diff --git a/Readme.md b/README.md similarity index 97% rename from Readme.md rename to README.md index e8817e4..0cf316b 100644 --- a/Readme.md +++ b/README.md @@ -87,4 +87,4 @@ pptp.sh(Deprecated, DO NOT USE) - Description: Auto Install PPTP for CentOS 6 - Intro: https://teddysun.com/134.html -Copyright (C) 2013-2018 Teddysun +Copyright (C) 2013-2019 Teddysun diff --git a/bench.sh b/bench.sh index 8c64ea3..0a845f2 100644 --- a/bench.sh +++ b/bench.sh @@ -2,7 +2,7 @@ # # Description: Auto test download & I/O speed script # -# Copyright (C) 2015 - 2018 Teddysun +# Copyright (C) 2015 - 2019 Teddysun # # Thanks: LookBack # @@ -49,7 +49,7 @@ speed_test_v6() { speed_v4() { speed_test_v4 'http://cachefly.cachefly.net/100mb.test' 'CacheFly' - speed_test_v4 'http://speedtest.tokyo.linode.com/100MB-tokyo.bin' 'Linode, Tokyo, JP' + speed_test_v4 'http://speedtest.tokyo2.linode.com/100MB-tokyo2.bin' 'Linode, Tokyo2, JP' speed_test_v4 'http://speedtest.singapore.linode.com/100MB-singapore.bin' 'Linode, Singapore, SG' speed_test_v4 'http://speedtest.london.linode.com/100MB-london.bin' 'Linode, London, UK' speed_test_v4 'http://speedtest.frankfurt.linode.com/100MB-frankfurt.bin' 'Linode, Frankfurt, DE' @@ -66,7 +66,7 @@ speed_v6() { speed_test_v6 'http://speedtest.dallas.linode.com/100MB-dallas.bin' 'Linode, Dallas, TX' speed_test_v6 'http://speedtest.newark.linode.com/100MB-newark.bin' 'Linode, Newark, NJ' speed_test_v6 'http://speedtest.singapore.linode.com/100MB-singapore.bin' 'Linode, Singapore, SG' - speed_test_v6 'http://speedtest.tokyo.linode.com/100MB-tokyo.bin' 'Linode, Tokyo, JP' + speed_test_v6 'http://speedtest.tokyo2.linode.com/100MB-tokyo2.bin' 'Linode, Tokyo2, JP' speed_test_v6 'http://speedtest.sjc03.softlayer.com/downloads/test100.zip' 'Softlayer, San Jose, CA' speed_test_v6 'http://speedtest.wdc01.softlayer.com/downloads/test100.zip' 'Softlayer, Washington, WA' speed_test_v6 'http://speedtest.par01.softlayer.com/downloads/test100.zip' 'Softlayer, Paris, FR' 
@@ -95,7 +95,7 @@ calc_disk() { cname=$( awk -F: '/model name/ {name=$2} END {print name}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' ) cores=$( awk -F: '/model name/ {core++} END {print core}' /proc/cpuinfo ) -freq=$( awk -F: '/cpu MHz/ {freq=$2} END {print freq}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' ) +freq=$( awk -F'[ :]' '/cpu MHz/ {print $4;exit}' /proc/cpuinfo ) tram=$( free -m | awk '/Mem/ {print $2}' ) uram=$( free -m | awk '/Mem/ {print $3}' ) swap=$( free -m | awk '/Swap/ {print $2}' ) @@ -106,7 +106,7 @@ opsy=$( get_opsy ) arch=$( uname -m ) lbit=$( getconf LONG_BIT ) kern=$( uname -r ) -ipv6=$( wget -qO- -t1 -T2 ipv6.icanhazip.com ) +#ipv6=$( wget -qO- -t1 -T2 ipv6.icanhazip.com ) disk_size1=($( LANG=C df -hPl | grep -wvE '\-|none|tmpfs|devtmpfs|by-uuid|chroot|Filesystem|udev|docker' | awk '{print $2}' )) disk_size2=($( LANG=C df -hPl | grep -wvE '\-|none|tmpfs|devtmpfs|by-uuid|chroot|Filesystem|udev|docker' | awk '{print $3}' )) disk_total_size=$( calc_disk "${disk_size1[@]}" ) @@ -144,7 +144,7 @@ echo -e "Average I/O speed : ${YELLOW}$ioavg MB/s${PLAIN}" next printf "%-32s%-24s%-14s\n" "Node Name" "IPv4 address" "Download Speed" speed_v4 && next -if [[ "$ipv6" != "" ]]; then - printf "%-32s%-24s%-14s\n" "Node Name" "IPv6 address" "Download Speed" - speed_v6 && next -fi +#if [[ "$ipv6" != "" ]]; then +# printf "%-32s%-24s%-14s\n" "Node Name" "IPv6 address" "Download Speed" +# speed_v6 && next +#fi diff --git a/docker/kms/Dockerfile b/docker/kms/Dockerfile index 41aa660..e54e759 100644 --- a/docker/kms/Dockerfile +++ b/docker/kms/Dockerfile @@ -1,5 +1,5 @@ # Dockerfile for KMS Server -# Copyright (C) 2018 Teddysun +# Copyright (C) 2018 - 2019 Teddysun # Reference URL: # https://github.com/Wind4/vlmcsd diff --git a/docker/kms/README.md b/docker/kms/README.md index 2968c57..27e54e3 100644 --- a/docker/kms/README.md +++ b/docker/kms/README.md 
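Review bot: The new `freq` line splits on `[ :]` and prints field 4, which only holds if /proc/cpuinfo has exactly one space after the colon in `cpu MHz<tabs>: 2400.000`; any extra whitespace shifts the fields and yields an empty or wrong value, while the removed `-F:` form with a trailing trim tolerated it. It also now reports the first core's frequency (`exit`) instead of the last one (`END`), which is fine but worth a comment. Keeping the colon as the only separator and trimming inside awk preserves the early exit without the spacing dependency: `freq=$( awk -F: '/cpu MHz/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit}' /proc/cpuinfo )`. These assignments appear to be top-level statements following calc_disk() rather than part of it.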
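Review bot: The IPv6 detection at @@ -106 and the IPv6 download section at @@ -144 are commented out rather than removed, which leaves `speed_v6`/`speed_test_v6` (still being edited in the earlier hunk at @@ -66) as dead code that is maintained but never called. If the IPv6 test is being dropped until a reliable detection endpoint exists, delete the lines and rely on git history, or keep the original `[[ "$ipv6" != "" ]]` guard so the path stays exercised when the lookup succeeds. Either way a one-line comment stating why IPv6 is disabled, e.g. `# IPv6 speed test disabled: ipv6.icanhazip.com lookup unreliable`, would save the next reader from re-enabling it blindly.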
@@ -25,7 +25,7 @@ It can be found at [Docker Hub][3]. ## Start a container ```bash -$ docker run -d -p 1688:1688 --name kms teddysun/kms +$ docker run -d -p 1688:1688 --name kms --restart=always teddysun/kms ``` **Note**: The TCP port number `1688` must be opened in firewall. diff --git a/docker/l2tp/Dockerfile b/docker/l2tp/Dockerfile index b4b9b07..ecaa7ca 100644 --- a/docker/l2tp/Dockerfile +++ b/docker/l2tp/Dockerfile @@ -1,7 +1,7 @@ # Dockerfile for L2TP/IPSec VPN Server -# Copyright (C) 2018 Teddysun +# Copyright (C) 2018 - 2019 Teddysun -FROM debian:stretch +FROM debian:buster LABEL maintainer="Teddysun " RUN set -ex \ diff --git a/docker/l2tp/README.md b/docker/l2tp/README.md index 434bfcd..96a7ad1 100644 --- a/docker/l2tp/README.md +++ b/docker/l2tp/README.md @@ -2,9 +2,9 @@ Docker image to run a L2TP/IPsec VPN Server, with both `L2TP/IPsec PSK` and `IPSec Xauth PSK`. -1. Based on Debian 9 (Stretch) with [libreswan-3.27 (IPsec VPN software)](https://github.com/libreswan/libreswan) and [xl2tpd-1.3.12 (L2TP daemon)](https://github.com/xelerance/xl2tpd). +1. Based on Debian 10 (Buster) with [libreswan-3.29 (IPsec VPN software)](https://packages.debian.org/sid/libreswan) and [xl2tpd-1.3.12 (L2TP daemon)](https://packages.debian.org/sid/xl2tpd). -2. Based on alpine with [libreswan-3.21 (IPsec VPN software)](https://pkgs.alpinelinux.org/package/v3.8/community/x86_64/libreswan) and [xl2tpd-1.3.10 (L2TP daemon)](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/xl2tpd). +2. Based on Alpine with [libreswan-3.29 (IPsec VPN software)](https://pkgs.alpinelinux.org/package/edge/community/x86_64/libreswan) and [xl2tpd-1.3.14 (L2TP daemon)](https://pkgs.alpinelinux.org/package/edge/main/x86_64/xl2tpd). Docker images are built for quick deployment in various computing cloud providers. 
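Review bot: `FROM debian:buster` is a floating tag, so every rebuild silently picks up whatever that tag points to on the day and the resulting image is neither reproducible nor auditable; the same applies to `FROM alpine:edge` in docker/l2tp/alpine/Dockerfile, where `edge` is the rolling development branch and package versions can change or break without notice. Pin the base image by digest, `FROM debian:buster@sha256:<DIGEST-PLACEHOLDER>`, or at least to a point release, and refresh the pin deliberately. The README updated in this same commit advertises specific libreswan and xl2tpd versions, which a rolling base image cannot guarantee. The `RUN set -ex \` instruction continues outside the hunk.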
@@ -47,25 +47,41 @@ VPN_DNS1= VPN_DNS2= ``` -This will create a default user account for L2TP/IPsec VPN login, which can be used by your **multiple devices**. -The IPSec PSK (pre-shared key) is specified by the `VPN_IPSEC_PSK` environment variable. -The username is specified in `VPN_USER` environment variable. -and password is specified in `VPN_PASSWORD` environment variable. -If your VPS has multiple public IP addresses, maybe public IP need to specified in `VPN_PUBLIC_IP` environment variable. +This will create a default user account for L2TP/IPsec VPN login, which can be used by your **multiple devices**. + +The IPSec PSK (pre-shared key) is specified by the `VPN_IPSEC_PSK`. + +The **default username** is specified in `VPN_USER`. + +The **default password** is specified in `VPN_PASSWORD`. + +If your VPS has multiple public IP addresses, maybe public IP need to specified in `VPN_PUBLIC_IP`. + +If you want to specify a other private network, maybe need to specified in `VPN_L2TP_NET` (default `192.168.18.0/24`). + +If you want to specify a other private network, maybe need to specified in `VPN_XAUTH_NET` (default `192.168.20.0/24`). + +If you want to specify a `local ip` for `xl2tpd.conf`, maybe need to specified in `VPN_L2TP_LOCAL` (default `192.168.18.1`). + +If you want to specify a `ip range` for `xl2tpd.conf`, maybe need to specified in `VPN_L2TP_REMOTE` (default `192.168.18.10-192.168.18.250`). + +If you want to specify a `rightaddresspool` for `ipsec.conf`, maybe need to specified in `VPN_XAUTH_REMOTE` (default `192.168.20.10-192.168.20.250`). + +If you want to specify a other DNS servers, maybe need to specified in `VPN_DNS1` and `VPN_DNS2` (default `8.8.8.8`, `8.8.4.4`). 
There is an example to start a container: ```bash -$ docker run -d --privileged -p 500:500/udp -p 4500:4500/udp --name l2tp --env-file /etc/l2tp.env -v /lib/modules:/lib/modules teddysun/l2tp +$ docker run -d --privileged -p 500:500/udp -p 4500:4500/udp --name l2tp --restart=always --env-file /etc/l2tp.env -v /lib/modules:/lib/modules teddysun/l2tp ``` or start a container with tag **alpine** ```bash -$ docker run -d --privileged -p 500:500/udp -p 4500:4500/udp --name l2tp --env-file /etc/l2tp.env -v /lib/modules:/lib/modules teddysun/l2tp:alpine +$ docker run -d --privileged -p 500:500/udp -p 4500:4500/udp --name l2tp --restart=always --env-file /etc/l2tp.env -v /lib/modules:/lib/modules teddysun/l2tp:alpine ``` -**Note**: The UDP port number `500` and `4500` must be opened in firewall. +**Warning**: The UDP port number `500` and `4500` must be opened in firewall. ## Check container details @@ -132,6 +148,12 @@ $ docker exec -it l2tp l2tpctl -d $ docker exec -it l2tp l2tpctl -m ``` +### Print Libreswan & xl2tpd version + +```bash +$ docker exec -it l2tp l2tpctl -v +``` + ### Print help information ```bash diff --git a/docker/l2tp/alpine/Dockerfile b/docker/l2tp/alpine/Dockerfile index db3b106..ce8b1fa 100644 --- a/docker/l2tp/alpine/Dockerfile +++ b/docker/l2tp/alpine/Dockerfile @@ -1,7 +1,7 @@ # Dockerfile for L2TP/IPSec VPN Server based alpine -# Copyright (C) 2018 Teddysun +# Copyright (C) 2018 - 2019 Teddysun -FROM alpine:latest +FROM alpine:edge LABEL maintainer="Teddysun " RUN apk add -U openssl libreswan xl2tpd ppp-l2tp \ diff --git a/docker/l2tp/alpine/l2tp.sh b/docker/l2tp/alpine/l2tp.sh index 5f70359..7be0bec 100644 --- a/docker/l2tp/alpine/l2tp.sh +++ b/docker/l2tp/alpine/l2tp.sh @@ -137,8 +137,7 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=${XAUTH_REMOTE} - modecfgdns1=${DNS1} - modecfgdns2=${DNS2} + modecfgdns=${DNS1},${DNS2} leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes 
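Review bot: The merged `modecfgdns=${DNS1},${DNS2}` produces a trailing comma (`modecfgdns=8.8.8.8,`) whenever `DNS2` is empty, whereas the removed `modecfgdns2=${DNS2}` line only degraded to an empty option; unless `DNS2` is guaranteed a default earlier in the script (outside this hunk), libreswan may reject the conn. Assemble the list conditionally before the heredoc, `dns_list="${DNS1}"; [ -n "${DNS2}" ] && dns_list="${DNS1},${DNS2}"`, and emit `modecfgdns=${dns_list}`. The heredoc that writes this conn block begins before the hunk, so the assignment would go ahead of it.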
@@ -186,14 +185,18 @@ cat > /etc/ipsec.secrets < /etc/ppp/chap-secrets </dev/null; then + cat > /etc/ppp/chap-secrets < /etc/ipsec.d/passwd </dev/null; then + cat > /etc/ipsec.d/passwd < /etc/ipsec.secrets < /etc/ppp/chap-secrets </dev/null; then + cat > /etc/ppp/chap-secrets < /etc/ipsec.d/passwd </dev/null; then + cat > /etc/ipsec.d/passwd < +# +# Reference URL: +# https://www.wireguard.com +# https://git.zx2c4.com/WireGuard + +trap _exit INT QUIT TERM + +_red() { + printf '\033[1;31;31m%b\033[0m' "$1" +} + +_green() { + printf '\033[1;31;32m%b\033[0m' "$1" +} + +_yellow() { + printf '\033[1;31;33m%b\033[0m' "$1" +} + +_printargs() { + printf -- "%s" "[$(date)] " + printf -- "%s" "$1" + printf "\n" +} + +_info() { + _printargs "$@" +} + +_warn() { + printf -- "%s" "[$(date)] " + _yellow "$1" + printf "\n" +} + +_error() { + printf -- "%s" "[$(date)] " + _red "$1" + printf "\n" + exit 2 +} + +_exit() { + printf "\n" + _red "$0 has been terminated." + printf "\n" + exit 1 +} + +_exists() { + local cmd="$1" + if eval type type > /dev/null 2>&1; then + eval type "$cmd" > /dev/null 2>&1 + elif command > /dev/null 2>&1; then + command -v "$cmd" > /dev/null 2>&1 + else + which "$cmd" > /dev/null 2>&1 + fi + rt="$?" + return ${rt} +} + +_ipv4() { + local ipv4="$( ip addr | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \ + egrep -v "^192\.168|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-2]\.|^10\.|^127\.|^255\.|^0\." 
| head -n 1 )" + [ -z "${ipv4}" ] && ipv4="$( wget -qO- -t1 -T2 ipv4.icanhazip.com )" + [ -z "${ipv4}" ] && ipv4="$( wget -qO- -t1 -T2 ipinfo.io/ip )" + printf -- "%s" "${ipv4}" +} + +_ipv6() { + local ipv6="" + ipv6="$(wget -qO- -t1 -T2 ipv6.icanhazip.com)" + printf -- "%s" "${ipv6}" +} + +_nic() { + local nic="" + nic="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" + printf -- "%s" "${nic}" +} + +_port() { + local port="$(shuf -i 1024-20480 -n 1)" + while true + do + if _exists "netstat" && netstat -tunlp | grep -w "${port}" > /dev/null 2>&1; then + port="$(shuf -i 1024-20480 -n 1)" + else + break + fi + done + printf -- "%s" "${port}" +} + +_os() { + local os="" + [ -f "/etc/debian_version" ] && source /etc/os-release && os="${ID}" && printf -- "%s" "${os}" && return + [ -f "/etc/fedora-release" ] && os="fedora" && printf -- "%s" "${os}" && return + [ -f "/etc/redhat-release" ] && os="centos" && printf -- "%s" "${os}" && return +} + +_os_full() { + [ -f /etc/redhat-release ] && awk '{print ($1,$3~/^[0-9]/?$3:$4)}' /etc/redhat-release && return + [ -f /etc/os-release ] && awk -F'[= "]' '/PRETTY_NAME/{print $3,$4,$5}' /etc/os-release && return + [ -f /etc/lsb-release ] && awk -F'[="]+' '/DESCRIPTION/{print $2}' /etc/lsb-release && return +} + +_os_ver() { + local main_ver="$( echo $(_os_full) | grep -oE "[0-9.]+")" + printf -- "%s" "${main_ver%%.*}" +} + +_error_detect() { + local cmd="$1" + _info "${cmd}" + eval ${cmd} 1> /dev/null + if [ $? -ne 0 ]; then + _error "Execution command (${cmd}) failed, please check it and try again." 
+ fi +} + +_version_gt(){ + test "$(echo "$@" | tr " " "\n" | sort -V | head -n 1)" != "$1" +} + +_is_installed() { + if _exists "wg" && _exists "wg-quick"; then + if [ -s "/lib/modules/$(uname -r)/extra/wireguard.ko" ] || [ -s "/lib/modules/$(uname -r)/extra/wireguard.ko.xz" ] \ + || [ -s "/lib/modules/$(uname -r)/updates/dkms/wireguard.ko" ]; then + return 0 + else + return 1 + fi + else + return 2 + fi +} + +_get_latest_ver() { + wireguard_ver="$(wget --no-check-certificate -qO- https://api.github.com/repos/WireGuard/WireGuard/tags | grep 'name' | head -1 | cut -d\" -f4)" + if [ -z "${wireguard_ver}" ]; then + wireguard_ver="$(curl -Lso- https://api.github.com/repos/WireGuard/WireGuard/tags | grep 'name' | head -1 | cut -d\" -f4)" + fi + [ -z "${wireguard_ver}" ] && _error "Failed to get wireguard latest version from github" +} + +# Check OS version +check_os() { + _info "Check OS version" + if _exists "virt-what"; then + virt="$(virt-what)" + elif _exists "systemd-detect-virt"; then + virt="$(systemd-detect-virt)" + fi + if [ -n "${virt}" -a "${virt}" = "lxc" ]; then + _error "Virtualization method is LXC, which is not supported." + fi + if [ -n "${virt}" -a "${virt}" = "openvz" ] || [ -d "/proc/vz" ]; then + _error "Virtualization method is OpenVZ, which is not supported." + fi + [ -z "$(_os)" ] && _error "Not supported OS." + case "$(_os)" in + ubuntu) + [ -n "$(_os_ver)" -a "$(_os_ver)" -lt 16 ] && _error "Not supported OS, please change to Ubuntu 16+ and try again." + ;; + debian) + [ -n "$(_os_ver)" -a "$(_os_ver)" -lt 8 ] && _error "Not supported OS, please change to Debian 8+ and try again." + ;; + fedora) + [ -n "$(_os_ver)" -a "$(_os_ver)" -lt 29 ] && _error "Not supported OS, please change to Fedora 29+ and try again." + ;; + centos) + [ -n "$(_os_ver)" -a "$(_os_ver)" -lt 7 ] && _error "Not supported OS, please change to CentOS 7+ and try again." 
+ ;; + *) + ;; # do nothing + esac +} + +# Install from repository +install_wg_1() { + _info "Install wireguard from repository" + case "$(_os)" in + ubuntu) + _error_detect "add-apt-repository ppa:wireguard/wireguard" + _error_detect "apt-get update" + _error_detect "apt-get -y install linux-headers-$(uname -r)" + _error_detect "apt-get -y install qrencode" + _error_detect "apt-get -y install iptables" + _error_detect "apt-get -y install wireguard" + ;; + debian) + echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list + printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable + _error_detect "apt-get update" + _error_detect "apt-get -y install linux-headers-$(uname -r)" + _error_detect "apt-get -y install qrencode" + _error_detect "apt-get -y install iptables" + _error_detect "apt-get -y install wireguard" + ;; + fedora) + _error_detect "dnf -y copr enable jdoss/wireguard" + _error_detect "dnf -y install kernel-devel" + _error_detect "dnf -y install kernel-headers" + _error_detect "dnf -y install qrencode" + _error_detect "dnf -y install wireguard-dkms wireguard-tools" + ;; + centos) + _error_detect "curl -Lso /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo" + _error_detect "yum -y install epel-release" + _error_detect "yum -y install kernel-devel" + _error_detect "yum -y install kernel-headers" + _error_detect "yum -y install qrencode" + _error_detect "yum -y install wireguard-dkms wireguard-tools" + ;; + *) + ;; # do nothing + esac + if ! _is_installed; then + _error "Failed to install wireguard, the kernel is most likely not configured correctly" + fi +} + +# Install from source +install_wg_2() { + _info "Install wireguard from source" + case "$(_os)" in + ubuntu|debian) + _error_detect "apt-get update" + [ ! 
-d "/usr/src/linux-headers-$(uname -r)" ] && _error_detect "apt-get -y install linux-headers-$(uname -r)" + _error_detect "apt-get -y install qrencode" + _error_detect "apt-get -y install iptables" + _error_detect "apt-get -y install bc" + _error_detect "apt-get -y install gcc" + _error_detect "apt-get -y install make" + _error_detect "apt-get -y install libmnl-dev" + ;; + fedora) + [ ! -d "/usr/src/kernels/$(uname -r)" ] && _error_detect "dnf -y install kernel-headers" && _error_detect "dnf -y install kernel-devel" + _error_detect "dnf -y install qrencode" + _error_detect "dnf -y install bc" + _error_detect "dnf -y install gcc" + _error_detect "dnf -y install make" + _error_detect "dnf -y install libmnl-devel" + ;; + centos) + _error_detect "yum -y install epel-release" + [ ! -d "/usr/src/kernels/$(uname -r)" ] && _error_detect "yum -y install kernel-headers" && _error_detect "yum -y install kernel-devel" + _error_detect "yum -y install qrencode" + _error_detect "yum -y install bc" + _error_detect "yum -y install gcc" + _error_detect "yum -y install make" + _error_detect "yum -y install libmnl-devel" + ;; + *) + ;; # do nothing + esac + _get_latest_ver + wireguard_name="WireGuard-${wireguard_ver}" + wireguard_url="https://github.com/WireGuard/WireGuard/archive/${wireguard_ver}.tar.gz" + _error_detect "wget --no-check-certificate -qO ${wireguard_name}.tar.gz ${wireguard_url}" + _error_detect "tar zxf ${wireguard_name}.tar.gz" + _error_detect "cd ${wireguard_name}/src" + _error_detect "make tools" + _error_detect "make module" + _error_detect "make install" + _error_detect "cd ${cur_dir} && rm -fr ${wireguard_name}.tar.gz ${wireguard_name}" + if ! 
_is_installed; then + _error "Failed to install wireguard, the kernel is most likely not configured correctly" + fi +} + +# Create server interface +create_server_if() { + SERVER_PRIVATE_KEY="$(wg genkey)" + SERVER_PUBLIC_KEY="$(echo ${SERVER_PRIVATE_KEY} | wg pubkey)" + CLIENT_PRIVATE_KEY="$(wg genkey)" + CLIENT_PUBLIC_KEY="$(echo ${CLIENT_PRIVATE_KEY} | wg pubkey)" + CLIENT_PRE_SHARED_KEY="$( wg genpsk )" + _info "Create server interface: /etc/wireguard/${SERVER_WG_NIC}.conf" + [ ! -d "/etc/wireguard" ] && mkdir -p "/etc/wireguard" + if [ -n "${SERVER_PUB_IPV6}" ]; then + cat > /etc/wireguard/${SERVER_WG_NIC}.conf < /etc/wireguard/${SERVER_WG_NIC}.conf < /etc/wireguard/${SERVER_WG_NIC}_client < /etc/wireguard/${SERVER_WG_NIC}_client <> /etc/sysctl.conf + [ -n "${SERVER_PUB_IPV6}" ] && echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf + sysctl -p >/dev/null 2>&1 +} + +# Set firewall rules +set_firewall() { + _info "Setting firewall rules" + if _exists "firewall-cmd"; then + if [ "$(firewall-cmd --state | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g")" = "running" ]; then + default_zone="$(firewall-cmd --get-default-zone)" + if [ "$(firewall-cmd --zone=${default_zone} --query-masquerade)" = "no" ]; then + _error_detect "firewall-cmd --zone=${default_zone} --add-masquerade" + fi + if ! 
firewall-cmd --list-ports | grep -qw "${SERVER_WG_PORT}/udp"; then + _error_detect "firewall-cmd --permanent --zone=${default_zone} --add-port=${SERVER_WG_PORT}/udp" + fi + _error_detect "firewall-cmd --reload" + else + _warn "Firewalld looks like not running, please start it and manually set" + fi + else + if _exists "iptables"; then + iptables -A INPUT -p udp --dport ${SERVER_WG_PORT} -j ACCEPT + iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT + iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE + iptables-save > /etc/iptables.rules + if [ -d "/etc/network/if-up.d" ]; then + cat > /etc/network/if-up.d/iptables < /etc/ip6tables.rules + if [ -d "/etc/network/if-up.d" ]; then + cat > /etc/network/if-up.d/ip6tables < ${new_client_if} <> ${default_server_if} < ${new_client_if} <> ${default_server_if} <