Completely reworked wireguard allowed ip calculation

Based on findings that the Endpoint is not automatically excluded when AllowedIPs is set manually and happens to include the Endpoint changes had to be made. An additional Python script has been created that takes IP-Ranges to exclude as an argument so the AllowedIPs range can be calculated dynamically for every different config file. This drastically increases the time to patch all files, so it might be worth it to make this script more parallel in the future.
2023-05-29 11:53:58 +02:00 · 2023-05-29 11:53:58 +02:00 · b4371deb71
commit b4371deb71
parent 9e60f1b2bd
2 changed files with 44 additions and 4 deletions
--- a/arch-config/scripts/pieces/ipexclude.py
+++ b/arch-config/scripts/pieces/ipexclude.py
@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+
+from ipaddress import ip_network
+import argparse
+
+parser = argparse.ArgumentParser(description="")
+
+parser.add_argument(
+    "-e",
+    "--exclude",
+    required=False,
+    type=str,
+    action="append",
+    help="IP range that should be excluded from 0.0.0.0/0",
+)
+
+args = parser.parse_args()
+
+start: str = "0.0.0.0/0"
+exclude: list[str] = args.exclude
+
+result = [ip_network(start)]
+for i in exclude:
+    n = ip_network(i)
+    new = []
+    for k in result:
+        if k.overlaps(n):
+            new.extend(k.address_exclude(n))
+        else:
+            new.append(k)
+    result = new
+
+print(", ".join(str(i) for i in sorted(result)) + ", ::0/0")
--- a/arch-config/scripts/pieces/wireguard-allowed.sh
+++ b/arch-config/scripts/pieces/wireguard-allowed.sh
@ -3,11 +3,11 @@ set -euo pipefail

 if [ $# -eq 0 ]; then
    echo "Please supply one file"
-    $(exit 1)
+    exit 1
    echo "$?"
 elif [ $# -ge 2 ]; then
    echo "Please only give one argument"
-    $(exit 1)
+    exit 1
    echo "$?"
 fi

@ -27,9 +27,16 @@ unzip "$file" -d "$extract"
 readarray -d '' conffiles < <(find "$extract" -name "*\.conf" -print0)

 for file in "${conffiles[@]}"; do
-    # delimiter @ is used instead of /
-    sed -i 's@AllowedIPs = 0.0.0.0/0,::0/0@AllowedIPs = 0.0.0.0/1, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3, ::/1, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fe00::/9, fec0::/10, ff00::/8@g' "$file"
    echo "Patching $file"
+    endpointIP="$(grep "Endpoint =" "$file" | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")"
+    echo "Calculating AllowedIPs"
+    allowedIPs="$(~/GitProjects/configs/arch-config/scripts/pieces/ipexclude.py -e "$endpointIP" -e 172.16.0.0/12)"
+    echo "Replacing AllowedIPs"
+    # delimiter @ is used instead of /
+    sed -i "s@AllowedIPs = 0.0.0.0/0,::0/0@AllowedIPs = $allowedIPs@g" "$file"
+    echo "Removing DNS"
+    sed -i 's/DNS = 10.64.0.1//g' "$file"
+    echo "Finished $file"
 done

 zip -r -9 "$patched" "vpnconfigs"