homelab/scripts/vpn/script.sh
2023-01-02 14:46:07 +01:00


#!/bin/bash
# Sets up a WireGuard VPN host managed by dsnet, plus a dnsmasq resolver bound
# to the VPN address. Each step is a _ch_NNN-* function defined below.
#
# Environment: HL_LIB (path of the helper library sourced here) and the three
# HL_* names passed to _assert_vars.
set -euo pipefail

# The library is executed in this shell, and the steps below call sudo, so the
# file HL_LIB points at is trusted as much as this script itself.
. "$HL_LIB"

# _assert_vars is not defined in this file; presumably it comes from the
# library above and aborts when one of the named variables is missing.
_assert_vars HL_TIMEZONE HL_DOMAIN HL_DNS_SERVERS_SPACE_SEP
#######################################
# Checkpoint 001: install WireGuard and load its kernel module.
# Arguments: none
# Returns:   status of the last sudo command
#######################################
_ch_001-install_wireguard() {
  local -r package='wireguard'
  local -r module='wireguard'

  sudo apt-get install -y "$package"
  sudo modprobe "$module"
}
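#######################################
# Checkpoint 002: download the dsnet binary and install it as /usr/bin/dsnet.
#
# The download runs unprivileged into a temporary file; only the final copy
# into /usr/bin uses sudo. curl is told to fail on HTTP errors, so an error
# page is never installed as an executable, and to stay on HTTPS across
# redirects.
#
# Globals:   HL_DSNET_SHA256 (read, optional) - lowercase hex SHA-256 the
#            downloaded file must match. When unset or empty the binary is
#            installed unverified, as before. The URL follows the "latest"
#            release, so a pinned digest has to be updated with each release.
# Arguments: none
# Returns:   0 on success; 1 if the download, the digest check or the install
#            fails (nothing is written to /usr/bin/dsnet in the first two cases)
#######################################
_ch_002-install_dsnet() {
  local -r url='https://github.com/naggie/dsnet/releases/latest/download/dsnet-linux-amd64'
  local -r dest='/usr/bin/dsnet'
  local staged actual

  staged=$(mktemp) || return 1

  if ! curl --fail --location --proto '=https' --proto-redir '=https' \
    --output "$staged" "$url"; then
    printf 'dsnet download failed: %s\n' "$url" >&2
    rm -f -- "$staged"
    return 1
  fi

  if [[ -n "${HL_DSNET_SHA256:-}" ]]; then
    if ! actual=$(sha256sum -- "$staged"); then
      rm -f -- "$staged"
      return 1
    fi
    # sha256sum prints "<digest>  <file>"; keep only the digest.
    actual=${actual%% *}
    if [[ "$actual" != "$HL_DSNET_SHA256" ]]; then
      printf 'dsnet checksum mismatch: expected %s, got %s\n' \
        "$HL_DSNET_SHA256" "$actual" >&2
      rm -f -- "$staged"
      return 1
    fi
  fi

  # install sets owner and mode in one step, so the binary is never present
  # at its final path in a half-written or non-executable state.
  if ! sudo install -m 0755 -o root -g root -- "$staged" "$dest"; then
    rm -f -- "$staged"
    return 1
  fi
  rm -f -- "$staged"
}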
#######################################
# Checkpoint 003: initialise dsnet and keep its config under /data.
#
# After `dsnet init`, /etc/dsnetconfig.json is copied to /data unless a copy
# is already there, then replaced by a symlink to the /data copy.
# NOTE(review): the config presumably holds the VPN's key material - confirm
# that /data and the copied file are readable by root only.
# Arguments: none
# Returns:   status of the last sudo command
#######################################
_ch_003-init_dsnet() {
  local -r generated='/etc/dsnetconfig.json'
  local -r persistent='/data/dsnetconfig.json'

  sudo dsnet init

  # An existing persistent config wins over the freshly generated one.
  if [ ! -f "$persistent" ]; then
    sudo cp "$generated" "$persistent"
  fi

  # From here on the /etc path is only a pointer to the persistent file.
  sudo rm "$generated"
  sudo ln -s "$persistent" "$generated"
}
#######################################
# Checkpoint 004: install the dsnet systemd unit and reload systemd.
#
# The unit file is taken from the current working directory, so whatever
# dsnet.service is found there gets installed as a root-run service.
# Arguments: none
# Returns:   status of the last sudo command
#######################################
_ch_004-install_service() {
  local -r unit='dsnet.service'
  local -r unit_dir='/etc/systemd/system'

  sudo cp "$unit" "$unit_dir/$unit"
  sudo systemctl daemon-reload
}
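#######################################
# Checkpoint 005: turn on IPv4 and IPv6 forwarding now and across reboots.
#
# Each setting is applied with `sysctl -w` and appended to /etc/sysctl.conf
# only if that exact line is not already there, so re-running the checkpoint
# does not pile up duplicate entries. If the file cannot be read, the line is
# appended as before.
#
# Forwarding is enabled for all interfaces and this function adds no packet
# filtering; which traffic may actually cross the host is left to firewall
# rules configured elsewhere.
# Arguments: none
# Outputs:   sysctl's and tee's output on stdout
# Returns:   0 on success, otherwise the status of the failing command
#######################################
_ch_005-enable_ip_forwarding() {
  local -r conf='/etc/sysctl.conf'
  local -a settings=('net.ipv4.ip_forward=1' 'net.ipv6.conf.all.forwarding=1')
  local setting

  for setting in "${settings[@]}"; do
    sudo sysctl -w "$setting"
  done

  for setting in "${settings[@]}"; do
    # -x: whole-line match, -F: literal string (the dots are not wildcards).
    if ! grep -qxF -- "$setting" "$conf" 2>/dev/null; then
      printf '%s\n' "$setting" | sudo tee -a "$conf"
    fi
  done
}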
#######################################
# Checkpoint 006: enable the dsnet unit at boot and start it immediately.
# Arguments: none
# Returns:   status of systemctl
#######################################
_ch_006-run_service() {
  local -r unit='dsnet.service'

  sudo systemctl enable --now "$unit"
}
#######################################
# Checkpoint 007: install the dnsmasq package.
# Arguments: none
# Returns:   status of apt-get
#######################################
_ch_007-install_dnsmasq() {
  local -r package='dnsmasq'

  sudo apt-get install -y "$package"
}
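#######################################
# Checkpoint 008: write the dnsmasq drop-in for the VPN and apply it.
#
# The resolver listens on the dsnet interface's IPv4 address, forwards to the
# upstream servers in HL_DNS_SERVERS_SPACE_SEP and answers HL_DOMAIN with the
# VPN address.
#
# Globals:   HL_DNS_SERVERS_SPACE_SEP (read), HL_DOMAIN (read),
#            DSNET_IP (written; kept global as in the original)
# Arguments: none
# Outputs:   the generated config on stdout (via tee), errors on stderr
# Returns:   0 on success; 1 if the interface address cannot be determined
#######################################
_ch_008-configure_dnsmasq() {
  local -r conf='/etc/dnsmasq.d/dnsmasq-vpn'
  local serv

  # dynamically acquire ip address of the wireguard interface
  DSNET_IP=$(ip -f inet addr show dsnet | awk '/inet/ {print $2}' | cut -d / -f 1) \
    || return 1

  # An interface with no address, or with several, would otherwise end up as
  # an empty or multi-line value inside a root-owned config file.
  if [[ ! "$DSNET_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'dsnet: expected exactly one IPv4 address, got: %q\n' "$DSNET_IP" >&2
    return 1
  fi

  # listen only for queries from inside the VPN and respond with the VPN ip address
  {
    echo "# dsnet intra-VPN DNS resolver"
    echo "listen-address=$DSNET_IP"
    # Word splitting is intentional: the variable is a space-separated list.
    # shellcheck disable=SC2086
    for serv in $HL_DNS_SERVERS_SPACE_SEP; do
      echo "server=$serv"
    done
    echo "address=/$HL_DOMAIN/$DSNET_IP"
  } | sudo tee "$conf"

  # dnsmasq does not re-read its configuration files on a reload (SIGHUP), so
  # the new listen-address and server lines only take effect after a restart.
  sudo systemctl restart dnsmasq.service
}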
#######################################
# Checkpoint 009: enable dnsmasq at boot and start it immediately.
# Arguments: none
# Returns:   status of systemctl
#######################################
_ch_009-enable_dnsmasq() {
  local -r unit='dnsmasq.service'

  sudo systemctl enable --now "$unit"
}
# Hand control to the checkpoint runner. _run_checkpoints is not defined in
# this file; presumably it comes from the library sourced via HL_LIB and runs
# the _ch_NNN-* functions above in numeric order - confirm against that library.
_run_checkpoints