├── Basic Topology.png ├── Oracle Cloud ├── images │ ├── firewall_03.png │ ├── firewall_04.png │ ├── instance_01.png │ ├── firewall_03_s.png │ ├── firewall_04_s.png │ ├── create_01_arrow.png │ ├── create_02_arrow.png │ ├── create_03_arrow.png │ ├── create_04_arrow.png │ ├── create_05_arrow.png │ ├── firewall_01_arrow.png │ ├── firewall_02_arrow.png │ ├── firewall_05_circ.png │ ├── instance_01_arrow.png │ ├── instance_01_circ.png │ ├── firewall_01_arrow_s.png │ ├── firewall_02_arrow_s.png │ ├── firewall_05_circ_s.png │ └── instance_01_arrow_s.png └── Oracle_Installer.sh ├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ ├── feature_request.yml │ └── bug_report.yml └── workflows │ └── main.yaml ├── Wireguard Configs ├── VPS │ └── wg0.conf └── Local Server │ └── wg0.conf ├── README.md └── Digital Ocean └── DO_Installer.sh /Basic Topology.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Basic Topology.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_03.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_04.png -------------------------------------------------------------------------------- /Oracle Cloud/images/instance_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/instance_01.png -------------------------------------------------------------------------------- /Oracle 
Cloud/images/firewall_03_s.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_03_s.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_04_s.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_04_s.png -------------------------------------------------------------------------------- /Oracle Cloud/images/create_01_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/create_01_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/create_02_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/create_02_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/create_03_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/create_03_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/create_04_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/create_04_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/create_05_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle 
Cloud/images/create_05_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_01_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_01_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_02_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_02_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_05_circ.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_05_circ.png -------------------------------------------------------------------------------- /Oracle Cloud/images/instance_01_arrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/instance_01_arrow.png -------------------------------------------------------------------------------- /Oracle Cloud/images/instance_01_circ.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/instance_01_circ.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_01_arrow_s.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_01_arrow_s.png -------------------------------------------------------------------------------- /Oracle 
Cloud/images/firewall_02_arrow_s.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_02_arrow_s.png -------------------------------------------------------------------------------- /Oracle Cloud/images/firewall_05_circ_s.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/firewall_05_circ_s.png -------------------------------------------------------------------------------- /Oracle Cloud/images/instance_01_arrow_s.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mochman/Bypass_CGNAT/HEAD/Oracle Cloud/images/instance_01_arrow_s.png -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: Matrix Chat 4 | url: https://matrix.to/#/#github-help:mochchat.com 5 | about: Find more help here. 
6 | -------------------------------------------------------------------------------- /.github/workflows/main.yaml: -------------------------------------------------------------------------------- 1 | name: Autoclose 2 | on: 3 | issues: 4 | types: [opened, edited, reopened] 5 | jobs: 6 | autoclose: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - name: Close issues not using template 10 | uses: roots/issue-closer@v1.1 11 | with: 12 | repo-token: ${{ secrets.GITHUB_TOKEN }} 13 | issue-close-message: "@${issue.user.login} this issue was automatically closed because it did not follow the issue template" 14 | issue-pattern: ".*provided as much information.*" 15 | -------------------------------------------------------------------------------- /Wireguard Configs/VPS/wg0.conf: -------------------------------------------------------------------------------- 1 | [Interface] 2 | PrivateKey = YOUR PRIVATE KEY 2 3 | ListenPort = 55107 4 | Address = 10.0.0.1/24 5 | 6 | PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4 7 | PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55107 -j DNAT --to-destination 10.0.0.2; 8 | 9 | PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4 10 | PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' 
--dport 55107 -j DNAT --to-destination 10.0.0.2; 11 | 12 | [Peer] 13 | PublicKey = YOUR PUBLIC KEY 2 14 | AllowedIPs = 10.0.0.2/32 15 | -------------------------------------------------------------------------------- /Wireguard Configs/Local Server/wg0.conf: -------------------------------------------------------------------------------- 1 | [Interface] 2 | PrivateKey = YOUR PRIVATE KEY 3 | Address = 10.0.0.2/24 4 | 5 | PostUp = iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.2.6:1234; iptables -t nat -A POSTROUTING -p tcp --dport 1234 -j MASQUERADE 6 | PostUp = iptables -t nat -A PREROUTING -p tcp --dport 5001 -j DNAT --to-destination 192.168.2.4:5001; iptables -t nat -A POSTROUTING -p tcp --dport 5001 -j MASQUERADE 7 | PostUp = iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.2.7:1194; iptables -t nat -A POSTROUTING -p udp --dport 1194 -j MASQUERADE 8 | 9 | PostDown = iptables -t nat -D PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.2.6:1234; iptables -t nat -D POSTROUTING -p tcp --dport 1234 -j MASQUERADE 10 | PostDown = iptables -t nat -D PREROUTING -p tcp --dport 5001 -j DNAT --to-destination 192.168.2.4:5001; iptables -t nat -D POSTROUTING -p tcp --dport 5001 -j MASQUERADE 11 | PostDown = iptables -t nat -D PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.2.7:1194; iptables -t nat -D POSTROUTING -p udp --dport 1194 -j MASQUERADE 12 | 13 | [Peer] 14 | PublicKey = YOUR PUBLIC KEY 15 | AllowedIPs = 0.0.0.0/0 16 | Endpoint = 1.2.3.4:55107 17 | PersistentKeepalive = 25 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.yml: -------------------------------------------------------------------------------- 1 | name: Feature Request 2 | description: Suggest an idea for this project 3 | title: "Feature - " 4 | labels: [enhancement] 5 | 6 | body: 7 | - type: markdown 8 | attributes: 9 | value: | 
10 | This form is for suggesting an idea for this project. 11 | 12 | - type: checkboxes 13 | id: terms 14 | attributes: 15 | label: Terms 16 | options: 17 | - label: This request is not a duplicate of an existing feature 18 | required: true 19 | - label: I have provided as much information as I can about the new feature. 20 | required: true 21 | 22 | - type: textarea 23 | id: summary 24 | attributes: 25 | label: Summary 26 | description: One paragraph explanation of the feature. 27 | validations: 28 | required: true 29 | 30 | - type: textarea 31 | id: motivation 32 | attributes: 33 | label: Motivation 34 | value: | 35 | #### Why are we doing this? 36 | 37 | #### What use cases does it support? 38 | 39 | #### What is the expected outcome? 40 | 41 | #### Potential conflicts / foreseeable issues 42 | validations: 43 | required: true 44 | 45 | - type: textarea 46 | id: additional-context 47 | attributes: 48 | label: Additional Context 49 | description: Add any other context or screenshots about the feature request here. 50 | 51 | - type: markdown 52 | attributes: 53 | value: | 54 | Thanks for taking the time to fill out this feature request form! 55 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.yml: -------------------------------------------------------------------------------- 1 | name: Problem Report 2 | description: Report a problem. 3 | title: "Problem - " 4 | labels: [bug] 5 | assignees: mochman 6 | 7 | body: 8 | - type: markdown 9 | attributes: 10 | value: This form is for reporting problems. 11 | 12 | - type: checkboxes 13 | id: terms 14 | attributes: 15 | label: Terms 16 | options: 17 | - label: This request is not a duplicate of an existing issue. 18 | required: true 19 | - label: I have provided as much information as I can to help resolve this issue. 
20 | required: true 21 | 22 | - type: textarea 23 | id: description 24 | attributes: 25 | label: Description 26 | value: | 27 | #### Describe the problem. 28 | 29 | #### A clear and concise description 30 | validations: 31 | required: true 32 | 33 | - type: textarea 34 | id: steps-reproduce 35 | attributes: 36 | label: steps-to-reproduce 37 | description: | 38 | Please provide reproduction steps as detailed as possible 39 | value: | 40 | 1. Go to '...' 41 | 2. Click on '....' 42 | 3. Run '....' 43 | validations: 44 | required: true 45 | 46 | - type: textarea 47 | id: actual-behavior 48 | attributes: 49 | label: Actual Behavior 50 | placeholder: What actually happens? 51 | validations: 52 | required: true 53 | 54 | - type: textarea 55 | id: script-version 56 | attributes: 57 | label: Script Version 58 | description: If using the automated script, which version; otherwise put 'Manual'. 59 | validations: 60 | required: true 61 | 62 | - type: textarea 63 | id: server-config 64 | attributes: 65 | label: VPS wireguard config (/etc/wireguard/wg0.conf) 66 | description: Please copy and paste the config. CLEAR OUT PUBLIC IPs AND KEYS. 67 | render: shell 68 | 69 | - type: textarea 70 | id: client-config 71 | attributes: 72 | label: Local Server wireguard config (/etc/wireguard/wg0.conf) 73 | description: Please copy and paste the config. CLEAR OUT PUBLIC IPs AND KEYS. 74 | render: shell 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bypassing a CGNAT with Wireguard 2 | 3 | ## Overview 4 | Before switching ISPs, I had a public IP that allowed me to use port forwarding on my router to pass traffic to services hosted on my internal network. My new ISP uses a CGNAT, so I had to find a workaround. I chose this path because it keeps pretty much everything the same for my services. 
The main things I wanted to do with my setup were: 5 | * Forward only specific traffic from the internet to my services 6 | * Provide my NPM (Nginx Proxy Manager) Server with clients' real IPs (for fail2ban blocking purposes) 7 | * Allow for traffic to flow to internal services that NPM doesn't manage 8 | 9 | I went through a couple of configurations and VPS providers before I created this solution. Prior to attempting this, I had little to no knowledge about VPS providers, wireguard, ufw, and iptables. Getting it to work the way I wanted took a few days of research, trial, and error. 10 | This will hopefully be a useful tutorial for people who are in a similar situation. 11 | This tutorial assumes you have some basic knowledge about how to use Ubuntu from the command line. 12 | 13 | Here is a basic diagram of my configuration. The IPs and ports will need to be changed by you to meet your requirements. 14 | 15 | ![Topology](Basic%20Topology.png) 16 | 17 | ## Tested with: 18 | * Digital Ocean ([link](https://www.digitalocean.com/products/droplets/)) 19 | * Oracle Cloud ([link](https://www.oracle.com/cloud/)) 20 | * AWS Lightsail ([link](https://aws.amazon.com/lightsail/)) 21 | 22 | ## If this is something you would like to try out, please go to the [wiki section](https://github.com/mochman/Bypass_CGNAT/wiki) to start the tutorial. 
23 | 24 | # Other ways to bypass a CGNAT 25 | [Wireguard Installer for Gaming](https://github.com/xiahualiu/wg_gaming_installer) - Can be used to bypass a CGNAT so you can have a **Full Clone NAT** 26 | 27 | [Cloudflared Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/) 28 | 29 | [BoringProxy](https://boringproxy.io/) 30 | 31 | [ZeroTier](https://www.zerotier.com/) [(u/RedKyet's Tutorial)](https://www.reddit.com/r/selfhosted/comments/u8n5hz/how_to_bypass_cgnat_and_expose_your_server_to_the/) 32 | 33 | [Awesome-Tunnel](https://github.com/anderspitman/awesome-tunneling) - List of many open/closed source tunneling solutions. 34 | -------------------------------------------------------------------------------- /Digital Ocean/DO_Installer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # For Digital Ocean VMs running Ubuntu 20.04 4 | # Usage: 5 | # on VPS - ./DO_Installer.sh 6 | # on Local Server - ./DO_Installer.sh 7 | 8 | echo -e "\e[92m****************************************************" 9 | echo -e "***** \e[97mDigital Ocean Wireguard Tunnel Installer\e[92m *****" 10 | echo -e "****************************************************\e[0m" 11 | echo "" 12 | echo "This script will install and configure wireguard on your machines" 13 | if [[ $(/usr/bin/id -u) -ne 0 ]]; then 14 | echo "Please run with sudo" 15 | exit 16 | fi 17 | if [[ $1 != "Local" ]]; then 18 | echo "" 19 | echo "Please have a terminal window running on both your VPS and your Local Server since this script will ask you to input information into/from each other." 20 | echo "Be advised, this script will modify your iptables & ufw(firewall) settings." 21 | echo -e "\e[36m" 22 | read -n 1 -s -r -p 'Press y to continue, any other key to exit' YORN 23 | echo -e "\e[0m" 24 | if [[ $YORN != [Yy] ]]; then 25 | echo "Exiting..." 
26 | exit 27 | fi 28 | fi 29 | 30 | if [[ $1 == "VPS" ]] || [ ! $1 ]; then 31 | SERVERTYPE=1 32 | elif [[ $1 == "Local" ]]; then 33 | SERVERTYPE=2 34 | else 35 | echo "" 36 | printf "Select Server\n1. VPS\n2. Local Server\n" 37 | read -p 'Number: ' SERVERTYPE 38 | fi 39 | 40 | if ! [ $SERVERTYPE -eq 1 -o $SERVERTYPE -eq 2 ] 2>/dev/null; then 41 | echo "Incorrect Entry. Exiting..." 42 | exit 43 | fi 44 | 45 | echo "" 46 | echo "Stopping any current wireguard services" 47 | systemctl stop wg-quick@wg0 48 | wg-quick down wg0 2> /dev/null 49 | echo -e "\e[92mDone.\e[0m" 50 | echo "" 51 | echo "Updating System..." 52 | apt update 53 | apt upgrade -y 54 | echo -e "\e[92mDone.\e[0m" 55 | echo "" 56 | echo "Installing Software..." 57 | 58 | if [ $SERVERTYPE -eq 1 ]; then 59 | apt install ufw wireguard -y 60 | else 61 | apt install wireguard -y 62 | fi 63 | echo -e "\e[92mDone.\e[0m" 64 | echo "" 65 | echo "Configuring Forwarding Settings" 66 | if grep -e "^net.ipv4.ip_forward=1$" /etc/sysctl.conf >/dev/null; then 67 | echo -e "\e[92mAlready set correctly.\e[0m" 68 | else 69 | sed -i 's/^\#net.ipv4.ip_forward=1$/net.ipv4.ip_forward=1/g' /etc/sysctl.conf 70 | if ! grep -e "^net.ipv4.ip_forward=1$" /etc/sysctl.conf >/dev/null; then 71 | echo -e "\e[92mAppending to /etc/sysctl.conf\e[0m" 72 | echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf 73 | fi 74 | sysctl -p 75 | echo -e "\e[92mDone.\e[0m" 76 | fi 77 | echo "" 78 | 79 | echo "In the following steps, you will need to enter some IP addresses. You can find your VPS Public IP address on your Digital Ocean Droplet Page under \"ipv4:\"". 80 | echo "The other IP addresses & port have a default set (shown in square brackets). If you don't want to change them, just press enter when prompted." 
81 | echo "" 82 | LOCALIPS=$(ip a s | grep -Eo "inet [0-9|\.|/]+" | grep -v "127.0.0.1" | sed 's/inet //') 83 | 84 | if [ $3 ]; then 85 | PUBLIC_IP=$3 86 | else 87 | read -p $'\e[36mVPS Public IP\e[0m: ' PUBLIC_IP 88 | fi 89 | 90 | if [ $SERVERTYPE -eq 1 ]; then 91 | echo "" 92 | echo -e "\e[33mThe following networks have been found on your system. Please use a different network for your Wireguard Server & Client\e[0m" 93 | echo $LOCALIPS 94 | echo "" 95 | read -p $'\e[36mWireguard Server IP \e[0m[\e[32m10.1.0.1\e[0m]: ' WG_SERVER_IP 96 | fi 97 | WG_SERVER_IP=${WG_SERVER_IP:-10.1.0.1} 98 | 99 | if [ $5 ]; then 100 | WG_CLIENT_IP=$5 101 | else 102 | read -p $'\e[36mWireguard Client IP \e[0m[\e[32m10.1.0.2\e[0m]: ' WG_CLIENT_IP 103 | WG_CLIENT_IP=${WG_CLIENT_IP:-10.1.0.2} 104 | fi 105 | 106 | if [ $6 ]; then 107 | WGPORT=$6 108 | else 109 | read -p $'\e[36mWireguard Port \e[0m[\e[32m55108\e[0m]: ' WGPORT 110 | WGPORT=${WGPORT:-55108} 111 | fi 112 | 113 | for i in "PUBLIC_IP" "WG_SERVER_IP" "WG_CLIENT_IP" 114 | do 115 | if [[ ${!i} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then 116 | : 117 | else 118 | echo -e "\e[31m$i is not a valid IP, exiting...\e[0m" 119 | exit 1 120 | fi 121 | done 122 | 123 | 124 | #Set the Configuration Files 125 | echo "Writing the configuration files..." 126 | umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null 127 | sudo wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey > /dev/null 128 | echo -e "\e[92mDone.\e[0m" 129 | echo "" 130 | 131 | if [ $SERVERTYPE -eq 1 ]; then 132 | PK_FOR_CLIENT=$(cat /etc/wireguard/publickey) 133 | TUNNEL_IP=$(ip -4 a show scope global | grep global | awk '{print $2}' | sed 's/\/.*//g' | grep -ve ^10\.) 134 | TUNNEL_INT=$(ip -4 a show scope global | grep global | grep -v " 172." | grep -v " 10." 
| grep -v "wg0" | awk '{print $(NF)}') 135 | SSHD_PORT=$(cat /etc/ssh/sshd_config | grep -E "Port [0-9]+" | grep -Eo "[0-9]+") 136 | FAIL2BAN=false 137 | echo "Checking for f2b" 138 | if command -v fail2ban-server $> /dev/null; then 139 | echo -e "\e[33mFound. Stopping...\e[0m" 140 | systemctl stop fail2ban.service 141 | FAIL2BAN=true 142 | echo -e "\e[92mStoppped.\e[0m" 143 | else 144 | echo -e "\e[92mNot found.\e[0m" 145 | fi 146 | echo "Stopping & Clearing ufw" 147 | ufw reset 148 | echo -e "\e[92mDone.\e[0m" 149 | echo "Flushing default iptables" 150 | iptables -F 151 | iptables -X 152 | echo -e "\e[92mDone.\e[0m" 153 | echo "" 154 | echo "What ports/protcols do you want to pass through to your Local Server?" 155 | echo "Please enter them like the following (comma separated, no spaces):" 156 | echo "443/tcp,80/tcp,8123/udp,5128/tcp" 157 | echo "If you don't want any other traffic added, just press enter" 158 | echo "" 159 | read -p $'\e[36mEntry\e[0m: ' PORTLIST 160 | echo "Saving the iptables to persist across reboots" 161 | iptables-save > /etc/iptables/rules.v4 162 | echo -e "\e[92mDone.\e[0m" 163 | echo "" 164 | echo "" 165 | echo -e "\e[1;35mBefore continuing with the rest of this script, please run this script on your Local Server with the following line\e[0m:" 166 | echo "" 167 | echo -e "\"\e[96msudo ./DO_Installer.sh Local $PK_FOR_CLIENT $PUBLIC_IP $WG_SERVER_IP $WG_CLIENT_IP $WGPORT $PORTLIST\e[0m\"" 168 | echo "" 169 | echo -e "\e[1;35mThat script will output a public key for you to input here.\e[0m" 170 | read -p $'\e[36mPublic Key from Client\e[0m: ' PK_FOR_SERVER 171 | echo "ListenPort = $WGPORT" >> /etc/wireguard/wg0.conf 172 | echo "Address = $WG_SERVER_IP/24" >> /etc/wireguard/wg0.conf 173 | echo "" >> /etc/wireguard/wg0.conf 174 | echo "PostUp = iptables -t nat -A PREROUTING -p tcp -i $TUNNEL_INT '!' 
--dport $SSHD_PORT -j DNAT --to-destination $WG_CLIENT_IP; iptables -t nat -A POSTROUTING -o $TUNNEL_INT -j SNAT --to-source $TUNNEL_IP" >> /etc/wireguard/wg0.conf 175 | echo "PostUp = iptables -t nat -A PREROUTING -p udp -i $TUNNEL_INT '!' --dport $WGPORT -j DNAT --to-destination $WG_CLIENT_IP;" >> /etc/wireguard/wg0.conf 176 | echo "" >> /etc/wireguard/wg0.conf 177 | echo "PostDown = iptables -t nat -D PREROUTING -p tcp -i $TUNNEL_INT '!' --dport $SSHD_PORT -j DNAT --to-destination $WG_CLIENT_IP; iptables -t nat -D POSTROUTING -o $TUNNEL_INT -j SNAT --to-source $TUNNEL_IP" >> /etc/wireguard/wg0.conf 178 | echo "PostDown = iptables -t nat -D PREROUTING -p udp -i $TUNNEL_INT '!' --dport $WGPORT -j DNAT --to-destination $WG_CLIENT_IP;" >> /etc/wireguard/wg0.conf 179 | echo "" >> /etc/wireguard/wg0.conf 180 | echo "[Peer]" >> /etc/wireguard/wg0.conf 181 | echo "PublicKey = $PK_FOR_SERVER" >> /etc/wireguard/wg0.conf 182 | echo "AllowedIPs = $WG_CLIENT_IP/32" >> /etc/wireguard/wg0.conf 183 | echo -e "\e[92mWireguard Config file created at /etc/wireguard/wg0.conf\e[0m" 184 | echo "" 185 | echo "Starting Wireguard..." 186 | systemctl start wg-quick@wg0 187 | echo "" 188 | echo "Waiting for connection..." 189 | while ! ping -c 1 -W 1 $WG_CLIENT_IP > /dev/null; do 190 | printf '.' 191 | sleep 2 192 | done 193 | echo -e "\e[92mConnection Established!\e[0m" 194 | echo "" 195 | echo "Enabling Wireguard to start across reboots..." 196 | systemctl enable wg-quick@wg0 197 | echo -e "\e[92mDone.\e[0m" 198 | echo "" 199 | echo "Your wireguard tunnel should be set up now. If you need to reset the link for any reason, please run 'systemctl reboot wg-quick@wg0'" 200 | echo "" 201 | read -r -p $'\e[36mWould you like this script to configure your firewall? [Y/n]\e[0m' UFW_YN 202 | if [[ ! 
"$UFW_YN" =~ ^([yY][eE][sS]|[yY]|"")$ ]]; then 203 | echo -e "You should limit access to your server by using ufw as described in \e[94;4mhttps://github.com/mochman/Bypass_CGNAT/wiki/Limiting-Access\e[0m" 204 | exit 205 | fi 206 | echo "Adding OpenSSH($SSHD_PORT/tcp)" 207 | ufw allow $SSHD_PORT/tcp > /dev/null 208 | echo "Adding Wireguard Port($WGPORT)" 209 | ufw allow $WGPORT > /dev/null 210 | for i in $(echo $PORTLIST | sed "s/,/ /g") 211 | do 212 | PORT=$(echo $i| cut -d'/' -f 1) 213 | PROT=$(echo $i| cut -d'/' -f 2) 214 | echo "Adding $PORT/$PROT" 215 | ufw allow $PORT/$PROT > /dev/null 216 | done 217 | echo "Allowing routing" 218 | ufw default allow routed > /dev/null 219 | echo "Deny all other traffic" 220 | ufw default allow routed 221 | echo -e "\e[92mDone.\e[0m" 222 | echo "" 223 | echo "Here are all the rules that have been added." 224 | ufw show added | tail -n +2 225 | echo "" 226 | echo "Do the rules look good (at the very least, you should see your ssh port) for activating?" 227 | echo "" 228 | read -r -p $'\e[36mActivate rules? [Y/n]\e[0m' UFW_ON 229 | if [[ ! "$UFW_ON" =~ ^([yY][eE][sS]|[yY]|"")$ ]]; then 230 | echo "Firewall not enabled" 231 | echo -e "You should limit access to your server by using ufw as described in \e[94;4mhttps://github.com/mochman/Bypass_CGNAT/wiki/Limiting-Access\e[0m" 232 | exit 233 | else 234 | ufw enable 235 | fi 236 | if $FAIL2BAN; then 237 | echo "Restarting fail2ban" 238 | systemctl start fail2ban.service 239 | echo -e "\e[92mDone.\e[0m" 240 | fi 241 | 242 | echo "" 243 | echo "Your system has been configured. 
If you need to reset the link for any reason, please run 'systemctl reboot wg-quick@wg0'" 244 | echo "" 245 | else 246 | PK_FOR_SERVER=$(cat /etc/wireguard/publickey) 247 | if [ $7 ]; then 248 | PORTLIST=$7 249 | fi 250 | echo "Address = $WG_CLIENT_IP/24" >> /etc/wireguard/wg0.conf 251 | echo "" >> /etc/wireguard/wg0.conf 252 | for i in $(echo $PORTLIST | sed "s/,/ /g") 253 | do 254 | PORT=$(echo $i| cut -d'/' -f 1) 255 | PROT=$(echo $i| cut -d'/' -f 2) 256 | printf "IP Address of service using $PORT/$PROT (Just press Enter if using this server): " 257 | read SVC_IP 258 | if [[ -n $SVC_IP ]]; then 259 | echo "PostUp = iptables -t nat -A PREROUTING -p $PROT --dport $PORT -j DNAT --to-destination $SVC_IP:$PORT; iptables -t nat -A POSTROUTING -p $PROT --dport $PORT -j MASQUERADE" >> /etc/wireguard/wg0.conf 260 | echo "PostDown = iptables -t nat -D PREROUTING -p $PROT --dport $PORT -j DNAT --to-destination $SVC_IP:$PORT; iptables -t nat -D POSTROUTING -p $PROT --dport $PORT -j MASQUERADE" >> /etc/wireguard/wg0.conf 261 | echo "" >> /etc/wireguard/wg0.conf 262 | fi 263 | done 264 | echo "[Peer]" >> /etc/wireguard/wg0.conf 265 | echo "PublicKey = $2" >> /etc/wireguard/wg0.conf 266 | echo "AllowedIPs = 0.0.0.0/0" >> /etc/wireguard/wg0.conf 267 | echo "Endpoint = $PUBLIC_IP:$WGPORT" >> /etc/wireguard/wg0.conf 268 | echo "PersistentKeepalive = 25" >> /etc/wireguard/wg0.conf 269 | echo "Wireguard Config file created at /etc/wireguard/wg0.conf" 270 | echo "" 271 | echo "Here is the Public Key for you to enter back on the VPS." 272 | echo "" 273 | echo -e "\e[96m$PK_FOR_SERVER\e[0m" 274 | echo "" 275 | echo "Starting Wireguard..." 276 | systemctl start wg-quick@wg0 277 | echo "Waiting for connection" 278 | while ! ping -c 1 -W 1 $WG_SERVER_IP > /dev/null; do 279 | printf '.' 280 | sleep 1 281 | done 282 | echo -e "\e[92mConnection Established!\e[0m" 283 | echo "" 284 | echo "Enabling Wireguard to start across reboots..." 
285 | systemctl enable wg-quick@wg0 286 | echo -e "\e[92mDone.\e[0m" 287 | echo "" 288 | echo "Your system has been configured. If you need to reset the link for any reason, please run 'systemctl reboot wg-quick@wg0'" 289 | echo "" 290 | fi 291 | -------------------------------------------------------------------------------- /Oracle Cloud/Oracle_Installer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Installation script for wireguard using an Oracle Cloud VPS 3 | # https://github.com/mochman/Bypass_CGNAT 4 | 5 | if [ $EUID != 0 ]; then 6 | sudo "$0" "$@" 7 | exit $? 8 | fi 9 | 10 | WGCONFLOC='/etc/wireguard/wg0.conf' 11 | WGPUBKEY='/etc/wireguard/publickey' 12 | WGCLIENTIPFILE='/etc/wireguard/client_ip' 13 | WGPORTSFILE='/etc/wireguard/forwarded_ports' 14 | WGCONFBOTTOM='/etc/wireguard/bottom_section' 15 | WGCONFTOP='/etc/wireguard/top_section' 16 | 17 | RED='\033[0;31m' 18 | NC='\033[0m' 19 | GREEN='\033[0;32m' 20 | YELLOW='\033[1;33m' 21 | BOLD='\033[1m' 22 | LGREEN='\033[92m' 23 | WHITE='\033[97m' 24 | LBLUE='\033[94m' 25 | LBU='\033[94;4m' 26 | CYAN='\033[36m' 27 | LCYAN='\033[96m' 28 | MAGEN='\033[1;35m' 29 | 30 | stop_wireguard () { 31 | echo -en "${YELLOW}Stopping any current wireguard services${NC}..." 32 | systemctl stop wg-quick@wg0 2> /dev/null 33 | wg-quick down wg0 2> /dev/null 34 | echo -e "[${GREEN}Done${NC}]" 35 | } 36 | 37 | update_system () { 38 | echo -e "${YELLOW}Updating System${NC}..." 39 | apt update 40 | apt upgrade -y 41 | echo -e "[${GREEN}Done${NC}]" 42 | } 43 | 44 | install_required () { 45 | echo -e "${YELLOW}Installing Required Software${NC}..." 46 | if [[ $SERVERTYPE == 1 ]]; then 47 | apt install iputils-ping ufw wireguard -y 48 | else 49 | apt install wireguard -y 50 | fi 51 | echo -e "[${GREEN}Done${NC}]" 52 | } 53 | 54 | configure_forwarding () { 55 | echo -en "${YELLOW}Configuring Forwarding Settings${NC}..." 
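# (remainder of configure_forwarding) make sure net.ipv4.ip_forward=1 is active in
# /etc/sysctl.conf, uncommenting the stock entry or appending one, then reload sysctl.
  if grep -e "^net.ipv4.ip_forward=1$" /etc/sysctl.conf >/dev/null; then
    echo -e "[${GREEN}Already set${NC}]"
  else
    sed -i 's/^\#net.ipv4.ip_forward=1$/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
    if ! grep -e "^net.ipv4.ip_forward=1$" /etc/sysctl.conf >/dev/null; then
      echo -e "[${CYAN}Appending to /etc/sysctl.conf${NC}]"
      echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    fi
    echo -en "${YELLOW}Reloading sysctl settings${NC}..."
    sysctl -q -p
    echo -e "[${GREEN}Done${NC}]"
  fi
}

# ---------------------------------------------------------------------------
# Input validation helpers. Everything the operator types (or passes as an
# argument copied from the other machine) ends up inside wg0.conf PostUp /
# PostDown lines, which wg-quick executes as root, and inside ufw commands.
# These checks make sure only the expected shapes get that far.
# ---------------------------------------------------------------------------

# is_ipv4 ADDR — true when ADDR is four dot-separated decimal groups (the same
# shape check get_ips has always applied; octets are not range-checked).
is_ipv4 () {
  [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]
}

# is_port NUM — true when NUM is a decimal integer in 1..65535.
is_port () {
  [[ $1 =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# is_wg_key KEY — true when KEY has the shape of a WireGuard key
# (32 bytes base64: 43 characters plus one '=' of padding).
is_wg_key () {
  [[ $1 =~ ^[A-Za-z0-9+/]{43}=$ ]]
}

# is_portlist LIST — true when LIST is empty or a comma-separated sequence of
# PORT/tcp or PORT/udp entries with no spaces (the format the prompts describe),
# with every PORT a valid port number.
is_portlist () {
  local entry
  [[ -z $1 ]] && return 0
  [[ $1 =~ ^[0-9]+/(tcp|udp)(,[0-9]+/(tcp|udp))*$ ]] || return 1
  for entry in ${1//,/ }; do
    is_port "${entry%/*}" || return 1
  done
  return 0
}

# read_portlist — prompt for the pass-through port list until is_portlist
# accepts it; stores the result in PORTLIST (an empty answer is accepted).
read_portlist () {
  local list
  while true; do
    read -r -p $'\e[36mEntry\e[0m: ' list
    if is_portlist "$list"; then
      break
    fi
    echo -e "${RED}Entries must look like 443/tcp,80/tcp,8123/udp (no spaces), please try again.${NC}"
  done
  PORTLIST=$list
}

# split_portlist LIST — fill TCP_PORTS / UDP_PORTS with the comma-separated
# port numbers of each protocol (no trailing comma), ready for iptables
# "--match multiport --dports". Either variable is empty when unused.
split_portlist () {
  local entry
  TCP_PORTS=""
  UDP_PORTS=""
  for entry in ${1//,/ }; do
    case "${entry#*/}" in
      tcp) TCP_PORTS+="${entry%/*}," ;;
      udp) UDP_PORTS+="${entry%/*}," ;;
    esac
  done
  TCP_PORTS=${TCP_PORTS%,}
  UDP_PORTS=${UDP_PORTS%,}
}

# detect_sshd_port — set SSHD_PORT from the first active "Port" directive in
# /etc/ssh/sshd_config, defaulting to 22. The default matters: setup_firewall
# ends with "default deny incoming", so an empty SSHD_PORT would leave no SSH
# rule and lock the operator out of the VPS.
detect_sshd_port () {
  local port
  port=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config 2>/dev/null | grep -Eo '[0-9]+' | head -n 1)
  SSHD_PORT=${port:-22}
}

# detect_tunnel_iface — set TUNNEL_IP / TUNNEL_INT to the first global IPv4
# address on this host and the interface carrying it, skipping 172.* addresses
# (typical container bridges) and wg0. Both values come from the same line so
# the SNAT source and the DNAT input interface always agree.
# NOTE(review): when the VPS has several global addresses the first one wins;
# confirm it is the NIC Oracle maps the public IP to.
detect_tunnel_iface () {
  local line
  line=$(ip -4 a show scope global | grep global | grep -v " 172." | grep -v "wg0" | head -n 1)
  TUNNEL_IP=$(echo "$line" | awk '{print $2}' | sed 's/\/.*//g')
  TUNNEL_INT=$(echo "$line" | awk '{print $NF}')
}

# write_service_mappings — for each PORT/PROT in PORTLIST ask which LAN host
# serves it; when one is given, append DNAT + MASQUERADE PostUp/PostDown lines
# to $WGCONFLOC so the tunnel forwards that port on to it. An empty answer
# means the service runs on this machine and needs no rule.
write_service_mappings () {
  local entry PORT PROT SVC_IP
  for entry in ${PORTLIST//,/ }; do
    PORT=${entry%/*}
    PROT=${entry#*/}
    while true; do
      printf "IP Address of service using %s/%s (Just press Enter if using this server): " "$PORT" "$PROT"
      read -r SVC_IP
      [[ -z $SVC_IP ]] && break
      is_ipv4 "$SVC_IP" && break
      echo -e "${RED}$SVC_IP is not a valid IP, please try again.${NC}"
    done
    if [[ -n $SVC_IP ]]; then
      {
        echo "PostUp = iptables -t nat -A PREROUTING -p $PROT --dport $PORT -j DNAT --to-destination $SVC_IP:$PORT; iptables -t nat -A POSTROUTING -p $PROT --dport $PORT -j MASQUERADE"
        echo "PostDown = iptables -t nat -D PREROUTING -p $PROT --dport $PORT -j DNAT --to-destination $SVC_IP:$PORT; iptables -t nat -D POSTROUTING -p $PROT --dport $PORT -j MASQUERADE"
        echo ""
      } >> "$WGCONFLOC"
    fi
  done
}

# get_ips CLIENT_IP PORT PUBLIC_IP — collect the addresses the tunnel needs.
# Each argument, when non-empty, replaces its interactive prompt. Sets
# PUBLIC_IP, WG_SERVER_IP, WG_CLIENT_IP and WGPORT, exits 1 when any IP or the
# port is malformed, and records WG_CLIENT_IP in $WGCLIENTIPFILE.
get_ips () {
  echo "In the following steps, you will need to enter some IP addresses. You can find your VPS Public IP address on your Oracle Cloud Instance Page under \"Public IP Address\"".
  echo "The other IP addresses & port have a default set (shown in square brackets). If you don't want to change them, just press enter when prompted."
  echo ""
  LOCALIPS=$(ip a s | grep -Eo "inet [0-9|\.|/]+" | grep -v "127.0.0.1" | sed 's/inet //')

  if [[ -n $3 ]]; then
    PUBLIC_IP=$3
  else
    read -r -p $'\e[36mVPS Public IP\e[0m: ' PUBLIC_IP
  fi

  if [[ $SERVERTYPE == 1 ]]; then
    echo ""
    echo -e "${YELLOW}The following networks have been found on your system. Please use a different network for your Wireguard Server & Client${NC}"
    echo $LOCALIPS
    echo ""
    read -r -p $'\e[36mWireguard Server IP \e[0m[\e[32m10.1.0.1\e[0m]: ' WG_SERVER_IP
  fi
  WG_SERVER_IP=${WG_SERVER_IP:-10.1.0.1}

  if [[ -n $1 ]]; then
    WG_CLIENT_IP=$1
  else
    read -r -p $'\e[36mWireguard Client IP \e[0m[\e[32m10.1.0.2\e[0m]: ' WG_CLIENT_IP
    WG_CLIENT_IP=${WG_CLIENT_IP:-10.1.0.2}
  fi

  if [[ -n $2 ]]; then
    WGPORT=$2
  else
    read -r -p $'\e[36mWireguard Port \e[0m[\e[32m55108\e[0m]: ' WGPORT
    WGPORT=${WGPORT:-55108}
  fi

  local name
  for name in PUBLIC_IP WG_SERVER_IP WG_CLIENT_IP; do
    if ! is_ipv4 "${!name}"; then
      echo -e "${RED}$name is not a valid IP, exiting...${NC}"
      exit 1
    fi
  done
  # WGPORT becomes ListenPort and a ufw rule later, so it must be a plain port number.
  if ! is_port "$WGPORT"; then
    echo -e "${RED}WGPORT is not a valid port number, exiting...${NC}"
    exit 1
  fi
  echo -en "${YELLOW}Saving Client IP to file${NC}..."
  echo "$WG_CLIENT_IP" > "$WGCLIENTIPFILE"
  echo -e "[${GREEN}Done${NC}]"
}

# create_keys — start a fresh $WGCONFLOC containing a new private key and store
# the matching public key in $WGPUBKEY. umask 077 is set first so both files are
# created owner-only; the private key only ever travels through this pipeline.
create_keys () {
  echo -en "${YELLOW}Creating new Private/Public Keys${NC}..."
  umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee "$WGCONFLOC" > /dev/null
  sudo wg genkey | tee -a "$WGCONFLOC" | wg pubkey | sudo tee "$WGPUBKEY" > /dev/null
  echo -e "[${GREEN}Done${NC}]"
}

# create_server_config — VPS side. Flushes iptables, asks for the pass-through
# port list, writes the rest of $WGCONFLOC (ListenPort/Address, DNAT and SNAT
# PostUp/PostDown lines, [Peer] with the client's key), then starts wg0 and
# waits until the client answers ping. Requires PUBLIC_IP, WG_SERVER_IP,
# WG_CLIENT_IP and WGPORT from get_ips and the key files from create_keys.
# The line layout written here is relied upon by get_ports (line 4 = Address).
create_server_config () {
  PK_FOR_CLIENT=$(cat "$WGPUBKEY")
  detect_tunnel_iface
  detect_sshd_port
  # -F drops every rule currently loaded in the filter and nat tables, not
  # only rules this script added.
  echo -en "${YELLOW}Flushing default iptables${NC}..."
  iptables -F
  iptables -t nat -F
  echo -e "[${GREEN}Done${NC}]"
  echo ""
  echo "What ports/protcols do you want to pass through to your Local Server?"
  echo "Please enter them like the following (comma separated, no spaces):"
  echo "443/tcp,80/tcp,8123/udp,5128/tcp"
  echo "If you don't want any other traffic added, just press enter"
  echo ""
  read_portlist
  echo -en "${YELLOW}Saving the iptables to persist across reboots${NC}..."
  iptables-save > /etc/iptables/rules.v4
  echo -e "[${GREEN}Done${NC}]"
  echo -en "${YELLOW}Saving ports to ${WGPORTSFILE}${NC}..."
  echo "$PORTLIST" > "$WGPORTSFILE"
  echo -e "[${GREEN}Done${NC}]"
  echo ""
  echo ""
  echo -e "${MAGEN}Before continuing with the rest of this script, please run this script on your Local Server with the following line${NC}:"
  echo ""
  echo -e "${LCYAN}./Oracle_Installer.sh Local $PK_FOR_CLIENT $PUBLIC_IP $WG_SERVER_IP $WG_CLIENT_IP $WGPORT $PORTLIST${NC}"
  echo ""
  echo -e "${MAGEN}That script will output a public key for you to input here.${NC}"
  # The key is written verbatim into wg0.conf; only accept something key-shaped.
  while true; do
    read -r -p $'\e[36mPublic Key from Client\e[0m: ' PK_FOR_SERVER
    is_wg_key "$PK_FOR_SERVER" && break
    echo -e "${RED}That does not look like a WireGuard public key, please try again.${NC}"
  done
  {
    echo "ListenPort = $WGPORT"
    echo "Address = $WG_SERVER_IP/24"
    echo ""
  } >> "$WGCONFLOC"
  split_portlist "$PORTLIST"
  # Inbound pass-through ports are DNATed to the client; replies leave the
  # public interface SNATed to this host's address.
  if [[ -n $TCP_PORTS ]]; then
    echo "PostUp = iptables -t nat -A PREROUTING -p tcp -i $TUNNEL_INT --match multiport --dports ${TCP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP" >> "$WGCONFLOC"
  fi
  echo "PostUp = iptables -t nat -A POSTROUTING -o $TUNNEL_INT -j SNAT --to-source $TUNNEL_IP" >> "$WGCONFLOC"
  if [[ -n $UDP_PORTS ]]; then
    echo "PostUp = iptables -t nat -A PREROUTING -p udp -i $TUNNEL_INT --match multiport --dports ${UDP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP;" >> "$WGCONFLOC"
  fi
  echo "" >> "$WGCONFLOC"
  if [[ -n $TCP_PORTS ]]; then
    echo "PostDown = iptables -t nat -D PREROUTING -p tcp -i $TUNNEL_INT --match multiport --dports ${TCP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP" >> "$WGCONFLOC"
  fi
  echo "PostDown = iptables -t nat -D POSTROUTING -o $TUNNEL_INT -j SNAT --to-source $TUNNEL_IP" >> "$WGCONFLOC"
  if [[ -n $UDP_PORTS ]]; then
    echo "PostDown = iptables -t nat -D PREROUTING -p udp -i $TUNNEL_INT --match multiport --dports ${UDP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP;" >> "$WGCONFLOC"
  fi
  {
    echo ""
    echo "[Peer]"
    echo "PublicKey = $PK_FOR_SERVER"
    # Only the client's tunnel address is accepted from this peer.
    echo "AllowedIPs = $WG_CLIENT_IP/32"
  } >> "$WGCONFLOC"
  echo -e "${GREEN}Wireguard Config file created at $WGCONFLOC${NC}"
  echo ""
  echo -en "${YELLOW}Starting Wireguard${NC}..."
  systemctl start wg-quick@wg0
  echo -e "[${GREEN}Done${NC}]"
  echo -e "${YELLOW}Waiting for connection${NC}..."
  # Blocks until the client side has been set up and the tunnel carries traffic.
  while ! ping -c 1 -W 1 "$WG_CLIENT_IP" > /dev/null 2>&1; do
    printf '.'
    sleep 2
  done
  echo -e "[${GREEN}Connection Established${NC}]"
  echo -en "${YELLOW}Enabling Wireguard to start across reboots${NC}..."
  systemctl enable wg-quick@wg0 >/dev/null
  echo -e "[${GREEN}Done${NC}]"
  echo "Your wireguard tunnel should be set up now. If you need to reset the link for any reason, please run 'systemctl restart wg-quick@wg0'"
}

# create_client_config PUBLIC_IP WG_CLIENT_IP WGPORT PORTLIST PUBKEY WG_SERVER_IP
# Local-server side. Finishes the $WGCONFLOC begun by create_keys (Address,
# optional per-service DNAT mappings, [Peer] pointing at the VPS), prints this
# host's public key for the operator to paste on the VPS, then starts wg0 and
# waits until the VPS tunnel address answers ping. Exits 1 on malformed
# arguments, since they are copied by hand from the VPS prompt.
create_client_config () {
  PUBLIC_IP=$1
  WG_CLIENT_IP=$2
  WGPORT=$3
  PORTLIST=$4
  PUBKEY=$5
  WG_SERVER_IP=$6
  if ! is_ipv4 "$PUBLIC_IP" || ! is_ipv4 "$WG_CLIENT_IP" || ! is_ipv4 "$WG_SERVER_IP" \
     || ! is_port "$WGPORT" || ! is_portlist "$PORTLIST" || ! is_wg_key "$PUBKEY"; then
    echo -e "${RED}Invalid arguments. Expected: ./Oracle_Installer.sh Local <VPS public key> <VPS public IP> <server IP> <client IP> <port> [ports]${NC}"
    exit 1
  fi
  PK_FOR_SERVER=$(cat "$WGPUBKEY")
  {
    echo "Address = $WG_CLIENT_IP/24"
    echo ""
  } >> "$WGCONFLOC"
  write_service_mappings
  {
    echo "[Peer]"
    echo "PublicKey = $PUBKEY"
    # 0.0.0.0/0 routes all of this host's traffic through the VPS so that
    # replies to the DNATed/SNATed connections go back down the tunnel.
    # NOTE(review): a narrower AllowedIPs covering only the VPS side may be
    # enough; verify against the SNAT source used on the VPS before tightening.
    echo "AllowedIPs = 0.0.0.0/0"
    echo "Endpoint = $PUBLIC_IP:$WGPORT"
    echo "PersistentKeepalive = 25"
  } >> "$WGCONFLOC"
  echo "Wireguard Config file created at $WGCONFLOC"
  echo ""
  echo -en "${YELLOW}Saving ports to ${WGPORTSFILE}${NC}..."
  echo "$PORTLIST" > "$WGPORTSFILE"
  echo -e "[${GREEN}Done${NC}]"
  echo ""
  echo "Here is the Public Key for you to enter back on the VPS."
  echo ""
  echo -e "${LCYAN}$PK_FOR_SERVER${NC}"
  echo ""
  echo -en "${YELLOW}Starting Wireguard${NC}..."
  systemctl start wg-quick@wg0
  echo -e "[${GREEN}Done${NC}]"
  echo -e "${YELLOW}Waiting for connection${NC}..."
  while ! ping -c 1 -W 1 "$WG_SERVER_IP" > /dev/null; do
    printf '.'
    sleep 1
  done
  echo -e "[${GREEN}Connection Established${NC}]"
  echo ""
  echo -en "${YELLOW}Enabling Wireguard to start across reboots${NC}..."
  systemctl enable wg-quick@wg0 >/dev/null
  echo -e "[${GREEN}Done${NC}]"
}

# clear_firewall — disable ufw and reset it to an empty rule set.
clear_firewall () {
  echo -en "${YELLOW}Clearing Old Firewall Rules${NC}..."
  ufw --force disable >/dev/null
  ufw --force reset >/dev/null
  echo -e "[${GREEN}Done${NC}]"
}

# setup_firewall — build the ufw rule set from scratch: SSH, the WireGuard UDP
# port, each pass-through port, routed (forwarded) traffic allowed, everything
# else denied. Shows the resulting rules and enables ufw only after the
# operator confirms; declining exits the script with ufw left disabled.
# Uses SSHD_PORT, WGPORT and PORTLIST from the caller; WGPORT falls back to
# the ListenPort in $WGCONFLOC and SSHD_PORT to detect_sshd_port.
setup_firewall () {
  if [[ -z ${WGPORT-} ]]; then
    WGPORT=$(grep 'ListenPort' "$WGCONFLOC" | awk '{print $3}')
  fi
  if [[ -z ${SSHD_PORT-} ]]; then
    detect_sshd_port
  fi
  echo "Configuring ufw rules"
  echo " Allowing OpenSSH($SSHD_PORT/tcp)"
  ufw allow "$SSHD_PORT/tcp" > /dev/null
  # WireGuard speaks UDP only; opening the port for TCP as well is needless exposure.
  echo " Allowing Wireguard Port($WGPORT/udp)"
  ufw allow "$WGPORT/udp" > /dev/null
  local entry
  for entry in ${PORTLIST//,/ }; do
    echo " Allowing $entry"
    ufw allow "$entry" > /dev/null
  done
  # The DNATed pass-through traffic is forwarded, so ufw's routed policy must allow it.
  echo " Allowing routing"
  ufw default allow routed > /dev/null
  echo " Deny all other traffic"
  ufw default deny incoming > /dev/null
  echo ""
  echo " Here are all the rules that have been added."
  ufw show added | tail -n +2 | sed -e 's/^/ /'
  echo ""
  echo " Do the rules look good (at the very least, you should see your ssh port) for activating?"
  echo ""
  read -r -p $' \e[36mActivate rules? [Y/n]\e[0m' UFW_ON
  if [[ ! "$UFW_ON" =~ ^([yY][eE][sS]|[yY]|"")$ ]]; then
    echo " Firewall not enabled"
    echo -e " You should limit access to your server by using ufw as described in \e[94;4mhttps://github.com/mochman/Bypass_CGNAT/wiki/Limiting-Access\e[0m"
    exit
  else
    ufw --force enable >/dev/null
  fi
  echo -e "[${GREEN}ufw Configured${NC}]"
}

# get_ports — VPS "change ports" path. Re-reads the values the rules depend on
# (SSH port, ListenPort, client IP, public interface), prompts for a new
# pass-through list, saves it, then rewrites the PostUp/PostDown lines of
# $WGCONFLOC in place. The sed edits rely on the layout create_server_config
# wrote: line 4 is Address; all Post* and blank lines are removed, two blank
# lines are re-added after line 4, and each new rule is inserted after line 5
# in reverse order so the final order matches create_server_config.
get_ports () {
  OLDPORTS=$(cat "$WGPORTSFILE")
  detect_sshd_port
  WGPORT=$(grep 'ListenPort' "$WGCONFLOC" | awk '{print $3}')
  WG_CLIENT_IP=$(cat "$WGCLIENTIPFILE")
  detect_tunnel_iface
  echo "What ports/protcols do you want to pass through to your Local Server?"
  echo "Please enter them like the following (comma separated, no spaces):"
  echo "443/tcp,80/tcp,8123/udp,5128/tcp"
  echo "If you don't want any other traffic added, just press enter"
  echo -e "Your current ports are ${CYAN}$OLDPORTS${NC}"
  echo ""
  read_portlist
  echo ""
  echo -en "${YELLOW}Saving ports to ${WGPORTSFILE}${NC}..."
  echo "$PORTLIST" > "$WGPORTSFILE"
  echo -e "[${GREEN}Done${NC}]"
  sed -i '/^Post/d' "$WGCONFLOC"
  sed -i '/^$/d' "$WGCONFLOC"
  sed -i '4 a \\' "$WGCONFLOC"
  sed -i '4 a \\' "$WGCONFLOC"
  split_portlist "$PORTLIST"
  if [[ -n $UDP_PORTS ]]; then
    sed -i "5 a PostDown = iptables -t nat -D PREROUTING -p udp -i $TUNNEL_INT --match multiport --dports ${UDP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP;" "$WGCONFLOC"
  fi
  sed -i "5 a PostDown = iptables -t nat -D POSTROUTING -o $TUNNEL_INT -j SNAT --to-source $TUNNEL_IP" "$WGCONFLOC"
  if [[ -n $TCP_PORTS ]]; then
    sed -i "5 a PostDown = iptables -t nat -D PREROUTING -p tcp -i $TUNNEL_INT --match multiport --dports ${TCP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP" "$WGCONFLOC"
  fi
  sed -i '5 a \\' "$WGCONFLOC"
  if [[ -n $UDP_PORTS ]]; then
    sed -i "5 a PostUp = iptables -t nat -A PREROUTING -p udp -i $TUNNEL_INT --match multiport --dports ${UDP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP;" "$WGCONFLOC"
  fi
  sed -i "5 a PostUp = iptables -t nat -A POSTROUTING -o $TUNNEL_INT -j SNAT --to-source $TUNNEL_IP" "$WGCONFLOC"
  if [[ -n $TCP_PORTS ]]; then
    sed -i "5 a PostUp = iptables -t nat -A PREROUTING -p tcp -i $TUNNEL_INT --match multiport --dports ${TCP_PORTS} -j DNAT --to-destination $WG_CLIENT_IP" "$WGCONFLOC"
  fi
  echo ""
  echo -e "\e[1;35mBefore continuing with the rest of this script, please run this script on your Local Server with the following line\e[0m:"
  echo ""
  echo -e "${LCYAN}./Oracle_Installer.sh LocalMod $PORTLIST${NC}"
  echo ""
  read -n 1 -s -r -p 'Press any key to continue.' YORN
  echo ""
}

# ask_firewall [FORCE] — rebuild the ufw rules. With FORCE=1 (ports changed)
# this happens unconditionally; otherwise the operator is asked first and a
# "no" exits the script, pointing at the wiki page on limiting access.
ask_firewall () {
  if [[ $1 == 1 ]]; then
    echo "Since the ports have been modified, the firewall needs to be changed"
    clear_firewall
    setup_firewall
  else
    read -r -p $'\e[36mWould you like this script to configure your firewall? [Y/n]\e[0m' UFW_YN
    if [[ ! "$UFW_YN" =~ ^([yY][eE][sS]|[yY]|"")$ ]]; then
      echo -e "You should limit access to your server by using ufw as described in \e[94;4mhttps://github.com/mochman/Bypass_CGNAT/wiki/Limiting-Access\e[0m"
      exit
    else
      clear_firewall
      setup_firewall
    fi
  fi
}

# start_wireguard — start the wg0 service (errors from systemctl are hidden).
start_wireguard () {
  echo -en "${YELLOW}Starting wireguard services${NC}..."
  systemctl start wg-quick@wg0 2> /dev/null
  echo -e "[${GREEN}Done${NC}]"
}

# modify_mapping — rebuild the client's service-mapping section: keep
# $WGCONFLOC up to and including the Address line, re-ask the mappings for
# PORTLIST, then re-append everything from "[Peer" onward. Uses the scratch
# files $WGCONFTOP / $WGCONFBOTTOM and removes them afterwards.
modify_mapping () {
  # The top scratch file holds the private key, so create both owner-only
  # (umask is changed inside a subshell so the rest of the script is unaffected).
  (
    umask 077
    awk '{print} /Address/ {exit}' "$WGCONFLOC" > "$WGCONFTOP"
    sed -n '/\[Peer/,$p' < "$WGCONFLOC" > "$WGCONFBOTTOM"
  )
  cat "$WGCONFTOP" > "$WGCONFLOC"
  echo "" >> "$WGCONFLOC"
  write_service_mappings
  echo "" >> "$WGCONFLOC"
  cat "$WGCONFBOTTOM" >> "$WGCONFLOC"
  rm -f "$WGCONFTOP" "$WGCONFBOTTOM"
  echo ""
}

# modify_client_config PORTLIST — "LocalMod" path: apply a new pass-through
# list on the client and record it in $WGPORTSFILE. Exits 1 if PORTLIST is
# not a valid port list.
modify_client_config () {
  PORTLIST=$1
  if ! is_portlist "$PORTLIST"; then
    echo -e "${RED}Invalid port list. Expected entries like 443/tcp,80/tcp,8123/udp (no spaces)${NC}"
    exit 1
  fi
  modify_mapping
  echo -en "${YELLOW}Saving ports to ${WGPORTSFILE}${NC}..."
  echo "$PORTLIST" > "$WGPORTSFILE"
  echo -e "[${GREEN}Done${NC}]"
}

# mapping_change — re-ask the service mappings for the ports already saved in $WGPORTSFILE.
mapping_change () {
  PORTLIST=$(cat "$WGPORTSFILE")
  modify_mapping
}

# script_complete — final message with the command to restart the tunnel.
script_complete () {
  echo ""
  echo -e "Your system has been configured. If you need to reset the VPN link for any reason, please run ${CYAN}sudo systemctl restart wg-quick@wg0${NC}"
  echo ""
}


#**********************Begin Script************************************
# Modes: "Local <args>" (client install, arguments copied from the VPS prompt),
# "LocalMod <ports>" (client port-list change), anything else = interactive
# VPS flow. Arguments are passed quoted so an empty trailing port list cannot
# shift the remaining arguments into the wrong parameters.
clear
echo ""
echo -e "${LGREEN}***************************************************"
echo -e "* ${WHITE}Oracle Cloud Wireguard Tunnel Installer${LGREEN} *"
echo -e "* ${LBLUE}Version 0.2.0 ${LGREEN} *"
echo -e "***************************************************${NC}"
echo ""
echo "This script will install and configure wireguard on your machines."
if [[ $1 == "Local" ]]; then
  stop_wireguard
  update_system
  install_required
  configure_forwarding
  create_keys
  # Argument order on the command line: Local PUBKEY PUBLIC_IP WG_SERVER_IP WG_CLIENT_IP WGPORT PORTLIST
  create_client_config "$3" "$5" "$6" "$7" "$2" "$4"
  script_complete
  exit
elif [[ $1 == "LocalMod" ]]; then
  stop_wireguard
  modify_client_config "$2"
  start_wireguard
  script_complete
  exit
else
  SERVERTYPE=1
  echo ""
  echo -e "Make sure you have followed the Opening Up Ports section found on:"
  echo -e "${LBU}https://github.com/mochman/Bypass_CGNAT/wiki/Oracle-Cloud--(Opening-Up-Ports)${NC}"
  echo ""
  echo "Please have a terminal window running on both your VPS and your Local Server"
  echo "since this script will ask you to input information into/from each other."
  echo -e "${YELLOW}Be advised, this script will modify your iptables & ufw(firewall) settings.${NC}"
  echo -e "${CYAN}"
  read -n 1 -s -r -p 'Press q to quit, any other key to continue' YORN
  echo -e "${NC}"
  if [[ $YORN == [Qq] ]]; then
    echo "Exiting..."
    exit
  fi
fi

FOUNDOLD=0

# Look for an already set up wireguard config
if grep -q -E 'PrivateKey = .+' "$WGCONFLOC" 2>/dev/null; then
  # Check if Server/Client: only a client config carries an Endpoint line
  if grep -q 'Endpoint' "$WGCONFLOC"; then
    # Client
    FOUNDTYPE=2
    FOUNDOLD=1
    SERVERTYPE=2
    options=("Change Port->IP Mapping" "Reload Wireguard Service" "Exit Script")
  else
    # Server
    FOUNDTYPE=1
    FOUNDOLD=1
    SERVERTYPE=1
    options=("Change Ports Passed Through" "Create New Configuration" "Reload Wireguard Service" "Exit Script")
  fi
else
  FOUNDTYPE=0
fi

echo ""
echo -e "${LBLUE}***************************************************"
if [[ $FOUNDOLD == 1 ]]; then
  echo -e "*${NC} Current Wireguard Configuration Detected ${LBLUE} *"
fi
if [[ $FOUNDTYPE == 2 ]]; then
  echo -e "*${YELLOW} Local Client ${LBLUE} *"
elif [[ $FOUNDTYPE == 1 ]]; then
  echo -e "*${YELLOW} VPS Server ${LBLUE} *"
else
  echo -e "*${NC} Wireguard Configuration Not Found ${LBLUE} *"
fi
echo -e "${LBLUE}***************************************************${NC}"
echo ""

if [[ $FOUNDOLD == 1 ]]; then
  echo "Options:"
  if [[ $FOUNDTYPE == 1 ]]; then #Server
    PS3="Select #: "
    select opt in "${options[@]}"
    do
      case $opt in
        "Change Ports Passed Through")
          echo ""
          stop_wireguard
          echo ""
          get_ports
          echo ""
          ask_firewall 1
          start_wireguard
          script_complete
          exit
          ;;
        "Create New Configuration")
          echo ""
          stop_wireguard
          update_system
          install_required
          configure_forwarding
          get_ips "$5" "$6" "$3"
          create_keys
          create_server_config
          ask_firewall
          script_complete
          exit
          ;;
        "Reload Wireguard Service")
          echo ""
          stop_wireguard
          start_wireguard
          exit
          ;;
        "Exit Script")
          exit
          ;;
        *) exit;;
      esac
    done
  elif [[ $FOUNDTYPE == 2 ]]; then #Client
    PS3="Select #: "
    select opt in "${options[@]}"
    do
      case $opt in
        "Change Port->IP Mapping")
          stop_wireguard
          echo ""
          mapping_change
          echo ""
          start_wireguard
          break
          ;;
        "Reload Wireguard Service")
          echo ""
          stop_wireguard
          start_wireguard
          exit
          ;;
        "Exit Script")
          exit
          ;;
        *) exit;;
      esac
    done
  fi
else
  stop_wireguard
  update_system
  install_required
  configure_forwarding
  get_ips "$5" "$6" "$3"
  create_keys
  create_server_config
  ask_firewall
  script_complete
fi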