nocci/mvpg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

installer: auto-connect to Mullvad (Albania) after setup; robust heredoc; replace LAN interface; respect killswitch choice

Browse source
This commit is contained in:
root 2025-08-12 09:51:39 +00:00
parent a5e4c68017
commit 663d585ac6
1 changed files with 84 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

91
install.sh
View file

@ -607,12 +607,12 @@ EOF
# Enable and (optionally) start killswitch # Enable and (optionally) start killswitch
systemctl daemon-reload systemctl daemon-reload
systemctl enable vpn-killswitch.service || true
if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
systemctl enable vpn-killswitch.service || true
systemctl start vpn-killswitch.service || true systemctl start vpn-killswitch.service || true
log "Killswitch installed and activated" log "Killswitch installed and activated"
else else
log "Killswitch installed but not started (per user choice)" log "Killswitch installed but not enabled/started (per user choice)"
fi fi
} }
@ -851,16 +851,20 @@ EOFMON
# Reload and start services # Reload and start services
systemctl daemon-reload systemctl daemon-reload
# Enable services conditionally (killswitch may be skipped earlier) # Enable services conditionally (respect user choice for killswitch)
if [ -f /etc/systemd/system/vpn-killswitch.service ]; then if [ -f /etc/systemd/system/vpn-killswitch.service ]; then
systemctl enable vpn-killswitch || true if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
systemctl enable vpn-killswitch || true
else
warning "Killswitch present but not enabled (per user choice)"
fi
else else
warning "Killswitch service not installed or was skipped; skipping enable" warning "Killswitch service not installed; skipping enable"
fi fi
systemctl enable vpn-webui vpn-security-monitor || true systemctl enable vpn-webui vpn-security-monitor || true
# Start services conditionally # Start services conditionally (respect user choice for killswitch)
if [ -f /etc/systemd/system/vpn-killswitch.service ]; then if [ -f /etc/systemd/system/vpn-killswitch.service ] && [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
systemctl start vpn-killswitch || true systemctl start vpn-killswitch || true
fi fi
systemctl start vpn-webui vpn-security-monitor || true systemctl start vpn-webui vpn-security-monitor || true
@ -893,6 +897,78 @@ EOF
log "Nginx configured" log "Nginx configured"
} }
# Auto-connect to Mullvad (Albania) without prompts
auto_connect_mullvad_albania() {
if [ "$VPN_PROVIDER" != "mullvad" ]; then
return
fi
log "Auto-connecting to Mullvad (Albania)..."
# Fetch Mullvad relays and pick first active WireGuard in Albania
local api="https://api.mullvad.net/www/relays/all/"
local endpoint_ip
endpoint_ip=$(curl -fsSL "$api" | jq -r '.[] | select(.type=="wireguard" and .active==true and .country_name=="Albania") | .ipv4_addr_in' | head -n1)
if [ -z "$endpoint_ip" ] || [ "$endpoint_ip" = "null" ]; then
warning "No Albania Mullvad server found; skipping auto-connect"
return
fi
# Ensure WireGuard key exists
if [ ! -f /etc/wireguard/mullvad_private.key ]; then
wg genkey | tee /etc/wireguard/mullvad_private.key | wg pubkey > /etc/wireguard/mullvad_public.key
chmod 600 /etc/wireguard/mullvad_private.key
fi
local private_key
private_key=$(cat /etc/wireguard/mullvad_private.key)
# Same public key used by backend placeholder
local mullvad_pubkey="g+9JNZp3SvLPvBb+PzXHyOPHhqNiUdATrz1YdNEPvWo="
cat > /etc/wireguard/wg0.conf << EOFWG
# Mullvad WireGuard Configuration (Auto)
# Country: Albania
[Interface]
PrivateKey = $private_key
Address = 10.64.0.2/32,fc00:bbbb:bbbb:bb01::2/128
DNS = 100.64.0.1
# Killswitch rules
PreUp = iptables -F OUTPUT
PreUp = iptables -F FORWARD
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PostUp = iptables -I FORWARD -i __LAN_IF__ -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
[Peer]
PublicKey = $mullvad_pubkey
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = $endpoint_ip:51820
PersistentKeepalive = 25
EOFWG
chmod 600 /etc/wireguard/wg0.conf
# Allow reaching the endpoint through the killswitch
iptables -I OUTPUT 1 -p udp --dport 51820 -d "$endpoint_ip" -j ACCEPT || true
# Replace placeholder with actual LAN interface
sed -i "s|__LAN_IF__|$LAN_INTERFACE|g" /etc/wireguard/wg0.conf
# Connect
wg-quick down wg0 >/dev/null 2>&1 || true
if wg-quick up wg0 >/dev/null 2>&1; then
log "Connected to Mullvad (Albania)"
systemctl enable wg-quick@wg0 >/dev/null 2>&1 || true
else
warning "Failed to bring up wg0; you can connect later via WebUI or manually"
fi
}
# Final setup # Final setup
finalize_installation() { finalize_installation() {
log "Finalizing installation..." log "Finalizing installation..."
@ -998,6 +1074,7 @@ main() {
install_webui install_webui
setup_services setup_services
setup_nginx setup_nginx
auto_connect_mullvad_albania
finalize_installation finalize_installation
show_summary show_summary