|
|
@@ -1,63 +1,82 @@
|
|
|
#!/bin/bash
|
|
|
|
|
|
+# Setup keys, psk and config for a central wireguard server including peers
|
|
|
+
|
|
|
+# Dependencies
|
|
|
+# apk add wireguard-tools libqrencode
|
|
|
+
|
|
|
### References
|
|
|
# https://wiki.archlinux.org/title/WireGuard
|
|
|
|
|
|
-### Installation
|
|
|
-# Install wireguard tools and QR-Code generator and local dns unbound
|
|
|
-apt-get install --yes wireguard qrencode
|
|
|
+# Source global variables
|
|
|
+source server.cfg
|
|
|
|
|
|
-### Variables
|
|
|
-network='192.168.130.1/24'
|
|
|
-confdir='/etc/wireguard'
|
|
|
+# ---------Functions-----------
|
|
|
|
|
|
-### Create key material
|
|
|
-cd $confdir
|
|
|
+## Create key-pair
|
|
|
wgkeypair() { wg genkey | (umask 0077 && tee $1.key) | wg pubkey > $1.pub; }
|
|
|
+
|
|
|
+## Create psk
|
|
|
wgpsk() { wg genpsk | (umask 0077 && cat > $1.psk) }
|
|
|
-wgkeypair host
|
|
|
-peers="dspx4 zino2"
|
|
|
-for peer in $peers; do wgkeypair $peer && wgpsk $peer; done
|
|
|
-
|
|
|
-### Configuration
|
|
|
-# Setup wireguard network interface
|
|
|
-ip link add dev wg0 type wireguard
|
|
|
-ip addr add $network dev wg0
|
|
|
-wg set wg0 listen-port 51871 private-key $confdir/host.key
|
|
|
-
|
|
|
-wgsetpeer() {
|
|
|
-peer=$1
|
|
|
-ip=$2
|
|
|
-wg set wg0 \
|
|
|
- peer `cat $confdir/$peer.pub` \
|
|
|
- preshared-key $confdir/$peer.psk \
|
|
|
- allowed-ips $ip
|
|
|
-ip link set wg0 up
|
|
|
-
|
|
|
-cat >$confdir/$peer.conf <<EOL
|
|
|
+
|
|
|
+## Create peer config file
|
|
|
+wgconfig() {
|
|
|
+ peer=$1
|
|
|
+ ip=$2
|
|
|
+
|
|
|
+ cat >$confdir/$peer.conf <<EOL
|
|
|
# Client config for $peer
|
|
|
[Interface]
|
|
|
PrivateKey = `cat $confdir/$peer.key`
|
|
|
Address = $ip
|
|
|
-DNS = 127.0.0.1
|
|
|
+DNS = $dns
|
|
|
|
|
|
[Peer]
|
|
|
-PublicKey = `cat $confdir/host.pub`
|
|
|
-AllowedIPs = 0.0.0.0/0
|
|
|
-Endpoint = blue.s-up.net:51871
|
|
|
+PublicKey = `cat $confdir/$servername.pub`
|
|
|
+AllowedIPs = $network
|
|
|
+Endpoint = $servername:$serverport
|
|
|
PersistentKeepalive = 15
|
|
|
PresharedKey = `cat $confdir/$peer.psk`
|
|
|
EOL
|
|
|
|
|
|
-qrencode -t ANSIUTF8 -r $confdir/$peer.conf
|
|
|
+ qrencode -t ANSIUTF8 -r $confdir/$peer.conf > $peer-qr.txt
|
|
|
+ qrencode -t png -r $confdir/$peer.conf > $peer.png
|
|
|
}
|
|
|
|
|
|
-wgsetpeer dspx4 192.168.130.2
|
|
|
|
|
|
-# https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/
|
|
|
-iptables -t nat -I POSTROUTING 1 -s 192.168.130.0/24 -o ens3 -j MASQUERADE
|
|
|
-iptables -I INPUT 1 -i wg0 -j ACCEPT
|
|
|
-iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
|
|
|
-iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
|
|
|
-iptables -I INPUT 1 -i eth0 -p udp --dport 51871 -j ACCEPT
|
|
|
-sysctl -w net.ipv4.ip_forward=1
|
|
|
+# ---------Functions-----------
|
|
|
+
|
|
|
+## Create and move to output folder
|
|
|
+mkdir -p $confdir
|
|
|
+cd $confdir
|
|
|
+
|
|
|
+## Create server keys
|
|
|
+wgkeypair $servername
|
|
|
+
|
|
|
+## Create server config
|
|
|
+ cat >$confdir/$servername.conf <<EOL
|
|
|
+# Config for $peer
|
|
|
+[Interface]
|
|
|
+PrivateKey = `cat $confdir/$servername.key`
|
|
|
+Address = $serverip
|
|
|
+DNS = $dns
|
|
|
+EOL
|
|
|
+
|
|
|
+## Create peers' key-pair, psk and config from peers.txt
|
|
|
+while read peer;
|
|
|
+ do
|
|
|
+ ip=`echo $peer | cut -d' ' -f1`
|
|
|
+ host=`echo $peer | cut -d' ' -f2`
|
|
|
+
|
|
|
+ wgkeypair $host
|
|
|
+ wgpsk $host
|
|
|
+ wgconfig $host $ip
|
|
|
+
|
|
|
+ # Add peers to server config
|
|
|
+ cat >>$confdir/$servername.conf <<EOL
|
|
|
+[Peer]
|
|
|
+PublicKey = `cat $confdir/$host.pub`
|
|
|
+AllowedIPs = $ip
|
|
|
+PresharedKey = `cat $confdir/$host.psk`
|
|
|
+EOL
|
|
|
+ done < peers.txt
|
Dominik