Updates
This commit is contained in:
Maurice
@@ -1,3 +1,7 @@
|
||||
#!/bin/sh
|
||||
mkdir -p /home/podman/caddy
|
||||
ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
|
||||
ln -sf ./Caddyfile /home/podman/caddy/Caddyfile
|
||||
|
||||
if [ "$1" = "reload" ]; then
|
||||
podman exec caddy caddy reload -c /etc/caddy/Caddyfile
|
||||
fi
|
||||
@@ -3,4 +3,15 @@ echo "Setting up firewall..."
|
||||
|
||||
apk add nftables
|
||||
rc-update add nftables boot
|
||||
|
||||
cat << EOF > /etc/nftables.nft
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
# The state of stateful objects saved on the nftables service stop.
|
||||
include "/var/lib/nftables/*.nft"
|
||||
|
||||
# Rules
|
||||
include "/etc/nftables.d/*.nft"
|
||||
EOF
|
||||
|
||||
rc-service nftables start
|
||||
@@ -1,3 +1,4 @@
|
||||
#!/usr/sbin/nft -f
|
||||
flush ruleset
|
||||
|
||||
define wan = eth0
|
||||
@@ -36,16 +37,10 @@ define icmpv6_slaac = {
|
||||
define lan_clients = { 10.0.0.3 }
|
||||
|
||||
table inet firewall {
|
||||
# chain prerouting {
|
||||
# type nat hook prerouting priority 0;
|
||||
# # Example of port forwarding HTTP (80) from specific LAN clients to a local server
|
||||
# ip saddr 10.0.0.4 ip daddr $self tcp dport 80 dnat to $self:9999
|
||||
# }
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100;
|
||||
|
||||
# Masquerade WireGuard VPN traffic to LAN subnet
|
||||
# Masquerade WireGuard VPN WAN traffic to LAN subnet
|
||||
oifname $wan ip saddr $vpn_net masquerade
|
||||
}
|
||||
|
||||
@@ -71,12 +66,11 @@ table inet firewall {
|
||||
ip saddr $lan_net tcp dport 22 accept # Allow SSH from LAN network
|
||||
|
||||
# AdGuard admin access (8888) only from LAN and VPN
|
||||
ip saddr $lan_net tcp dport 8888 accept
|
||||
ip saddr $vpn_net tcp dport 8888 accept
|
||||
ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
|
||||
|
||||
# AdGuard DNS, DHCP, DoT, DoQ ports only from LAN
|
||||
ip saddr $lan_net udp dport { 53, 67, 68, 784 } accept
|
||||
ip saddr $lan_net tcp dport { 53, 853 } accept
|
||||
# AdGuard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
|
||||
ip saddr { $lan_net, $vpn_net} udp dport { 53, 67, 68, 784 } accept
|
||||
ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
|
||||
|
||||
# Rules for WAN interface only
|
||||
iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN
|
||||
|
||||
@@ -2,4 +2,4 @@
|
||||
ln -sf ./rules.nft /etc/nftables.d/firewall.nft
|
||||
|
||||
echo "Reloading firewall rules..."
|
||||
nft -f /etc/nftables.d/firewall.nft
|
||||
nft -f /etc/nftables.nft
|
||||
@@ -1,2 +1,6 @@
|
||||
#!/bin/sh
|
||||
ln -sf ./sshd_config /etc/ssh/sshd_config
|
||||
ln -sf ./sshd_config /etc/ssh/sshd_config
|
||||
|
||||
if [ "$1" = "reload" ]; then
|
||||
rc-service sshd restart
|
||||
fi
|
||||
@@ -30,6 +30,7 @@ cat <<EOF > /etc/wireguard/clients/$CLIENT_NAME.conf
|
||||
[Interface]
|
||||
Address = $NEXT_IP/24
|
||||
PrivateKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key)
|
||||
DNS = 10.0.0.1 # DNS via the VPN
|
||||
|
||||
# $CLIENT_NAME configuration
|
||||
[Peer]
|
||||
|
||||
@@ -12,6 +12,7 @@ cat <<EOF > /etc/wireguard/wg0.conf
|
||||
PrivateKey = $(cat /etc/wireguard/server_priv.key)
|
||||
Address = 10.0.0.1/24 # Server has IP in the wg network
|
||||
ListenPort = 51820
|
||||
DNS = 192.168.2.22 # AdGuard DNS server IP
|
||||
EOF
|
||||
|
||||
# Enable IP forwarding, persistent
|
||||
|
||||
4
services/wireguard/update.sh
Normal file
4
services/wireguard/update.sh
Normal file
@@ -0,0 +1,4 @@
|
||||
#!/bin/sh
|
||||
if [ "$1" = "reload" ]; then
|
||||
rc-service wg-quick.wg0 restart
|
||||
fi
|
||||
Reference in New Issue
Block a user