-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathmullvad-wg-netns.sh
executable file
·202 lines (162 loc) · 5.49 KB
/
mullvad-wg-netns.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2018 Daniel Gröber
# Copyright (C) 2016-2018 Jason A. Donenfeld <[email protected]>.
# All Rights Reserved.
# Based on https://mullvad.net/media/files/mullvad-wg.sh but modified to be
# POSIX sh compliant and easier to review. This version also supports using a
# wireguard interface in a network namespace.
die() {
echo "[-] Error: $1" >&2
exit 1
}
provision() {
umask 077
ACCOUNT=
if [ -r "$HOME"/.mullvad-account ]; then
ACCOUNT="$(cat "$HOME"/.mullvad-account)"
fi
if [ -z "$ACCOUNT" ]; then
printf '[?] Please enter your Mullvad account number: '
read -r ACCOUNT
ACCOUNT=$(printf '%s' "$ACCOUNT" | tr -d '[[:space:]]')
fi
key="$(cat /etc/wireguard/mullvad-*.conf \
| sed -rn 's/^PrivateKey *= *([a-zA-Z0-9+/]{43}=) *$/\1/ip;T;q')"
if [ -n "$key" ]; then
echo "[+] Using existing private key."
sleep 2
echo "[?] Are you absolutely sure? (Ctrl-C to cancel)"
sleep 1.5
echo "[?] If you changed account number this will allow linking them!"
printf '[?] Press ENTER to confirm...'
read _
sleep 1
echo OK.
else
echo "[+] Generating new private key."
key="$(wg genkey)"
fi
mypubkey="$(printf '%s\n' "$key" | wg pubkey)"
echo "[+] Submitting wg public key to Mullvad API."
res="$(curl -sSL https://api.mullvad.net/wg/ \
-d account="$ACCOUNT" \
--data-urlencode pubkey="$mypubkey")"
if ! printf '%s\n' "$res" | grep -E '^[0-9a-f:/.,]+$' >/dev/null
then
die "$res"
fi
myipaddr=$res
echo "[+] Removing old /etc/wireguard/mullvad-*.conf files."
rm /etc/wireguard/mullvad-*.conf || true
echo "[+] Contacting Mullvad API for server locations."
curl -LsS https://api.mullvad.net/public/relays/wireguard/v1/ \
| jq -r \
'( .countries[]
| (.name as $country | .cities[]
| (.name as $city | .relays[]
| [$country, $city, .hostname, .public_key,
.ipv4_addr_in, .ipv6_addr_in])
)
)
| flatten
| join("\t")' \
| while read -r country city hostname pubkey ip4addr ip6addr; do
code="${hostname%-wireguard}"
addr="$ip4addr:51820" # TODO: allow v4/v6 choice
conf="/etc/wireguard/mullvad-${code}.conf"
if [ -f "$conf" ]; then
oldpubkey="$(sed -rn 's/^PublicKey *= *([a-zA-Z0-9+/]{43}=) *$/\1/ip' <"$conf")"
if [ -n "$oldpubkey" ] && [ "$pubkey" != "$oldpubkey" ]; then
echo "WARNING: $hostname changed pubkey from '$oldpubkey' to '$pubkey'"
continue
fi
fi
mkdir -p /etc/wireguard/
rm -f "${conf}.tmp"
cat > "${conf}.tmp" <<-EOF
[Interface]
PrivateKey = $key
Address = $myipaddr
[Peer] # $country, $city
PublicKey = $pubkey
Endpoint = $addr
AllowedIPs = 0.0.0.0/0, ::/0
EOF
mv "${conf}.tmp" "${conf}"
done
ACCOUNT_INFO=$(curl -s https://api.mullvad.net/www/accounts/"$ACCOUNT"/)
TOKEN=$(printf '%s\n' "$ACCOUNT_INFO" | jq -r .auth_token)
expiry=$(printf '%s\n' "$ACCOUNT_INFO" | jq -r .account.expires)
#printf '%s\n' "$ACCOUNT_INFO" | jq .
curl -s -X POST https://api.mullvad.net/www/expire-auth-token/ \
-H "Authorization: Token $TOKEN"
printf '%s\n' "$expiry" > ~/.mullvad-expiry
echo; echo
if command -v dateutils.ddiff > /dev/null 2>&1; then
dateutils.ddiff now "$expiry" -f 'Account expires in %ddays %Hhours.' >&2
else
printf 'Account expires on %s\n' "$(date -d "$expiry")" >&2
fi
echo; echo
echo "Please wait up to 60 seconds for your public key to be added to the servers."
}
init () {
nsname=$1; shift
cfgname=$1; shift
parentns=${parentns:-}
wgifname="wg-$nsname"
# [Note POSIX array trick]
# Ok, this is a nasty POSIX shell trick, we use the _one_ array we have
# access to, the args, aka "$@" to store the -netns option I optionally
# want to pass to `ip` below. Since we're done with cmdline parsing at this
# point that's totally fine, just a bit opaque. Hence this comment.
#
# You're welcome.
if [ -z "$parentns" ]; then
set --
else
set -- -netns "$parentns"
fi
# Check for old wg interfaces in (1) current namespace,
if [ -z "$parentns" ] && [ -e /sys/class/net/"$wgifname" ]; then
ip link del dev "$wgifname"
fi
# (2) parent namespace and
if [ -n "$parentns" ] && ip netns exec "$parentns" \
[ -e /sys/class/net/"$wgifname" ]
then
ip -netns "$parentns" link del dev "$wgifname"
fi
# (3) target namespace.
if ip netns exec "$nsname" [ -e /sys/class/net/"$wgifname" ]; then
ip -netns "$nsname" link del dev "$wgifname"
fi
# See [Note POSIX array trick] above.
ip "$@" link add "$wgifname" type wireguard
if ! [ -e /var/run/netns/"$nsname" ]; then
ip netns add "$nsname"
fi
# Move the wireguard interface to the target namespace. See [Note POSIX
# array trick] above.
ip "$@" link set "$wgifname" netns "$nsname"
# shellcheck disable=SC2002 # come on, < makes the pipeline read like shit
cat /etc/wireguard/"$cfgname" \
| grep -vi '^Address\|^DNS' \
| ip netns exec "$nsname" wg setconf "$wgifname" /dev/stdin
addrs="$(sed -rn 's/^Address *= *([0-9a-fA-F:/.,]+) *$/\1/ip' < /etc/wireguard/"$cfgname")"
ip -netns "$nsname" link set dev lo up
ip -netns "$nsname" link set dev "$wgifname" up
(
IFS=','
for addr in $addrs; do
ip -netns "$nsname" addr add dev "$wgifname" "$addr"
done
)
ip -netns "$nsname" route add default dev "$wgifname"
ip -netns "$nsname" -6 route add default dev "$wgifname"
} # end init()
set -e
cmd="${1:-provision}"; shift
"$cmd" "$@" # run $cmd with rest of args