From b4371deb71e895225b06adc90494af4fe3efb95b Mon Sep 17 00:00:00 2001
From: RealStickman
Date: Mon, 29 May 2023 11:53:58 +0200
Subject: [PATCH] Completely reworked wireguard allowed ip calculation

Based on findings that the Endpoint is not automatically excluded when AllowedIPs is set manually and happens to include the Endpoint changes had to be made. An additional Python script has been created that takes IP-Ranges to exclude as an argument so the AllowedIPs range can be calculated dynamically for every different config file. This drastically increases the time to patch all files, so it might be worth it to make this script more parallel in the future.
---
 arch-config/scripts/pieces/ipexclude.py | 33 +++++++++++++++++++
 .../scripts/pieces/wireguard-allowed.sh | 15 ++++++---
 2 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100755 arch-config/scripts/pieces/ipexclude.py

diff --git a/arch-config/scripts/pieces/ipexclude.py b/arch-config/scripts/pieces/ipexclude.py
new file mode 100755
index 00000000..f539fb58
--- /dev/null
+++ b/arch-config/scripts/pieces/ipexclude.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+
+from ipaddress import ip_network
+import argparse
+
+parser = argparse.ArgumentParser(description="")
+
+parser.add_argument(
+    "-e",
+    "--exclude",
+    required=False,
+    type=str,
+    action="append",
+    help="IP range that should be excluded from 0.0.0.0/0",
+)
+
+args = parser.parse_args()
+
+start: str = "0.0.0.0/0"
+exclude: list[str] = args.exclude
+
+result = [ip_network(start)]
+for i in exclude:
+    n = ip_network(i)
+    new = []
+    for k in result:
+        if k.overlaps(n):
+            new.extend(k.address_exclude(n))
+        else:
+            new.append(k)
+    result = new
+
+print(", ".join(str(i) for i in sorted(result)) + ", ::0/0")
diff --git a/arch-config/scripts/pieces/wireguard-allowed.sh b/arch-config/scripts/pieces/wireguard-allowed.sh
index d2cc68d4..8caee059 100755
--- a/arch-config/scripts/pieces/wireguard-allowed.sh
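Review bot: The IPv6 half of the output is never subject to exclusion — `result` is seeded with `0.0.0.0/0` only and `::0/0` is appended verbatim in the final `print`, while an IPv6 range given with `-e` is silently dropped because `overlaps()` returns False across address versions rather than raising. An IPv6 Endpoint therefore still lands inside AllowedIPs, which is exactly the situation the commit message says must be avoided. I'd seed both families and sort with a version-aware key, since comparing an IPv4Network with an IPv6Network raises TypeError: `result = [ip_network("0.0.0.0/0"), ip_network("::/0")]`, `for i in args.exclude or []:` and `print(", ".join(str(i) for i in sorted(result, key=lambda n: (n.version, n))))`. The `or []` also keeps the loop from raising TypeError when no `-e` is passed at all, since `action="append"` with `required=False` leaves `args.exclude` as None; note that ipaddress prints the v6 default as `::/0` rather than `::0/0`.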
+++ b/arch-config/scripts/pieces/wireguard-allowed.sh
@@ -3,11 +3,11 @@ set -euo pipefail
 
 if [ $# -eq 0 ]; then
     echo "Please supply one file"
-    $(exit 1)
+    exit 1
     echo "$?"
 elif [ $# -ge 2 ]; then
     echo "Please only give one argument"
-    $(exit 1)
+    exit 1
     echo "$?"
 fi
 
@@ -27,9 +27,16 @@ unzip "$file" -d "$extract"
 
 readarray -d '' conffiles < <(find "$extract" -name "*\.conf" -print0)
 for file in "${conffiles[@]}"; do
-    # delimiter @ is used instead of /
-    sed -i 's@AllowedIPs = 0.0.0.0/0,::0/0@AllowedIPs = 0.0.0.0/1, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3, ::/1, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fe00::/9, fec0::/10, ff00::/8@g' "$file"
     echo "Patching $file"
+    endpointIP="$(grep "Endpoint =" "$file" | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")"
+    echo "Calculating AllowedIPs"
+    allowedIPs="$(~/GitProjects/configs/arch-config/scripts/pieces/ipexclude.py -e "$endpointIP" -e 172.16.0.0/12)"
+    echo "Replacing AllowedIPs"
+    # delimiter @ is used instead of /
+    sed -i "s@AllowedIPs = 0.0.0.0/0,::0/0@AllowedIPs = $allowedIPs@g" "$file"
+    echo "Removing DNS"
+    sed -i 's/DNS = 10.64.0.1//g' "$file"
+    echo "Finished $file"
 done
 zip -r -9 "$patched" "vpnconfigs"
 
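Review bot: The `echo "$?"` that follows each new `exit 1` is now unreachable — the old `$(exit 1)` only set a status in a subshell, which is presumably why the echo was there, but a real `exit` never returns to it. I'd drop both dead `echo "$?"` lines and send the usage messages to stderr so they are not mistaken for output, e.g. `echo "Please supply one file" >&2` directly followed by `exit 1`.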
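Review bot: Nothing checks that the replacement actually happened — `sed -i "s@AllowedIPs = 0.0.0.0/0,::0/0@…@g"` exits 0 whether or not the pattern matched, so a config whose line is spelled slightly differently (a space after the comma, say) is zipped up unchanged, still routing its Endpoint through the tunnel, which is the failure this commit sets out to fix. The `endpointIP` extraction has the opposite failure mode: the regex only matches a dotted IPv4 quad, so a hostname or IPv6 Endpoint makes the inner `grep -Eo` exit non-zero and, under the `set -euo pipefail` visible in the previous hunk, aborts the whole run part-way through the loop with a half-patched extract. I'd make both conditions explicit with a clear error instead of relying on sed's silence and grep's exit status, as sketched below. The hard-coded `~/GitProjects/configs/arch-config/scripts/pieces/ipexclude.py` could also become `"$(dirname "$0")/ipexclude.py"`, since the diffstat shows both scripts live in the same `pieces` directory.
```shell
for file in "${conffiles[@]}"; do
    echo "Patching $file"
    endpointIP="$(grep "Endpoint =" "$file" | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" || true)"
    [ -n "$endpointIP" ] || { echo "no IPv4 Endpoint found in $file" >&2; exit 1; }
    # … unchanged: echo, ipexclude.py call, echo …
    sed -i "s@AllowedIPs = 0.0.0.0/0,::0/0@AllowedIPs = $allowedIPs@g" "$file"
    grep -qF -- "AllowedIPs = $allowedIPs" "$file" || { echo "AllowedIPs not replaced in $file" >&2; exit 1; }
    # … unchanged: DNS removal, echo …
```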