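#!/usr/bin/env bash
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-wireguard-server.sh)"
#
# WireGuard server installer (Debian/Ubuntu, systemd, iptables).
#   * installs the wireguard package if missing
#   * generates the server key pair under /etc/wireguard (once)
#   * enables IPv4/IPv6 forwarding via /etc/sysctl.d/10-wireguard.conf
#   * writes /etc/wireguard/wg0.conf = wg0.conf.base + wg0.conf.clients
#   * enables and starts wg-quick@wg0
#   * installs two helpers: /usr/local/bin/wg-adduser.sh (create a client
#     config and register the peer) and /usr/local/bin/wg-restart.sh
# All settings are asked interactively; the defaults are shown and editable.
# Must run as root (it re-execs itself through sudo otherwise).

set -euo pipefail

readonly WG_DIR=/etc/wireguard
readonly SYSCTL_CONF=/etc/sysctl.d/10-wireguard.conf
readonly ADDUSER_SCRIPT=/usr/local/bin/wg-adduser.sh
readonly RESTART_SCRIPT=/usr/local/bin/wg-restart.sh

# Input formats. These values end up in iptables command lines that wg-quick
# executes as root (PostUp/PostDown), so anything outside the expected shape
# is rejected rather than interpolated.
readonly RE_PREFIX24='^[0-9]{1,3}(\.[0-9]{1,3}){2}$'      # a.b.c  (first three octets)
readonly RE_IP4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'           # a.b.c.d
readonly RE_PORT='^[0-9]{1,5}$'
readonly RE_PORTLIST='^[0-9]{1,5}(,[0-9]{1,5})*$'          # iptables multiport list
readonly RE_HOSTNAME='^[A-Za-z0-9.-]+$'
readonly RE_IFNAME='^[A-Za-z0-9._-]+$'

# Settings filled in by prompt_settings(); PostUp/PostDown lines by build_lan_rules().
NIC_NAME="" VPN_SUBNET="" LAN_SUBNET="" VPN_PUBLIC_HOST="" VPN_PUBLIC_PORT="" ALLOWED_HOST_IPs=""
SERVER_PRIVATEKEY="" SERVER_PUBLICKEY=""
POSTUP="" POSTDOWN=""

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Re-exec through sudo when not running as root.
# NB: this cannot work when the script is fed through process substitution
# (the install one-liner), because $0 is then a /dev/fd path the child cannot
# re-open; the one-liner therefore already runs as root via `sudo su -c`.
# Arguments: the script's own arguments, passed through.
#######################################
require_root() {
  if [[ $EUID -ne 0 ]]; then
    exec sudo /bin/bash "$0" "$@"
  fi
}

#######################################
# Print the interface of the IPv4 default route (empty if none).
# Only the first default route is considered; the original `grep default`
# would have returned several words on multi-homed hosts.
#######################################
default_nic() {
  local nic
  nic=$(ip -4 route show default 2>/dev/null \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }') || nic=""
  printf '%s' "$nic"
}

# Port number 1..65535 (10# forces decimal so "08" is not read as octal).
is_port() { [[ $1 =~ $RE_PORT ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 )); }

#######################################
# Ask for every setting (with editable defaults) and validate the answers.
# Globals written: NIC_NAME VPN_SUBNET LAN_SUBNET VPN_PUBLIC_HOST
#                  VPN_PUBLIC_PORT ALLOWED_HOST_IPs
#######################################
prompt_settings() {
  read -r -e -p "Enter lan NIC: " -i "$(default_nic)" NIC_NAME
  read -r -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
  read -r -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
  read -r -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
  read -r -e -p "Enter VPN public portnumber: " -i "51820" VPN_PUBLIC_PORT
  read -r -e -p "Allowed destination LAN IPs (empty for all): " \
    -i "${LAN_SUBNET}.1 ${LAN_SUBNET}.2" ALLOWED_HOST_IPs

  [[ $NIC_NAME =~ $RE_IFNAME ]] || die "invalid NIC name: '$NIC_NAME'"
  [[ $VPN_SUBNET =~ $RE_PREFIX24 ]] || die "VPN subnet must be the first three octets, e.g. 172.19.100"
  [[ $LAN_SUBNET =~ $RE_PREFIX24 ]] || die "LAN subnet must be the first three octets, e.g. 192.168.0"
  [[ $VPN_PUBLIC_HOST =~ $RE_HOSTNAME ]] || die "invalid public hostname: '$VPN_PUBLIC_HOST'"
  is_port "$VPN_PUBLIC_PORT" || die "invalid port number: '$VPN_PUBLIC_PORT'"
}

#######################################
# Install the wireguard package if dpkg does not report it installed.
#######################################
install_wireguard() {
  local status
  # '${Status}' is a dpkg format string, not a shell expansion.
  status=$(dpkg-query -W -f='${Status}' wireguard 2>/dev/null) || status=""
  if [[ $status != *"ok installed"* ]]; then
    echo "Installing Wireguard..."
    apt install wireguard -y || die "apt install wireguard failed"
  fi
}

#######################################
# Create /etc/wireguard and the server key pair (only when no privatekey yet).
# Globals written: SERVER_PRIVATEKEY SERVER_PUBLICKEY
# Side effect: sets umask 077 for the rest of the run, because every file
# written from here on (keys, wg0.conf*, client configs) holds a private key.
# The original only set the umask on the key-generation path, so a re-run on
# an existing install wrote wg0.conf with the default (world-readable) mode.
#######################################
generate_server_keys() {
  mkdir -p -m 0700 "$WG_DIR" || die "cannot create $WG_DIR"
  umask 077
  if [[ ! -f "$WG_DIR/privatekey" ]]; then
    echo "Generating private and public keys..."
    wg genkey | tee "$WG_DIR/privatekey" | wg pubkey > "$WG_DIR/publickey" \
      || die "key generation failed"
  fi
  SERVER_PRIVATEKEY=$(<"$WG_DIR/privatekey")
  SERVER_PUBLICKEY=$(<"$WG_DIR/publickey")
  [[ -n $SERVER_PRIVATEKEY && -n $SERVER_PUBLICKEY ]] || die "empty key file in $WG_DIR"
}

#######################################
# Enable IPv4/IPv6 forwarding persistently and apply it now.
#######################################
enable_ip_forwarding() {
  # -s: stay quiet when the file does not exist yet (first run).
  if ! grep -qs "net.ipv4.ip_forward" "$SYSCTL_CONF"; then
    printf '%s\n' 'net.ipv4.ip_forward=1' 'net.ipv6.conf.all.forwarding=1' >> "$SYSCTL_CONF"
    chmod 644 "$SYSCTL_CONF"   # created under umask 077; sysctl.d files are not secret
    sysctl -p "$SYSCTL_CONF"
  fi
}

#######################################
# Build the LAN access rules inserted into wg0.conf.
# ALLOWED_HOST_IPs is a space-separated list of "a.b.c.d" or "a.b.c.d:p1,p2"
# (TCP ports); empty means the whole LAN_SUBNET.0/24 is reachable.
# Globals read: ALLOWED_HOST_IPs LAN_SUBNET   Globals written: POSTUP POSTDOWN
#######################################
build_lan_rules() {
  local entry host ports
  POSTUP="" POSTDOWN=""
  if [[ -z $ALLOWED_HOST_IPs ]]; then
    POSTUP+="PostUp = iptables -A FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT"$'\n'
    POSTDOWN+="PostDown = iptables -D FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT"$'\n'
    return
  fi
  # Deliberately unquoted: the value is a whitespace-separated list.
  for entry in $ALLOWED_HOST_IPs; do
    host=${entry%%:*}
    [[ $host =~ $RE_IP4 ]] || die "invalid allowed host: '$entry'"
    if [[ $entry == *:* ]]; then
      ports=${entry#*:}
      [[ $ports =~ $RE_PORTLIST ]] || die "invalid port list in: '$entry'"
      POSTUP+="PostUp = iptables -A FORWARD -i %i -d $host/32 -p tcp -m multiport --dports $ports -j ACCEPT"$'\n'
      POSTDOWN+="PostDown = iptables -D FORWARD -i %i -d $host/32 -p tcp -m multiport --dports $ports -j ACCEPT"$'\n'
    else
      POSTUP+="PostUp = iptables -A FORWARD -i %i -d $host/32 -j ACCEPT"$'\n'
      POSTDOWN+="PostDown = iptables -D FORWARD -i %i -d $host/32 -j ACCEPT"$'\n'
    fi
  done
}

#######################################
# Write wg0.conf.base and assemble wg0.conf from it plus wg0.conf.clients.
# Globals read: VPN_SUBNET VPN_PUBLIC_PORT SERVER_PRIVATEKEY POSTUP POSTDOWN NIC_NAME
#######################################
write_server_config() {
  local base=$WG_DIR/wg0.conf.base clients=$WG_DIR/wg0.conf.clients
  # If a host firewall is in use the listen port must be opened as well,
  # e.g.: ufw allow $VPN_PUBLIC_PORT/udp
  # NIC_NAME is used as entered: Linux interface names are case-sensitive,
  # so the former ${NIC_NAME,,} lower-casing could target a non-existent device.
  cat > "$base" <<EOL
[Interface]
Address = $VPN_SUBNET.1/24
ListenPort = $VPN_PUBLIC_PORT
PrivateKey = ${SERVER_PRIVATEKEY}

${POSTUP}
PostUp = iptables -A FORWARD -i %i -d $VPN_SUBNET.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -d 0.0.0.0/0 -j DROP
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ${NIC_NAME} -j MASQUERADE

${POSTDOWN}
PostDown = iptables -D FORWARD -i %i -d $VPN_SUBNET.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 0.0.0.0/0 -j DROP
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ${NIC_NAME} -j MASQUERADE

# [Peer]
# Client 1
# PublicKey = ...
# AllowedIPs = $VPN_SUBNET.2/32

EOL
  # The clients file does not exist on a fresh install; cat would otherwise complain.
  touch "$clients"
  cat "$base" "$clients" > "$WG_DIR/wg0.conf"
  chmod 600 "$base" "$WG_DIR/wg0.conf"   # both contain the server private key
}

#######################################
# Enable and start wg-quick@wg0 unless it is already running.
#######################################
start_service() {
  if ! systemctl is-active --quiet wg-quick@wg0.service; then
    systemctl enable wg-quick@wg0
    systemctl start wg-quick@wg0 \
      || die "wg-quick@wg0 failed to start; see: journalctl -u wg-quick@wg0"
    systemctl --no-pager status wg-quick@wg0
    wg
    ip a show wg0
  else
    # A running interface keeps its old configuration until it is bounced.
    echo "wg0 is already up; run $RESTART_SCRIPT to apply the regenerated config."
  fi
}

#######################################
# Install the wg-adduser.sh and wg-restart.sh helpers.
# The subnet/hostname/port chosen above are baked into wg-adduser.sh at
# install time (unescaped $VARS); everything escaped with \$ is evaluated
# when the helper runs. Both helpers must run as root, so they are installed
# mode 0700 (the former 777 let any local user rewrite a root-executed script).
#######################################
install_helper_scripts() {
  cat > "$ADDUSER_SCRIPT" <<EOL
#!/usr/bin/env bash
# Generated by the WireGuard installer: allocate the next free address in
# $VPN_SUBNET.0/24, write a client config and register the peer on wg0.
set -euo pipefail
umask 077   # client configs contain private keys
[[ \$EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }

read -r -e -p "Enter username: " -i "Anonymous" WGCLIENT
# The name becomes part of a file name under /etc/wireguard: keep it to a safe set.
[[ \$WGCLIENT =~ ^[A-Za-z0-9_-]+\$ ]] || { echo "invalid username: \$WGCLIENT" >&2; exit 1; }

# .1 is the server, .255 the broadcast address; match "addr/" literally so
# that .2 does not collide with .20 or .200.
ip=""
for i in {2..254}; do
  if ! grep -qF -- "$VPN_SUBNET.\$i/" /etc/wireguard/wg0.conf; then
    ip="$VPN_SUBNET.\$i"
    break
  fi
done
[[ -n \$ip ]] || { echo "no free address left in $VPN_SUBNET.0/24" >&2; exit 1; }

CLIENT_PRIVATEKEY=\$(wg genkey)
CLIENT_PUBLICKEY=\$(printf '%s\n' "\$CLIENT_PRIVATEKEY" | wg pubkey)
# Read at run time rather than baked in, so a rotated server key is picked up.
SERVER_PUBLICKEY=\$(</etc/wireguard/publickey)

cat > "/etc/wireguard/client-\$WGCLIENT.conf" <<LOE
# Private key: \$CLIENT_PRIVATEKEY
# Public key: \$CLIENT_PUBLICKEY
[Interface]
PrivateKey = \$CLIENT_PRIVATEKEY
Address = \$ip/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = \$SERVER_PUBLICKEY
# AllowedIPs = 0.0.0.0/0 # Will route all traffic through the VPN
AllowedIPs = $LAN_SUBNET.0/24, $VPN_SUBNET.0/24
Endpoint = $VPN_PUBLIC_HOST:$VPN_PUBLIC_PORT
PersistentKeepalive = 25
LOE

cat >> /etc/wireguard/wg0.conf.clients <<LOE

[Peer]
# Client: \$WGCLIENT
PublicKey = \$CLIENT_PUBLICKEY
AllowedIPs = \$ip/32
LOE

cat /etc/wireguard/wg0.conf.base /etc/wireguard/wg0.conf.clients > /etc/wireguard/wg0.conf
chmod 600 /etc/wireguard/wg0.conf
# Load the new peer without tearing the interface down (existing tunnels stay
# up); fall back to bringing it up if wg0 is not running.
if wg show wg0 >/dev/null 2>&1; then
  wg syncconf wg0 <(wg-quick strip wg0)
else
  wg-quick up wg0
fi
printf '\n\n_[ %s ]________________________________________\n' "client-\$WGCLIENT.conf"
cat "/etc/wireguard/client-\$WGCLIENT.conf"
EOL
  chmod 0700 "$ADDUSER_SCRIPT"

  cat > "$RESTART_SCRIPT" <<'EOL'
#!/usr/bin/env bash
# Generated by the WireGuard installer: bounce wg0 so /etc/wireguard/wg0.conf is re-read.
set -u
wg-quick down wg0 || true   # not an error when the interface was already down
exec wg-quick up wg0
EOL
  chmod 0700 "$RESTART_SCRIPT"
}

main() {
  require_root "$@"
  prompt_settings
  install_wireguard
  generate_server_keys
  enable_ip_forwarding
  build_lan_rules
  write_server_config
  start_service
  install_helper_scripts
}

main "$@"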