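#!/bin/bash
# Bring one tunnel namespace up.
# - creates (or reuses) the bridge br-weircon in the main netns
# - creates netns proxy<id>
# - creates a veth pair between the main netns and proxy<id>, attaches the main side to the bridge
# - moves a fresh wg0 interface into the ns and applies the WG config
# - sets the default route via wg0 inside the ns
# Idempotent: first tears down any earlier state for the same id.
#
# Usage:  $0 <id>            (needs root / CAP_NET_ADMIN)
# Reads:  /etc/weircon-random-proxy/wg/proxy<id>.conf   (wg-quick format)
# Writes: /etc/netns/proxy<id>/resolv.conf
set -euo pipefail

ID="${1:?usage: $0 <id 0..N>}"

# The id ends up in interface names, the netns name, a path under /etc and in
# arithmetic, so accept only a plain decimal integer. 10+ID must also stay a
# valid host octet in 10.99.0.0/24, hence the upper bound of 244.
if [[ ! "$ID" =~ ^(0|[1-9][0-9]{0,2})$ ]] || (( ID > 244 )); then
  printf 'invalid id %q: expected an integer in 0..244\n' "$ID" >&2
  exit 2
fi
readonly ID

readonly NS="proxy${ID}"
readonly WG="wg0"              # interface name inside the ns
readonly WG_TMP="wgtmp${ID}"   # per-id name while the interface lives in the main netns
readonly VETH_MAIN="vp${ID}a"
readonly VETH_NS="vp${ID}b"
readonly BRIDGE="br-weircon"
readonly BRIDGE_IP="10.99.0.1"
readonly BRIDGE_CIDR="${BRIDGE_IP}/24"
readonly NS_IP="10.99.0.$((10 + ID))"
readonly NS_CIDR="${NS_IP}/24"
readonly CONF="/etc/weircon-random-proxy/wg/proxy${ID}.conf"
readonly RESOLV_DIR="/etc/netns/${NS}"
readonly RESOLV_CONF="${RESOLV_DIR}/resolv.conf"

if [[ ! -f "$CONF" ]]; then
  echo "missing wg config at $CONF" >&2
  exit 1
fi

#######################################
# Print every comma-separated value of an [Interface] key from the WG config,
# one per line, with whitespace and trailing '#' comments removed (wg-quick
# allows both).
# Globals:   CONF (read)
# Arguments: $1 - key name, e.g. Address or DNS (trusted literal from this script)
# Outputs:   one value per line on stdout; nothing if the key is absent
#######################################
conf_values() {
  awk -F'=' -v key="$1" '
    $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
      sub(/#.*/, "", $2)
      gsub(/[[:space:]]/, "", $2)
      n = split($2, a, ",")
      for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
    }' "$CONF"
}

TMPCONF=""

#######################################
# EXIT handler: always drop the stripped config copy (it holds the private
# key); on failure also remove the half-built state so that nothing is left
# behind (the WG interface stuck in the main netns, a partially set-up ns).
# Globals:   TMPCONF, WG_TMP, VETH_MAIN, NS, RESOLV_DIR (read)
# Arguments: $1 - exit status of the script
#######################################
on_exit() {
  local rv=$1
  if [[ -n "$TMPCONF" ]]; then
    rm -f -- "$TMPCONF"
  fi
  if (( rv != 0 )); then
    printf 'setup of %s failed (status %d); removing partial state\n' "$NS" "$rv" >&2
    ip link delete "$WG_TMP" 2>/dev/null || true
    ip link delete "$VETH_MAIN" 2>/dev/null || true
    ip netns delete "$NS" 2>/dev/null || true
    rm -rf -- "${RESOLV_DIR:?}"
  fi
}

# --- 1. tear down any earlier state for this id ----------------------------
# The trap is installed only here: before this point nothing belonging to this
# id has been touched, so an early exit (bad id, missing config) must not
# delete a namespace that another, healthy run owns.
trap 'on_exit $?' EXIT
ip link delete "$WG_TMP" 2>/dev/null || true   # left behind if an earlier run died before the move
ip link delete "$VETH_MAIN" 2>/dev/null || true
ip netns delete "$NS" 2>/dev/null || true
rm -rf -- "${RESOLV_DIR:?}"

# --- 2. bridge (shared by all tunnels) --------------------------------------
if ! ip link show "$BRIDGE" >/dev/null 2>&1; then
  ip link add "$BRIDGE" type bridge
  ip addr add "$BRIDGE_CIDR" dev "$BRIDGE"
  ip link set "$BRIDGE" up
fi

# --- 3. per-netns resolver from the DNS field of the WG config --------------
# /etc/netns/<ns>/resolv.conf is bind-mounted over /etc/resolv.conf by
# `ip netns exec`. As in wg-quick, IP addresses become nameserver entries and
# anything else (a domain name) becomes a search entry; glibc would silently
# ignore a non-IP "nameserver" line.
mkdir -p "$RESOLV_DIR"
: > "$RESOLV_CONF"
while IFS= read -r dns; do
  [[ -n "$dns" ]] || continue
  if [[ "$dns" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || "$dns" =~ ^[0-9A-Fa-f]*:[0-9A-Fa-f:.]*$ ]]; then
    printf 'nameserver %s\n' "$dns" >> "$RESOLV_CONF"
  else
    printf 'search %s\n' "$dns" >> "$RESOLV_CONF"
  fi
done < <(conf_values DNS)

# --- 4. ns + loopback ---------------------------------------------------------
ip netns add "$NS"
ip -n "$NS" link set lo up

# --- 5. veth pair, main side on the bridge ----------------------------------
ip link add "$VETH_MAIN" type veth peer name "$VETH_NS"
ip link set "$VETH_MAIN" master "$BRIDGE"
ip link set "$VETH_MAIN" up
ip link set "$VETH_NS" netns "$NS"
ip -n "$NS" addr add "$NS_CIDR" dev "$VETH_NS"
ip -n "$NS" link set "$VETH_NS" up

# --- 6. WG interface: create + configure in the main netns, then move it ----
# A WireGuard interface keeps its UDP socket in the netns it was created in,
# so the encrypted transport stays in the main netns while the ns only ever
# sees the tunnel side. Configuring it here also means an Endpoint hostname
# (if the WG config uses one) is resolved *before* the move — the ns only has
# upstream DNS, which only works once the tunnel is up. Classic chicken-and-egg.
# A per-id transient name is used so that two ids can be brought up
# concurrently and an unrelated wg0 in the main netns is never touched.
ip link add "$WG_TMP" type wireguard

TMPCONF=$(mktemp)   # mode 0600; contains the private key until removed below / in on_exit
wg-quick strip "$CONF" > "$TMPCONF"
wg setconf "$WG_TMP" "$TMPCONF"   # resolves via main-netns DNS
rm -f -- "$TMPCONF"
TMPCONF=""

ip link set "$WG_TMP" netns "$NS"
ip -n "$NS" link set "$WG_TMP" name "$WG"   # rename is allowed while the link is still down

# Interface addresses from [Interface] Address = ...
while IFS= read -r addr; do
  [[ -n "$addr" ]] || continue
  ip -n "$NS" addr add "$addr" dev "$WG"
done < <(conf_values Address)

ip -n "$NS" link set "$WG" up

# --- 7. default route via wg (egress to the internet) -----------------------
ip -n "$NS" route add default dev "$WG"

echo "netns $NS oppe; socks5 vil lytte på ${NS_IP}:1080"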