#!/bin/bash
#
# https://github.com/l-n-s/wireguard-install
#
# Copyright (c) 2018 Viktor Villainov. Released under the MIT License.
# Server-side WireGuard config. Besides the [Interface]/[Peer] sections it holds
# the server private key, and its first line is a comment ("# subnet endpoint pubkey")
# that the add-client path below parses with awk, so do not reorder it by hand.
WG_CONFIG="/etc/wireguard/wg0.conf"
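#######################################
# Pick a random UDP port in 2000-65000 that no local socket is bound to.
# Outputs: the port number on stdout.
#
# Fixes over the original: `ss` is called with -n, because without it ss prints
# service names ("mdns", "domain", ...) for well-known ports and a numeric grep
# never sees them; and the match is anchored on ":PORT" followed by whitespace or
# end of line, so 2000 no longer "collides" with 12000/20001 or with digits
# inside an address. If ss is unavailable the check silently passes, as before.
#######################################
get_free_udp_port() {
  local port
  while :; do
    port=$(shuf -i 2000-65000 -n 1)
    if ! ss -lanu 2>/dev/null | grep -qE ":${port}([[:space:]]|$)"; then
      printf '%s\n' "$port"
      return 0
    fi
  done
}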
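#######################################
# Print an error to stderr and exit non-zero. The original script used a bare
# `exit` on every error path, which returns 0 and hides failures from callers.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# subnet_prefix 10.9.0.0/24  ->  "10.9.0."
# Host addresses are built by appending a single last octet, so only /24-style
# networks make sense here (same limitation as the original `${PRIVATE_SUBNET::-4}`,
# minus its assumption that the network's last octet is exactly one character).
#######################################
subnet_prefix() {
  local network="${1%/*}"
  printf '%s.' "${network%.*}"
}

#######################################
# Refuse client names that cannot be used safely. The name becomes part of a
# filename under $HOME and a comment line inside wg0.conf, so "/" or ".." would
# write outside $HOME and a newline would inject config directives.
#######################################
validate_client_name() {
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]] \
    || die "Invalid client name '$1': use letters, digits, '-' and '_' only"
}

[[ "$EUID" -eq 0 ]] || die "Sorry, you need to run this as root"
[[ -e /dev/net/tun ]] || die "The TUN device is not available. You need to enable TUN before running this script"
# TODO: check if distro is supported
# TODO: add Debian and CentOS support

if [[ ! -f "$WG_CONFIG" ]]; then
  ### Install server and add default client
  INTERACTIVE=${INTERACTIVE:-yes}
  PRIVATE_SUBNET=${PRIVATE_SUBNET:-"10.9.0.0/24"}
  PRIVATE_SUBNET_MASK=${PRIVATE_SUBNET#*/}
  GATEWAY_ADDRESS="$(subnet_prefix "$PRIVATE_SUBNET")1"
  if [[ -z "$SERVER_HOST" ]]; then
    # First non-loopback IPv4 address on the box. Behind NAT this is a private
    # address, which is why the interactive confirmation exists.
    SERVER_HOST=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
    if [[ "$INTERACTIVE" == "yes" ]]; then
      read -r -p "Servers public IP address is $SERVER_HOST. Is that correct? [y/n]: " -e -i "y" CONFIRM
      if [[ "$CONFIRM" == "n" ]]; then
        echo "Aborted. Use environment variable SERVER_HOST to set the correct public IP address"
        exit 1
      fi
    fi
  fi
  [[ -n "$SERVER_HOST" ]] || die "Could not determine the server address; set SERVER_HOST"
  if [[ -z "$SERVER_PORT" ]]; then
    SERVER_PORT=$(get_free_udp_port)
  fi
  # NOTE(review): the wireguard PPA is only required on Ubuntu releases that do
  # not ship wireguard in the main archive; where it is gone the step fails and
  # apt carries on. Nothing here runs under set -e, hence the explicit wg check.
  add-apt-repository ppa:wireguard/wireguard -y
  apt-get update
  apt install wireguard iptables-persistent -y
  command -v wg >/dev/null 2>&1 || die "wg is not installed; the package installation above failed"
  # Everything written from here on contains private keys. The default umask
  # (022) would leave wg0.conf and the client config world-readable.
  umask 077
  SERVER_PRIVKEY=$(wg genkey)
  SERVER_PUBKEY=$(wg pubkey <<<"$SERVER_PRIVKEY")
  CLIENT_PRIVKEY=$(wg genkey)
  CLIENT_PUBKEY=$(wg pubkey <<<"$CLIENT_PRIVKEY")
  [[ -n "$SERVER_PRIVKEY" && -n "$CLIENT_PRIVKEY" ]] || die "wg genkey failed"
  # .1 is the gateway; the first client gets .3, later clients continue from the
  # highest /32 already in wg0.conf.
  CLIENT_ADDRESS="$(subnet_prefix "$PRIVATE_SUBNET")3"
  # The first line is a comment that add-client runs parse with awk:
  # field 2 = subnet, field 3 = endpoint, field 4 = server public key.
  cat > "$WG_CONFIG" <<EOF || die "Cannot write $WG_CONFIG"
# $PRIVATE_SUBNET $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY
[Interface]
Address = $GATEWAY_ADDRESS/$PRIVATE_SUBNET_MASK
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIVKEY
SaveConfig = false
EOF
  cat >> "$WG_CONFIG" <<EOF || die "Cannot write $WG_CONFIG"
# client
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32
EOF
  # NOTE(review): the client config sets no DNS server, so a full-tunnel client
  # (AllowedIPs = 0.0.0.0/0) keeps using whatever resolver it had locally;
  # the dnsmasq TODO below is the intended fix. $HOME is wherever sudo/root put
  # it, so the config may land in /root rather than the invoking user's home.
  cat > "$HOME/client-wg0.conf" <<EOF || die "Cannot write $HOME/client-wg0.conf"
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = $SERVER_HOST:$SERVER_PORT
PersistentKeepalive = 25
EOF
  # Enable forwarding persistently; skip lines that are already present so a
  # re-run does not keep appending duplicates.
  for setting in net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1; do
    grep -qxF "$setting" /etc/sysctl.conf || echo "$setting" >> /etc/sysctl.conf
  done
  sysctl -p
  # Forward new flows from the VPN subnet, NAT them out, and open the listen port.
  # The "-m policy --pol none" matches exclude IPsec-transformed traffic.
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate NEW -s "$PRIVATE_SUBNET" -m policy --pol none --dir in -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET" -m policy --pol none --dir out -j MASQUERADE
  iptables -A INPUT -p udp --dport "$SERVER_PORT" -j ACCEPT
  iptables-save > /etc/iptables/rules.v4
  systemctl enable wg-quick@wg0.service
  systemctl start wg-quick@wg0.service
  # TODO: unattended updates, apt install dnsmasq ntp
  echo "Client config --> $HOME/client-wg0.conf"
  echo "Now reboot the server and enjoy your fresh VPN installation! :^)"
else
  ### Server is installed, add a new client
  CLIENT_NAME="$1"
  if [[ -z "$CLIENT_NAME" ]]; then
    echo "Tell me a name for the client config file. Use one word only, no special characters."
    read -r -p "Client name: " -e CLIENT_NAME
  fi
  validate_client_name "$CLIENT_NAME"
  CLIENT_CONFIG="$HOME/$CLIENT_NAME-wg0.conf"
  # Refuse to overwrite: the existing file holds that client's only copy of its key.
  [[ -e "$CLIENT_CONFIG" ]] && die "$CLIENT_CONFIG already exists; pick another client name"
  # Private keys are written below; also tighten the server config, which older
  # installs of this script left at the default 0644.
  umask 077
  chmod 600 "$WG_CONFIG"
  CLIENT_PRIVKEY=$(wg genkey)
  CLIENT_PUBKEY=$(wg pubkey <<<"$CLIENT_PRIVKEY")
  [[ -n "$CLIENT_PRIVKEY" ]] || die "wg genkey failed"
  # Recover subnet, endpoint and server key from the header comment written at install.
  PRIVATE_SUBNET=$(head -n1 "$WG_CONFIG" | awk '{print $2}')
  PRIVATE_SUBNET_MASK=${PRIVATE_SUBNET#*/}
  SERVER_ENDPOINT=$(head -n1 "$WG_CONFIG" | awk '{print $3}')
  SERVER_PUBKEY=$(head -n1 "$WG_CONFIG" | awk '{print $4}')
  [[ -n "$PRIVATE_SUBNET" && -n "$SERVER_ENDPOINT" && -n "$SERVER_PUBKEY" ]] \
    || die "First line of $WG_CONFIG is not the '# subnet endpoint pubkey' header this script expects"
  # Last octet of the most recently added client (/32 AllowedIPs line, field 3).
  LASTIP=$(grep "/32" "$WG_CONFIG" | tail -n1 | awk '{print $3}' | cut -d "/" -f 1 | cut -d "." -f 4)
  [[ "$LASTIP" =~ ^[0-9]+$ ]] || die "Could not find an allocated client address in $WG_CONFIG"
  (( LASTIP < 254 )) || die "No free addresses left in $PRIVATE_SUBNET"
  CLIENT_ADDRESS="$(subnet_prefix "$PRIVATE_SUBNET")$((LASTIP+1))"
  cat >> "$WG_CONFIG" <<EOF || die "Cannot write $WG_CONFIG"
# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32
EOF
  cat > "$CLIENT_CONFIG" <<EOF || die "Cannot write $CLIENT_CONFIG"
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = $SERVER_ENDPOINT
PersistentKeepalive = 25
EOF
  # Add the peer to the running interface too, so no restart is needed.
  ip address | grep -q wg0 && wg set wg0 peer "$CLIENT_PUBKEY" allowed-ips "$CLIENT_ADDRESS/32"
  echo "Client added, new configuration file --> $CLIENT_CONFIG"
fi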