Windows WireGuard and WARP Self-Healing Kill Switch Automated Setup
# ================================================================
# WireGuard + WARP Kill Switch - FULL OTOMATIK KURULUM (FINAL)
# - WireGuard otomatik kurulur (yoksa)
# - wgcf ile anonim WARP config otomatik oluşturulur
# - kill switch (v8+V10) kurulur
# - Hiçbir kişisel bilgi içermez
# - Yönetici olarak çalıştırın
# ================================================================
# Global error preference: most failures below are swallowed silently. Steps that must
# not proceed on failure use -EA Stop or check $LASTEXITCODE explicitly; the rest is best-effort.
$ErrorActionPreference = "SilentlyContinue"
# Working folder for the tunnel profile, the generated helper scripts, the log and nssm.exe.
# NOTE(review): the helper scripts placed here are later executed as SYSTEM (scheduled task,
# WMI consumer, NSSM service). Nothing in this chunk sets an ACL on the folder; confirm that
# standard users cannot write to it, otherwise a swapped script runs as SYSTEM.
$KLASOR = "C:\WireGuard"
# WireGuard profile produced by wgcf; it holds the tunnel PrivateKey in plain text.
$CONFIG = "C:\WireGuard\wgcf-profile.conf"
# Shared log; the installer and every generated script append to it under one named mutex.
$LOG = "C:\WireGuard\killswitch.log"
# Generated scripts (their contents are the here-strings in sections 7-10).
# monitor.ps1: main loop, watches the tunnel service and toggles the block rules.
$MONITOR_PS1 = "C:\WireGuard\monitor.ps1"
# onarim.ps1: repair script, restores task / service / tunnel / monitor process.
$ONARIM_PS1 = "C:\WireGuard\onarim.ps1"
# servis-monitor.ps1: wrapper run by NSSM as a service, re-triggers onarim.ps1.
$SERVIS_PS1 = "C:\WireGuard\servis-monitor.ps1"
# wmi-onarim.ps1: wrapper launched by the WMI event consumer.
$WMI_WRAPPER = "C:\WireGuard\wmi-onarim.ps1"
$WG_EXE = "C:\Program Files\WireGuard\wireguard.exe"
# Tunnel name follows the profile file name; WireGuard names the service WireGuardTunnel$<name>.
$TUNEL_ADI = "wgcf-profile"
$TUNEL_SVC = "WireGuardTunnel`$wgcf-profile"
# Scheduled task, service and WMI subscription names used for setup and cleanup.
$GOREV_ANA = "WG-KillSwitch"
$GOREV_ONARIM = "WG-OnarimGorevi"
$WG_SVC_ADI = "WGKillSwitchSvc"
# WMI filter/consumer names; in this chunk they are only removed, their creation is not visible.
$WMI_FILTER = "WGMonitorOldu"
$WMI_CONSUMER = "WGMonitorOnarim"
# All-users Startup shortcut; only removed in this chunk.
$STARTUP_LNK = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\WGKillSwitch.lnk"
# Local-machine GPO startup-script locations; ScriptsIniGuncelle edits scripts.ini directly.
$GPO_SCRIPT_DIR = "C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup"
$GPO_SCRIPT = "$GPO_SCRIPT_DIR\wg-startup.ps1"
$GPO_INI_DIR = "C:\Windows\System32\GroupPolicy\Machine\Scripts"
$GPO_INI = "$GPO_INI_DIR\scripts.ini"
# NSSM binary, downloaded in section 2 when absent.
$NSSM = "C:\WireGuard\nssm.exe"
# Prints a section banner: a blank line, a cyan rule, the title, and a second cyan rule.
# $t - banner title (printed with one leading space).
function Baslik($t) {
  $cizgi = "================================================================"
  Write-Host -Object ""
  Write-Host -Object $cizgi -ForegroundColor Cyan
  Write-Host -Object " $t" -ForegroundColor White
  Write-Host -Object $cizgi -ForegroundColor Cyan
}
# Success line: " [OK] <message>" in green. $t - message text.
function OK($t) { $satir = " [OK] $t"; Write-Host -Object $satir -ForegroundColor Green }
# Warning line: " [WARN] <message>" in yellow. $t - message text.
function WARN($t) { $satir = " [WARN] $t"; Write-Host -Object $satir -ForegroundColor Yellow }
# Error line: " [HATA] <message>" in red. $t - message text. Does not exit; callers decide.
function HATA($t) { $satir = " [HATA] $t"; Write-Host -Object $satir -ForegroundColor Red }
# Informational line: " [--] <message>" in gray. $t - message text.
function BILGI($t) { $satir = " [--] $t"; Write-Host -Object $satir -ForegroundColor Gray }
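# Appends a timestamped line to $LOG and trims the file to its last 250 lines once it
# exceeds 500. Writers in the generated scripts use the same "Global\WGKillSwitchLog"
# mutex so concurrent appends/trims do not interleave.
# $m - message text; written as "yyyy-MM-dd HH:mm:ss | <m>".
# Fixes over the previous version: ReleaseMutex() was called even when WaitOne() had
# timed out (which throws because the mutex is not owned), an abandoned mutex was not
# handled, and the mutex handle was never disposed.
# The append is still best-effort when the lock could not be taken within 3s.
function Log($m) {
  $mutex = $null
  $sahip = $false
  try {
    $mutex = New-Object System.Threading.Mutex($false, "Global\WGKillSwitchLog")
    try {
      $sahip = $mutex.WaitOne(3000)
    } catch [System.Threading.AbandonedMutexException] {
      # A previous holder died while owning it; ownership has passed to us.
      $sahip = $true
    }
    Add-Content -Path $LOG -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') | $m" -Encoding UTF8 -EA SilentlyContinue
    try {
      $s = @(Get-Content $LOG -Encoding UTF8 -EA Stop)
      if ($s.Count -gt 500) { $s | Select-Object -Last 250 | Set-Content $LOG -Encoding UTF8 -Force }
    } catch {}
  } finally {
    if ($mutex) {
      if ($sahip) { try { $mutex.ReleaseMutex() } catch {} }
      $mutex.Dispose()
    }
  }
}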
# Stops and deletes a scheduled task by name, first via schtasks.exe (task path "\<name>")
# and then via the ScheduledTasks cmdlets, so whichever registration exists is removed.
# $isim - task name. All errors are suppressed; a missing task is not an error.
function GorevDurdurSil($isim) {
  $gorevYolu = "\$isim"
  foreach ($islem in @('/End', '/Delete')) {
    schtasks $islem /TN $gorevYolu /F 2>$null | Out-Null
  }
  Stop-ScheduledTask -TaskName $isim -EA SilentlyContinue
  Unregister-ScheduledTask -TaskName $isim -Confirm:$false -EA SilentlyContinue
}
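# Returns $true when "sc.exe query" reports the tunnel service ($TUNEL_SVC) as RUNNING.
# Previously the function returned the raw array of matching lines (truthy/falsy by
# emptiness); the explicit [bool] cast gives callers a real boolean.
function TunelCalisiyor {
  $cikti = & sc.exe query $TUNEL_SVC 2>$null
  # -match on a line array yields the matching lines; an empty result means not running.
  return [bool]($cikti -match "RUNNING")
}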
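# Registers a PowerShell script as a machine startup script in the local GPO scripts.ini.
# $iniDosyasi - path to scripts.ini (its directory is created if missing).
# $scriptYolu - script that powershell.exe should run at startup; it will execute as SYSTEM
#               at boot with -ExecutionPolicy Bypass, so the file must be admin-only writable.
# Behaviour: no-op if the path is already present; otherwise appends a new
# "<n>CmdLine=/<n>Parameters=" pair to [Startup] with n = highest existing index + 1, or
# creates the section with index 0. The file is written back as UTF-16 LE.
# Fixes over the previous version: a '$' in $scriptYolu was interpreted as a group
# reference by -replace, and a [Startup] header with no trailing newline was left unchanged.
function ScriptsIniGuncelle($iniDosyasi, $scriptYolu) {
  New-Item -ItemType Directory -Path (Split-Path $iniDosyasi) -Force -EA SilentlyContinue | Out-Null
  $icerik = ""
  if (Test-Path $iniDosyasi) {
    # scripts.ini is normally UTF-16 LE; fall back to the default encoding if that reads as empty.
    $icerik = Get-Content $iniDosyasi -Raw -Encoding Unicode -EA SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($icerik)) { $icerik = Get-Content $iniDosyasi -Raw -EA SilentlyContinue }
  }
  if ($null -eq $icerik) { $icerik = "" }
  if ($icerik -match [regex]::Escape($scriptYolu)) { BILGI "GPO scripts.ini: zaten kayitli, atlaniyor"; return }
  $parametreler = "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$scriptYolu`""
  if ($icerik -match "\[Startup\]") {
    # Find the highest <n>CmdLine index inside the [Startup] section only.
    $maxIndex = -1
    $startup = $false
    foreach ($satir in ($icerik -split "`r?`n")) {
      if ($satir -match "^\[Startup\]") { $startup = $true; continue }
      if ($satir -match "^\[") { $startup = $false; continue }
      if ($startup -and $satir -match "^(\d+)CmdLine=") {
        $idx = [int]$Matches[1]; if ($idx -gt $maxIndex) { $maxIndex = $idx }
      }
    }
    $yi = $maxIndex + 1
    $yeniBlok = "${yi}CmdLine=powershell.exe`r`n${yi}Parameters=$parametreler`r`n"
    # In a -replace replacement string '$' introduces a group reference; double it so the
    # block (which contains the script path) is inserted literally.
    $yedekBlok = $yeniBlok.Replace('$', '$$')
    if ($icerik -match "\[Startup\][ \t]*\r?\n") {
      $icerik = $icerik -replace "(\[Startup\][ \t]*\r?\n)", "`$1$yedekBlok"
    } else {
      # Header is the last line without a newline: add one before the new block.
      $icerik = $icerik -replace "(\[Startup\][ \t]*)", "`$1`r`n$yedekBlok"
    }
  } else {
    $icerik += "`r`n[Startup]`r`n0CmdLine=powershell.exe`r`n0Parameters=$parametreler`r`n"
  }
  $icerik | Set-Content $iniDosyasi -Encoding Unicode -Force
}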
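# Builds the comma-separated IPv4 CIDR list used for the "KS - WARP Sunucu Cikis" allow rule.
# Sources, in order: the /24 of the Endpoint in the local wgcf profile, then Cloudflare's
# published IPv4 ranges (https://api.cloudflare.com/client/v4/ips) filtered to the
# 162.159.* / 104.16.* prefixes, then a static fallback list when both yield nothing.
# Returns a string such as "162.159.192.0/24,104.16.0.0/13".
# Fix over the previous version: API values were only prefix-checked before being spliced
# into a netsh command line; they are now also required to look like a plain a.b.c.d/n.
function WarpIpleriniAl {
  $ipListesi = [System.Collections.Generic.List[string]]::new()
  # The result is interpolated into a native command line; accept only a plain IPv4 CIDR shape.
  $cidrDeseni = '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
  # 1) /24 of the Endpoint address in the local profile (the capture is digits and dots only).
  try {
    $satirlar = Get-Content $CONFIG -Encoding UTF8 -EA Stop
    $ep = $satirlar | Where-Object { $_ -match "^\s*Endpoint\s*=" } | Select-Object -First 1
    if ($ep -match "=\s*([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+:") {
      $prefix = $Matches[1] + ".0/24"
      if (-not $ipListesi.Contains($prefix)) { $ipListesi.Add($prefix) }
      BILGI "WARP endpoint conf'tan: $prefix"
    }
  } catch {}
  # 2) Cloudflare's published ranges; a failed or malformed response is simply skipped.
  try {
    $resp = Invoke-RestMethod "https://api.cloudflare.com/client/v4/ips" -TimeoutSec 8 -EA Stop
    $cidrler = @()
    if ($resp.success -and $resp.result.ipv4_cidrs) { $cidrler = @($resp.result.ipv4_cidrs) }
    foreach ($cidr in $cidrler) {
      $aday = [string]$cidr
      if ($aday -notmatch "^(162\.159\.|104\.16\.)") { continue }
      if ($aday -notmatch $cidrDeseni) { continue }
      if (-not $ipListesi.Contains($aday)) { $ipListesi.Add($aday) }
    }
  } catch {}
  # 3) Static fallback so the allow rule never ends up with an empty remoteip.
  if ($ipListesi.Count -eq 0) {
    foreach ($sabit in @("162.159.192.0/24","162.159.193.0/24","162.159.195.0/24","104.16.0.0/13")) { $ipListesi.Add($sabit) }
    WARN "WARP IP fallback kullanildi"
  }
  return ($ipListesi -join ",")
}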
# ================================================================
# Elevation gate: everything below edits HKLM, services, firewall rules and GPO scripts.
$kimlik = [Security.Principal.WindowsIdentity]::GetCurrent()
$calisanPrincipal = New-Object Security.Principal.WindowsPrincipal($kimlik)
$yoneticiRolu = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $calisanPrincipal.IsInRole($yoneticiRolu)) {
  Write-Host "`n [!!] Yonetici olarak calistirin!" -ForegroundColor Red; pause; exit 1
}
# ================================================================
Baslik "0. WIREGUARD + WARP OTOMATIK KURULUM"
# ================================================================
# Working folder; -Force makes this idempotent on re-runs. No ACL is applied to it here,
# although the scripts later executed as SYSTEM live in it.
New-Item -ItemType Directory -Path $KLASOR -Force | Out-Null
# ---- 0.1 WireGuard kurulumu (yoksa) ----
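# ---- 0.1 WireGuard install (when missing) ----
# Downloads the pinned 0.5.3 MSI over TLS 1.2 and installs it silently with msiexec.
# Added: the MSI's Authenticode signature must validate before msiexec runs it elevated,
# so a tampered, truncated or substituted download is refused instead of installed; the
# signer subject is printed so the operator can confirm the expected publisher. The MSI
# is deleted on every path (previously it was left behind when msiexec failed).
if (-not (Test-Path $WG_EXE)) {
  BILGI "WireGuard kurulu degil, indiriliyor..."
  $wgMsi = "$KLASOR\wireguard-amd64-msi.msi"
  try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest "https://download.wireguard.com/windows-client/wireguard-amd64-0.5.3.msi" -OutFile $wgMsi -TimeoutSec 60 -UseBasicParsing
    # A missing or unsigned file yields a non-'Valid' status (or $null), which also covers a
    # download that silently produced no file.
    $imza = Get-AuthenticodeSignature -FilePath $wgMsi
    if ($imza.Status -ne 'Valid') {
      throw "MSI imzasi gecersiz ($($imza.Status)) - kurulum iptal"
    }
    BILGI "MSI imzasi gecerli: $($imza.SignerCertificate.Subject)"
    BILGI "WireGuard MSI indirildi, sessiz kurulum basliyor..."
    $process = Start-Process msiexec.exe -ArgumentList "/i `"$wgMsi`" /quiet /norestart" -Wait -NoNewWindow -PassThru
    if ($process.ExitCode -eq 0) {
      OK "WireGuard kuruldu (driver yuklendi)"
    } else {
      HATA "WireGuard kurulumu basarisiz (exit $($process.ExitCode))"
      pause; exit 1
    }
  } catch {
    HATA "WireGuard indirme/kurulum hatasi: $_"
    pause; exit 1
  } finally {
    # Do not leave the installer in the working folder, whatever happened above.
    Remove-Item $wgMsi -Force -EA SilentlyContinue
  }
} else {
  OK "WireGuard zaten mevcut"
}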
# ---- 0.2 wgcf kurulumu ----
# ---- 0.2 wgcf install ----
# wgcf (ViRb3/wgcf, pinned release v2.2.19) generates an anonymous WARP WireGuard profile.
# NOTE(review): the binary is downloaded without any hash or signature check and is then
# executed elevated in section 0.3; pin the release's SHA-256
# (placeholder: <EXPECTED_WGCF_SHA256>) and verify it before first use.
# TLS 1.2 is only forced in section 0.1, and only when WireGuard was missing; this request
# relies on the session defaults otherwise.
$WGCF_EXE = "$KLASOR\wgcf.exe"
if (-not (Test-Path $WGCF_EXE)) {
BILGI "wgcf indiriliyor..."
try {
$wgcfUrl = "https://github.com/ViRb3/wgcf/releases/download/v2.2.19/wgcf_2.2.19_windows_amd64.exe"
Invoke-WebRequest $wgcfUrl -OutFile $WGCF_EXE -TimeoutSec 30 -UseBasicParsing
OK "wgcf indirildi: $WGCF_EXE"
} catch {
HATA "wgcf indirilemedi: $_"
pause; exit 1
}
} else {
OK "wgcf zaten mevcut"
}
# ---- 0.3 WARP config olustur (register + generate) ----
# ---- 0.3 Create the WARP profile (register + generate) ----
# Runs wgcf from the working folder (Push-Location) so its output files land there;
# --accept-tos accepts Cloudflare's terms non-interactively. Skipped entirely when a profile
# already exists, so re-running the installer keeps the existing identity and key.
# Native command failures do not throw, hence the explicit $LASTEXITCODE checks.
# The resulting profile contains the tunnel private key in plain text at $CONFIG.
if (-not (Test-Path $CONFIG)) {
BILGI "WARP config olusturuluyor (anonim)..."
Push-Location $KLASOR
try {
$regOut = & $WGCF_EXE register --accept-tos 2>&1
if ($LASTEXITCODE -ne 0) { throw "wgcf register hata: $regOut" }
BILGI "wgcf register basarili"
$genOut = & $WGCF_EXE generate 2>&1
if ($LASTEXITCODE -ne 0) { throw "wgcf generate hata: $genOut" }
# With the defaults above source and destination are the same path, so the move is
# effectively a presence check; it only relocates if $KLASOR and $CONFIG diverge.
if (Test-Path "$KLASOR\wgcf-profile.conf") {
Move-Item -Path "$KLASOR\wgcf-profile.conf" -Destination $CONFIG -Force
OK "WARP config olusturuldu: $CONFIG"
} else {
throw "wgcf-profile.conf olusmadi"
}
} catch {
HATA "WARP config olusturulamadi: $_"
Pop-Location; pause; exit 1
}
Pop-Location
} else {
OK "WARP config zaten var (kullaniliyor)"
}
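# Sanity-check the profile before it is installed as a tunnel: it must contain a PrivateKey
# and an Endpoint. Get-Content without -Raw returns an array of lines, and "-notmatch" on an
# array yields the lines that do NOT contain the word - non-empty for any real profile - so the
# previous check fired unconditionally. The test now runs against the joined text; $confCheck
# keeps its line-array form for any later use.
$confCheck = Get-Content $CONFIG -Encoding UTF8 -EA Stop
$confMetin = @($confCheck) -join "`n"
if ($confMetin -notmatch "PrivateKey" -or $confMetin -notmatch "Endpoint") {
HATA "Config dosyasi gecersiz (PrivateKey/Endpoint yok)"
pause; exit 1
}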
# ================================================================
Baslik "1. KLASOR VE ON HAZIRLIK"
# ================================================================
# The folder already exists from section 0; repeating the creation is harmless (-Force).
New-Item -ItemType Directory -Path $KLASOR -Force | Out-Null
OK "WireGuard EXE ve config hazir"
# ================================================================
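Baslik "2. NSSM HAZIRLIK"
# ================================================================
# Fetches nssm (used later to run servis-monitor.ps1 as a Windows service) when absent.
# Failure is not fatal: the service layer is skipped. Only the win64 binary is extracted, to a
# fixed destination path, so entry names in the archive cannot redirect the write.
# NOTE(review): the archive is not integrity-checked, yet the binary will run as a SYSTEM
# service; pin the release's SHA-256 (placeholder: <EXPECTED_NSSM_ZIP_SHA256>) and verify it.
# Fix over the previous version: the ZipArchive handle and the zip file were only released on
# success; both are now cleaned up in finally, and a missing entry is reported instead of
# surfacing as an opaque ExtractToFile error.
if (-not (Test-Path $NSSM)) {
  $zf = $null
  $zip = "$KLASOR\nssm.zip"
  try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest "https://nssm.cc/release/nssm-2.24.zip" -OutFile $zip -TimeoutSec 45 -UseBasicParsing
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zf = [System.IO.Compression.ZipFile]::OpenRead($zip)
    $entry = $zf.Entries | Where-Object { $_.FullName -like "*win64/nssm.exe" } | Select-Object -First 1
    if (-not $entry) { throw "win64/nssm.exe arsivde bulunamadi" }
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $NSSM, $true)
    OK "NSSM indirildi"
  } catch { WARN "NSSM indirilemedi - servis katmani atlanacak" }
  finally {
    if ($zf) { $zf.Dispose() }
    Remove-Item $zip -Force -EA SilentlyContinue
  }
} else { OK "NSSM mevcut" }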
# ================================================================
Baslik "3. TEMIZLIK"
# ================================================================
# Tear down whatever a previous run left behind so the installer starts from a known state:
# scheduled tasks, the NSSM service, the WMI subscription, the Startup shortcut, stray helper
# processes, the KS firewall rules and the tunnel service itself.
GorevDurdurSil $GOREV_ANA
GorevDurdurSil $GOREV_ONARIM
# Task name used by an earlier version; removed for compatibility.
GorevDurdurSil "WireGuard-KillSwitch-Monitor"
# Service removal: resume if paused, stop via nssm (when present) and sc, delete both ways.
$eskiSvc = & sc.exe query $WG_SVC_ADI 2>$null
if ($eskiSvc) {
if ($eskiSvc -match "PAUSED") { & sc.exe continue $WG_SVC_ADI 2>$null | Out-Null; Start-Sleep 2 }
if (Test-Path $NSSM) { & $NSSM stop $WG_SVC_ADI 2>$null | Out-Null }
& sc.exe stop $WG_SVC_ADI 2>$null | Out-Null; Start-Sleep 2
if (Test-Path $NSSM) { & $NSSM remove $WG_SVC_ADI confirm 2>$null | Out-Null }
& sc.exe delete $WG_SVC_ADI 2>$null | Out-Null; Start-Sleep 2
}
# Permanent WMI event subscription (filter, consumer, binding) in root\subscription; its
# creation is not visible in this chunk. A permanent WMI consumer that launches PowerShell
# is a pattern endpoint detection tooling commonly alerts on - expect such detections.
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -EA SilentlyContinue |
Where-Object { $_.Name -eq $WMI_FILTER } | Remove-CimInstance -EA SilentlyContinue
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -EA SilentlyContinue |
Where-Object { $_.Name -eq $WMI_CONSUMER } | Remove-CimInstance -EA SilentlyContinue
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -EA SilentlyContinue |
Where-Object { $_.Filter -like "*$WMI_FILTER*" } | Remove-CimInstance -EA SilentlyContinue
Remove-Item $STARTUP_LNK -Force -EA SilentlyContinue
# Kill running helper scripts by command-line substring. This also matches any unrelated
# process whose command line happens to contain one of these file names.
Get-CimInstance Win32_Process -EA SilentlyContinue |
Where-Object { $_.CommandLine -like "*monitor.ps1*" -or $_.CommandLine -like "*onarim.ps1*" -or
$_.CommandLine -like "*servis-monitor.ps1*" -or $_.CommandLine -like "*wmi-onarim.ps1*" } |
ForEach-Object { Stop-Process -Id $_.ProcessId -Force -EA SilentlyContinue }
# Every KS rule is deleted by display name, including "KS - WireGuard EXE" and
# "KS - WireGuard Tunnel SVC" whose creation is not in this chunk.
$ks_kurallar = @(
"KS - ENGEL Wi-Fi Cikis","KS - ENGEL Ethernet Cikis","KS - ENGEL IPv6 Cikis","KS - ENGEL IPv6 Giris",
"KS - Yerel Ag Cikis","KS - Yerel Ag Giris","KS - DHCP Cikis","KS - DHCP Giris",
"KS - WARP Sunucu Cikis","KS - Loopback Cikis","KS - Loopback Giris",
"KS - DNS Izin","KS - DNS Engel","KS - WireGuard EXE","KS - WireGuard Tunnel SVC"
)
foreach ($k in $ks_kurallar) { netsh advfirewall firewall delete rule name="$k" | Out-Null }
# Default profile policy: inbound blocked, outbound allowed - the KS rules do the restricting.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
# Remove the tunnel service; section 5 installs it again from $CONFIG.
& $WG_EXE /uninstalltunnelservice $TUNEL_ADI 2>$null; Start-Sleep 3
# Stale repair lock and the hidden/system attributes set by earlier runs.
Remove-Item "$KLASOR\onarim.lock" -Force -EA SilentlyContinue
if (Test-Path $LOG) { attrib -H -S $LOG 2>$null | Out-Null }
Get-ChildItem $KLASOR -File -EA SilentlyContinue | ForEach-Object { attrib -H -S $_.FullName 2>$null | Out-Null }
OK "Temizlik tamamlandi"
# ================================================================
Baslik "4. IPv6 ENGELI"
# ================================================================
# IPv6 is shut off in three layers so nothing can bypass the IPv4-only kill switch over v6:
# firewall block rules for the listed unicast ranges (both directions), the ms_tcpip6 binding
# removed from every adapter except the tunnel adapter, and the Tcpip6 DisabledComponents
# registry value (0xFF). The registry change presumably takes effect after a reboot - confirm.
Remove-NetFirewallRule -DisplayName "KS - ENGEL IPv6 Cikis" -EA SilentlyContinue
Remove-NetFirewallRule -DisplayName "KS - ENGEL IPv6 Giris" -EA SilentlyContinue
New-NetFirewallRule -DisplayName "KS - ENGEL IPv6 Cikis" -Direction Outbound -Action Block `
-RemoteAddress "fe80::/10","2001::/32","2002::/16","fc00::/7","2000::/3" -Enabled True -EA SilentlyContinue | Out-Null
New-NetFirewallRule -DisplayName "KS - ENGEL IPv6 Giris" -Direction Inbound -Action Block `
-RemoteAddress "fe80::/10","2001::/32","2002::/16","fc00::/7","2000::/3" -Enabled True -EA SilentlyContinue | Out-Null
# Adapters reported as "Not Present" are skipped; the tunnel adapter keeps its binding.
Get-NetAdapter | Where-Object { $_.Status -ne "Not Present" -and $_.Name -ne $TUNEL_ADI } |
ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -EA SilentlyContinue }
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name "DisabledComponents" -Value 0xFF -Type DWord -Force -EA SilentlyContinue
OK "IPv6 engeli aktif"
# ================================================================
Baslik "5. WIREGUARD TUNEL KURULUMU"
# ================================================================
# Installs the profile as the WireGuardTunnel$wgcf-profile service and gives it a fixed 7s to
# come up; if it has not, the monitor written in section 7 takes over. wireguard.exe output
# and errors are discarded.
& $WG_EXE /installtunnelservice $CONFIG 2>$null
Start-Sleep 7
if (TunelCalisiyor) { OK "Tunel CALISIYOR" } else { WARN "Tunel henuz baslamadi - monitor baslatacak" }
# delayed-auto: start the tunnel service after the regular auto-start services at boot.
& sc.exe config $TUNEL_SVC start= delayed-auto 2>$null | Out-Null
OK "WireGuard tunel: delayed-auto-start [FIX-BOOT-1]"
# ================================================================
Baslik "6. FIREWALL KURALLARI"
# ================================================================
# Kill-switch rule set. Model: two "ENGEL" block rules (one per physical interface type) deny
# all IPv4 egress; they are deleted while the tunnel is up and re-created by monitor.ps1 when
# it goes down. The allow rules cover what must keep working with the block in place: LAN,
# DHCP, loopback, DNS to 1.1.1.1/1.0.0.1 and UDP to the WARP endpoints.
# NOTE(review): Windows Firewall evaluates block rules ahead of allow rules, so while the
# ENGEL rules exist they also take precedence over the allow rules on those interface types.
# Confirm that the WARP handshake can still leave the host in that state (WireGuard's own
# WFP filters may supply the permit); the recovery loop in monitor.ps1 depends on it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
netsh advfirewall firewall add rule name="KS - ENGEL Wi-Fi Cikis" `
dir=out action=block interfacetype=wireless remoteip=0.0.0.0/1,128.0.0.0/1 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - ENGEL Ethernet Cikis" `
dir=out action=block interfacetype=lan remoteip=0.0.0.0/1,128.0.0.0/1 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - Yerel Ag Cikis" `
dir=out action=allow remoteip=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - Yerel Ag Giris" `
dir=in action=allow remoteip=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - DHCP Cikis" `
dir=out action=allow protocol=UDP localport=68 remoteport=67 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - DHCP Giris" `
dir=in action=allow protocol=UDP localport=68 remoteport=67 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - Loopback Cikis" `
dir=out action=allow remoteip=127.0.0.0/8 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - Loopback Giris" `
dir=in action=allow remoteip=127.0.0.0/8 enable=yes | Out-Null
# "KS - DNS Engel" is never removed, so UDP/53 to any resolver other than 1.1.1.1/1.0.0.1
# (LAN resolvers included) stays blocked even while the tunnel is up. TCP/53 and
# DNS-over-HTTPS are not covered by these rules.
netsh advfirewall firewall add rule name="KS - DNS Izin" `
dir=out action=allow protocol=UDP remoteip=1.1.1.1,1.0.0.1 remoteport=53 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - DNS Engel" `
dir=out action=block protocol=UDP remoteport=53 enable=yes | Out-Null
# $warpIpler is spliced into a native command line; WarpIpleriniAl is expected to return only
# comma-separated IPv4 CIDRs. Ports 2408/854 are the WARP UDP endpoints used by the profile.
$warpIpler = WarpIpleriniAl
BILGI "WARP IP'leri: $warpIpler"
netsh advfirewall firewall add rule name="KS - WARP Sunucu Cikis" `
dir=out action=allow protocol=UDP remoteip=$warpIpler remoteport=2408,854 enable=yes | Out-Null
OK "Firewall kurallari tamam"
# Initial state: if the tunnel already runs, lift the block now rather than waiting for the monitor.
if (TunelCalisiyor) {
netsh advfirewall firewall delete rule name="KS - ENGEL Wi-Fi Cikis" | Out-Null
netsh advfirewall firewall delete rule name="KS - ENGEL Ethernet Cikis" | Out-Null
OK "Tunel aktif - ENGEL kaldirildi"
} else { WARN "Tunel kapali - ENGEL aktif" }
# ================================================================
Baslik "7. MONITOR SCRIPT"
# ================================================================
# Writes monitor.ps1 verbatim (single-quoted here-string: nothing in it is expanded by the
# installer). The monitor is started as SYSTEM by the WG-KillSwitch task (section 11). It
# waits up to 90s for the tunnel after boot, then every 5s checks the WireGuardTunnel$ service:
# while it is down the "KS - ENGEL ..." block rules are in place, while it is up they are
# removed. When the tunnel stays down it re-installs the tunnel service in rounds of 5
# attempts separated by a 3-minute wait, forever.
# Review notes on the generated script (it is a string literal here, not edited in place):
#  - Log / TunelCalisiyor duplicate the installer's helpers; keep them in sync.
#  - InternetVar opens a TCP connection to 1.1.1.1:443; with the block rules active that can
#    only succeed through the tunnel, which makes it a genuine "tunnel works" check.
#  - TunelKurmeYDene force-kills wireguard.exe and the tunnel service process before
#    re-installing, serialised on Global\WGTunnelInstallMutex so two re-installs cannot overlap.
#  - WireGuardHazir is never called, and its $out / $wgd results are unused.
#  - WarpIpAl returns only the Endpoint's /24 (or the static fallback), narrower than the
#    installer's list; EngelKapat / WarpKuraliniGaranti overwrite "KS - WARP Sunucu Cikis"
#    with that narrower value.
#  - The identifier $tunelKalktı contains a non-ASCII letter; the file is written as UTF-8
#    (with a BOM under Windows PowerShell 5), so it round-trips, but an ASCII name would be safer.
@'
# WireGuard Kill Switch Monitor FINAL - dokunma
$TUNEL_SVC = 'WireGuardTunnel$wgcf-profile'
$TUNEL_ADI = 'wgcf-profile'
$CONFIG = 'C:\WireGuard\wgcf-profile.conf'
$LOG = 'C:\WireGuard\killswitch.log'
$WG_EXE = 'C:\Program Files\WireGuard\wireguard.exe'
function Log($m) {
$mutex = $null
try {
$mutex = New-Object System.Threading.Mutex($false, "Global\WGKillSwitchLog")
$mutex.WaitOne(3000) | Out-Null
Add-Content $LOG "$(Get-Date -f 'yyyy-MM-dd HH:mm:ss') | [MON] $m" -Encoding UTF8 -EA SilentlyContinue
try { $s = Get-Content $LOG -Encoding UTF8 -EA Stop; if ($s.Count -gt 500) { $s | Select-Object -Last 250 | Set-Content $LOG -Encoding UTF8 -Force } } catch {}
} finally { if ($mutex) { try { $mutex.ReleaseMutex() } catch {} } }
}
function TunelCalisiyor { return ((& sc.exe query $TUNEL_SVC 2>$null) -match "RUNNING") }
function InternetVar {
try {
$tcp = New-Object System.Net.Sockets.TcpClient
$iar = $tcp.BeginConnect('1.1.1.1', 443, $null, $null)
$ok = $iar.AsyncWaitHandle.WaitOne(4000, $false)
if ($ok) { $tcp.EndConnect($iar); $tcp.Close(); return $true }
$tcp.Close(); return $false
} catch { return $false }
}
function WarpIpAl {
try {
$ep = (Get-Content $CONFIG -Encoding UTF8 -EA Stop) | Where-Object { $_ -match '^\s*Endpoint\s*=' } | Select-Object -First 1
if ($ep -match '=\s*([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+:') { return ($Matches[1] + '.0/24') }
} catch {}
return "162.159.192.0/24,162.159.193.0/24,162.159.195.0/24,104.16.0.0/13"
}
function EngelKapat {
$warpIp = WarpIpAl
netsh advfirewall firewall delete rule name="KS - ENGEL Wi-Fi Cikis" 2>$null | Out-Null
netsh advfirewall firewall delete rule name="KS - ENGEL Ethernet Cikis" 2>$null | Out-Null
netsh advfirewall firewall add rule name="KS - ENGEL Wi-Fi Cikis" `
dir=out action=block interfacetype=wireless remoteip=0.0.0.0/1,128.0.0.0/1 enable=yes | Out-Null
netsh advfirewall firewall add rule name="KS - ENGEL Ethernet Cikis" `
dir=out action=block interfacetype=lan remoteip=0.0.0.0/1,128.0.0.0/1 enable=yes | Out-Null
netsh advfirewall firewall delete rule name="KS - WARP Sunucu Cikis" 2>$null | Out-Null
netsh advfirewall firewall add rule name="KS - WARP Sunucu Cikis" `
dir=out action=allow protocol=UDP remoteip=$warpIp remoteport=2408,854 enable=yes | Out-Null
Log "ENGEL aktif (WARP $warpIp izinli)"
}
function EngelAc {
netsh advfirewall firewall delete rule name="KS - ENGEL Wi-Fi Cikis" | Out-Null
netsh advfirewall firewall delete rule name="KS - ENGEL Ethernet Cikis" | Out-Null
Log "ENGEL kaldirildi - internet acildi"
}
function WarpKuraliniGaranti {
$ip = WarpIpAl
netsh advfirewall firewall delete rule name="KS - WARP Sunucu Cikis" 2>$null | Out-Null
netsh advfirewall firewall add rule name="KS - WARP Sunucu Cikis" `
dir=out action=allow protocol=UDP remoteip=$ip remoteport=2408,854 enable=yes | Out-Null
Log "WARP kurali yenilendi ($ip)"
}
function WireGuardHazir {
try {
$out = & sc.exe query type= driver state= all 2>$null
$wgd = & sc.exe query "WireGuard" 2>$null
if (Test-Path 'C:\Program Files\WireGuard\wireguard.exe') { return $true }
return $false
} catch { return $false }
}
Log "=== Monitor baslatildi (FINAL) ==="
try {
$bootZaman = (Get-CimInstance Win32_OperatingSystem -EA Stop).LastBootUpTime
if ((Get-Date) -lt $bootZaman.AddSeconds(90)) {
Log "Sistem yeni acildi - ag stack icin 15sn ek bekleme [V10-1]"
Start-Sleep -Seconds 15
}
} catch {}
$bootBekle = 0
while ($bootBekle -lt 90 -and -not (TunelCalisiyor)) {
Start-Sleep -Seconds 3
$bootBekle += 3
}
if (TunelCalisiyor) {
$durum = 'running'
Clear-DnsClientCache -EA SilentlyContinue
EngelAc
Log "Baslangic: Tunel calisiyor (${bootBekle}sn beklendi), engel yok"
} else {
$durum = 'stopped'
EngelKapat
Log "Baslangic: Tunel kapali (${bootBekle}sn beklendi), engel aktif - ilk kurtarma basliyor"
}
function TunelKurmeYDene {
$mux = $null
try {
$mux = New-Object System.Threading.Mutex($false, 'Global\WGTunnelInstallMutex')
if (-not $mux.WaitOne(60000)) {
Log "TunelKurmeYDene: mutex timeout - baska process install yapiyor, mevcut durum donduruldu"
return (TunelCalisiyor)
}
Get-Process -Name "wireguard" -EA SilentlyContinue | Stop-Process -Force -EA SilentlyContinue
$wgSvcPid = (Get-CimInstance Win32_Service -Filter "Name='$TUNEL_SVC'" -EA SilentlyContinue).ProcessId
if ($wgSvcPid -and $wgSvcPid -gt 0) { Stop-Process -Id $wgSvcPid -Force -EA SilentlyContinue }
Start-Sleep -Seconds 1
& $WG_EXE /uninstalltunnelservice $TUNEL_ADI 2>$null
Start-Sleep -Seconds 3
& $WG_EXE /installtunnelservice $CONFIG 2>$null
Start-Sleep -Seconds 10
return (TunelCalisiyor)
} finally {
if ($mux) { try { $mux.ReleaseMutex() } catch {} }
}
}
$donguSayac = 0
while ($true) {
Start-Sleep -Seconds 5
$donguSayac++
if (TunelCalisiyor) {
if ($durum -ne 'running') {
Clear-DnsClientCache -EA SilentlyContinue
EngelAc
$durum = 'running'
}
} else {
if ($durum -ne 'stopped') {
Log "UYARI: Tunel kapandi - ENGEL devreye giriyor"
EngelKapat
$durum = 'stopped'
}
WarpKuraliniGaranti
Log "Kurtarma basliyor"
$basarili = $false
$toplamDeneme = 0
while (-not $basarili) {
for ($i = 1; $i -le 5; $i++) {
$toplamDeneme++
Log "Deneme $i/5 (toplam: $toplamDeneme)"
$tunelKalktı = TunelKurmeYDene
if ($tunelKalktı) {
$warpBekle = 0
$internetOK = $false
while ($warpBekle -lt 30) {
if (InternetVar) { $internetOK = $true; break }
Start-Sleep -Seconds 5
$warpBekle += 5
}
if ($internetOK) {
Log "Deneme $i - Tunel + internet OK (${warpBekle}sn beklendi)"
Clear-DnsClientCache -EA SilentlyContinue
EngelAc
$durum = 'running'
$basarili = $true
break
} else {
Log "Deneme $i - Tunel kalktı ama 30sn sonra internet yok, yeniden deneniyor"
EngelKapat
& $WG_EXE /uninstalltunnelservice $TUNEL_ADI 2>$null
Start-Sleep -Seconds 3
}
} else {
Log "Deneme $i - Tunel baslamadi"
Start-Sleep -Seconds 5
}
}
if (-not $basarili) {
Log "KRITIK: 5 deneme basarisiz (toplam: $toplamDeneme) - 3dk bekleniyor, sonra tekrar denenecek"
EngelKapat
$bekSure = 0
while ($bekSure -lt 180) {
Start-Sleep -Seconds 15
$bekSure += 15
if (TunelCalisiyor) {
Log "3dk bekleme sirasinda tunel kendisi kalktı!"
$basarili = $true
Clear-DnsClientCache -EA SilentlyContinue
EngelAc
$durum = 'running'
break
}
}
if ($basarili) { break }
Log "3dk bekleme bitti - tekrar deneniyor..."
}
}
}
}
'@ | Set-Content $MONITOR_PS1 -Encoding UTF8 -Force
# Hidden + system attributes on the script; the cleanup section clears them on a re-run.
attrib -H -S $MONITOR_PS1 2>$null | Out-Null
# Normalise line endings to CRLF so the generated file is consistent regardless of how this
# installer itself was saved. Best-effort.
try {
$raw = [System.IO.File]::ReadAllText($MONITOR_PS1, [System.Text.Encoding]::UTF8)
$raw = $raw -replace "(?<!\r)\n", "`r`n"
[System.IO.File]::WriteAllText($MONITOR_PS1, $raw, [System.Text.Encoding]::UTF8)
} catch {}
OK "monitor.ps1 yazildi (FINAL)"
# ================================================================
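Baslik "8. ONARIM SCRIPT"
# ================================================================
# Writes onarim.ps1 verbatim (single-quoted here-string). It is launched as SYSTEM by the
# WMI wrapper and by the NSSM service wrapper, and does one repair pass: PID lock file to
# stay single-instance; firewall policy and MpsSvc service check; re-register the
# WG-KillSwitch task from the TaskXML value under HKLM:\SOFTWARE\WGKillSwitch if it vanished
# (the code that stores that value is not in this chunk); restart the tunnel service and
# WGKillSwitchSvc if not running; make sure exactly one monitor.ps1 process exists.
# Fix inside the generated script: the "tunnel running" and "WGKillSwitchSvc running" tests
# used "-notmatch 'RUNNING'" on the line array that sc.exe query returns, which yields the
# lines that do NOT contain RUNNING - always non-empty - so both branches ran on every pass
# and the tunnel service was torn down and re-installed even while it was healthy. The tests
# are now "-not (... -match 'RUNNING')".
# Review notes: the "BlockOutbound" policy check relies on netsh's English output - confirm on
# localised systems; the monitor-process match is on the substring "monitor.ps1" in any
# powershell.exe command line, so unrelated processes with that name would be counted/killed.
@'
# WG Onarim FINAL - dokunma
$GOREV_ANA = "WG-KillSwitch"
$MONITOR = "C:\WireGuard\monitor.ps1"
$LOG = "C:\WireGuard\killswitch.log"
$TUNEL_SVC = 'WireGuardTunnel$wgcf-profile'
$WG_EXE = "C:\Program Files\WireGuard\wireguard.exe"
$CONFIG = "C:\WireGuard\wgcf-profile.conf"
$TUNEL_ADI = "wgcf-profile"
$LOCK = "C:\WireGuard\onarim.lock"
function Log($m) {
$mutex = $null
try {
$mutex = New-Object System.Threading.Mutex($false, "Global\WGKillSwitchLog")
$mutex.WaitOne(3000) | Out-Null
Add-Content $LOG "$(Get-Date -f 'yyyy-MM-dd HH:mm:ss') | [ONARIM] $m" -Encoding UTF8 -EA SilentlyContinue
try { $s = Get-Content $LOG -Encoding UTF8 -EA Stop; if ($s.Count -gt 500) { $s | Select-Object -Last 250 | Set-Content $LOG -Encoding UTF8 -Force } } catch {}
} finally { if ($mutex) { try { $mutex.ReleaseMutex() } catch {} } }
}
if (Test-Path $LOCK) {
$lp = [int](Get-Content $LOCK -EA SilentlyContinue)
if ($lp -and (Get-Process -Id $lp -EA SilentlyContinue)) { exit 0 }
Remove-Item $LOCK -Force -EA SilentlyContinue
}
$PID | Set-Content $LOCK -Force -EA SilentlyContinue
try {
if (Test-Path $LOG) { attrib -H -S $LOG 2>$null | Out-Null }
$politikaOK = $true
foreach ($profil in @("DomainProfile","PrivateProfile","PublicProfile")) {
if ((netsh advfirewall show $profil 2>$null) -match "BlockOutbound") { $politikaOK = $false }
}
if (-not $politikaOK) {
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
Log "Firewall politikasi duzeltildi"
}
$fwSvc = & sc.exe query MpsSvc 2>$null
if ($fwSvc -match "STOPPED") {
& sc.exe start MpsSvc 2>$null | Out-Null; Start-Sleep 3
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
Log "KRITIK: Firewall servisi yeniden baslatildi"
}
$gorev = Get-ScheduledTask -TaskName $GOREV_ANA -EA SilentlyContinue
if (-not $gorev) {
$b64 = (Get-ItemProperty "HKLM:\SOFTWARE\WGKillSwitch" -Name "TaskXML" -EA SilentlyContinue).TaskXML
if ($b64) {
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | Register-ScheduledTask -TaskName $GOREV_ANA -Force | Out-Null
schtasks /Run /TN "\$GOREV_ANA" 2>$null | Out-Null
Log "WG-KillSwitch geri yuklendi"
} else { Log "KRITIK: Registry yedek yok" }
} elseif ($gorev.State -eq 'Disabled') {
Enable-ScheduledTask -TaskName $GOREV_ANA | Out-Null
schtasks /Run /TN "\$GOREV_ANA" 2>$null | Out-Null
Log "WG-KillSwitch etkinlestirildi"
}
$tunelDurum = & sc.exe query $TUNEL_SVC 2>$null
if (-not ($tunelDurum -match "RUNNING")) {
Log "Tunel calısmiyor - yeniden kuruluyor"
if ((Test-Path $WG_EXE) -and (Test-Path $CONFIG)) {
& $WG_EXE /uninstalltunnelservice $TUNEL_ADI 2>$null | Out-Null
Start-Sleep 2
& $WG_EXE /installtunnelservice $CONFIG 2>$null | Out-Null
Start-Sleep 8
$td2 = & sc.exe query $TUNEL_SVC 2>$null
if ($td2 -match "RUNNING") { Log "Tunel yeniden kuruldu" }
else { Log "KRITIK: Tunel kurulamadi" }
}
}
$wgSvc = & sc.exe query WGKillSwitchSvc 2>$null
if (-not ($wgSvc -match "RUNNING")) {
Log "WGKillSwitchSvc calısmiyor - baslatiliyor"
& sc.exe start WGKillSwitchSvc 2>$null | Out-Null; Start-Sleep 5
$wg2 = & sc.exe query WGKillSwitchSvc 2>$null
if ($wg2 -match "RUNNING") { Log "WGKillSwitchSvc baslatildi" }
else { Log "KRITIK: WGKillSwitchSvc baslatilamadi" }
}
Start-Sleep -Milliseconds 500
$proclar = Get-Process powershell -EA SilentlyContinue | Where-Object {
try { (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)" -EA Stop).CommandLine -like "*monitor.ps1*" }
catch { $false }
}
if (-not $proclar) {
Log "Monitor process yok - gorev ve dogrudan baslatma"
schtasks /Run /TN "\$GOREV_ANA" 2>$null | Out-Null
Start-Sleep 3
$proclar2 = Get-Process powershell -EA SilentlyContinue | Where-Object {
try { (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)" -EA Stop).CommandLine -like "*monitor.ps1*" }
catch { $false }
}
if (-not $proclar2) {
Start-Process powershell.exe -ArgumentList "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$MONITOR`"" -WindowStyle Hidden
Log "Monitor dogrudan baslatildi [FIX-BOOT-9]"
}
} elseif (($proclar | Measure-Object).Count -gt 1) {
$proclar | Sort-Object Id | Select-Object -SkipLast 1 | ForEach-Object {
Stop-Process -Id $_.Id -Force -EA SilentlyContinue
Log "Fazla monitor olduruldu (PID: $($_.Id))"
}
}
} finally {
Remove-Item $LOCK -Force -EA SilentlyContinue
}
'@ | Set-Content $ONARIM_PS1 -Encoding UTF8 -Force
OK "onarim.ps1 yazildi"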
# ================================================================
Baslik "9. WMI WRAPPER"
# ================================================================
# Writes wmi-onarim.ps1 verbatim. It is the command run by the WMI event consumer
# ($WMI_CONSUMER; the subscription itself is not created in this chunk). After a 2s settle it
# checks whether a powershell.exe with "monitor.ps1" in its command line still exists; if not,
# it launches onarim.ps1 (elevated, as the consumer runs as SYSTEM), otherwise it only logs.
# The check is a substring match on the command line, so it sees any process with that name.
@'
# WMI Onarim Wrapper FINAL - dokunma
$LOG = 'C:\WireGuard\killswitch.log'
$ONARIM = 'C:\WireGuard\onarim.ps1'
function Log($m) {
$mutex = $null
try {
$mutex = New-Object System.Threading.Mutex($false, "Global\WGKillSwitchLog")
$mutex.WaitOne(2000) | Out-Null
Add-Content $LOG "$(Get-Date -f 'yyyy-MM-dd HH:mm:ss') | [WMI] $m" -Encoding UTF8 -EA SilentlyContinue
} finally { if ($mutex) { try { $mutex.ReleaseMutex() } catch {} } }
}
Start-Sleep -Seconds 2
$proc = Get-Process powershell -EA SilentlyContinue | Where-Object {
try { (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)" -EA Stop).CommandLine -like "*monitor.ps1*" }
catch { $false }
}
if (-not $proc) {
Log "Monitor oldu - onarim tetikleniyor"
if (Test-Path $ONARIM) { Start-Process powershell.exe -ArgumentList "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM`"" -WindowStyle Hidden }
} else {
Log "WMI tetiklendi ama monitor calisiyor (baska PS oldu) - aksiyon yok"
}
'@ | Set-Content $WMI_WRAPPER -Encoding UTF8 -Force
OK "wmi-onarim.ps1 yazildi"
# ================================================================
Baslik "10. SERVIS MONITOR"
# ================================================================
# Writes servis-monitor.ps1 verbatim. It is the process NSSM runs as the WGKillSwitchSvc
# service (the NSSM registration is not in this chunk): 20s after start it triggers one
# onarim.ps1 pass, then every 30s it checks for a powershell.exe with "monitor.ps1" in its
# command line and triggers onarim.ps1 whenever none is found. It never exits on its own.
# Together with the scheduled task and the WMI consumer this is the third independent path
# that re-creates the monitor, all running as SYSTEM with -ExecutionPolicy Bypass.
@'
# WGKillSwitchSvc Wrapper FINAL - NSSM tarafindan calistirilir - dokunma
$LOG = 'C:\WireGuard\killswitch.log'
$ONARIM = 'C:\WireGuard\onarim.ps1'
function Log($m) {
$mutex = $null
try {
$mutex = New-Object System.Threading.Mutex($false, "Global\WGKillSwitchLog")
$mutex.WaitOne(2000) | Out-Null
Add-Content $LOG "$(Get-Date -f 'yyyy-MM-dd HH:mm:ss') | [SVC] $m" -Encoding UTF8 -EA SilentlyContinue
} finally { if ($mutex) { try { $mutex.ReleaseMutex() } catch {} } }
}
Log "WGKillSwitchSvc baslatildi"
Start-Sleep -Seconds 20
if (Test-Path $ONARIM) {
Start-Process powershell.exe -ArgumentList "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM`"" -WindowStyle Hidden
Log "Ilk baslangic onarimi tetiklendi"
}
while ($true) {
Start-Sleep -Seconds 30
$proc = Get-Process powershell -EA SilentlyContinue | Where-Object {
try { (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)" -EA Stop).CommandLine -like "*monitor.ps1*" }
catch { $false }
}
if (-not $proc) {
Log "Monitor yok - onarim tetikleniyor"
if (Test-Path $ONARIM) { Start-Process powershell.exe -ArgumentList "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM`"" -WindowStyle Hidden }
}
}
'@ | Set-Content $SERVIS_PS1 -Encoding UTF8 -Force
OK "servis-monitor.ps1 yazildi"
# ================================================================
Baslik "11. ANA ZAMANLANMIS GOREV - 60SN BOOT DELAY"
# ================================================================
# Primary layer: a SYSTEM scheduled task that launches monitor.ps1 60 s after
# boot (so the WireGuard driver and service are up first), has no execution
# time limit, is restarted by the scheduler up to 999 times at 1-minute
# spacing, and ignores a second start while one instance is running. It is
# also started immediately after registration.
GorevDurdurSil $GOREV_ANA
$monitorArgs = "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$MONITOR_PS1`""
$bootTetik = New-ScheduledTaskTrigger -AtStartup
$bootTetik.Delay = "PT60S"   # ISO 8601 duration: 60 seconds
# [TimeSpan]::Zero as the execution limit disables the limit entirely.
$anaAyarlar = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -RestartCount 999 -RestartInterval (New-TimeSpan -Minutes 1) `
    -StartWhenAvailable -RunOnlyIfNetworkAvailable:$false -MultipleInstances IgnoreNew
$anaGorev = @{
    TaskName  = $GOREV_ANA
    Action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $monitorArgs
    Trigger   = $bootTetik
    Settings  = $anaAyarlar
    Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Force     = $true
}
Register-ScheduledTask @anaGorev | Out-Null
schtasks /Run /TN "\$GOREV_ANA" 2>$null | Out-Null
Start-Sleep 2
$g1 = Get-ScheduledTask -TaskName $GOREV_ANA -EA SilentlyContinue
if ($null -eq $g1) {
    HATA "WG-KillSwitch kurulamadi!"
} else {
    OK "WG-KillSwitch kuruldu ($($g1.State)) - 60sn boot delay [FIX-BOOT-3]"
}
# ================================================================
Baslik "12. ONARIM GOREVI - 30SN BOOT DELAY"
# ================================================================
# Repair layer: onarim.ps1 runs as SYSTEM 30 s after boot and then on a
# 5-minute cycle (first run 5 minutes from now, repeating for 9999 days).
# A 2-minute execution limit keeps a hung repair from piling up, and a new
# start is ignored while one instance is still running.
GorevDurdurSil $GOREV_ONARIM
$onarimArgs = "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM_PS1`""
$bootTetik2 = New-ScheduledTaskTrigger -AtStartup
$bootTetik2.Delay = "PT30S"   # ISO 8601 duration: 30 seconds
$periyodikTetik = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 9999)
$onarimAyarlar = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 2) `
    -StartWhenAvailable -RunOnlyIfNetworkAvailable:$false -MultipleInstances IgnoreNew
$onarimGorev = @{
    TaskName  = $GOREV_ONARIM
    Action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $onarimArgs
    Trigger   = @($bootTetik2, $periyodikTetik)
    Settings  = $onarimAyarlar
    Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Force     = $true
}
Register-ScheduledTask @onarimGorev | Out-Null
$g2 = Get-ScheduledTask -TaskName $GOREV_ONARIM -EA SilentlyContinue
if ($null -eq $g2) {
    HATA "WG-OnarimGorevi kurulamadi!"
} else {
    OK "WG-OnarimGorevi kuruldu ($($g2.State)) - 30sn boot delay [FIX-BOOT-4]"
}
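# ================================================================
Baslik "13. REGISTRY + KORUMA"
# ================================================================
# Lock down C:\WireGuard: drop inheritance, remove every existing rule, then
# grant SYSTEM and Administrators full control and BUILTIN\Users read/execute.
# Users need read access because the Startup-folder and Run-key layers launch
# onarim.ps1 in the logged-on user's context. Both new rules inherit to the
# folder's files and subfolders.
$acl = Get-Acl $KLASOR
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users","ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")))
Set-Acl -Path $KLASOR -AclObject $acl
# The tunnel config is a WireGuard profile and so carries the tunnel's private
# key. Do not let the Users read rule above inherit onto it: break inheritance
# on the file and keep only SYSTEM (which runs the tunnel service) and
# Administrators. The helper scripts themselves stay world-readable.
if (Test-Path $CONFIG) {
    $cfgAcl = Get-Acl $CONFIG
    $cfgAcl.SetAccessRuleProtection($true, $false)
    $cfgAcl.Access | ForEach-Object { $cfgAcl.RemoveAccessRule($_) | Out-Null }
    $cfgAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","Allow")))
    $cfgAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","Allow")))
    Set-Acl -Path $CONFIG -AclObject $cfgAcl
}
# Hidden+System attributes on everything except the log are cosmetic, not an
# access control; the ACL above is what actually restricts writes. The log is
# left visible so it stays easy to read.
Get-ChildItem $KLASOR -File | Where-Object { $_.Name -ne "killswitch.log" } |
ForEach-Object { attrib +S +H $_.FullName }
OK "ACL + gizleme tamam (log acik)"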
# Back up the main task definition both to disk and to the registry under
# HKLM:\SOFTWARE\WGKillSwitch (TaskXML, base64 of the exported XML), together
# with the helper script paths and install metadata. Presumably consumed by
# onarim.ps1 when the task is missing — that script is not visible here.
$gorevXml = Export-ScheduledTask -TaskName $GOREV_ANA
if ($gorevXml) {
    $regYolu = "HKLM:\SOFTWARE\WGKillSwitch"
    $gorevXml | Set-Content "$KLASOR\WG-KillSwitch-backup.xml" -Encoding UTF8 -Force
    $xmlBytes = [System.Text.Encoding]::UTF8.GetBytes($gorevXml)
    New-Item -Path $regYolu -Force | Out-Null
    $degerler = [ordered]@{
        TaskXML       = [Convert]::ToBase64String($xmlBytes)
        MonitorPath   = $MONITOR_PS1
        OnarimPath    = $ONARIM_PS1
        Version       = "FINAL"
        InstalledDate = (Get-Date -f "yyyy-MM-dd HH:mm:ss")
    }
    foreach ($ad in $degerler.Keys) {
        Set-ItemProperty -Path $regYolu -Name $ad -Value $degerler[$ad] -Force
    }
    OK "Registry yedegi yazildi (FINAL)"
}
# Per-logon layer: an HKLM Run entry launches onarim.ps1 in the context of
# whichever user logs on. NOTE(review): section 13 grants BUILTIN\Users
# read/execute only, so when a standard (non-admin) user logs on this instance
# can read the script but will not be able to write killswitch.log, and
# presumably cannot act on the SYSTEM tasks/services either — confirm against
# onarim.ps1; it may only be effective for administrator logons.
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" `
"WGKillSwitchGuard" "powershell.exe -NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM_PS1`"" -Force
OK "Registry Run key eklendi"
# SCM failure actions for the WireGuard tunnel service: restart 5 s, 10 s and
# then 30 s after successive failures; the failure count resets after 60 s
# without a failure. Errors (e.g. the service not existing yet) are discarded.
& sc.exe failure $TUNEL_SVC reset=60 actions=restart/5000/restart/10000/restart/30000 2>$null | Out-Null
OK "WireGuard tunel crash recovery ayarlandi"
# ================================================================
Baslik "14. WINDOWS SERVISI (NSSM) - DELAYED-AUTO"
# ================================================================
# Optional service layer: when nssm.exe has been staged in C:\WireGuard,
# wrap servis-monitor.ps1 in a LocalSystem service with delayed-auto start,
# NSSM-level restart 5 s after the wrapper exits, and SCM failure actions.
# The service security descriptor keeps start/stop/config rights with SYSTEM
# and Administrators and leaves Interactive/Service users query-only, so a
# standard user cannot stop it. All nssm/sc errors are discarded; the result is
# judged from `sc query` afterwards.
if (-not (Test-Path $NSSM)) {
    WARN "NSSM yok - servis katmani atlandı"
} else {
    & $NSSM install $WG_SVC_ADI powershell.exe 2>$null | Out-Null
    $nssmAyarlari = @(
        @('AppParameters', "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$SERVIS_PS1`""),
        @('Start', 'SERVICE_DELAYED_AUTO_START'),
        @('ObjectName', 'LocalSystem'),
        @('DisplayName', 'WG KillSwitch Guard'),
        @('Description', 'WireGuard Kill Switch FINAL - dokunma'),
        @('AppExit', 'Default', 'Restart'),
        @('AppRestartDelay', '5000')
    )
    foreach ($ayar in $nssmAyarlari) {
        & $NSSM set $WG_SVC_ADI @ayar 2>$null | Out-Null
    }
    & sc.exe failure $WG_SVC_ADI reset=60 actions=restart/5000/restart/10000/restart/30000 2>$null | Out-Null
    & sc.exe sdset $WG_SVC_ADI "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)" 2>$null | Out-Null
    & $NSSM start $WG_SVC_ADI 2>$null | Out-Null
    Start-Sleep 5
    $svcDurum = & sc.exe query $WG_SVC_ADI 2>$null
    switch -Regex ($svcDurum) {
        "RUNNING" { OK "WGKillSwitchSvc: CALISIYOR (delayed-auto) [FIX-BOOT-2]"; break }
        "PENDING" { OK "WGKillSwitchSvc: BASLIYOR..."; break }
        default   { WARN "WGKillSwitchSvc baslatılamadı - diger katmanlar devrede" }
    }
}
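# ================================================================
Baslik "15. WMI SUBSCRIPTION"
# ================================================================
# Permanent WMI event subscription in root\subscription: the filter polls every
# 5 s for a deleted Win32_Process named powershell.exe, and the
# CommandLineEventConsumer then runs wmi-onarim.ps1 (section 9), which decides
# whether the monitor actually died. Permanent subscriptions are a widely
# monitored persistence location (Sysmon WmiEvent IDs 19-21), so expect the
# filter, consumer and binding created here to appear in security telemetry.
$wmiFilterQuery = "SELECT * FROM __InstanceDeletionEvent WITHIN 5 " +
"WHERE TargetInstance ISA 'Win32_Process' " +
"AND TargetInstance.Name = 'powershell.exe'"
# New-CimInstance fails when an instance with the same key (Name) already
# exists, so a re-run of the installer used to report "kurulamadi" and skip the
# binding even though a usable filter/consumer was present. Reuse existing
# instances first. (A pre-existing filter keeps its old Query; remove it by
# hand if the query above is ever changed.)
$filter = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -EA SilentlyContinue |
Where-Object { $_.Name -eq $WMI_FILTER } | Select-Object -First 1
if (-not $filter) {
    $filter = New-CimInstance -Namespace root\subscription -ClassName __EventFilter `
        -Property @{ Name=$WMI_FILTER; EventNamespace="root\cimv2"; QueryLanguage="WQL"; Query=$wmiFilterQuery } -EA SilentlyContinue
}
$consumer = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -EA SilentlyContinue |
Where-Object { $_.Name -eq $WMI_CONSUMER } | Select-Object -First 1
if (-not $consumer) {
    $consumer = New-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer `
        -Property @{ Name=$WMI_CONSUMER; CommandLineTemplate="powershell.exe -NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$WMI_WRAPPER`"" } -EA SilentlyContinue
}
if ($filter -and $consumer) {
    # The binding is keyed on Filter+Consumer; if it already exists the error is
    # suppressed and the existing binding stays in effect.
    New-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding `
        -Property @{ Filter=[Ref]$filter; Consumer=[Ref]$consumer } -EA SilentlyContinue | Out-Null
    OK "WMI Event Subscription kuruldu"
} else { WARN "WMI Subscription kurulamadi" }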
# ================================================================
Baslik "16. STARTUP KLASORU"
# ================================================================
# All-users Startup folder shortcut: launches onarim.ps1 in a hidden window
# when any user logs on, in that user's context (see the note on the Run key
# in section 13 about what a non-admin instance can actually do).
$startupKlasor = Split-Path $STARTUP_LNK
New-Item -ItemType Directory -Path $startupKlasor -Force -EA SilentlyContinue | Out-Null
$kisayol = (New-Object -ComObject WScript.Shell).CreateShortcut($STARTUP_LNK)
$kisayol.TargetPath       = "powershell.exe"
$kisayol.Arguments        = "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM_PS1`""
$kisayol.WorkingDirectory = $KLASOR
$kisayol.Save()
if (-not (Test-Path $STARTUP_LNK)) {
    WARN "Startup shortcut olusturulamadi"
} else {
    OK "Startup shortcut olusturuldu"
}
# ================================================================
Baslik "17. GPO BOOT SCRIPT"
# ================================================================
# Writes wg-startup.ps1 into the local machine GPO Startup-scripts directory;
# ScriptsIniGuncelle (defined earlier in the file, not visible here) presumably
# registers it in scripts.ini. The here-string is the file's verbatim content
# and is left untouched. What it does at boot: logs with the shared mutex (tag
# [GPO]), sets the firewall default policy on all profiles to block inbound /
# allow outbound, waits up to 60 s in 3 s steps for the
# WireGuardTunnel$wgcf-profile service to report RUNNING, then launches
# onarim.ps1.
# NOTE(review): with `allowoutbound` as the default, the kill switch depends
# entirely on explicit block rules (section 19 checks for "KS - ENGEL IPv6
# Cikis" and "KS - DNS Engel"); if those are missing, traffic is free to leave
# outside the tunnel.
New-Item -ItemType Directory -Path $GPO_SCRIPT_DIR -Force -EA SilentlyContinue | Out-Null
@'
# WG KillSwitch GPO Boot Script FINAL
$LOG = 'C:\WireGuard\killswitch.log'
$ONARIM = 'C:\WireGuard\onarim.ps1'
function Log($m) {
$mutex = $null
try {
$mutex = New-Object System.Threading.Mutex($false, "Global\WGKillSwitchLog")
$mutex.WaitOne(2000) | Out-Null
Add-Content $LOG "$(Get-Date -f 'yyyy-MM-dd HH:mm:ss') | [GPO] $m" -Encoding UTF8 -EA SilentlyContinue
} finally { if ($mutex) { try { $mutex.ReleaseMutex() } catch {} } }
}
Log "GPO boot script calistı"
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound 2>$null | Out-Null
$bekle = 0
while ($bekle -lt 60) {
$svc = & sc.exe query "WireGuardTunnel`$wgcf-profile" 2>$null
if ($svc -match "RUNNING") { break }
Start-Sleep -Seconds 3; $bekle += 3
}
if (Test-Path $ONARIM) {
Start-Process powershell.exe -ArgumentList "-NonInteractive -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ONARIM`"" -WindowStyle Hidden
Log "Onarim tetiklendi (${bekle}sn beklendi)"
}
'@ | Set-Content $GPO_SCRIPT -Encoding UTF8 -Force
ScriptsIniGuncelle $GPO_INI $GPO_SCRIPT
# `secedit /refreshpolicy` appears to be the legacy (pre-gpupdate) syntax and
# may simply fail on current Windows; its error is swallowed. gpupdate is
# started without -Wait, so the check below only confirms the file was
# written, not that the policy has been applied.
Start-Process "secedit.exe" -ArgumentList "/refreshpolicy machine_policy /enforce" -WindowStyle Hidden -Wait -EA SilentlyContinue
Start-Process "gpupdate.exe" -ArgumentList "/force" -WindowStyle Hidden -EA SilentlyContinue
if (Test-Path $GPO_SCRIPT) { OK "GPO boot script kuruldu" } else { WARN "GPO script olusturulamadi" }
# ================================================================
Baslik "18. DEFENDER MUAFIYETI"
# ================================================================
# Excludes the whole C:\WireGuard folder from Defender scanning.
# NOTE(review): a folder-wide exclusion is broader than needed — only the
# helper .ps1 files and nssm.exe run from here — and means anything an
# administrator-level process later drops into the folder is never scanned.
# Per-file exclusions, or signing the scripts and dropping the exclusion,
# would keep the same scripts running. Section 19 checks for the folder path
# specifically, so the two would have to be changed together.
try { Add-MpPreference -ExclusionPath $KLASOR -EA Stop; OK "Defender muafiyeti: $KLASOR" }
catch { WARN "Defender muafiyeti eklenemedi" }
# ================================================================
Baslik "19. SON KONTROL"
# ================================================================
# Final verification pass. $h counts the checks that did not come out as
# expected and decides the colour of the closing banner.
$h = 0
if (-not (TunelCalisiyor)) {
    WARN "Tunel: KAPALI (monitor baslatacak)"
    $h++
} else {
    OK "Tunel: CALISIYOR"
}
$g1 = Get-ScheduledTask -TaskName $GOREV_ANA -EA SilentlyContinue
$g2 = Get-ScheduledTask -TaskName $GOREV_ONARIM -EA SilentlyContinue
if ($null -eq $g1) {
    HATA "WG-KillSwitch EKSIK"
    $h++
} else {
    OK "WG-KillSwitch: $($g1.State)"
}
if ($null -eq $g2) {
    HATA "WG-OnarimGorevi EKSIK"
    $h++
} else {
    # Section 12 registers two triggers (boot delay + 5-minute repetition).
    $tetik = ($g2.Triggers | Measure-Object).Count
    if ($tetik -lt 2) {
        WARN "WG-OnarimGorevi: $tetik tetikleyici (beklenen 2)"
        $h++
    } else {
        OK "WG-OnarimGorevi: $($g2.State) ($tetik tetikleyici)"
    }
}
# The monitor is identified by "monitor.ps1" appearing in a powershell.exe
# command line (the same heuristic the repair scripts use). If more than one
# is running, keep the one with the highest PID and stop the rest, then
# re-check. Processes whose CIM lookup fails are treated as non-matching.
Start-Sleep 3
$monitorBul = {
    Get-Process powershell -EA SilentlyContinue | Where-Object {
        try { (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)" -EA Stop).CommandLine -like "*monitor.ps1*" }
        catch { $false }
    }
}
$proc = & $monitorBul
if (($proc | Measure-Object).Count -gt 1) {
    $fazlalar = $proc | Sort-Object Id | Select-Object -SkipLast 1
    foreach ($p in $fazlalar) {
        Stop-Process -Id $p.Id -Force -EA SilentlyContinue
    }
    Start-Sleep 2
    $proc = & $monitorBul
}
if (-not $proc) {
    WARN "Monitor: henuz baslamadi"
} else {
    OK "Monitor: aktif (PID: $(($proc | Select-Object -First 1).Id))"
}
# Service-layer checks; sc.exe output is matched as text.
$svcSon = & sc.exe query $WG_SVC_ADI 2>$null
if ($svcSon -match "RUNNING") { OK "WGKillSwitchSvc: CALISIYOR" }
elseif (Test-Path $NSSM) { WARN "WGKillSwitchSvc: calısmiyor"; $h++ }
else { WARN "WGKillSwitchSvc: NSSM yok, atlandı" }
# Both services should be delayed-auto-start so they come up after the network
# stack and WireGuard driver (the FIX-BOOT-1 / FIX-BOOT-2 items in the summary).
$svcCfg = & sc.exe qc $TUNEL_SVC 2>$null
if ($svcCfg -match "DELAYED") { OK "WireGuard tunel: delayed-auto-start [FIX-BOOT-1]" }
else { WARN "WireGuard tunel: delayed-auto degil - boot sorunu olabilir [FIX-BOOT-1]" }
$svcCfg2 = & sc.exe qc $WG_SVC_ADI 2>$null
if ($svcCfg2 -match "DELAYED") { OK "WGKillSwitchSvc: delayed-auto-start [FIX-BOOT-2]" }
else { WARN "WGKillSwitchSvc: delayed-auto degil [FIX-BOOT-2]" }
# Presence of the persistence layers installed in sections 13 and 15-17.
$wmiK = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -EA SilentlyContinue |
Where-Object { $_.Name -eq $WMI_FILTER }
if ($wmiK) { OK "WMI Subscription: AKTIF" } else { WARN "WMI Subscription: yok"; $h++ }
if (Test-Path $STARTUP_LNK) { OK "Startup shortcut: MEVCUT" } else { WARN "Startup shortcut: yok"; $h++ }
if (Test-Path $GPO_SCRIPT) { OK "GPO script: MEVCUT" } else { WARN "GPO script: yok"; $h++ }
$reg = Get-ItemProperty "HKLM:\SOFTWARE\WGKillSwitch" -EA SilentlyContinue
if ($reg.TaskXML) { OK "Registry yedegi: v$($reg.Version)" } else { WARN "Registry yedegi: eksik"; $h++ }
# Firewall rules the kill switch relies on; they are created elsewhere in the
# installer (not in this section). Because the GPO boot script sets the
# default outbound policy to allow, a missing rule means traffic can leave
# outside the tunnel — hence the warning and the $h increment.
$ipv6k = Get-NetFirewallRule -DisplayName "KS - ENGEL IPv6 Cikis" -EA SilentlyContinue
if ($ipv6k -and $ipv6k.Enabled -eq "True") { OK "IPv6 engeli: AKTIF" } else { WARN "IPv6 engeli: aktif degil"; $h++ }
$dns = Get-NetFirewallRule -DisplayName "KS - DNS Engel" -EA SilentlyContinue
if ($dns) { OK "DNS sizinti korumasi: AKTIF" } else { WARN "DNS sizinti korumasi: yok"; $h++ }
# Keep the log visible: strip hidden/system/read-only attributes if something
# has set them. NOTE(review): the bare "H " match on attrib's output works for
# this fixed path but would not generalise to arbitrary paths.
$logAttr = & attrib $LOG 2>$null
if ($logAttr -match "H ") { attrib -H -S -R $LOG 2>$null | Out-Null; WARN "Log gizli bayrak temizlendi" }
else { OK "killswitch.log: acik ve yazilabilir" }
# Folder-wide Defender exclusion added in section 18; checked by exact path.
$defMuaf = (Get-MpPreference -EA SilentlyContinue).ExclusionPath
if ($defMuaf -contains $KLASOR) { OK "Defender muafiyeti: AKTIF" } else { WARN "Defender muafiyeti: aktif degil" }
# Closing summary: green banner when every check passed, yellow with the
# warning count otherwise, followed by the list of boot-timing fixes this
# revision carries and the log location. `pause` keeps the console open.
Log "wg-final.ps1 kurulum tamamlandi"
Write-Host ""
$cizgi = "================================================================"
if ($h -eq 0) {
    $bannerRenk = "Green"
    $ozet       = " KURULUM TAMAMLANDI - SISTEM MAKSIMUM KORUMADA (FINAL) "
    $ozetRenk   = "White"
} else {
    $bannerRenk = "Yellow"
    $ozet       = " KURULUM TAMAMLANDI - $h UYARI VAR (yukari bak) "
    $ozetRenk   = "Yellow"
}
Write-Host $cizgi -ForegroundColor $bannerRenk
Write-Host $ozet -ForegroundColor $ozetRenk
Write-Host $cizgi -ForegroundColor $bannerRenk
Write-Host ""
Write-Host " FINAL - TUM IYILESTIRMELER AKTIF:" -ForegroundColor White
Write-Host " Boot'ta tunel kalkamiyor = driver hazir olmadan monitor devreye giriyordu" -ForegroundColor Gray
$duzeltmeler = @(
    " [FIX-BOOT-1] WireGuard tunel: delayed-auto-start",
    " [FIX-BOOT-2] WGKillSwitchSvc: delayed-auto-start",
    " [FIX-BOOT-3] WG-KillSwitch gorevi: 60sn boot delay",
    " [FIX-BOOT-4] WG-OnarimGorevi: 30sn boot delay",
    " [FIX-BOOT-5] monitor.ps1 boot bekleme: 20sn -> 90sn",
    " [FIX-BOOT-7] Deneme araligi: 5sn -> 10sn",
    " [FIX-BOOT-8] 5 deneme basarisiz = 3dk bekle + tekrar (sonsuz)",
    " [FIX-BOOT-9] onarim.ps1 monitor'u dogrudan da baslatir",
    " [FIX-SERVIS] servis-monitor.ps1: 60sn -> 30sn kontrol"
)
foreach ($satir in $duzeltmeler) {
    Write-Host $satir -ForegroundColor DarkGray
}
Write-Host ""
Write-Host " Log: C:\WireGuard\killswitch.log" -ForegroundColor Gray
Write-Host ""
pause