On some systems like Hetzner VM cloud i have a Point-to-Point interface so i have a peer address on the same line as my public IPv4 (look at peer here : https://linux.die.net/man/8/ip )
An example of `ip a` with peer is :
```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 96:00:00:a2:88:c2 brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet XX.XX.XX.XX peer XX.XX.XX.XX/32 brd XX.XX.XX.XX scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::9400:ff:fea2:88c2/64 scope link
valid_lft forever preferred_lft forever
```
With a peer, the output of the command line 74 is : `XX.XX.XX.XX peer XX.XX.XX.XX`
I just modify this line with awk to print only the first field which is always the IPv4.
I think it's correct and it's work like a charm when there is a peer or not now. But tell me if it's not good for you :)
Thanks for your work !
If the FORWARD chain policy defaults to DENY, it must explicitly allow traffic from the external to the wg interface.
To solve this, the patch just adds
iptables -A FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT;
Added `clientRevoke()` based on openvpn-install repo, fixes #4
Some other changes were required for this to work:
- client names aren't random anymore
- client names are saved above the `[Peer]` block of the server configuration file to keep track of them
- checks added for existing IPv4, IPv6 and client name. I used `until` to ask the user again if this is the case to not make him loose its work if, for example, the client name and IPv4 inserted are unique but not the IPv6.
- using `until` instead of `exit` isn't idempotent but it's more user friendly. This will be a future goal.
- default options should be safe to use so the suggestion for the client IP is automatically incremented. The subnet of `SERVER_WG_IPV` is hard-coded inside `CLIENT_WG_IPV` for obvious reasons
- cleaned some minor code
- use IPv6 if IPv4 isn't available
- add input validations, fixes #86 .
- assign secondary DNS to primary DNS value if it's empty. Fixes #68
- use `$SERVER_WG_IPV4` and `$SERVER_WG_IPV6` when suggesting the client IP
- save user DNS to `params` file and apply it to all clients, removing support for customizing DNS for individual clients. If this is a problem we can add again the code to allow customization but maybe use the sourced DNS as a suggestion for clients that need a different one
- add shellcheck ignores, needed for IDE that have shellcheck support
- escaped variables to `"${var}"` style
- updated README to reflect changes
- fixed the kernel mismatch issue on CentOS by updating the kernel https://github.com/angristan/wireguard-install/issues/95#issuecomment-653696198. Fedora might need this change too
- Use `firewall-cmd` only if `firewalld` is running. Fixes #95
- Fix the client's subnet mask. Fixes #87
- Save the client configuration in the correct `$HOME`. Fixes #96
Co-authored-by: Chris Lewicki <chris@lewicki.dev>
Co-authored-by: Stanislas <angristan@pm.me>
Stanislas Lange
turbozapekanka
Elie Obeid
Xavier Le Vourch
Hasan Aga
Stanislas
Anatolii Cherednichenko
Ravinou
Andréi Pampukha
Mikodev
Filipe Melo
enolp
Patrick M
glenn wolfe
Julian Gaal
randomshell
Stefan A
Farzin Monsef
xiagw
Aleksander
Navratan Gupta
Ian