IPv6 support #57
wants to merge 3 commits into
base: master
5 changes: 3 additions & 2 deletions README.md
@@ -1,6 +1,6 @@
# wireguard-install

[WireGuard](https://www.wireguard.com) [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu 18.04 LTS, Debian 9 and CentOS 7.
[WireGuard](https://www.wireguard.com) [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu 18.04 LTS, Debian 9 and CentOS 7-8.

This script will let you setup your own VPN server in no more than a minute, even if you haven't used WireGuard before. It has been designed to be as unobtrusive and universal as possible.

Expand All @@ -24,6 +24,7 @@ The script can be configured by setting the following environment variables:
* SERVER\_HOST - public IP address, detected by default
* SERVER\_PORT - listening port, picked random by default
* CLIENT\_DNS - comma separated DNS servers to use by the client
* PRIVATE\_SUBNET6 - IPv6 private subnet, empty by default, causes installing with IPv6 support

## Setting up clients

Expand All @@ -34,7 +35,7 @@ Install WireGuard and reboot your computer:
sudo add-apt-repository ppa:wireguard/wireguard -y && sudo apt update && sudo apt install wireguard resolvconf -y
sudo reboot

Copy the file `/root/client-wg0.conf` from a remote server to your local PC path `/etc/wireguard/wg0.conf` and run
Copy the file `/root/client-wg0.conf` from a remote server to your local PC path `/etc/wireguard/wg0.conf` and run
`sudo systemctl start wg-quick@wg0.service`

To show VPN status, run `sudo wg show`.
94 changes: 68 additions & 26 deletions wireguard-install.sh
Expand Up @@ -64,6 +64,23 @@ if [ ! -f "$WG_CONFIG" ]; then
SERVER_PORT=$( get_free_udp_port )
fi

### If you want to enable IPv6, supply PRIVATE_SUBNET6 environment variable or accept using random subnet
### TODO: Add IPv6 subnet validation
PRIVATE_SUBNET6=${PRIVATE_SUBNET6:-""}
if [[ "$PRIVATE_SUBNET6" == "" && "$INTERACTIVE" == "yes" ]]; then
echo "Private subnet for IPv6 is not set."
GENERATED_SUBNET6="$( echo fd$(openssl rand -hex 7) | sed 's/.\{4\}/&:/g' ):/64"
read -p "Do you want to enable IPv6 support with generated subnet $GENERATED_SUBNET6? [n/y]: " -e -i "n" CONFIRM
if [ "$CONFIRM" == "y" ]; then
PRIVATE_SUBNET6="$GENERATED_SUBNET6"
fi
fi
if [ "$PRIVATE_SUBNET6" != "" ]; then
PRIVATE_SUBNET_MASK6=$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 2 )
PRIVATE_SUBNET_ADDRESS6="$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 1 )"
GATEWAY_ADDRESS6="${PRIVATE_SUBNET_ADDRESS6}1"
fi

if [ "$CLIENT_DNS" == "" ]; then
echo "Which DNS do you want to use with the VPN?"
echo " 1) Cloudflare"
Expand Down Expand Up @@ -102,33 +119,45 @@ if [ ! -f "$WG_CONFIG" ]; then
elif [ "$DISTRO" == "CentOS" ]; then
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install epel-release -y
yum install wireguard-dkms qrencode wireguard-tools firewalld -y
yum remove firewalld -y
yum install wireguard-dkms qrencode wireguard-tools iptables-services -y
fi

SERVER_PRIVKEY=$( wg genkey )
SERVER_PUBKEY=$( echo $SERVER_PRIVKEY | wg pubkey )
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo $CLIENT_PRIVKEY | wg pubkey )
CLIENT_ADDRESS="${PRIVATE_SUBNET::-4}3"

INTERFACE_ADDRESS="$GATEWAY_ADDRESS/$PRIVATE_SUBNET_MASK"
CLIENT_ADDRESS="${PRIVATE_SUBNET::-4}3/$PRIVATE_SUBNET_MASK"
CLIENT_ALLOWED_IPS="${PRIVATE_SUBNET::-4}3/32"

mkdir -p /etc/wireguard
touch $WG_CONFIG && chmod 600 $WG_CONFIG

echo "# $PRIVATE_SUBNET $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY $CLIENT_DNS
[Interface]
Address = $GATEWAY_ADDRESS/$PRIVATE_SUBNET_MASK
echo "# $PRIVATE_SUBNET $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY $CLIENT_DNS" > $WG_CONFIG

if [ "$PRIVATE_SUBNET6" != "" ]; then
INTERFACE_ADDRESS="$INTERFACE_ADDRESS, $GATEWAY_ADDRESS6/$PRIVATE_SUBNET_MASK6"
CLIENT_ADDRESS="$CLIENT_ADDRESS, ${PRIVATE_SUBNET_ADDRESS6}3/$PRIVATE_SUBNET_MASK6"
CLIENT_ALLOWED_IPS="$CLIENT_ALLOWED_IPS, ${PRIVATE_SUBNET_ADDRESS6}3/128"
echo "# IPV6 $PRIVATE_SUBNET6" >> $WG_CONFIG
fi

echo "[Interface]
Address = $INTERFACE_ADDRESS
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIVKEY
SaveConfig = false" > $WG_CONFIG
SaveConfig = false" >> $WG_CONFIG

echo "# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32" >> $WG_CONFIG
AllowedIPs = $CLIENT_ALLOWED_IPS" >> $WG_CONFIG

echo "[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
Address = $CLIENT_ADDRESS
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBKEY
Expand All @@ -143,20 +172,25 @@ qrencode -t ansiutf8 -l L < $HOME/$CLIENT_NAME-wg0.conf
sysctl -p

if [ "$DISTRO" == "CentOS" ]; then
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=$SERVER_PORT/udp
firewall-cmd --zone=trusted --add-source=$PRIVATE_SUBNET
firewall-cmd --permanent --zone=public --add-port=$SERVER_PORT/udp
firewall-cmd --permanent --zone=trusted --add-source=$PRIVATE_SUBNET
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET ! -d $PRIVATE_SUBNET -j SNAT --to $SERVER_HOST
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $PRIVATE_SUBNET ! -d $PRIVATE_SUBNET -j SNAT --to $SERVER_HOST
systemctl start iptables
systemctl enable iptables
IPTABLES_CONF="/etc/sysconfig/iptables"
IP6TABLES_CONF="/etc/sysconfig/ip6tables"
else
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET -m policy --pol none --dir in -j ACCEPT
iptables -t nat -A POSTROUTING -s $PRIVATE_SUBNET -m policy --pol none --dir out -j MASQUERADE
iptables -A INPUT -p udp --dport $SERVER_PORT -j ACCEPT
iptables-save > /etc/iptables/rules.v4
IPTABLES_CONF="/etc/iptables/rules.v4"
IP6TABLES_CONF="/etc/iptables/rules.v6"
fi

iptables -I FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET -m policy --pol none --dir in -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s $PRIVATE_SUBNET -m policy --pol none --dir out -j MASQUERADE
iptables -I INPUT -p udp --dport $SERVER_PORT -j ACCEPT
iptables-save > $IPTABLES_CONF
if [ "$PRIVATE_SUBNET6" != "" ]; then
ip6tables -I FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET6 -m policy --pol none --dir in -j ACCEPT
ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -t nat -I POSTROUTING -s $PRIVATE_SUBNET6 -m policy --pol none --dir out -j MASQUERADE
ip6tables-save > $IP6TABLES_CONF
fi

systemctl enable wg-quick@wg0.service
Expand All @@ -180,23 +214,31 @@ else
SERVER_PUBKEY=$( head -n1 $WG_CONFIG | awk '{print $4}')
CLIENT_DNS=$( head -n1 $WG_CONFIG | awk '{print $5}')
LASTIP=$( grep "/32" $WG_CONFIG | tail -n1 | awk '{print $3}' | cut -d "/" -f 1 | cut -d "." -f 4 )
CLIENT_ADDRESS="${PRIVATE_SUBNET::-4}$((LASTIP+1))"
CLIENT_ADDRESS="${PRIVATE_SUBNET::-4}$((LASTIP+1))/$PRIVATE_SUBNET_MASK"
CLIENT_ALLOWED_IPS="${PRIVATE_SUBNET::-4}$((LASTIP+1))/32"
if grep -q "IPV6" $WG_CONFIG; then
PRIVATE_SUBNET6=$( grep "IPV6" $WG_CONFIG | awk '{print$NF}' )
PRIVATE_SUBNET_MASK6=$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 2 )
PRIVATE_SUBNET_ADDRESS6="$( echo $PRIVATE_SUBNET6 | cut -d "/" -f 1 )"
CLIENT_ADDRESS="$CLIENT_ADDRESS, ${PRIVATE_SUBNET_ADDRESS6}$((LASTIP+1))/$PRIVATE_SUBNET_MASK6"
CLIENT_ALLOWED_IPS="$CLIENT_ALLOWED_IPS, ${PRIVATE_SUBNET_ADDRESS6}$((LASTIP+1))/128"
fi
echo "# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32" >> $WG_CONFIG
AllowedIPs = $CLIENT_ALLOWED_IPS" >> $WG_CONFIG

echo "[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
Address = $CLIENT_ADDRESS
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_ENDPOINT
PersistentKeepalive = 25" > $HOME/$CLIENT_NAME-wg0.conf
qrencode -t ansiutf8 -l L < $HOME/$CLIENT_NAME-wg0.conf

ip address | grep -q wg0 && wg set wg0 peer "$CLIENT_PUBKEY" allowed-ips "$CLIENT_ADDRESS/32"
ip address | grep -q wg0 && wg set wg0 peer "$CLIENT_PUBKEY" allowed-ips "$CLIENT_ALLOWED_IPS"
echo "Client added, new configuration file --> $HOME/$CLIENT_NAME-wg0.conf"
fi
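Review bot: In the CentOS branch `systemctl start iptables` / `systemctl enable iptables` only activates the IPv4 service, while the IPv6 rules are saved to `/etc/sysconfig/ip6tables`, a file restored by the separate `ip6tables.service`, so after a reboot the v6 FORWARD and NAT rules written by the `ip6tables -I …` lines are gone and IPv6 clients lose forwarding; inside that branch add `if [ "$PRIVATE_SUBNET6" != "" ]; then systemctl start ip6tables; systemctl enable ip6tables; fi`. `yum remove firewalld -y` silently discards whatever zone and service configuration the host already had, and since the script runs as root on a possibly pre-hardened box it should at least print a warning before doing so. `PRIVATE_SUBNET6` is spliced unvalidated into wg0.conf and the ip6tables arguments (the TODO already notes this), and the `${PRIVATE_SUBNET_ADDRESS6}1` / `…3` concatenation only yields a valid address when the prefix ends in `::`, so a user-supplied value should be checked for that shape and a /64 before use, e.g. `[[ "$PRIVATE_SUBNET6" =~ ^f[cd][0-9a-f]{2}(:[0-9a-f]{1,4}){3}::/64$ ]] || exit 1`. Both hunks sit inside the larger `if [ ! -f "$WG_CONFIG" ] … else …` that starts and ends outside the diff, and whether the sysctl settings also enable `net.ipv6.conf.all.forwarding` is not visible here — worth confirming, since without it the v6 half of `AllowedIPs = 0.0.0.0/0, ::/0` is blackholed for clients.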