-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathinstall_wireguard
executable file
·145 lines (116 loc) · 4.46 KB
/
install_wireguard
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
#!/bin/bash -e
source ./script_lib/std.inc
source ./script_lib/link.inc
source ./script_lib/network.inc
usage() {
local err=$1
local msg=$2
if [[ -n "$msg" ]] ; then
echo "ERROR: $msg"
echo
fi
echo "$0 [-h] -4 ADDRESS/NETMASK -6 ADDRESS6/NETMASK6 -v VPNADDRESS:VPNPORT"
echo
exit $err
}
while getopts "4:6:v:h" opt ; do
case $opt in
4) NETWORK4_T=$OPTARG
ADDRESS4=${NETWORK4_T%/*}
if [[ "$NETWORK4_T" == *"/"* ]] ; then
NETMASK4=${NETWORK4_T#*/}
fi
;;
6) NETWORK6_T=$OPTARG
ADDRESS6=${NETWORK6_T%/*}
if [[ "$NETWORK6_T" == *"/"* ]] ; then
NETMASK6=${NETWORK6_T#*/}
fi
;;
v) VPN_T=$OPTARG
VPN=${VPN_T%:*}
if [[ "$VPN_T" == *":"* ]] ; then
PORT=${VPN_T#*:}
fi
;;
h) usage
;;
esac
done
if [[ -z $ADDRESS4 ]] ; then usage 1 "missing ipv4 address"; fi
if [[ -z $NETMASK4 ]] ; then usage 1 "missing ipv4 netmask"; fi
if [[ -z $ADDRESS6 ]] ; then usage 1 "missing ipv6 address"; fi
if [[ -z $NETMASK6 ]] ; then usage 1 "missing ipv6 netmask"; fi
if [[ -z $VPN ]] ; then usage 1 "missing vpn address"; fi
if [[ -z $PORT ]] ; then usage 1 "missing port"; fi
ADDRESS4ROOT="${ADDRESS4%.*}"
ADDRESS6ROOT="${ADDRESS6%:*}"
sudo apt-get install -y wireguard wireguard-tools qrencode
OUMASK=$(umask)
umask 077
wg genkey | sudo tee /etc/wireguard/server.key | wg pubkey | sudo tee /etc/wireguard/server.pub > /dev/null
echo "[Interface]
Address = $ADDRESS4/$NETMASK4, $ADDRESS6/$NETMASK6
ListenPort = $PORT
PrivateKey = $(sudo cat /etc/wireguard/server.key)
PostUp = nft add table ip wireguard; nft add chain ip wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip wireguard wireguard_chain counter packets 0 bytes 0 masquerade; nft add table ip6 wireguard; nft add chain ip6 wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip6 wireguard wireguard_chain counter packets 0 bytes 0 masquerade
PostDown = nft delete table ip wireguard; nft delete table ip6 wireguard" | sudo tee /etc/wireguard/wg0.conf > /dev/null
umask $OUMASK
echo '#! /usr/bin/env bash
umask 077
usage() {
local err=$1
local msg=$2
if [[ -n "$msg" ]] ; then
echo "ERROR: $msg"
echo
fi
echo "$0 <client index, starting from 2> <name> [dns]"
echo
exit $err
}
if [[ -z "$2" ]] ; then
usage 1
fi
if [[ "$1" -lt 2 ]] ; then
usage 1 "client index must be 2 or greater"
fi
ipv4="'$ADDRESS4ROOT'.$1"
ipv6="'$ADDRESS6ROOT':$1"
serv4="'$ADDRESS4'"
serv6="'$ADDRESS6'"
dns="${3-'$ADDRESS4'}"
name="$2"
target="'$VPN':'$PORT'"
cd /etc/wireguard
wg genkey | tee "${name}.key" | wg pubkey > "${name}.pub"
wg genpsk > "${name}.psk"
echo "" >> /etc/wireguard/wg0.conf
echo "# $name" >> /etc/wireguard/wg0.conf
echo "[Peer]" >> /etc/wireguard/wg0.conf
echo "PublicKey = $(cat "${name}.pub")" >> /etc/wireguard/wg0.conf
echo "PresharedKey = $(cat "${name}.psk")" >> /etc/wireguard/wg0.conf
echo "AllowedIPs = $ipv4/32, $ipv6/128" >> /etc/wireguard/wg0.conf
echo "" >> /etc/wireguard/wg0.conf
echo "[Interface]" > "${name}.conf"
echo "Address = $ipv4/'$NETMASK4', $ipv6/'$NETMASK6'" >> "${name}.conf"
echo "DNS = ${dns}" >> "${name}.conf" #Specifying DNS Server
echo "PrivateKey = $(cat "${name}.key")" >> "${name}.conf"
echo "" >> "${name}.conf"
echo "[Peer]" >> "${name}.conf"
echo "PublicKey = $(cat server.pub)" >> "${name}.conf"
echo "PresharedKey = $(cat "${name}.psk")" >> "${name}.conf"
echo "Endpoint = $target" >> "${name}.conf"
# echo "AllowedIPs = ${serv4}/32, ${serv6}/128" >> "${name}.conf" # clients isolated from one another
# echo "AllowedIPs = '$ADDRESS4ROOT'.0/'$NETMASK4', '$ADDRESS6ROOT':/'$NETMASK6'" >> "${name}.conf" # clients can see each other
echo "AllowedIPs = 0.0.0.0/0, ::/0" >> "${name}.conf" # client routes all traffic
echo "PersistentKeepalive = 25" >> "${name}.conf"
wg syncconf wg0 <(wg-quick strip wg0)
# Print QR code scanable by the Wireguard mobile app on screen
qrencode -t ansiutf8 < "${name}.conf"' > "$HOME/bin/wg-add-client"
sysctl_set net.ipv4.ip_forward 1
sysctl_set net.ipv6.conf.all.forwarding 1
sudo systemctl enable [email protected]
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0
echo "On Router, forward port: $PORT to $(network_get_default_address) ($(network_get_default_interface))"