initial commitHEAD main

author: hc <hc@a.nub.ninja> 2026-02-07 12:15:01 +0000
committer: hc <hc@a.nub.ninja> 2026-02-07 12:15:01 +0000
commit: f6cdeabe2f57b97299308e16486958ed122315b9 (patch)
tree: c570f1b5ef373eb251c8504992b95f1b7789746f /entrypoint.sh
1 files changed, 82 insertions, 0 deletions
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..2316e01
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+set -e
+WG_CONF="/etc/wireguard/wg0.conf"
+# Parse the config file
+PRIVATE_KEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
+ADDRESS_V4=$(grep -oP 'Address\s*=\s*\K[^,]+' "$WG_CONF" | grep -v ':' | tr -d ' ')
+ADDRESS_V6=$(grep -oP 'Address\s*=\s*\K.*' "$WG_CONF" | grep -oP '[^,]*::[^,]*' | tr -d ' ')
+DNS_SERVERS=$(grep -oP 'DNS\s*=\s*\K.*' "$WG_CONF" | tr ',' '\n' | tr -d ' ')
+PEER_PUBKEY=$(grep -oP 'PublicKey\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
+ENDPOINT=$(grep -oP 'Endpoint\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
+WG_ENDPOINT=$(echo "$ENDPOINT" | cut -d: -f1)
+WG_PORT=$(echo "$ENDPOINT" | cut -d: -f2)
+# Set DNS manually
+if [ -n "$DNS_SERVERS" ]; then
+    : > /etc/resolv.conf
+    for dns in $DNS_SERVERS; do
+        echo "nameserver $dns" >> /etc/resolv.conf
+    done
+fi
+DEFAULT_IF=$(ip route | awk '/default/ {print $5; exit}')
+DEFAULT_GW=$(ip route | awk '/default/ {print $3; exit}')
+# --- IPv4 kill switch ---
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A OUTPUT -d "$WG_ENDPOINT" -p udp --dport "$WG_PORT" -j ACCEPT
+iptables -A INPUT -s "$WG_ENDPOINT" -p udp --sport "$WG_PORT" -j ACCEPT
+iptables -A INPUT -i wg0 -j ACCEPT
+iptables -A OUTPUT -o wg0 -j ACCEPT
+iptables -A INPUT -i "$DEFAULT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# Allow container-to-container traffic
+iptables -A INPUT -i eth0 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j ACCEPT
+iptables -A INPUT -j DROP
+iptables -A OUTPUT -j DROP
+# --- IPv6 kill switch ---
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A INPUT -i wg0 -j ACCEPT
+ip6tables -A OUTPUT -o wg0 -j ACCEPT
+ip6tables -A INPUT -j DROP
+ip6tables -A OUTPUT -j DROP
+# --- Bring up WireGuard manually (no wg-quick) ---
+ip link add wg0 type wireguard
+echo "$PRIVATE_KEY" | wg set wg0 private-key /dev/stdin peer "$PEER_PUBKEY" endpoint "$ENDPOINT" allowed-ips 0.0.0.0/0,::/0
+[ -n "$ADDRESS_V4" ] && ip addr add "$ADDRESS_V4" dev wg0
+[ -n "$ADDRESS_V6" ] && ip addr add "$ADDRESS_V6" dev wg0
+ip link set wg0 up
+# Route the WireGuard endpoint via the real gateway (avoid routing loop)
+ip route add "$WG_ENDPOINT"/32 via "$DEFAULT_GW" dev "$DEFAULT_IF"
+# Route all other traffic through the tunnel
+ip route add 0.0.0.0/1 dev wg0
+ip route add 128.0.0.0/1 dev wg0
+# IPv6 routes through the tunnel
+if [ -n "$ADDRESS_V6" ]; then
+    ip -6 route add ::/1 dev wg0
+    ip -6 route add 8000::/1 dev wg0
+fi
+echo "VPN is up. Checking connection..."
+curl -s --max-time 10 https://am.i.mullvad.net/connected || echo "Warning: could not verify Mullvad connection"
+echo "Public IP: $(curl -s --max-time 10 https://am.i.mullvad.net/ip) | Location: $(curl -s --max-time 10 https://am.i.mullvad.net/country), $(curl -s --max-time 10 https://am.i.mullvad.net/city)"
+echo "VPN gateway ready."
+# Keep the container running, exit gracefully on SIGTERM
+trap 'echo "Shutting down VPN..."; ip link del wg0 2>/dev/null; exit 0' SIGTERM SIGINT
+sleep infinity &
+wait $!
author	hc <hc@a.nub.ninja>	2026-02-07 12:15:01 +0000
committer	hc <hc@a.nub.ninja>	2026-02-07 12:15:01 +0000
commit	f6cdeabe2f57b97299308e16486958ed122315b9 (patch)
tree	c570f1b5ef373eb251c8504992b95f1b7789746f /entrypoint.sh

diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 0000000..2316e01 --- /dev/null +++ b/entrypoint.sh
@@ -0,0 +1,82 @@
	1	#!/bin/bash
	2	set -e
	3
	4	WG_CONF="/etc/wireguard/wg0.conf"
	5
	6	# Parse the config file
	7	PRIVATE_KEY=$(grep -oP 'PrivateKey\s=\s\K.*' "$WG_CONF" \| tr -d ' ')
	8	ADDRESS_V4=$(grep -oP 'Address\s=\s\K[^,]+' "$WG_CONF" \| grep -v ':' \| tr -d ' ')
	9	ADDRESS_V6=$(grep -oP 'Address\s=\s\K.' "$WG_CONF" \| grep -oP '[^,]::[^,]*' \| tr -d ' ')
	10	DNS_SERVERS=$(grep -oP 'DNS\s=\s\K.*' "$WG_CONF" \| tr ',' '\n' \| tr -d ' ')
	11	PEER_PUBKEY=$(grep -oP 'PublicKey\s=\s\K.*' "$WG_CONF" \| tr -d ' ')
	12	ENDPOINT=$(grep -oP 'Endpoint\s=\s\K.*' "$WG_CONF" \| tr -d ' ')
	13	WG_ENDPOINT=$(echo "$ENDPOINT" \| cut -d: -f1)
	14	WG_PORT=$(echo "$ENDPOINT" \| cut -d: -f2)
	15
	16	# Set DNS manually
	17	if [ -n "$DNS_SERVERS" ]; then
	18	: > /etc/resolv.conf
	19	for dns in $DNS_SERVERS; do
	20	echo "nameserver $dns" >> /etc/resolv.conf
	21	done
	22	fi
	23
	24	DEFAULT_IF=$(ip route \| awk '/default/ {print $5; exit}')
	25	DEFAULT_GW=$(ip route \| awk '/default/ {print $3; exit}')
	26
	27	# --- IPv4 kill switch ---
	28	iptables -A INPUT -i lo -j ACCEPT
	29	iptables -A OUTPUT -o lo -j ACCEPT
	30	iptables -A OUTPUT -d "$WG_ENDPOINT" -p udp --dport "$WG_PORT" -j ACCEPT
	31	iptables -A INPUT -s "$WG_ENDPOINT" -p udp --sport "$WG_PORT" -j ACCEPT
	32	iptables -A INPUT -i wg0 -j ACCEPT
	33	iptables -A OUTPUT -o wg0 -j ACCEPT
	34	iptables -A INPUT -i "$DEFAULT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	35	# Allow container-to-container traffic
	36	iptables -A INPUT -i eth0 -j ACCEPT
	37	iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j ACCEPT
	38	iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j ACCEPT
	39	iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j ACCEPT
	40	iptables -A INPUT -j DROP
	41	iptables -A OUTPUT -j DROP
	42
	43	# --- IPv6 kill switch ---
	44	ip6tables -A INPUT -i lo -j ACCEPT
	45	ip6tables -A OUTPUT -o lo -j ACCEPT
	46	ip6tables -A INPUT -i wg0 -j ACCEPT
	47	ip6tables -A OUTPUT -o wg0 -j ACCEPT
	48	ip6tables -A INPUT -j DROP
	49	ip6tables -A OUTPUT -j DROP
	50
	51	# --- Bring up WireGuard manually (no wg-quick) ---
	52	ip link add wg0 type wireguard
	53	echo "$PRIVATE_KEY" \| wg set wg0 private-key /dev/stdin peer "$PEER_PUBKEY" endpoint "$ENDPOINT" allowed-ips 0.0.0.0/0,::/0
	54
	55	[ -n "$ADDRESS_V4" ] && ip addr add "$ADDRESS_V4" dev wg0
	56	[ -n "$ADDRESS_V6" ] && ip addr add "$ADDRESS_V6" dev wg0
	57
	58	ip link set wg0 up
	59
	60	# Route the WireGuard endpoint via the real gateway (avoid routing loop)
	61	ip route add "$WG_ENDPOINT"/32 via "$DEFAULT_GW" dev "$DEFAULT_IF"
	62
	63	# Route all other traffic through the tunnel
	64	ip route add 0.0.0.0/1 dev wg0
	65	ip route add 128.0.0.0/1 dev wg0
	66
	67	# IPv6 routes through the tunnel
	68	if [ -n "$ADDRESS_V6" ]; then
	69	ip -6 route add ::/1 dev wg0
	70	ip -6 route add 8000::/1 dev wg0
	71	fi
	72
	73	echo "VPN is up. Checking connection..."
	74	curl -s --max-time 10 https://am.i.mullvad.net/connected \|\| echo "Warning: could not verify Mullvad connection"
	75	echo "Public IP: $(curl -s --max-time 10 https://am.i.mullvad.net/ip) \| Location: $(curl -s --max-time 10 https://am.i.mullvad.net/country), $(curl -s --max-time 10 https://am.i.mullvad.net/city)"
	76
	77	echo "VPN gateway ready."
	78
	79	# Keep the container running, exit gracefully on SIGTERM
	80	trap 'echo "Shutting down VPN..."; ip link del wg0 2>/dev/null; exit 0' SIGTERM SIGINT
	81	sleep infinity &
	82	wait $!