP6TABLES_CONF
     fi
 
     systemctl enable [email protected]