# Install using: sudo su -c "bash <(wget -qO- /url/to/install-wireguard-server.sh)"

# Make sure script is ran as root
if [[ $EUID -ne 0 ]]; then
	exec sudo /bin/bash "$0" "$@"
fi
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
read -e -p "Enter VPN public portnumber: " -i "51820" VPN_PUBLIC_PORT
read -e -p "Allowed destination LAN IPs (empty for all): " -i "${LAN_SUBNET}.1 ${LAN_SUBNET}.2" ALLOWED_HOST_IPs

if [ $(dpkg-query -W -f='${Status}' wireguard 2>/dev/null | grep -c "ok installed") -eq 0 ];
then
	echo "Installing Wireguard..."
	apt install wireguard -y
fi

mkdir -m 0700 /etc/wireguard/ > /dev/null 2>&1
cd /etc/wireguard/

if [ ! -f privatekey ]
then
	echo "Generating private and public keys..."
	umask 077; wg genkey | tee privatekey | wg pubkey > publickey
fi
SERVER_PRIVATEKEY=$(cat "privatekey")
SERVER_PUBLICKEY=$(cat "publickey")
# sudo ufw allow $VPN_PUBLIC_PORT/udp

if ! grep -q "net.ipv4.ip_forward" "/etc/sysctl.d/10-wireguard.conf"; then
	echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
	echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
	sysctl -p /etc/sysctl.d/10-wireguard.conf
fi

if [ -z "$ALLOWED_HOST_IPs" ]
then
	POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT
"
	POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT
"
else
	for ip in ${ALLOWED_HOST_IPs// / }
	do
		if [[ $ip == *":"* ]]; then
			port=$(echo $ip | cut -f2 -d:)
			ip=$(echo $ip | cut -f1 -d:)
			POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $ip/32 -p tcp -m multiport --dports $port -j ACCEPT
"
			POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $ip/32 -p tcp -m multiport --dports $port -j ACCEPT
"
		else
			POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $ip/32 -j ACCEPT
"
			POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $ip/32 -j ACCEPT
"
		fi
	done
fi

sudo tee /etc/wireguard/wg0.conf.base > /dev/null <<EOL
[Interface]
Address = $VPN_SUBNET.1/24
ListenPort = $VPN_PUBLIC_PORT
PrivateKey = ${SERVER_PRIVATEKEY}

${POSTUP}
PostUp = iptables -A FORWARD -i %i -d $VPN_SUBNET.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -d 0.0.0.0/0 -j DROP
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE

${POSTDOWN}
PostDown = iptables -D FORWARD -i %i -d $VPN_SUBNET.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 0.0.0.0/0 -j DROP
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ${NIC_NAME,,} -j MASQUERADE

# [Peer]
# Client 1
# PublicKey = ...
# AllowedIPs = $VPN_SUBNET.2/32

EOL
cat /etc/wireguard/wg0.conf.base /etc/wireguard/wg0.conf.clients > /etc/wireguard/wg0.conf

if ! systemctl is-active --quiet "wg-quick@wg0.service" ; then
	systemctl enable wg-quick@wg0
	systemctl start wg-quick@wg0
	systemctl --no-pager status wg-quick@wg0
	wg
	ip a show wg0
fi


sudo tee /usr/local/bin/wg-adduser.sh > /dev/null <<EOL
read -e -p "Enter username: " -i "Anonymous" WGCLIENT
for i in {2..255}; do
	ip="$VPN_SUBNET.\$i"
	if ! grep -q "\$ip" "/etc/wireguard/wg0.conf"; then
		break
	fi
done
CLIENT_PRIVATEKEY=\$(wg genkey)
CLIENT_PUBLICKEY=\$(echo "\$CLIENT_PRIVATEKEY" | wg pubkey)
SERVER_PUBLICKEY=$(cat "/etc/wireguard/publickey")

sudo tee /etc/wireguard/client-\$WGCLIENT.conf > /dev/null <<LOE
# Private key: \$CLIENT_PRIVATEKEY
# Public key:  \$CLIENT_PUBLICKEY
[Interface]
PrivateKey = \$CLIENT_PRIVATEKEY
Address = \$ip/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = \$SERVER_PUBLICKEY
# AllowedIPs = 0.0.0.0/0 # Will route all traffic through the VPN
AllowedIPs = $LAN_SUBNET.0/24, $VPN_SUBNET.0/24
Endpoint = $VPN_PUBLIC_HOST:$VPN_PUBLIC_PORT
PersistentKeepalive = 25
LOE

cat <<LOE >> "/etc/wireguard/wg0.conf.clients"

[Peer]
# Client: \$WGCLIENT
PublicKey = \$CLIENT_PUBLICKEY
AllowedIPs = \$ip/32
LOE
cat /etc/wireguard/wg0.conf.base /etc/wireguard/wg0.conf.clients > /etc/wireguard/wg0.conf
wg-quick down wg0 && wg-quick up wg0
printf "\n\n_[ client-\$WGCLIENT.conf ]________________________________________\n"
cat /etc/wireguard/client-\$WGCLIENT.conf
EOL
chmod 777 /usr/local/bin/wg-adduser.sh

sudo tee /usr/local/bin/wg-restart.sh > /dev/null <<EOL
wg-quick down wg0 && wg-quick up wg0
EOL
chmod 777 /usr/local/bin/wg-restart.sh