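#!/bin/bash
# ###########################################
# ###########################################
#
# Wireguard installation script for Ubuntu 18.04
# by OneMarcFifty
# the place for digital DIY
#
# https://www.youtube.com/channel/UCG5Ph9Mm6UEQLJJ-kGIC2AQ
#
# ###########################################
# ###########################################
# ###############################
# This needs to be run as root !
# ###############################
# Optional environment overrides (defaults are the values used below):
#   WG0ADDRESS  address/prefix assigned to wg0 (default 192.168.88.1/24)
#   WG0PORT     UDP port wg0 listens on        (default 51820)
#
# Stop at the first failed command, unset variable or failed pipeline
# stage: an install that stops half-way is better than one that silently
# writes a broken wg0.conf. Failures we deliberately tolerate are marked
# with "|| true" and a comment.
set -euo pipefail

# print a message to stderr and abort the install
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# everything below writes to /etc/wireguard and the network stack
[[ "$EUID" -eq 0 ]] || die "this script must be run as root"
# ###########################################
# Delete any old config
# ###########################################
# NOTE: this is destructive - the existing private key is lost and every
# peer that was configured against the old public key stops working.
rm -f "/etc/wireguard/wg0.conf"
rm -f "/etc/wireguard/privatekey"
rm -f "/etc/wireguard/publickey"
# "ip link show dev wg0" matches exactly this interface (a grep for wg0
# would also match wg01, wg0x, ...)
if ip link show dev wg0 >/dev/null 2>&1; then
  ip link delete wg0
fi
# ###############################
# update the software sources
# ###############################
apt update
apt install -y software-properties-common curl qrencode
# this will succeed on Ubuntu 18 but fail on Debian 11 - that is fine,
# wireguard is then installed from the distribution's own repositories,
# so the failure must not abort the script
add-apt-repository -y ppa:wireguard/wireguard >/dev/null 2>&1 || true
# ###############################
# install wireguard
# ###############################
apt install -y wireguard
# let's also clean up a little bit
# in case some redundant packages exist
apt -y autoremove
# ###############################
# generate a key pair
# ###############################
# umask 077 makes every file created from here on readable by root only:
# the private key, the public key and wg0.conf (which embeds the private key)
umask 077
wg genkey > /etc/wireguard/privatekey
wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
# ###############################
# enable routing
# ###############################
# enable ip4 forwarding right now ...
sysctl -w net.ipv4.ip_forward=1
# ... and make it permanent: rewrite any existing (possibly commented out)
# ip_forward line in sysctl.conf, append one if there is none.
# Dots are escaped - in a regex "." matches any character.
sed -i 's/^.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf
if ! grep -q '^net\.ipv4\.ip_forward=1$' /etc/sysctl.conf; then
  echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
fi
# --- reload and print sysctl.conf so we see the persistent setting.
# A stale key somewhere else in sysctl.conf must not abort the install;
# forwarding itself was already switched on with -w above.
sysctl -p || true
# ###########################################
# define the wg0 interface
# ###########################################
# change this if you want (or override from the environment)
# we are using export to allow for copy paste
export WG0ADDRESS="${WG0ADDRESS:-192.168.88.1/24}"
export WG0PORT="${WG0PORT:-51820}"
ip link add dev wg0 type wireguard
ip address add dev wg0 "$WG0ADDRESS"
wg set wg0 private-key /etc/wireguard/privatekey
wg set wg0 listen-port "$WG0PORT"
# ###########################################
# up the interface
# ###########################################
# "ip link set wg0 up" would not be persistent, i.e. needs to be redone
# after reboot - so we create a config file for wg-quick and make it persistent:
wg showconf wg0 > /etc/wireguard/wg0.conf
# -- the showconf command does not give the IP address so we just print it into the config file
echo "Address=$WG0ADDRESS" >> /etc/wireguard/wg0.conf
echo "SaveConfig = true" >> /etc/wireguard/wg0.conf
# find our own public IP address
# we get this info from the internet
# using curl with root is dangerous, so we
# run it as nobody.
# --fail / --max-time: a failed or hung lookup yields an empty value
# instead of an HTML error page; "|| true" keeps a missing public IP
# non-fatal because we fall back to the default route further down.
OUR_OWN_IP=$(sudo -u nobody curl -sS --fail --max-time 15 https://ipinfo.io/ip || true)
# accept only something that looks like an IPv4 address - whatever else
# comes back from the network must not end up in our commands
if [[ ! "$OUR_OWN_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "could not determine our public IP - got:${OUR_OWN_IP}:"
  OUR_OWN_IP=""
fi
export OUR_OWN_IP
# find out which interface the public IP address is on:
# the first column of "ip -br addr" is the interface name.
# grep -F -w: the IP is a literal word, not a regex (otherwise the dots
# match any character and 1.2.3.4 would also match 1.2.3.45)
OUR_INTERFACE=""
if [[ -n "$OUR_OWN_IP" ]]; then
  # "read" fails on empty input, which is exactly the NAT case handled below
  read -r OUR_INTERFACE _ < <(ip -br addr | grep -F -w -- "$OUR_OWN_IP" || true) || true
fi
echo "our interface:$OUR_INTERFACE:"
# The initial idea here was to find the interface that has the public IP
# address. This will not work in a NAT environment, i.e.
# where the VPS is behind a NAT router and does not have the
# public address directly.
# Fix : If we do not get an interface this way we just use the
# interface of the default route - the word after "dev" in "ip route"
# (awk instead of two seds: the "dev" field is not always in the same
# position, e.g. point-to-point routes have no "via")
if [[ -z "$OUR_INTERFACE" ]]; then
  echo "WAN Interface not found via public IP - using the default route"
  OUR_INTERFACE=$(ip -4 route show default \
    | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}')
  echo "WAN Interface is now: $OUR_INTERFACE"
fi
# an empty interface name would produce a MASQUERADE rule for every
# interface - better to stop here than to write that into the config
[[ -n "$OUR_INTERFACE" ]] || die "no WAN interface found - cannot write the NAT rules"
export OUR_INTERFACE
# At this point, our VPN Server would just be a router
# but we want it to mask our IP address.
# Also the ISP would not route our private VPN address range
# hence we need some firewall rules added.
# The hook key must be spelled "PostDown" (not "PostDOWN"): wg-quick looks
# for the exact key name, otherwise the hook never runs on "wg-quick down"
# and the FORWARD / MASQUERADE rules are left behind.
echo "PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $OUR_INTERFACE -j MASQUERADE" >> /etc/wireguard/wg0.conf
echo "PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $OUR_INTERFACE -j MASQUERADE" >> /etc/wireguard/wg0.conf
# ###########################################################
# this will automatically bring up the interface after reboot
# (the wg-quick@ template unit reads /etc/wireguard/wg0.conf)
# ###########################################################
systemctl enable wg-quick@wg0.service
# ###########################################
# ###########################################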