commit ca7b28529fe773817851310952dd8865e755af74
Author: ange
Date: Fri Dec 27 11:37:11 2024 +0000
first commit
diff --git a/.env b/.env
new file mode 100644
index 0000000..12331f2
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+SSH_PORT=22
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..9930ef6
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+. .env
+
+export iface; iface="$(ip route show default | grep -Po 'dev\s+\K\w+')"
+export privkey; privkey="$(wg genkey)"
+
+envsubst < nftables.conf > /etc/wireguard/nftables.conf
+envsubst < wg0.conf > /etc/wireguard/wg0.conf
+
+systemctl enable wg-quick@wg0
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..b5ea760
--- /dev/null
+++ b/nftables.conf
@@ -0,0 +1,41 @@
+table ip wg {}; delete table ip wg
+
+table ip wg {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state invalid counter drop
+ ct state {established,related} counter accept
+
+ iif "lo" counter accept
+ ip protocol {icmp,icmpv6} counter accept
+
+ tcp dport $SSH_PORT counter accept comment "ssh"
+ iif "$iface" udp dport 443 counter accept comment "wg"
+
+ counter comment "dropped"
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ iif "wg0" counter accept
+ oif "wg0" counter accept
+
+ counter comment "dropped"
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+
+ counter comment "accepted"
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy drop;
+
+ oif "$iface" counter masquerade
+ oif "wg0" counter masquerade
+
+ counter comment "dropped"
+ }
+}
diff --git a/start.sh b/start.sh
new file mode 100755
index 0000000..f2804ff
--- /dev/null
+++ b/start.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+wg-quick up wg0
diff --git a/stop.sh b/stop.sh
new file mode 100755
index 0000000..23d4827
--- /dev/null
+++ b/stop.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+wg-quick down wg0
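Review bot: The freshly generated server private key is written to /etc/wireguard/wg0.conf by `envsubst < wg0.conf > /etc/wireguard/wg0.conf` with whatever umask the caller happens to have, so under the usual 022 umask the key file ends up world-readable; put `umask 077` before the two envsubst lines (or write the files through `install -m 600`). If `.env` does not define SSH_PORT, envsubst silently substitutes an empty string and the broken `tcp dport  counter accept` rule is only rejected later by `nft -f`, so `: "${SSH_PORT:?SSH_PORT not set in .env}"` right after `. .env` fails early with a clear message; passing `envsubst '$SSH_PORT $iface'` also stops any other `$...` in the templates from being rewritten. Every run calls `wg genkey`, so re-running the installer rotates the server key and invalidates all peer configs, which presumably is intended as one-shot and deserves a comment such as `# one-shot: re-running regenerates the server key`. The `-e` in `#!/bin/bash -e` is lost when the script is invoked as `bash install.sh`; `set -euo pipefail` as the first statement is the usual form, and the script should also not assume the working directory holds `.env` and the templates.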
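Review bot: The ruleset is an `ip` family table, so none of these chains see IPv6 at all; if the host has a global IPv6 address, the `policy drop` on `chain input` does not apply to it, and `ip protocol {icmp,icmpv6}` can never match icmpv6 inside an IPv4 table. Declaring `table inet wg` instead (with `meta l4proto {icmp,icmpv6}` in place of `ip protocol`) covers both families in one ruleset; the `delete table` prelude, the `PostDown = nft delete table ip wg` line in wg0.conf and install.sh would need the same family name. The `policy drop` on the `nat` postrouting chain looks risky: if I read the nat hook correctly, the first packet of every new connection leaving on an interface other than `$iface` or `wg0` (loopback included) falls through to the final `counter comment "dropped"` and is discarded, so `policy accept` — the conventional choice for nat chains, with filtering left to `chain forward` — would be safer here.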
diff --git a/wg0.conf b/wg0.conf
new file mode 100644
index 0000000..c48263f
--- /dev/null
+++ b/wg0.conf
@@ -0,0 +1,12 @@
+[Interface]
+PrivateKey = $privkey
+Address = 10.0.0.1/24
+ListenPort = 443
+PostUp = sysctl net.ipv4.ip_forward=1
+PostUp = nft -f /etc/wireguard/nftables.conf
+PostDown = nft delete table ip wg
+
+# dev1
+[Peer]
+PublicKey =
+AllowedIPs = 10.0.0.2/32
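Review bot: `PublicKey =` under the `# dev1` peer is empty, so `wg-quick up wg0` — and with it the `wg-quick@wg0` unit that install.sh enables — will fail to parse the config until a real key is pasted in; if this is meant as a template, a visible marker such as `PublicKey = <PEER_PUBLIC_KEY>` (constructed placeholder) plus a check in install.sh that no placeholder survives substitution would make the failure obvious instead of surfacing at boot. `PostUp = sysctl net.ipv4.ip_forward=1` turns forwarding on system-wide and no `PostDown` turns it back off, so after stop.sh the host keeps forwarding with the `wg` table gone; if that is not intended, add `PostDown = sysctl net.ipv4.ip_forward=0`, otherwise say so in a comment. After envsubst this file holds the server private key in plaintext and wg-quick only warns, not errors, when it is world accessible, so a top-of-file comment like `# contains the server private key: keep mode 0600` documents the expectation the installer has to meet.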