CyberMind-FR ee9a54b0a5 fix(waf): Add LuCI whitelist and moderate sensitivity mode
- Add TRUSTED_PATH_PREFIXES for LuCI, ubus, and CGI paths
- Fix moderate mode to always require threshold (3 attempts in 5 min)
  instead of immediate ban on critical threats
- Add WireGuard endpoint whitelist support to prevent VPN peer bans
- New script: mitmproxy-sync-wg-endpoints extracts peer IPs from UCI
- Bump version to v2.4

Prevents accidental bans from legitimate external LuCI login attempts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-09 16:47:17 +01:00


#!/bin/sh
# Sync WireGuard peer endpoints to mitmproxy WAF whitelist
# This ensures VPN peers are never banned by the WAF
#
# Run this:
# - On boot (via init script)
# - When WireGuard config changes (via UCI hook)
# - Periodically (via cron)
# Whitelist file consumed by the mitmproxy WAF; rewritten on every run.
ENDPOINTS_FILE='/srv/mitmproxy/wireguard-endpoints.json'
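#######################################
# Return 0 when $1 is an IPv4 or IPv6 address literal.
# Only address literals may reach the WAF whitelist: hostnames,
# resolver noise such as "127.0.0.1#53" or "127.0.0.1:53", and any
# stray punctuation are rejected so the generated JSON stays well-formed.
# Arguments: $1 - candidate string
# Returns:   0 for an address literal, 1 otherwise
#######################################
_is_ip_literal() {
  case "$1" in
    "") return 1 ;;
    *[!0-9.]*)
      # Not dotted-decimal: accept only IPv6-shaped strings
      # (hex digits, at least two ':' and an optional embedded IPv4 tail).
      case "$1" in
        *:*:*)
          case "$1" in
            *[!0-9a-fA-F:.]*) return 1 ;;
          esac
          return 0
          ;;
      esac
      return 1
      ;;
    *.*.*.*) return 0 ;;
  esac
  return 1
}

#######################################
# Strip a trailing ":port" (or "[v6]:port" brackets) from an endpoint value.
# Bare IPv6 literals (two or more ':') are left untouched; the previous
# "cut -d: -f1" truncated them to their first hextet.
# Arguments: $1 - raw endpoint_host value from UCI
# Outputs:   the host part on stdout
#######################################
_strip_port() {
  local host=$1
  case "$host" in
    "["*"]"*) host=${host#"["}; host=${host%%"]"*} ;;
    *:*:*) ;;
    *:*) host=${host%%:*} ;;
  esac
  printf '%s\n' "$host"
}

#######################################
# Resolve a hostname to a single address literal via nslookup.
# Takes the last "Address" line (the first one is the resolver itself)
# and accepts it only if it passes _is_ip_literal.
# NOTE(review): the whitelist therefore trusts whatever the system resolver
# answers for the peer hostname; confirm that resolver is a trusted one.
# Arguments: $1 - hostname
# Outputs:   the address on stdout, nothing if resolution fails
# Returns:   0 if an address was printed, 1 otherwise
#######################################
_resolve_host() {
  local addr
  # Print the field after the first "xxx:" token so both the
  # "Address: 1.2.3.4" and the older "Address 1: 1.2.3.4 name" layouts work.
  addr=$(nslookup "$1" 2>/dev/null | grep 'Address' | tail -1 \
    | awk '{ for (i = 1; i < NF; i++) if ($i ~ /:$/) { print $(i + 1); exit } }')
  if _is_ip_literal "$addr"; then
    printf '%s\n' "$addr"
    return 0
  fi
  return 1
}

#######################################
# Extract every WireGuard peer endpoint from UCI as a comma-separated list
# of JSON string literals, e.g.  "10.0.0.1", "2001:db8::1"
# Each endpoint_host is reduced to an address literal (":port" dropped,
# hostnames resolved) and validated before it is added, so nothing that
# could break the JSON or widen the whitelist slips in.
# Duplicates are removed by exact match; the previous substring check
# dropped "10.0.0.10" whenever "10.0.0.1" was already listed.
# Globals:   none
# Outputs:   the list on stdout (empty when no peers are configured)
#######################################
get_wg_endpoints() {
  local endpoints="" peer host
  # One pass over every section that carries endpoint_host; this includes
  # the @wireguard_<iface>[n] peer sections of all wireguard interfaces.
  # A while-read loop (not "for x in $(...)") keeps "[0]" in section names
  # from being treated as a glob pattern.
  while IFS= read -r peer; do
    [ -n "$peer" ] || continue
    host=$(uci -q get "$peer" 2>/dev/null)
    [ -n "$host" ] || continue
    host=$(_strip_port "$host")
    if ! _is_ip_literal "$host"; then
      host=$(_resolve_host "$host") || continue
    fi
    # Exact-match dedup: the quotes make "10.0.0.1" distinct from "10.0.0.10".
    case "$endpoints" in
      *"\"$host\""*) continue ;;
    esac
    if [ -n "$endpoints" ]; then
      endpoints="$endpoints, \"$host\""
    else
      endpoints="\"$host\""
    fi
  done <<EOF
$(uci show network 2>/dev/null | grep '\.endpoint_host=' | cut -d= -f1)
EOF
  printf '%s\n' "$endpoints"
}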
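#######################################
# Entry point: regenerate the whitelist file and log a summary.
# Globals:   ENDPOINTS_FILE (read)
# Arguments: $1 - "-v" to also print the generated file
# Returns:   0 on success, 1 if the file could not be written
#######################################
main() {
  local endpoints tmp count
  endpoints=$(get_wg_endpoints)
  # Write to a temp file in the same directory and rename it into place,
  # so a reader never sees a half-written (invalid JSON) whitelist.
  mkdir -p "${ENDPOINTS_FILE%/*}"
  tmp=$(mktemp "${ENDPOINTS_FILE}.XXXXXX") || {
    logger -t mitmproxy-wg "Failed to create temp file for $ENDPOINTS_FILE"
    exit 1
  }
  cat > "$tmp" <<EOF
{
"updated": "$(date -Iseconds)",
"endpoints": [$endpoints]
}
EOF
  if ! mv -f "$tmp" "$ENDPOINTS_FILE"; then
    rm -f "$tmp"
    logger -t mitmproxy-wg "Failed to write $ENDPOINTS_FILE"
    exit 1
  fi
  # Each endpoint is one comma-separated item; an empty list counts as 0.
  if [ -n "$endpoints" ]; then
    count=$(printf '%s\n' "$endpoints" | tr ',' '\n' | wc -l | tr -d ' ')
  else
    count=0
  fi
  logger -t mitmproxy-wg "Synced $count WireGuard endpoint(s) to WAF whitelist"
  # if/fi rather than "[ ... ] && cat": the && form made the script exit 1
  # whenever -v was not given, which init/cron callers see as a failure.
  if [ "${1:-}" = "-v" ]; then
    cat "$ENDPOINTS_FILE"
  fi
}
main "$@"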