
@kaonis
Forked from shr00mie/wireguard.sh
Created November 12, 2019 10:15

Revisions

  1. @shr00mie shr00mie revised this gist Feb 10, 2019. 1 changed file with 1 addition and 0 deletions.
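--- a/wireguard.sh
+++ b/wireguard.sh
@@ -86,6 +86,7 @@ status "Applying IPv4 Forwarding"
 sudo sysctl -p
 
 status "Creating folders (.wgkey & .wgconfig)"
+cd ~
 mkdir .wgkeys
 mkdir .wgconfig
 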
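Review bot: The added `cd ~` is unchecked, and since this script sets no `set -e`, a failed `cd` (HOME unset, for instance) would leave the two `mkdir` calls creating `.wgkeys`/`.wgconfig` in whatever the current directory happens to be, while `wg_keygen` later writes to `~/.wgkeys` by absolute path and fails. The `cd` is also unnecessary: `mkdir -p -m 700 ~/.wgkeys ~/.wgconfig` creates both with absolute paths, is safe to re-run, and makes the private-key directory owner-only — the `umask 077` inside `wg_keygen` protects only the key files, not the directory that lists them. The status text just above says `.wgkey` while the directory created is `.wgkeys`; aligning the message would help anyone reading the log. The surrounding script continues outside the hunk.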
  2. @shr00mie shr00mie created this gist Feb 10, 2019.
    156 changes: 156 additions & 0 deletions wireguard.sh
    @@ -0,0 +1,156 @@
    #!/bin/bash
    #
    ## -------------------------------=[ Info ]=--------------------------------- ##
    #
    ## -=[ Author ]=------------------------------------------------------------- ##
    #
    # shr00mie
    # 01.10.2019
    # v0.2
    #
    ## -=[ Use Case ]=----------------------------------------------------------- ##
    #
    # WireGuard VPN Install on fresh Raspbian Stretch Light
    #
    ## -=[ Breakdown ]=---------------------------------------------------------- ##
    #
    #
    #
    ## -=[ To-Do ]=-------------------------------------------------------------- ##
    #
    # 1. Add allowed routes on endpoint side
    # 2. Set client allowed routes to /24 endpoint VPN LAN and /16 for LAN
    # 3. Encrypt & email configs after creation for distribution (to admin or users)
    #
    ## -=[ Functions ]=---------------------------------------------------------- ##
    #
    # Usage: status "Status Text"
    function status() {
    GREEN='\033[00;32m'
    RESTORE='\033[0m'
    echo -e "\n...${GREEN}$1${RESTORE}...\n"
    }

    function wg_keygen(){
    umask 077
    wg genkey > ~/.wgkeys/$1_private.key
    wg pubkey > ~/.wgkeys/$1_public.key < ~/.wgkeys/$1_private.key
    }
    #
    ## -------------------------=[ Script Variables ]=--------------------------- ##
    #
    # Array of client names for which to generate keys:
    CLIENTS=("Enter" "Your" "Clients" "Here")
    # FQDN for vpn endpoint
    ENDPOINT="vpn server/endpoint ip or fqdn"
    # CIDR IP to route over VPN. 0.0.0.0/0 for route everything
    CLIENT_ROUTES="10.1.0.0/16"
    # Server side DNS. Google if you don't have one.
    CLIENT_DNS="8.8.8.8, 8.8.4.4"
    # physical lan interface to bridge to (eth0, wlan0)
    IFACE="eth0"
    #
    ## ---------------------------=[ Script Start ]=----------------------------- ##

    status "Updating system"
    sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoclean && sudo apt-get autoremove -y

    status "Installing RaspberryPi Kernel Headers"
    sudo apt-get install raspberrypi-kernel-headers

    status "Adding unstable repo"
    cat << EOF | sudo tee /etc/apt/sources.list.d/unstable.list > /dev/null
    deb http://deb.debian.org/debian/ unstable main
    EOF

    status "Installing dirmngr"
    sudo apt-get install dirmngr -y

    status "Adding keys for unstable branch"
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553

    status "Setting unstable apt preferences"
    cat << EOF | sudo tee /etc/apt/preferences.d/limit-unstable > /dev/null
    Package: *
    Pin: release a=unstable
    Pin-Priority: 150
    EOF

    status "Installing WireGuard"
    sudo apt-get update && sudo apt-get install wireguard -y

    status "Configuring IPv4 Forwarding"
    sudo sed -i.back "s/#net\.ipv4\.ip_forward=1/net\.ipv4\.ip_forward=1/" /etc/sysctl.conf

    status "Applying IPv4 Forwarding"
    sudo sysctl -p

    status "Creating folders (.wgkey & .wgconfig)"
    mkdir .wgkeys
    mkdir .wgconfig

    status "Creating server keys"
    wg_keygen "server"
    SERVER_PRIVATE_KEY=$(cat ~/.wgkeys/server_private.key)
    SERVER_PUBLIC_KEY=$(cat ~/.wgkeys/server_public.key)

    status "Creating client keys"
    for i in ${CLIENTS[@]}
    do
    wg_keygen ${i}
    done

    status "Configuring WireGuard interface"
    cat << EOF | sudo tee /etc/wireguard/wg0.conf > /dev/null
    [Interface]
    Address = 192.168.99.1/24
    ListenPort = 51820
    PrivateKey = $SERVER_PRIVATE_KEY
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o $IFACE -j ACCEPT; iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o $IFACE -j ACCEPT; iptables -t nat -D POSTROUTING -o $IFACE -j MASQUERADE
    EOF

    status "Appending peer configuration for each provided client"
    cn=2
    for i in ${CLIENTS[@]}
    do
    CLIENT_PUBLIC_KEY=$(cat ~/.wgkeys/${i}_public.key)
    cat << EOF | sudo tee -a /etc/wireguard/wg0.conf > /dev/null
    [Peer]
    # client ${i}
    PublicKey = $CLIENT_PUBLIC_KEY
    AllowedIPs = 192.168.99.$cn/32
    EOF
    cn=$(( $cn + 1 ))
    done

    status "Starting WireGuard"
    sudo wg-quick up wg0

    status "Enabling WireGuard service"
    sudo systemctl enable wg-quick@wg0

    status "Generating client-side configurations"
    cn=2
    for i in ${CLIENTS[@]}
    do
    CLIENT_ADDRESS="192.168.99.$cn"
    CLIENT_PRIVATE_KEY=$(cat ~/.wgkeys/${i}_private.key)
    cat << EOF | sudo tee ~/.wgconfig/${i}.conf > /dev/null
    [Interface]
    Address = $CLIENT_ADDRESS/24
    PrivateKey = $CLIENT_PRIVATE_KEY
    DNS = $CLIENT_DNS
    [Peer]
    PublicKey = $SERVER_PUBLIC_KEY
    AllowedIPs = 192.168.99.0/24, $CLIENT_ROUTES
    Endpoint = $ENDPOINT:51820
    PersistentKeepalive = 25
    EOF
    cn=$(( $cn + 1 ))
    done