
added comments, generalized, fixed some errors

Toastie 1 year ago
parent
commit
5fc81a6379
1 changed files with 42 additions and 15 deletions
  1. 42 15
      linux/wireguard/wireguard-instant.sh

+ 42 - 15
linux/wireguard/wireguard-instant.sh

@@ -1,14 +1,33 @@
 #!/bin/bash
 
+### Purpose of this script
+# Setup a central WireGuard instance (vpn server) to
+# - serve as exit node
+# - to generate key material / configurations for clients
+# - help me to memorize WireGuard basics
+
+### Files generated:
+# <hostname>.key  - private key
+# <hostname>.pub  - public key
+# <hostname>.psk  - pre-shared key (PSK) per client
+# <hostname>.conf - configuration file for the client
+
+### Client configuration
+# - Linux
+#   - Save <hostname>.conf under /etc/wireguard/wg0.conf
+#   - Run wg-quick up wg0
+# - Android / iOS
+#   - Scan QR-Code
+
 ### References
 # https://wiki.archlinux.org/title/WireGuard
 
 ### Installation
-# Install wireguard tools and QR-Code generator and local dns unbound
+# Install wireguard and QR-Code generator
 apt-get install --yes wireguard qrencode 
 
 ### Variables
-hostname="blue.s-up.net"
+hostname="vpn.example.com"
 server_ip='192.168.130.1/24'
 network='192.168.130.0/24'
 confdir='/etc/wireguard'
@@ -16,18 +35,25 @@ interface='ens3'
 
 ### Create key material
 cd $confdir
+# Function to generate private and public keys
 wgkeypair() { wg genkey | (umask 0077 && tee   $1.key) | wg pubkey > $1.pub; }
-wgpsk()     { wg genpsk | (umask 0077 && cat > $1.psk) } 
-wgkeypair host
-peers="dspx4 zino2"
+# Function to generate the pre-shared key (PSK) for clients
+wgpsk()     { wg genpsk | (umask 0077 && cat > $1.psk) }
+# Generate key-pair for the central instance
+wgkeypair $hostname
+# Generate key-pairs and PSKs for the clients (peers)
+peers="alice bob"
 for peer in $peers; do wgkeypair $peer && wgpsk $peer; done
 
 ### Configuration
-# Setup wireguard network interface
+# Setup wireguard network interface on the client
 ip link add dev wg0 type wireguard
 ip addr add $server_ip dev wg0
-wg set wg0 listen-port 51871 private-key $confdir/host.key 
+wg set wg0 listen-port 51871 private-key $confdir/$hostname.key 
 
+# Function to generate
+# - configure peers on the server
+# - prepare config files for the peers
 wgsetpeer() {
 peer=$1
 ip=$2
@@ -42,25 +68,26 @@ cat >$confdir/$peer.conf <<EOL
 [Interface]
 PrivateKey = `cat $confdir/$peer.key`
 Address = $ip
-DNS = 127.0.0.1
+#DNS = 8.8.8.8
  
 [Peer]
 PublicKey = `cat $confdir/host.pub`
-AllowedIPs = 0.0.0.0/0
+AllowedIPs = $network
 Endpoint = $hostname:51871
-PersistentKeepalive = 15
+#PersistentKeepalive = 15
 PresharedKey = `cat $confdir/$peer.psk`
 EOL
 
-qrencode  -t ANSIUTF8 -r $confdir/$peer.conf
+qrencode  -t ANSIUTF8 < $confdir/$peer.conf
 }
 
-wgsetpeer dspx4 192.168.130.2
+wgsetpeer alice 192.168.130.2
+wgsetpeer bob 192.168.130.3
 
 # https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/
 iptables -t nat -I POSTROUTING 1 -s $network -o $interface -j MASQUERADE
 iptables -I INPUT 1 -i wg0 -j ACCEPT
-iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
-iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
-iptables -I INPUT 1 -i eth0 -p udp --dport 51871 -j ACCEPT
+iptables -I FORWARD 1 -i $interface -o wg0 -j ACCEPT
+iptables -I FORWARD 1 -i wg0 -o $interface -j ACCEPT
+iptables -I INPUT 1 -i $interface -p udp --dport 51871 -j ACCEPT
 sysctl -w net.ipv4.ip_forward=1
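Review bot: `PublicKey = `cat $confdir/host.pub`` in the client config template still reads `host.pub`, but this commit renames the server key pair to `$hostname.key`/`$hostname.pub` (the `wg set ... private-key $confdir/$hostname.key` line already uses the new name), so the `cat` fails and every generated `.conf` and QR code ships with an empty PublicKey; change it to `PublicKey = $(cat "$confdir/$hostname.pub")`. The generated `.conf` contains the client's private key and PSK, yet unlike the `.key`/`.psk` files it is written without the `umask 0077` guard (`cat >$confdir/$peer.conf` in the hunk context), so its mode depends on the caller's umask and on `$confdir` permissions — wrap the redirect the same way or `chmod 600 "$confdir/$peer.conf"` before running qrencode. With `AllowedIPs = $network` the client only routes the VPN subnet through the tunnel, which contradicts the "serve as exit node" purpose added in the header; if exit-node use is intended, those clients need `AllowedIPs = 0.0.0.0/0` together with an uncommented `DNS =` line to avoid leaking DNS to the local resolver. Separately, the retained `wgpsk() { wg genpsk | (umask 0077 && cat > $1.psk) }` in the second hunk still lacks the `;` before `}` that bash's `{ ...; }` grouping requires, which looks like a parse error that would abort the script before any key material is created. The body of `wgsetpeer` begins outside this hunk.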