git Service of IN-Ulm e.V. Explore Help
Sign In
ulpeters
/
snippets
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 0a02f942f0
Branches Tags
snippets
/
linux
/
wireguard
/
wireguard-instant.sh

wireguard-instant.sh 2.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293 
  1. #!/bin/bash
    2. 

  2. 

  3. ### Purpose of this script
    4. 

  4. # Setup a central WireGuard instance (vpn server) to
    5. 

  5. # - serve as exit node
    6. 

  6. # - to generate key material / configurations for clients
    7. 

  7. # - help me to memorize WireGuard basics
    8. 

  8. 

  9. ### Files generated:
    10. 

  10. # <hostname>.key  - private key
    11. 

  11. # <hostname>.pub  - public key
    12. 

  12. # <hostname>.psk  - pre-shared key (PSK) per client
    13. 

  13. # <hostname>.conf - configuration file for the client
    14. 

  14. 

  15. ### Client configuration
    16. 

  16. # - Linux
    17. 

  17. #   - Save <hostname>.conf under /etc/wireguard/wg0.conf
    18. 

  18. #   - Run wg-quick up wg0
    19. 

  19. # - Android / iOS
    20. 

  20. #   - Scan QR-Code
    21. 

  21. 

  22. ### References
    23. 

  23. # https://wiki.archlinux.org/title/WireGuard
    24. 

  24. 

  25. ### Installation
    26. 

  26. # Install wireguard and QR-Code generator
    27. 

  27. apt-get install --yes wireguard qrencode 
    28. 

  28. 

  29. ### Variables
    30. 

  30. hostname="vpn.example.com"
    31. 

  31. server_ip='192.168.130.1/24'
    32. 

  32. network='192.168.130.0/24'
    33. 

  33. confdir='/etc/wireguard'
    34. 

  34. interface='ens3'
    35. 

  35. 

  36. ### Create key material
    37. 

  37. cd $confdir
    38. 

  38. # Function to generate private and public keys
    39. 

  39. wgkeypair() { wg genkey | (umask 0077 && tee   $1.key) | wg pubkey > $1.pub; }
    40. 

  40. # Function to generate the pre-shared key (PSK) for clients
    41. 

  41. wgpsk()     { wg genpsk | (umask 0077 && cat > $1.psk) }
    42. 

  42. # Generate key-pair for the central instance
    43. 

  43. wgkeypair $hostname
    44. 

  44. # Generate key-pairs and PSKs for the clients (peers)
    45. 

  45. peers="alice bob"
    46. 

  46. for peer in $peers; do wgkeypair $peer && wgpsk $peer; done
    47. 

  47. 

  48. ### Configuration
    49. 

  49. # Setup wireguard network interface on the client
    50. 

  50. ip link add dev wg0 type wireguard
    51. 

  51. ip addr add $server_ip dev wg0
    52. 

  52. wg set wg0 listen-port 51871 private-key $confdir/$hostname.key 
    53. 

  53. 

  54. # Function to generate
    55. 

  55. # - configure peers on the server
    56. 

  56. # - prepare config files for the peers
    57. 

  57. wgsetpeer() {
    58. 

  58. peer=$1
    59. 

  59. ip=$2
    60. 

  60. wg set wg0                                 \
    61. 

  61.    peer           `cat $confdir/$peer.pub` \
    62. 

  62.    preshared-key  $confdir/$peer.psk       \
    63. 

  63.    allowed-ips    $ip
    64. 

  64. ip link set wg0 up
    65. 

  65. 

  66. cat >$confdir/$peer.conf <<EOL
    67. 

  67. # Client config for $peer
    68. 

  68. [Interface]
    69. 

  69. PrivateKey = `cat $confdir/$peer.key`
    70. 

  70. Address = $ip
    71. 

  71. #DNS = 8.8.8.8
    72. 

  72.  
    73. 

  73. [Peer]
    74. 

  74. PublicKey = `cat $confdir/host.pub`
    75. 

  75. AllowedIPs = $network
    76. 

  76. Endpoint = $hostname:51871
    77. 

  77. #PersistentKeepalive = 15
    78. 

  78. PresharedKey = `cat $confdir/$peer.psk`
    79. 

  79. EOL
    80. 

  80. 

  81. qrencode  -t ANSIUTF8 < $confdir/$peer.conf
    82. 

  82. }
    83. 

  83. 

  84. wgsetpeer alice 192.168.130.2
    85. 

  85. wgsetpeer bob 192.168.130.3
    86. 

  86. 

  87. # https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/
    88. 

  88. iptables -t nat -I POSTROUTING 1 -s $network -o $interface -j MASQUERADE
    89. 

  89. iptables -I INPUT 1 -i wg0 -j ACCEPT
    90. 

  90. iptables -I FORWARD 1 -i $interface -o wg0 -j ACCEPT
    91. 

  91. iptables -I FORWARD 1 -i wg0 -o $interface -j ACCEPT
    92. 

  92. iptables -I INPUT 1 -i $interface -p udp --dport 51871 -j ACCEPT
    93. 

  93. sysctl -w net.ipv4.ip_forward=1
    94.