connect_to_wireguard_with_token.ps1
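<#
Connects to a PIA WireGuard server on Windows using an already-obtained token.

Reads from the calling scope (set them before running the script):
  $WG_SERVER_IP         - IP of the server to connect to (required)
  $WG_HOSTNAME          - server name, used for TLS name checking (required)
  $PIA_TOKEN            - PIA authentication token (required)
  $PIA_PF               - when truthy, hands off to ./port_forwarding.ps1 at the end
  $PIA_DNS              - when truthy, adds the API-supplied DNS server to the config
  $ALLOWED_IPS          - overrides the AllowedIPs line of the generated config
  $LOCAL_NETWORK_BYPASS - "true" routes everything except RFC1918 ranges through the tunnel
  $PAYLOAD_AND_SIGNATURE - only mentioned in the usage text; not read here

Needs on PATH: wg, wireguard.exe, curl.exe (the real binary, not the
Invoke-WebRequest alias). Needs ./ca.rsa.4096.crt in the current directory.

Writes %USERPROFILE%\piavpn-manual\wireguard\pia.conf (contains the freshly
generated private key) and installs the "pia" tunnel service.
Exit code 1 on any failure, and also on the informational "PIA_PF not set" path,
matching the bash script this was ported from.
#>

if ([System.Environment]::OSVersion.Platform -ne "Win32NT") {
  Write-Host -ForegroundColor Red "This script can only be run on Windows. For Linux, please use the bash script."
  exit 1
}

# PIA currently does not support IPv6. In order to be sure your VPN
# connection does not leak, it is best to disabled IPv6 altogether.
Write-Host "PIA currently does not support IPv6. In order to be sure your VPN"
Write-Host "connection does not leak, it is best to disabled IPv6 altogether."

# Check if the mandatory environment variables are set.
if ((-Not $WG_SERVER_IP) -or (-Not $WG_HOSTNAME) -or (-Not $PIA_TOKEN)) {
  Write-Host -ForegroundColor Red "This script requires 3 env vars:"
  Write-Host -ForegroundColor Red "WG_SERVER_IP - IP that you want to connect to"
  Write-Host -ForegroundColor Red "WG_HOSTNAME - name of the server, required for ssl"
  Write-Host -ForegroundColor Red "PIA_TOKEN - your authentication token"
  Write-Host
  Write-Host -ForegroundColor Red "You can also specify optional env vars:"
  Write-Host -ForegroundColor Red "PIA_PF - enable port forwarding"
  Write-Host -ForegroundColor Red "PAYLOAD_AND_SIGNATURE - In case you already have a port."
  Write-Host
  Write-Host -ForegroundColor Red "An easy solution is to just run get_region_and_token.ps1"
  Write-Host -ForegroundColor Red "as it will guide you through getting the best server and"
  Write-Host -ForegroundColor Red "also a token. Detailed information can be found here:"
  Write-Host -ForegroundColor Red "https://github.com/pia-foss/manual-connections"
  exit 1
}

# Fail early with a clear message instead of half-way through (e.g. sending an
# empty pubkey to the API because `wg` was missing). "curl.exe" is spelled
# with the extension on purpose: bare "curl" is an Invoke-WebRequest alias in
# Windows PowerShell.
foreach ($tool in @("wg", "wireguard.exe", "curl.exe")) {
  if (-Not (Get-Command $tool -ErrorAction SilentlyContinue)) {
    Write-Host -ForegroundColor Red "Required tool '$tool' was not found on PATH."
    exit 1
  }
}

# The certificate is required to verify the identity of the VPN server.
# It is looked up relative to the current directory, like ./port_forwarding.ps1.
# In case you didn't clone the entire repo, get the certificate from:
# https://github.com/pia-foss/manual-connections/blob/master/ca.rsa.4096.crt
$caCert = "ca.rsa.4096.crt"
if (-Not (Test-Path -LiteralPath $caCert)) {
  Write-Host -ForegroundColor Red "Certificate '$caCert' not found in the current directory."
  Write-Host -ForegroundColor Red "Get it from https://github.com/pia-foss/manual-connections/blob/master/ca.rsa.4096.crt"
  exit 1
}

# Create ephemeral wireguard keys, that we don't need to save to disk
# (the private key does end up in pia.conf below, which is what wireguard.exe reads).
$privKey = & wg genkey
if ($LASTEXITCODE -ne 0 -or -Not $privKey) {
  Write-Host -ForegroundColor Red "wg genkey failed; cannot continue without a key pair."
  exit 1
}
$pubKey = $privKey | & wg pubkey
if ($LASTEXITCODE -ne 0 -or -Not $pubKey) {
  Write-Host -ForegroundColor Red "wg pubkey failed; cannot continue without a key pair."
  exit 1
}

# Authenticate via the PIA WireGuard RESTful API.
# This will return a JSON with data required for authentication.
# In case you want to troubleshoot the script, replace -s with -v.
Write-Host "Trying to connect to the PIA WireGuard API on $WG_SERVER_IP..."
# Arguments go to curl.exe as an array, not through Invoke-Expression, so a
# hostname or token containing quotes/semicolons cannot be re-parsed as
# PowerShell code. (The token is still on curl.exe's command line and thus
# visible in process listings for the duration of the call.)
# --connect-to sends the request to $WG_SERVER_IP while keeping $WG_HOSTNAME
# for the TLS name check, and --cacert pins the PIA CA. Do NOT add -k: it turns
# certificate verification off, so whoever answers at $WG_SERVER_IP could hand
# back their own server_key/peer_ip. --ssl-no-revoke only skips Schannel's
# revocation lookup, which has no CRL to consult for this private CA.
$curlArgs = @(
  "-s", "-G",
  "--ssl-no-revoke",
  "--connect-to", "${WG_HOSTNAME}::${WG_SERVER_IP}:",
  "--cacert", $caCert,
  "--data-urlencode", "pt=${PIA_TOKEN}",
  "--data-urlencode", "pubkey=${pubKey}",
  "https://${WG_HOSTNAME}:1337/addKey"
)
$apiResponse = & curl.exe @curlArgs
if ($LASTEXITCODE -ne 0 -or -Not $apiResponse) {
  Write-Host -ForegroundColor Red "curl.exe exited with code $LASTEXITCODE; no usable response from the API."
  exit 1
}
# Join first: multi-line output must reach ConvertFrom-Json as one document.
$wireguard_json = ($apiResponse -join "`n") | ConvertFrom-Json

# Check if the API returned OK and stop this script if it didn't.
if ($wireguard_json.status -ne "OK") {
  Write-Error "Server did not return OK. Stopping now."
  exit 1
}

# Multi-hop is out of the scope of this repo, but you should be able to
# get multi-hop running with both WireGuard and OpenVPN by playing with
# these scripts. Feel free to fork the project and test it out.
Write-Host
Write-Host "Trying to disable a PIA WG connection in case it exists..."
$wgShowFirstLine = & wg.exe show | Select-Object -First 1
if ($wgShowFirstLine -eq "interface: pia") {
  & wireguard.exe /uninstalltunnelservice pia
  Start-Sleep 1
  Write-Host -ForegroundColor Green "PIA WG connection disabled!"
}

# Create the WireGuard config based on the JSON received from the API
# In case you want this section to also add the DNS setting, please
# start the script with PIA_DNS=true.
# This uses a PersistentKeepalive of 25 seconds to keep the NAT active
# on firewalls. You can remove that line if your network does not
# require it.
$dnsSettingForVPN = ""   # empty line in the config unless PIA_DNS asks for DNS
if ($PIA_DNS) {
  $dnsServer = $wireguard_json.dns_servers | Select-Object -First 1
  if ($dnsServer) {
    Write-Host "Trying to set up DNS to $dnsServer."
    Write-Host
    $dnsSettingForVPN = "DNS = $dnsServer"
  }
  else {
    # A bare "DNS =" line would make wireguard.exe reject the config.
    Write-Host -ForegroundColor Yellow "API response has no dns_servers; leaving DNS unset."
  }
}

if (-Not $ALLOWED_IPS) {
  if ($LOCAL_NETWORK_BYPASS -eq "true") {
    # Everything except 10/8, 172.16/12 and 192.168/16, expressed as the
    # complementary set of prefixes.
    $ALLOWED_IPS = "0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3"
  }
  else {
    $ALLOWED_IPS = "0.0.0.0/0"
  }
}

$confDir = Join-Path $env:USERPROFILE "piavpn-manual\wireguard"
$confPath = Join-Path $confDir "pia.conf"
Write-Host "Trying to write $confPath..."
New-Item -Path $confDir -ItemType "Directory" -ErrorAction SilentlyContinue | Out-Null
$wgConfig = @"
[Interface]
Address = $($wireguard_json.peer_ip)
PrivateKey = $privKey
$dnsSettingForVPN
[Peer]
PersistentKeepalive = 25
PublicKey = $($wireguard_json.server_key)
AllowedIPs = $ALLOWED_IPS
Endpoint = ${WG_SERVER_IP}:$($wireguard_json.server_port)
"@
# The content is pure ASCII. Pinning the encoding makes the file identical
# under Windows PowerShell (Out-File defaults to UTF-16LE) and pwsh (UTF-8).
$wgConfig | Out-File -LiteralPath $confPath -Encoding ascii
Write-Host -ForegroundColor Green "OK!"

# Start the WireGuard interface.
# If something failed, stop this script.
Write-Host
Write-Host "Trying to create the wireguard interface..."
# $confPath is a single argument, so a profile directory containing a space
# (C:\Users\First Last) is no longer split in two. $LASTEXITCODE is the
# native exit status; $? after Invoke-Expression did not reliably reflect it.
& wireguard.exe /installtunnelservice $confPath
if ($LASTEXITCODE -ne 0) {
  Write-Host -ForegroundColor Red "wireguard.exe /installtunnelservice failed with exit code $LASTEXITCODE."
  exit 1
}

Write-Host
Write-Host -ForegroundColor Green "The WireGuard interface got created."
Write-Host "At this point, internet should work via VPN.
The Wireguard GUI might not be showing accurate information
about the interface, but in the `"Log`" tab it'll show.
To disconnect the VPN, run:
--> " -NoNewline; Write-Host -ForegroundColor Green "wireguard.exe /uninstalltunnelservice pia" -NoNewline; Write-Host " <--"

# This section will stop the script if PIA_PF is not set to "true".
# Note that the suggested command lines below echo $PIA_TOKEN to the console,
# so it will appear in transcripts and terminal scrollback.
if (-Not $PIA_PF) {
  Write-Host "If you want to also enable port forwarding, you can start the script:"
  Write-Host -ForegroundColor Green "> `$PIA_TOKEN = $PIA_TOKEN; `$PF_GATEWAY = $WG_SERVER_IP; `$PF_HOSTNAME = $WG_HOSTNAME; ./port_forwarding.ps1"
  Write-Host
  Write-Host "The location used must be port forwarding enabled, or this will fail."
  Write-Host "Calling the ./get_region script with `$PIA_PF=true will provide a filtered list."
  exit 1
}

Write-Host "This script got started with " -NoNewline; Write-Host -ForegroundColor Green "`$PIA_PF=true" -NoNewline; Write-Host ".
Starting port forwarding in " -NoNewline
for ($i = 5; $i -gt 0; $i--) {
  Write-Host "$i..." -NoNewline
  Start-Sleep 1
}
Write-Host
Write-Host
Write-Host "Starting procedure to enable port forwarding by running the following command:
> " -NoNewline; Write-Host -ForegroundColor Green "`$PIA_TOKEN = $PIA_TOKEN; `$PF_GATEWAY = $WG_SERVER_IP; `$PF_HOSTNAME = $WG_HOSTNAME; ./port_forwarding.ps1"
# port_forwarding.ps1 runs in a child scope and picks up $PIA_TOKEN,
# $PF_GATEWAY and $PF_HOSTNAME from this one.
$PF_GATEWAY = $WG_SERVER_IP
$PF_HOSTNAME = $WG_HOSTNAME
& "./port_forwarding.ps1"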