This repository has been archived by the owner on Feb 16, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 166
/
wireguard-install.sh
executable file
·202 lines (177 loc) · 7.25 KB
/
wireguard-install.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
#!/bin/bash
#
# https://github.com/l-n-s/wireguard-install
#
# Copyright (c) 2018 Viktor Villainov. Released under the MIT License.
WG_CONFIG="/etc/wireguard/wg0.conf"
function get_free_udp_port
{
local port=$(shuf -i 2000-65000 -n 1)
ss -lau | grep $port > /dev/null
if [[ $? == 1 ]] ; then
echo "$port"
else
get_free_udp_port
fi
}
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit
fi
if [[ ! -e /dev/net/tun ]]; then
echo "The TUN device is not available. You need to enable TUN before running this script"
exit
fi
if [ -e /etc/centos-release ]; then
DISTRO="CentOS"
elif [ -e /etc/debian_version ]; then
DISTRO=$( lsb_release -is )
else
echo "Your distribution is not supported (yet)"
exit
fi
if [ "$( systemd-detect-virt )" == "openvz" ]; then
echo "OpenVZ virtualization is not supported"
exit
fi
if [ ! -f "$WG_CONFIG" ]; then
### Install server and add default client
INTERACTIVE=${INTERACTIVE:-yes}
PRIVATE_SUBNET=${PRIVATE_SUBNET:-"10.9.0.0/24"}
PRIVATE_SUBNET_MASK=$( echo $PRIVATE_SUBNET | cut -d "/" -f 2 )
GATEWAY_ADDRESS="${PRIVATE_SUBNET::-4}1"
if [ "$SERVER_HOST" == "" ]; then
SERVER_HOST=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [ "$INTERACTIVE" == "yes" ]; then
read -p "Servers public IP address is $SERVER_HOST. Is that correct? [y/n]: " -e -i "y" CONFIRM
if [ "$CONFIRM" == "n" ]; then
echo "Aborted. Use environment variable SERVER_HOST to set the correct public IP address"
exit
fi
fi
fi
if [ "$SERVER_PORT" == "" ]; then
SERVER_PORT=$( get_free_udp_port )
fi
if [ "$CLIENT_DNS" == "" ]; then
echo "Which DNS do you want to use with the VPN?"
echo " 1) Cloudflare"
echo " 2) Google"
echo " 3) OpenDNS"
read -p "DNS [1-3]: " -e -i 1 DNS_CHOICE
case $DNS_CHOICE in
1)
CLIENT_DNS="1.1.1.1,1.0.0.1"
;;
2)
CLIENT_DNS="8.8.8.8,8.8.4.4"
;;
3)
CLIENT_DNS="208.67.222.222,208.67.220.220"
;;
esac
fi
if [ "$CLIENT_NAME" == "" ]; then
read -p "Tell me a name for the client config file. Use one word only, no special characters: " -e -i "client" CLIENT_NAME
fi
if [ "$DISTRO" == "Ubuntu" ]; then
apt-get install software-properties-common -y
add-apt-repository ppa:wireguard/wireguard -y
apt update
apt install linux-headers-$(uname -r) wireguard qrencode iptables-persistent -y
elif [ "$DISTRO" == "Debian" ]; then
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt-get install software-properties-common -y
apt update
apt install linux-headers-$(uname -r) wireguard qrencode iptables-persistent -y
elif [ "$DISTRO" == "CentOS" ]; then
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install epel-release -y
yum install wireguard-dkms qrencode wireguard-tools firewalld -y
fi
SERVER_PRIVKEY=$( wg genkey )
SERVER_PUBKEY=$( echo $SERVER_PRIVKEY | wg pubkey )
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo $CLIENT_PRIVKEY | wg pubkey )
CLIENT_ADDRESS="${PRIVATE_SUBNET::-4}3"
mkdir -p /etc/wireguard
touch $WG_CONFIG && chmod 600 $WG_CONFIG
echo "# $PRIVATE_SUBNET $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY $CLIENT_DNS
[Interface]
Address = $GATEWAY_ADDRESS/$PRIVATE_SUBNET_MASK
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIVKEY
SaveConfig = false" > $WG_CONFIG
echo "# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32" >> $WG_CONFIG
echo "[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_HOST:$SERVER_PORT
PersistentKeepalive = 25" > $HOME/$CLIENT_NAME-wg0.conf
qrencode -t ansiutf8 -l L < $HOME/$CLIENT_NAME-wg0.conf
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.forwarding=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
if [ "$DISTRO" == "CentOS" ]; then
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=$SERVER_PORT/udp
firewall-cmd --zone=trusted --add-source=$PRIVATE_SUBNET
firewall-cmd --permanent --zone=public --add-port=$SERVER_PORT/udp
firewall-cmd --permanent --zone=trusted --add-source=$PRIVATE_SUBNET
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET ! -d $PRIVATE_SUBNET -j SNAT --to $SERVER_HOST
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET ! -d $PRIVATE_SUBNET -j SNAT --to $SERVER_HOST
else
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET -m policy --pol none --dir in -j ACCEPT
iptables -t nat -A POSTROUTING -s $PRIVATE_SUBNET -m policy --pol none --dir out -j MASQUERADE
iptables -A INPUT -p udp --dport $SERVER_PORT -j ACCEPT
iptables-save > /etc/iptables/rules.v4
fi
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service
# TODO: unattended updates, apt install dnsmasq ntp
echo "Client config --> $HOME/$CLIENT_NAME-wg0.conf"
echo "Now reboot the server and enjoy your fresh VPN installation! :^)"
else
### Server is installed, add a new client
CLIENT_NAME="$1"
if [ "$CLIENT_NAME" == "" ]; then
echo "Tell me a name for the client config file. Use one word only, no special characters."
read -p "Client name: " -e CLIENT_NAME
fi
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo $CLIENT_PRIVKEY | wg pubkey )
PRIVATE_SUBNET=$( head -n1 $WG_CONFIG | awk '{print $2}')
PRIVATE_SUBNET_MASK=$( echo $PRIVATE_SUBNET | cut -d "/" -f 2 )
SERVER_ENDPOINT=$( head -n1 $WG_CONFIG | awk '{print $3}')
SERVER_PUBKEY=$( head -n1 $WG_CONFIG | awk '{print $4}')
CLIENT_DNS=$( head -n1 $WG_CONFIG | awk '{print $5}')
LASTIP=$( grep "/32" $WG_CONFIG | tail -n1 | awk '{print $3}' | cut -d "/" -f 1 | cut -d "." -f 4 )
CLIENT_ADDRESS="${PRIVATE_SUBNET::-4}$((LASTIP+1))"
echo "# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32" >> $WG_CONFIG
echo "[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_ENDPOINT
PersistentKeepalive = 25" > $HOME/$CLIENT_NAME-wg0.conf
qrencode -t ansiutf8 -l L < $HOME/$CLIENT_NAME-wg0.conf
ip address | grep -q wg0 && wg set wg0 peer "$CLIENT_PUBKEY" allowed-ips "$CLIENT_ADDRESS/32"
echo "Client added, new configuration file --> $HOME/$CLIENT_NAME-wg0.conf"
fi