|
|
@@ -0,0 +1,60 @@
|
|
|
+#!/bin/bash
|
|
|
+
|
|
|
+### Installation
|
|
|
+# Install wireguard tools and QR-Code generator
|
|
|
+apt-get install --yes wireguard qrencode
|
|
|
+
|
|
|
+### Variables
|
|
|
+network='192.168.130.1/24'
|
|
|
+confdir='/etc/wireguard'
|
|
|
+
|
|
|
+### Create key material
|
|
|
+cd $confdir
|
|
|
+wgkeypair() { wg genkey | (umask 0077 && tee $1.key) | wg pubkey > $1.pub; }
|
|
|
+wgpsk() { wg genpsk | (umask 0077 && cat > $1.psk) }
|
|
|
+wgkeypair host
|
|
|
+peers="dspx4 zino2"
|
|
|
+for peer in $peers; do wgkeypair $peer && wgpsk $peer; done
|
|
|
+
|
|
|
+### Configuration
|
|
|
+# Setup wireguard network interface
|
|
|
+ip link add dev wg0 type wireguard
|
|
|
+ip addr add $network dev wg0
|
|
|
+wg set wg0 listen-port 51871 private-key $confdir/host.key
|
|
|
+
|
|
|
+wgsetpeer() {
|
|
|
+peer=$1
|
|
|
+ip=$2
|
|
|
+wg set wg0 \
|
|
|
+ peer `cat $confdir/$peer.pub` \
|
|
|
+ preshared-key $confdir/$peer.psk \
|
|
|
+ allowed-ips $ip
|
|
|
+ip link set wg0 up
|
|
|
+
|
|
|
+cat >$confdir/$peer.conf <<EOL
|
|
|
+# Client config for $peer
|
|
|
+[Interface]
|
|
|
+PrivateKey = `cat $confdir/$peer.key`
|
|
|
+Address = $ip
|
|
|
+DNS = 8.8.8.8
|
|
|
+
|
|
|
+[Peer]
|
|
|
+PublicKey = `cat $confdir/host.pub`
|
|
|
+AllowedIPs = 0.0.0.0/0
|
|
|
+Endpoint = blue.s-up.net:51871
|
|
|
+PersistentKeepalive = 15
|
|
|
+PresharedKey = `cat $confdir/$peer.psk`
|
|
|
+EOL
|
|
|
+
|
|
|
+qrencode -t ANSIUTF8 -r $confdir/$peer.conf
|
|
|
+}
|
|
|
+
|
|
|
+wgsetpeer dspx4 192.168.130.2
|
|
|
+
|
|
|
+# https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/
|
|
|
+iptables -t nat -I POSTROUTING 1 -s 192.168.130.0/24 -o ens3 -j MASQUERADE
|
|
|
+iptables -I INPUT 1 -i wg0 -j ACCEPT
|
|
|
+iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
|
|
|
+iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
|
|
|
+iptables -I INPUT 1 -i eth0 -p udp --dport 51871 -j ACCEPT
|
|
|
+sysctl -w net.ipv4.ip_forward=1
|
