installer: auto-connect to Mullvad (Albania) after setup; robust heredoc; replace LAN interface; respect killswitch choice
This commit is contained in:
parent
a5e4c68017
commit
663d585ac6
1 changed files with 84 additions and 7 deletions
89
install.sh
89
install.sh
|
@ -607,12 +607,12 @@ EOF
|
|||
|
||||
# Enable and (optionally) start killswitch
|
||||
systemctl daemon-reload
|
||||
systemctl enable vpn-killswitch.service || true
|
||||
if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
|
||||
systemctl enable vpn-killswitch.service || true
|
||||
systemctl start vpn-killswitch.service || true
|
||||
log "Killswitch installed and activated"
|
||||
else
|
||||
log "Killswitch installed but not started (per user choice)"
|
||||
log "Killswitch installed but not enabled/started (per user choice)"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -851,16 +851,20 @@ EOFMON
|
|||
# Reload and start services
|
||||
systemctl daemon-reload
|
||||
|
||||
# Enable services conditionally (killswitch may be skipped earlier)
|
||||
# Enable services conditionally (respect user choice for killswitch)
|
||||
if [ -f /etc/systemd/system/vpn-killswitch.service ]; then
|
||||
if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
|
||||
systemctl enable vpn-killswitch || true
|
||||
else
|
||||
warning "Killswitch service not installed or was skipped; skipping enable"
|
||||
warning "Killswitch present but not enabled (per user choice)"
|
||||
fi
|
||||
else
|
||||
warning "Killswitch service not installed; skipping enable"
|
||||
fi
|
||||
systemctl enable vpn-webui vpn-security-monitor || true
|
||||
|
||||
# Start services conditionally
|
||||
if [ -f /etc/systemd/system/vpn-killswitch.service ]; then
|
||||
# Start services conditionally (respect user choice for killswitch)
|
||||
if [ -f /etc/systemd/system/vpn-killswitch.service ] && [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
|
||||
systemctl start vpn-killswitch || true
|
||||
fi
|
||||
systemctl start vpn-webui vpn-security-monitor || true
|
||||
|
@ -893,6 +897,78 @@ EOF
|
|||
log "Nginx configured"
|
||||
}
|
||||
|
||||
# Auto-connect to Mullvad (Albania) without prompts
|
||||
auto_connect_mullvad_albania() {
|
||||
if [ "$VPN_PROVIDER" != "mullvad" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
log "Auto-connecting to Mullvad (Albania)..."
|
||||
|
||||
# Fetch Mullvad relays and pick first active WireGuard in Albania
|
||||
local api="https://api.mullvad.net/www/relays/all/"
|
||||
local endpoint_ip
|
||||
endpoint_ip=$(curl -fsSL "$api" | jq -r '.[] | select(.type=="wireguard" and .active==true and .country_name=="Albania") | .ipv4_addr_in' | head -n1)
|
||||
if [ -z "$endpoint_ip" ] || [ "$endpoint_ip" = "null" ]; then
|
||||
warning "No Albania Mullvad server found; skipping auto-connect"
|
||||
return
|
||||
fi
|
||||
|
||||
# Ensure WireGuard key exists
|
||||
if [ ! -f /etc/wireguard/mullvad_private.key ]; then
|
||||
wg genkey | tee /etc/wireguard/mullvad_private.key | wg pubkey > /etc/wireguard/mullvad_public.key
|
||||
chmod 600 /etc/wireguard/mullvad_private.key
|
||||
fi
|
||||
|
||||
local private_key
|
||||
private_key=$(cat /etc/wireguard/mullvad_private.key)
|
||||
|
||||
# Same public key used by backend placeholder
|
||||
local mullvad_pubkey="g+9JNZp3SvLPvBb+PzXHyOPHhqNiUdATrz1YdNEPvWo="
|
||||
|
||||
cat > /etc/wireguard/wg0.conf << EOFWG
|
||||
# Mullvad WireGuard Configuration (Auto)
|
||||
# Country: Albania
|
||||
|
||||
[Interface]
|
||||
PrivateKey = $private_key
|
||||
Address = 10.64.0.2/32,fc00:bbbb:bbbb:bb01::2/128
|
||||
DNS = 100.64.0.1
|
||||
|
||||
# Killswitch rules
|
||||
PreUp = iptables -F OUTPUT
|
||||
PreUp = iptables -F FORWARD
|
||||
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
|
||||
PostUp = iptables -I FORWARD -i __LAN_IF__ -o %i -j ACCEPT
|
||||
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
|
||||
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
|
||||
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
|
||||
|
||||
[Peer]
|
||||
PublicKey = $mullvad_pubkey
|
||||
AllowedIPs = 0.0.0.0/0,::/0
|
||||
Endpoint = $endpoint_ip:51820
|
||||
PersistentKeepalive = 25
|
||||
EOFWG
|
||||
|
||||
chmod 600 /etc/wireguard/wg0.conf
|
||||
|
||||
# Allow reaching the endpoint through the killswitch
|
||||
iptables -I OUTPUT 1 -p udp --dport 51820 -d "$endpoint_ip" -j ACCEPT || true
|
||||
|
||||
# Replace placeholder with actual LAN interface
|
||||
sed -i "s|__LAN_IF__|$LAN_INTERFACE|g" /etc/wireguard/wg0.conf
|
||||
|
||||
# Connect
|
||||
wg-quick down wg0 >/dev/null 2>&1 || true
|
||||
if wg-quick up wg0 >/dev/null 2>&1; then
|
||||
log "Connected to Mullvad (Albania)"
|
||||
systemctl enable wg-quick@wg0 >/dev/null 2>&1 || true
|
||||
else
|
||||
warning "Failed to bring up wg0; you can connect later via WebUI or manually"
|
||||
fi
|
||||
}
|
||||
|
||||
# Final setup
|
||||
finalize_installation() {
|
||||
log "Finalizing installation..."
|
||||
|
@ -998,6 +1074,7 @@ main() {
|
|||
install_webui
|
||||
setup_services
|
||||
setup_nginx
|
||||
auto_connect_mullvad_albania
|
||||
finalize_installation
|
||||
|
||||
show_summary
|
||||
|
|
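Review bot: In auto_connect_mullvad_albania the wg0.conf heredoc uses an unquoted `EOFWG` delimiter, so `$(wg show %i fwmark)` on the PostUp and PreDown REJECT lines is command-substituted by the installer's shell at write time (with a literal `%i`, which cannot succeed) rather than by wg-quick at link-up, and the rule written to disk ends up with an empty `--mark` argument. Escape just that substitution so it survives into the file while `$private_key`, `$mullvad_pubkey` and `$endpoint_ip` still expand: `PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark \$(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT` and the matching `PreDown = iptables -D OUTPUT ... \$(wg show %i fwmark) ...` line. Separately, the endpoint is chosen per run from the relay list but `PublicKey` is a fixed placeholder copied from the backend; each relay entry in that API carries its own `pubkey`, so select it in the same jq query (e.g. emit `[.ipv4_addr_in, .pubkey] | @tsv` and `IFS=$'\t' read -r endpoint_ip mullvad_pubkey`), otherwise the handshake cannot complete against an arbitrary Albania relay and the peer is effectively unauthenticated by design intent. The fixed `Address = 10.64.0.2/32,...` likewise looks like a placeholder that presumably must come from the account's key registration, and `wg genkey | tee /etc/wireguard/mullvad_private.key` writes the key under the default umask before the later `chmod 600` — wrapping it as `(umask 077; wg genkey | tee ...)` closes that window.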