From 071466eccd95b439312c6fd4aa465ba8532ffb01 Mon Sep 17 00:00:00 2001 From: Jelle Dekker Date: Wed, 22 Apr 2020 21:50:49 +0200 Subject: [PATCH 01/34] Generate unique pre-shared key for each client (#69) --- wireguard-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 11ba63c..c8a0515 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -31,6 +31,7 @@ function addClient () { # Generate key pair for the client CLIENT_PRIV_KEY=$(wg genkey) CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey) + CLIENT_PRE_SHARED_KEY=$(wg genpsk) # Create client file and add the server as a peer echo "[Interface] @@ -40,14 +41,14 @@ DNS = $CLIENT_DNS_1,$CLIENT_DNS_2 [Peer] PublicKey = $SERVER_PUB_KEY -PresharedKey = $SYMM_PRE_KEY +PresharedKey = $CLIENT_PRE_SHARED_KEY Endpoint = $ENDPOINT AllowedIPs = 0.0.0.0/0,::/0" >> "$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" # Add the client as a peer to the server echo -e "\n[Peer] PublicKey = $CLIENT_PUB_KEY -PresharedKey = $SYMM_PRE_KEY +PresharedKey = $CLIENT_PRE_SHARED_KEY AllowedIPs = $CLIENT_WG_IPV4/32,$CLIENT_WG_IPV6/128" >> "/etc/wireguard/$SERVER_WG_NIC.conf" systemctl restart "wg-quick@$SERVER_WG_NIC" @@ -173,8 +174,7 @@ SERVER_WG_IPV4=$SERVER_WG_IPV4 SERVER_WG_IPV6=$SERVER_WG_IPV6 SERVER_PORT=$SERVER_PORT SERVER_PRIV_KEY=$SERVER_PRIV_KEY -SERVER_PUB_KEY=$SERVER_PUB_KEY -SYMM_PRE_KEY=$( wg genpsk )" > /etc/wireguard/params +SERVER_PUB_KEY=$SERVER_PUB_KEY" > /etc/wireguard/params source /etc/wireguard/params From 89258ba91d5d8720c56466501c2fb23123deef2f Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sun, 26 Apr 2020 12:54:03 +0200 Subject: [PATCH 02/34] Mitigate Debian packaging issue bc is missing as dependency: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956869 fix #70 --- wireguard-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/wireguard-install.sh b/wireguard-install.sh index c8a0515..031dc33 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -142,6 +142,7 @@ elif [[ "$OS" = 'debian' ]]; then apt update apt-get install -y "linux-headers-$(uname -r)" apt-get install -y wireguard iptables resolvconf qrencode + apt-get install -y bc # mitigate https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956869 elif [[ "$OS" = 'fedora' ]]; then if [[ "$VERSION_ID" -lt 32 ]]; then dnf install -y dnf-plugins-core From 5b1ec52ac26bc9bc1f840e1b6cea566ef6d6abc9 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 28 Apr 2020 15:02:30 +0200 Subject: [PATCH 03/34] chore(args): rename add_client to add-client --- README.md | 2 +- wireguard-install.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fb81e47..94c1005 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ It will install WireGuard (kernel module and tools) on the server, configure it, To generate more client files, run the following: ```sh -./wireguard-install.sh add_client +./wireguard-install.sh add-client ``` Make sure you choose different IPs for you clients. diff --git a/wireguard-install.sh b/wireguard-install.sh index 031dc33..c811ce8 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -79,7 +79,7 @@ if [ "$(systemd-detect-virt)" == "lxc" ]; then exit fi -if [[ $1 == "add_client" ]];then +if [[ $1 == "add-client" ]];then if [[ -e /etc/wireguard ]]; then addClient exit 0 @@ -88,7 +88,7 @@ if [[ $1 == "add_client" ]];then exit 1 fi elif [[ -e /etc/wireguard ]]; then - echo "WireGuard is already installed. Run with 'add_client' to add a client." + echo "WireGuard is already installed. Run with 'add-client' to add a client." exit 1 fi From efa9e5031a3acb77b9eda7a1965941769d4c382b Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 28 Apr 2020 15:03:21 +0200 Subject: [PATCH 04/34] style(script) format with shfmt --- wireguard-install.sh | 222 ++++++++++++++++++++++--------------------- 1 file changed, 112 insertions(+), 110 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index c811ce8..f6768fb 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -1,40 +1,42 @@ #!/bin/bash -function addClient () { - # Load params - source /etc/wireguard/params +function addClient() { + # Load params + source /etc/wireguard/params - if [[ $SERVER_PUB_IP =~ .*:.* ]] - then - echo "IPv6 Detected" - ENDPOINT="[$SERVER_PUB_IP]:$SERVER_PORT" - else - echo "IPv4 Detected" - ENDPOINT="$SERVER_PUB_IP:$SERVER_PORT" - fi + if [[ $SERVER_PUB_IP =~ .*:.* ]]; then + echo "IPv6 Detected" + ENDPOINT="[$SERVER_PUB_IP]:$SERVER_PORT" + else + echo "IPv4 Detected" + ENDPOINT="$SERVER_PUB_IP:$SERVER_PORT" + fi - CLIENT_WG_IPV4="10.66.66.2" - read -rp "Client's WireGuard IPv4 " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 + CLIENT_WG_IPV4="10.66.66.2" + read -rp "Client's WireGuard IPv4 " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 - CLIENT_WG_IPV6="fd42:42:42::2" - read -rp "Client's WireGuard IPv6 " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 + CLIENT_WG_IPV6="fd42:42:42::2" + read -rp "Client's WireGuard IPv6 " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 - # Adguard DNS by default - CLIENT_DNS_1="176.103.130.130" - read -rp "First DNS resolver to use for the client: " -e -i "$CLIENT_DNS_1" CLIENT_DNS_1 + # Adguard DNS by default + CLIENT_DNS_1="176.103.130.130" + read -rp "First DNS resolver to use for the client: " -e -i "$CLIENT_DNS_1" CLIENT_DNS_1 - CLIENT_DNS_2="176.103.130.131" - read -rp "Second DNS resolver to use for the client: " -e -i "$CLIENT_DNS_2" CLIENT_DNS_2 + CLIENT_DNS_2="176.103.130.131" + read -rp "Second DNS resolver to use for the client: " -e -i "$CLIENT_DNS_2" CLIENT_DNS_2 - CLIENT_NAME=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 ; echo '') + CLIENT_NAME=$( + head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 + echo '' + ) - # Generate key pair for the client - CLIENT_PRIV_KEY=$(wg genkey) - CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey) - CLIENT_PRE_SHARED_KEY=$(wg genpsk) + # Generate key pair for the client + CLIENT_PRIV_KEY=$(wg genkey) + CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey) + CLIENT_PRE_SHARED_KEY=$(wg genpsk) - # Create client file and add the server as a peer - echo "[Interface] + # Create client file and add the server as a peer + echo "[Interface] PrivateKey = $CLIENT_PRIV_KEY Address = $CLIENT_WG_IPV4/24,$CLIENT_WG_IPV6/64 DNS = $CLIENT_DNS_1,$CLIENT_DNS_2 @@ -43,69 +45,69 @@ DNS = $CLIENT_DNS_1,$CLIENT_DNS_2 PublicKey = $SERVER_PUB_KEY PresharedKey = $CLIENT_PRE_SHARED_KEY Endpoint = $ENDPOINT -AllowedIPs = 0.0.0.0/0,::/0" >> "$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" +AllowedIPs = 0.0.0.0/0,::/0" >>"$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" - # Add the client as a peer to the server - echo -e "\n[Peer] + # Add the client as a peer to the server + echo -e "\n[Peer] PublicKey = $CLIENT_PUB_KEY PresharedKey = $CLIENT_PRE_SHARED_KEY -AllowedIPs = $CLIENT_WG_IPV4/32,$CLIENT_WG_IPV6/128" >> "/etc/wireguard/$SERVER_WG_NIC.conf" +AllowedIPs = $CLIENT_WG_IPV4/32,$CLIENT_WG_IPV6/128" >>"/etc/wireguard/$SERVER_WG_NIC.conf" - systemctl restart "wg-quick@$SERVER_WG_NIC" + systemctl restart "wg-quick@$SERVER_WG_NIC" - echo -e "\nHere is your client config file as a QR Code:" + echo -e "\nHere is your client config file as a QR Code:" - qrencode -t ansiutf8 -l L < "$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" + qrencode -t ansiutf8 -l L <"$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" - echo "It is also available in $HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" + echo "It is also available in $HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" } if [ "$EUID" -ne 0 ]; then - echo "You need to run this script as root" - exit 1 + echo "You need to run this script as root" + exit 1 fi if [ "$(systemd-detect-virt)" == "openvz" ]; then - echo "OpenVZ is not supported" - exit + echo "OpenVZ is not supported" + exit fi if [ "$(systemd-detect-virt)" == "lxc" ]; then - echo "LXC is not supported (yet)." - echo "WireGuard can technically run in an LXC container," - echo "but the kernel module has to be installed on the host," - echo "the container has to be run with some specific parameters" - echo "and only the tools need to be installed in the container." - exit + echo "LXC is not supported (yet)." + echo "WireGuard can technically run in an LXC container," + echo "but the kernel module has to be installed on the host," + echo "the container has to be run with some specific parameters" + echo "and only the tools need to be installed in the container." + exit fi -if [[ $1 == "add-client" ]];then - if [[ -e /etc/wireguard ]]; then - addClient - exit 0 - else - echo "Please install WireGuard first." - exit 1 - fi +if [[ $1 == "add-client" ]]; then + if [[ -e /etc/wireguard ]]; then + addClient + exit 0 + else + echo "Please install WireGuard first." + exit 1 + fi elif [[ -e /etc/wireguard ]]; then - echo "WireGuard is already installed. Run with 'add-client' to add a client." - exit 1 + echo "WireGuard is already installed. Run with 'add-client' to add a client." + exit 1 fi # Check OS version if [[ -e /etc/debian_version ]]; then - source /etc/os-release - OS=$ID # debian or ubuntu + source /etc/os-release + OS=$ID # debian or ubuntu elif [[ -e /etc/fedora-release ]]; then - source /etc/os-release - OS=$ID + source /etc/os-release + OS=$ID elif [[ -e /etc/centos-release ]]; then - OS=centos + OS=centos elif [[ -e /etc/arch-release ]]; then - OS=arch + OS=arch else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" - exit 1 + echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" + exit 1 fi # Detect public IPv4 address and pre-fill for the user @@ -130,37 +132,37 @@ SERVER_PORT=$(shuf -i49152-65535 -n1) read -rp "Server's WireGuard port: " -e -i "$SERVER_PORT" SERVER_PORT # Install WireGuard tools and module -if [[ "$OS" = 'ubuntu' ]]; then - apt-get install -y software-properties-common - add-apt-repository -y ppa:wireguard/wireguard - apt-get update - apt-get install -y "linux-headers-$(uname -r)" - apt-get install -y wireguard iptables resolvconf qrencode -elif [[ "$OS" = 'debian' ]]; then - echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list - printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable - apt update - apt-get install -y "linux-headers-$(uname -r)" - apt-get install -y wireguard iptables resolvconf qrencode - apt-get install -y bc # mitigate https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956869 -elif [[ "$OS" = 'fedora' ]]; then - if [[ "$VERSION_ID" -lt 32 ]]; then - dnf install -y dnf-plugins-core - dnf copr enable -y jdoss/wireguard - dnf install -y wireguard-dkms - fi - dnf install -y wireguard-tools iptables qrencode -elif [[ "$OS" = 'centos' ]]; then - curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo - yum -y install epel-release - yum -y install wireguard-dkms wireguard-tools iptables qrencode -elif [[ "$OS" = 'arch' ]]; then - pacman -S --noconfirm linux-headers - pacman -S --noconfirm wireguard-tools iptables wireguard-arch qrencode +if [[ $OS == 'ubuntu' ]]; then + apt-get install -y software-properties-common + add-apt-repository -y ppa:wireguard/wireguard + apt-get update + apt-get install -y "linux-headers-$(uname -r)" + apt-get install -y wireguard iptables resolvconf qrencode +elif [[ $OS == 'debian' ]]; then + echo "deb http://deb.debian.org/debian/ unstable main" >/etc/apt/sources.list.d/unstable.list + printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >/etc/apt/preferences.d/limit-unstable + apt update + apt-get install -y "linux-headers-$(uname -r)" + apt-get install -y wireguard iptables resolvconf qrencode + apt-get install -y bc # mitigate https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956869 +elif [[ $OS == 'fedora' ]]; then + if [[ $VERSION_ID -lt 32 ]]; then + dnf install -y dnf-plugins-core + dnf copr enable -y jdoss/wireguard + dnf install -y wireguard-dkms + fi + dnf install -y wireguard-tools iptables qrencode +elif [[ $OS == 'centos' ]]; then + curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo + yum -y install epel-release + yum -y install wireguard-dkms wireguard-tools iptables qrencode +elif [[ $OS == 'arch' ]]; then + pacman -S --noconfirm linux-headers + pacman -S --noconfirm wireguard-tools iptables wireguard-arch qrencode fi # Make sure the directory exists (this does not seem the be the case on fedora) -mkdir /etc/wireguard > /dev/null 2>&1 +mkdir /etc/wireguard >/dev/null 2>&1 chmod 600 -R /etc/wireguard/ @@ -175,7 +177,7 @@ SERVER_WG_IPV4=$SERVER_WG_IPV4 SERVER_WG_IPV6=$SERVER_WG_IPV6 SERVER_PORT=$SERVER_PORT SERVER_PRIV_KEY=$SERVER_PRIV_KEY -SERVER_PUB_KEY=$SERVER_PUB_KEY" > /etc/wireguard/params +SERVER_PUB_KEY=$SERVER_PUB_KEY" >/etc/wireguard/params source /etc/wireguard/params @@ -183,21 +185,21 @@ source /etc/wireguard/params echo "[Interface] Address = $SERVER_WG_IPV4/24,$SERVER_WG_IPV6/64 ListenPort = $SERVER_PORT -PrivateKey = $SERVER_PRIV_KEY" > "/etc/wireguard/$SERVER_WG_NIC.conf" +PrivateKey = $SERVER_PRIV_KEY" >"/etc/wireguard/$SERVER_WG_NIC.conf" if [ -x "$(command -v firewall-cmd)" ]; then - FIREWALLD_IPV4_ADDRESS=$(echo "$SERVER_WG_IPV4" | cut -d"." -f1-3)".0" - FIREWALLD_IPV6_ADDRESS=$(echo "$SERVER_WG_IPV6" | sed 's/:[^:]*$/:0/') - echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade' -PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >> "/etc/wireguard/$SERVER_WG_NIC.conf" + FIREWALLD_IPV4_ADDRESS=$(echo "$SERVER_WG_IPV4" | cut -d"." -f1-3)".0" + FIREWALLD_IPV6_ADDRESS=$(echo "$SERVER_WG_IPV6" | sed 's/:[^:]*$/:0/') + echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade' +PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >>"/etc/wireguard/$SERVER_WG_NIC.conf" else - echo "PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE -PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" >> "/etc/wireguard/$SERVER_WG_NIC.conf" + echo "PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE +PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" >>"/etc/wireguard/$SERVER_WG_NIC.conf" fi # Enable routing on the server echo "net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf +net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf sysctl --system @@ -209,16 +211,16 @@ systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC" WG_RUNNING=$? # Warn user about kernel version mismatch with headers -if [[ "$OS" =~ (fedora|centos) ]] && [[ $WG_RUNNING -ne 0 ]]; then - echo -e "\nWARNING: WireGuard does not seem to be running." - echo "Due to kernel mismatch issues on $OS, WireGuard might work if your system is out of date." - echo "You can check if WireGuard is running with: systemctl status wg-quick@$SERVER_WG_NIC" - echo "If you get something like \"Cannot find device wg0\", please run:" - if [[ "$OS" = 'fedora' ]]; then - echo "dnf update -y && reboot" - elif [[ "$OS" = 'centos' ]]; then - echo "yum update -y && reboot" - fi +if [[ $OS =~ (fedora|centos) ]] && [[ $WG_RUNNING -ne 0 ]]; then + echo -e "\nWARNING: WireGuard does not seem to be running." + echo "Due to kernel mismatch issues on $OS, WireGuard might work if your system is out of date." + echo "You can check if WireGuard is running with: systemctl status wg-quick@$SERVER_WG_NIC" + echo 'If you get something like "Cannot find device wg0", please run:' + if [[ $OS == 'fedora' ]]; then + echo "dnf update -y && reboot" + elif [[ $OS == 'centos' ]]; then + echo "yum update -y && reboot" + fi fi addClient From 2e492d263ae35b6874831ea1bbc6025f150d9f9f Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 28 Apr 2020 15:04:16 +0200 Subject: [PATCH 05/34] ci(workflow): refactor and add shmft --- .github/workflows/lint.yml | 26 ++++++++++++++++++++++++++ .github/workflows/push.yml | 13 ------------- 2 files changed, 26 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/lint.yml delete mode 100644 .github/workflows/push.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..43ee65c --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,26 @@ +on: + push: + branches: + - master + pull_request: + branches: + - master + +name: Lint +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: shellcheck + uses: ludeeus/action-shellcheck@0.0.1 + env: + SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 + shfmt: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: shfmt + uses: bltavares/actions/shfmt@master + env: + SHFMT_ARGS: -d diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml deleted file mode 100644 index 33edafa..0000000 --- a/.github/workflows/push.yml +++ /dev/null @@ -1,13 +0,0 @@ -on: push -name: ShellCheck -jobs: - shellcheck: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - name: shellcheck - uses: ludeeus/action-shellcheck@0.0.1 - env: - SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 - with: - args: wireguard-install.sh From 7c6da8df0ebf39f37beae5aa45898c4120d64041 Mon Sep 17 00:00:00 2001 From: Deface <32715156+FollowMeDown@users.noreply.github.com> Date: Sun, 14 Jun 2020 16:24:12 +0200 Subject: [PATCH 06/34] Arch: do not install wireguard-arch (#84) --- wireguard-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index f6768fb..065de2e 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -158,7 +158,7 @@ elif [[ $OS == 'centos' ]]; then yum -y install wireguard-dkms wireguard-tools iptables qrencode elif [[ $OS == 'arch' ]]; then pacman -S --noconfirm linux-headers - pacman -S --noconfirm wireguard-tools iptables wireguard-arch qrencode + pacman -S --noconfirm wireguard-tools iptables qrencode fi # Make sure the directory exists (this does not seem the be the case on fedora) From e04fa5356d9a41a67c050b1c04e6400d004ea272 Mon Sep 17 00:00:00 2001 From: randomshell Date: Fri, 26 Jun 2020 18:38:29 +0000 Subject: [PATCH 07/34] Change check for previously installed wireguard --- wireguard-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 065de2e..40c08ce 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -82,14 +82,14 @@ if [ "$(systemd-detect-virt)" == "lxc" ]; then fi if [[ $1 == "add-client" ]]; then - if [[ -e /etc/wireguard ]]; then + if [[ -e /etc/wireguard/params ]]; then addClient exit 0 else - echo "Please install WireGuard first." + echo "Please install and configure WireGuard first." exit 1 fi -elif [[ -e /etc/wireguard ]]; then +elif [[ -e /etc/wireguard/params ]]; then echo "WireGuard is already installed. Run with 'add-client' to add a client." exit 1 fi From 1ffbf87dc6f8c4f821f89ed52e1049379e4bf3ef Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 18 Jul 2020 21:32:09 +0200 Subject: [PATCH 08/34] Add Dependabot --- .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f4d737f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + assignees: + - "angristan" + reviewers: + - "angristan" From 13df50739369be654d08564b70891e54e76e1ebf Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 18 Jul 2020 21:31:03 +0200 Subject: [PATCH 09/34] Update GitHub Actions --- .github/workflows/lint.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 43ee65c..e3c5e63 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,19 +7,21 @@ on: - master name: Lint + jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.0.1 + uses: ludeeus/action-shellcheck@0.4.1 env: SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 + shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: shfmt uses: bltavares/actions/shfmt@master env: From dfd7736a7dd4e1ee34e64b8d8414ba7b3c337b36 Mon Sep 17 00:00:00 2001 From: Ian Date: Mon, 27 Jul 2020 11:54:06 +0200 Subject: [PATCH 10/34] Add colon --- wireguard-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 40c08ce..3dfcb07 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -13,10 +13,10 @@ function addClient() { fi CLIENT_WG_IPV4="10.66.66.2" - read -rp "Client's WireGuard IPv4 " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 + read -rp "Client's WireGuard IPv4: " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 CLIENT_WG_IPV6="fd42:42:42::2" - read -rp "Client's WireGuard IPv6 " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 + read -rp "Client's WireGuard IPv6: " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 # Adguard DNS by default CLIENT_DNS_1="176.103.130.130" From 8464fc4ea205492819262bcc523d3f9d88e7097c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 Jul 2020 06:23:41 +0000 Subject: [PATCH 11/34] Bump ludeeus/action-shellcheck from 0.4.1 to 0.5.0 Bumps [ludeeus/action-shellcheck](https://github.com/ludeeus/action-shellcheck) from 0.4.1 to 0.5.0. - [Release notes](https://github.com/ludeeus/action-shellcheck/releases) - [Commits](https://github.com/ludeeus/action-shellcheck/compare/0.4.1...c489c81f79527f818be72b97b918b06e75eaee6d) Signed-off-by: dependabot[bot] --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e3c5e63..31fe34f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.4.1 + uses: ludeeus/action-shellcheck@0.5.0 env: SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 From 6e518633f340b8281f032ed47d07f61b4d91fe59 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Wed, 29 Jul 2020 12:20:51 +0200 Subject: [PATCH 12/34] Fix Debian installation: use backports And limit to Debian 10. Fix #101 --- wireguard-install.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 40c08ce..93c755d 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -98,6 +98,14 @@ fi if [[ -e /etc/debian_version ]]; then source /etc/os-release OS=$ID # debian or ubuntu + if [[ -e /etc/debian_version ]]; then + if [[ $ID == "debian" || $ID == "raspbian" ]]; then + if [[ $VERSION_ID -ne 10 ]]; then + echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" + exit 1 + fi + fi + fi elif [[ -e /etc/fedora-release ]]; then source /etc/os-release OS=$ID @@ -139,12 +147,13 @@ if [[ $OS == 'ubuntu' ]]; then apt-get install -y "linux-headers-$(uname -r)" apt-get install -y wireguard iptables resolvconf qrencode elif [[ $OS == 'debian' ]]; then - echo "deb http://deb.debian.org/debian/ unstable main" >/etc/apt/sources.list.d/unstable.list - printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >/etc/apt/preferences.d/limit-unstable + if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then + echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list + apt-get update + fi apt update - apt-get install -y "linux-headers-$(uname -r)" - apt-get install -y wireguard iptables resolvconf qrencode - apt-get install -y bc # mitigate https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956869 + apt-get install -y iptables resolvconf qrencode + apt-get install -y -t buster-backports wireguard elif [[ $OS == 'fedora' ]]; then if [[ $VERSION_ID -lt 32 ]]; then dnf install -y dnf-plugins-core From 5f82b76bc0df06a5ad8cbe2c6069ef016867ae04 Mon Sep 17 00:00:00 2001 From: randomshell Date: Fri, 31 Jul 2020 12:59:20 +0000 Subject: [PATCH 13/34] Refactor script (#92) - cleaned some minor code - use IPv6 if IPv4 isn't available - add input validations, fixes #86 . - assign secondary DNS to primary DNS value if it's empty. Fixes #68 - use `$SERVER_WG_IPV4` and `$SERVER_WG_IPV6` when suggesting the client IP - save user DNS to `params` file and apply it to all clients, removing support for customizing DNS for individual clients. If this is a problem we can add again the code to allow customization but maybe use the sourced DNS as a suggestion for clients that need a different one - add shellcheck ignores, needed for IDE that have shellcheck support - escaped variables to `"${var}"` style - updated README to reflect changes - fixed the kernel mismatch issue on CentOS by updating the kernel https://github.com/angristan/wireguard-install/issues/95#issuecomment-653696198. Fedora might need this change too - Use `firewall-cmd` only if `firewalld` is running. Fixes #95 - Fix the client's subnet mask. Fixes #87 - Save the client configuration in the correct `$HOME`. Fixes #96 Co-authored-by: Chris Lewicki Co-authored-by: Stanislas --- README.md | 6 - wireguard-install.sh | 470 +++++++++++++++++++++++++------------------ 2 files changed, 272 insertions(+), 204 deletions(-) diff --git a/README.md b/README.md index 94c1005..deae325 100644 --- a/README.md +++ b/README.md @@ -37,12 +37,6 @@ chmod +x wireguard-install.sh It will install WireGuard (kernel module and tools) on the server, configure it, create a systemd service and a client configuration file. -To generate more client files, run the following: - -```sh -./wireguard-install.sh add-client -``` - Make sure you choose different IPs for you clients. Contributions are welcome! diff --git a/wireguard-install.sh b/wireguard-install.sh index b05c6b8..707b4e3 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -1,29 +1,234 @@ #!/bin/bash -function addClient() { - # Load params - source /etc/wireguard/params +# Secure WireGuard server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux +# https://github.com/angristan/wireguard-install - if [[ $SERVER_PUB_IP =~ .*:.* ]]; then - echo "IPv6 Detected" - ENDPOINT="[$SERVER_PUB_IP]:$SERVER_PORT" - else - echo "IPv4 Detected" - ENDPOINT="$SERVER_PUB_IP:$SERVER_PORT" +function isRoot() { + if [ "${EUID}" -ne 0 ]; then + echo "You need to run this script as root" + exit 1 + fi +} + +function checkVirt() { + if [ "$(systemd-detect-virt)" == "openvz" ]; then + echo "OpenVZ is not supported" + exit 1 fi - CLIENT_WG_IPV4="10.66.66.2" - read -rp "Client's WireGuard IPv4: " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 + if [ "$(systemd-detect-virt)" == "lxc" ]; then + echo "LXC is not supported (yet)." + echo "WireGuard can technically run in an LXC container," + echo "but the kernel module has to be installed on the host," + echo "the container has to be run with some specific parameters" + echo "and only the tools need to be installed in the container." + exit 1 + fi +} - CLIENT_WG_IPV6="fd42:42:42::2" - read -rp "Client's WireGuard IPv6: " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 +function checkOS() { + # Check OS version + if [[ -e /etc/debian_version ]]; then + # shellcheck disable=SC1091 + source /etc/os-release + OS="${ID}" # debian or ubuntu + if [[ -e /etc/debian_version ]]; then + if [[ $ID == "debian" || $ID == "raspbian" ]]; then + if [[ $VERSION_ID -ne 10 ]]; then + echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" + exit 1 + fi + fi + fi + elif [[ -e /etc/fedora-release ]]; then + # shellcheck disable=SC1091 + source /etc/os-release + OS="${ID}" + elif [[ -e /etc/centos-release ]]; then + OS=centos + elif [[ -e /etc/arch-release ]]; then + OS=arch + else + echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" + exit 1 + fi +} + +function initialCheck() { + isRoot + checkVirt + checkOS +} + +function installQuestions() { + echo "Welcome to the WireGuard installer!" + echo "The git repository is available at: https://github.com/angristan/wireguard-install" + echo "" + echo "I need to ask you a few questions before starting the setup." + echo "You can leave the default options and just press enter if you are ok with them." + echo "" + + # Detect public IPv4 or IPv6 address and pre-fill for the user + SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) + if [[ -z "${SERVER_PUB_IP}" ]]; then + # Detect public IPv6 address + SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) + fi + read -rp "IPv4 or IPv6 public address: " -e -i "${SERVER_PUB_IP}" SERVER_PUB_IP + + # Detect public interface and pre-fill for the user + SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" + until [[ "${SERVER_PUB_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC + done + + until [[ "${SERVER_WG_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + # shellcheck disable=SC2034 + read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC + done + + until [[ "${SERVER_WG_IPV4}" =~ ^([0-9]{1,3}\.){3} ]]; do + read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4 + done + + until [[ "${SERVER_WG_IPV6}" =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do + read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6 + done + + # Generate random number within private ports range + RANDOM_PORT=$(shuf -i49152-65535 -n1) + until [[ "${SERVER_PORT}" =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do + read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT + done # Adguard DNS by default - CLIENT_DNS_1="176.103.130.130" - read -rp "First DNS resolver to use for the client: " -e -i "$CLIENT_DNS_1" CLIENT_DNS_1 + until [[ "${CLIENT_DNS_1}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "First DNS resolver to use for the clients: " -e -i 176.103.130.130 CLIENT_DNS_1 + done + until [[ "${CLIENT_DNS_2}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Second DNS resolver to use for the clients (optional): " -e -i 176.103.130.131 CLIENT_DNS_2 + if [[ "${CLIENT_DNS_2}" == "" ]]; then + CLIENT_DNS_2="${CLIENT_DNS_1}" + fi + done - CLIENT_DNS_2="176.103.130.131" - read -rp "Second DNS resolver to use for the client: " -e -i "$CLIENT_DNS_2" CLIENT_DNS_2 + echo "" + echo "Okay, that was all I needed. We are ready to setup your WireGuard server now." + echo "You will be able to generate a client at the end of the installation." + read -n1 -r -p "Press any key to continue..." +} + +function installWireGuard() { + # Run setup questions first + installQuestions + + # Install WireGuard tools and module + if [[ "${OS}" == 'ubuntu' ]]; then + apt-get install -y software-properties-common + add-apt-repository -y ppa:wireguard/wireguard + apt-get update + apt-get install -y "linux-headers-$(uname -r)" + apt-get install -y wireguard iptables resolvconf qrencode + elif [[ "${OS}" == 'debian' ]]; then + if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then + echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list + apt-get update + fi + apt update + apt-get install -y iptables resolvconf qrencode + apt-get install -y -t buster-backports wireguard + elif [[ "${OS}" == 'fedora' ]]; then + if [[ "${VERSION_ID}" -lt 32 ]]; then + dnf install -y dnf-plugins-core + dnf copr enable -y jdoss/wireguard + dnf install -y wireguard-dkms + fi + dnf install -y wireguard-tools iptables qrencode + elif [[ "${OS}" == 'centos' ]]; then + curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo + yum -y install epel-release kernel kernel-devel kernel-headers + yum -y install wireguard-dkms wireguard-tools iptables qrencode + elif [[ "${OS}" == 'arch' ]]; then + pacman -S --noconfirm linux-headers + pacman -S --noconfirm wireguard-tools iptables qrencode + fi + + # Make sure the directory exists (this does not seem the be the case on fedora) + mkdir /etc/wireguard >/dev/null 2>&1 + + chmod 600 -R /etc/wireguard/ + + SERVER_PRIV_KEY=$(wg genkey) + SERVER_PUB_KEY=$(echo "${SERVER_PRIV_KEY}" | wg pubkey) + + # Save WireGuard settings + echo "SERVER_PUB_IP=${SERVER_PUB_IP} +SERVER_PUB_NIC=${SERVER_PUB_NIC} +SERVER_WG_NIC=${SERVER_WG_NIC} +SERVER_WG_IPV4=${SERVER_WG_IPV4} +SERVER_WG_IPV6=${SERVER_WG_IPV6} +SERVER_PORT=${SERVER_PORT} +SERVER_PRIV_KEY=${SERVER_PRIV_KEY} +SERVER_PUB_KEY=${SERVER_PUB_KEY} +CLIENT_DNS_1=${CLIENT_DNS_1} +CLIENT_DNS_2=${CLIENT_DNS_2}" >/etc/wireguard/params + + # Add server interface + echo "[Interface] +Address = ${SERVER_WG_IPV4}/24,${SERVER_WG_IPV6}/64 +ListenPort = ${SERVER_PORT} +PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf" + + if pgrep firewalld; then + FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0" + # shellcheck disable=SC2001 + FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/') + echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade' +PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" + else + echo "PostUp = iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE +PostDown = iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" + fi + + # Enable routing on the server + echo "net.ipv4.ip_forward = 1 +net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf + + sysctl --system + + systemctl start "wg-quick@${SERVER_WG_NIC}" + systemctl enable "wg-quick@${SERVER_WG_NIC}" + + # Check if WireGuard is running + systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" + WG_RUNNING=$? + + # WireGuard might not work if we updated the kernel. Tell the user to reboot + if [[ "${WG_RUNNING}" -ne 0 ]]; then + echo -e "\nWARNING: WireGuard does not seem to be running." + echo "You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}" + echo 'If you get something like "Cannot find device wg0", please reboot!' + fi + + newClient + echo "If you want to add more clients, you simply need to run this script another time!" +} + +function newClient() { + # Load params + # shellcheck disable=SC1091 + source /etc/wireguard/params + + ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}" + + printf "\n" + until [[ "${CLIENT_WG_IPV4}" =~ ^([0-9]{1,3}\.?){4}$ ]]; do + read -rp "Client's WireGuard IPv4: " -e -i "${SERVER_WG_IPV4::-1}"2 CLIENT_WG_IPV4 + done + + until [[ "${CLIENT_WG_IPV6}" =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do + read -rp "Client's WireGuard IPv6 : " -e -i "${SERVER_WG_IPV6::-1}"2 CLIENT_WG_IPV6 + done CLIENT_NAME=$( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 @@ -32,204 +237,73 @@ function addClient() { # Generate key pair for the client CLIENT_PRIV_KEY=$(wg genkey) - CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey) + CLIENT_PUB_KEY=$(echo "${CLIENT_PRIV_KEY}" | wg pubkey) CLIENT_PRE_SHARED_KEY=$(wg genpsk) + # Home directory of the user, where the client configuration will be written + if [ -e "/home/${CLIENT_NAME}" ]; then # if $1 is a user name + HOME_DIR="/home/${CLIENT_NAME}" + elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER + HOME_DIR="/home/${SUDO_USER}" + else # if not SUDO_USER, use /root + HOME_DIR="/root" + fi + # Create client file and add the server as a peer echo "[Interface] -PrivateKey = $CLIENT_PRIV_KEY -Address = $CLIENT_WG_IPV4/24,$CLIENT_WG_IPV6/64 -DNS = $CLIENT_DNS_1,$CLIENT_DNS_2 +PrivateKey = ${CLIENT_PRIV_KEY} +Address = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128 +DNS = ${CLIENT_DNS_1},${CLIENT_DNS_2} [Peer] -PublicKey = $SERVER_PUB_KEY -PresharedKey = $CLIENT_PRE_SHARED_KEY -Endpoint = $ENDPOINT -AllowedIPs = 0.0.0.0/0,::/0" >>"$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" +PublicKey = ${SERVER_PUB_KEY} +PresharedKey = ${CLIENT_PRE_SHARED_KEY} +Endpoint = ${ENDPOINT} +AllowedIPs = 0.0.0.0/0,::/0" >>"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" # Add the client as a peer to the server echo -e "\n[Peer] -PublicKey = $CLIENT_PUB_KEY -PresharedKey = $CLIENT_PRE_SHARED_KEY -AllowedIPs = $CLIENT_WG_IPV4/32,$CLIENT_WG_IPV6/128" >>"/etc/wireguard/$SERVER_WG_NIC.conf" +PublicKey = ${CLIENT_PUB_KEY} +PresharedKey = ${CLIENT_PRE_SHARED_KEY} +AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" - systemctl restart "wg-quick@$SERVER_WG_NIC" + systemctl restart "wg-quick@${SERVER_WG_NIC}" echo -e "\nHere is your client config file as a QR Code:" - qrencode -t ansiutf8 -l L <"$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" + qrencode -t ansiutf8 -l L <"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" - echo "It is also available in $HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" + echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" } -if [ "$EUID" -ne 0 ]; then - echo "You need to run this script as root" - exit 1 -fi - -if [ "$(systemd-detect-virt)" == "openvz" ]; then - echo "OpenVZ is not supported" - exit -fi - -if [ "$(systemd-detect-virt)" == "lxc" ]; then - echo "LXC is not supported (yet)." - echo "WireGuard can technically run in an LXC container," - echo "but the kernel module has to be installed on the host," - echo "the container has to be run with some specific parameters" - echo "and only the tools need to be installed in the container." - exit -fi - -if [[ $1 == "add-client" ]]; then - if [[ -e /etc/wireguard/params ]]; then - addClient +function manageMenu() { + echo "Welcome to WireGuard-install!" + echo "The git repository is available at: https://github.com/angristan/wireguard-install" + echo "" + echo "It looks like WireGuard is already installed." + echo "" + echo "What do you want to do?" + echo " 1) Add a new user" + echo " 2) Exit" + until [[ "${MENU_OPTION}" =~ ^[1-2]$ ]]; do + read -rp "Select an option [1-2]: " MENU_OPTION + done + case "${MENU_OPTION}" in + 1) + newClient + ;; + 2) exit 0 - else - echo "Please install and configure WireGuard first." - exit 1 - fi -elif [[ -e /etc/wireguard/params ]]; then - echo "WireGuard is already installed. Run with 'add-client' to add a client." - exit 1 -fi + ;; + esac +} -# Check OS version -if [[ -e /etc/debian_version ]]; then - source /etc/os-release - OS=$ID # debian or ubuntu - if [[ -e /etc/debian_version ]]; then - if [[ $ID == "debian" || $ID == "raspbian" ]]; then - if [[ $VERSION_ID -ne 10 ]]; then - echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" - exit 1 - fi - fi - fi -elif [[ -e /etc/fedora-release ]]; then - source /etc/os-release - OS=$ID -elif [[ -e /etc/centos-release ]]; then - OS=centos -elif [[ -e /etc/arch-release ]]; then - OS=arch +# Check for root, virt, OS... +initialCheck + +# Check if WireGuard is already installed +if [[ -e /etc/wireguard/params ]]; then + manageMenu else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" - exit 1 + installWireGuard fi - -# Detect public IPv4 address and pre-fill for the user -SERVER_PUB_IPV4=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) -read -rp "IPv4 or IPv6 public address: " -e -i "$SERVER_PUB_IPV4" SERVER_PUB_IP - -# Detect public interface and pre-fill for the user -SERVER_PUB_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" -read -rp "Public interface: " -e -i "$SERVER_PUB_NIC" SERVER_PUB_NIC - -SERVER_WG_NIC="wg0" -read -rp "WireGuard interface name: " -e -i "$SERVER_WG_NIC" SERVER_WG_NIC - -SERVER_WG_IPV4="10.66.66.1" -read -rp "Server's WireGuard IPv4: " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4 - -SERVER_WG_IPV6="fd42:42:42::1" -read -rp "Server's WireGuard IPv6: " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6 - -# Generate random number within private ports range -SERVER_PORT=$(shuf -i49152-65535 -n1) -read -rp "Server's WireGuard port: " -e -i "$SERVER_PORT" SERVER_PORT - -# Install WireGuard tools and module -if [[ $OS == 'ubuntu' ]]; then - apt-get install -y software-properties-common - add-apt-repository -y ppa:wireguard/wireguard - apt-get update - apt-get install -y "linux-headers-$(uname -r)" - apt-get install -y wireguard iptables resolvconf qrencode -elif [[ $OS == 'debian' ]]; then - if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then - echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list - apt-get update - fi - apt update - apt-get install -y iptables resolvconf qrencode - apt-get install -y -t buster-backports wireguard -elif [[ $OS == 'fedora' ]]; then - if [[ $VERSION_ID -lt 32 ]]; then - dnf install -y dnf-plugins-core - dnf copr enable -y jdoss/wireguard - dnf install -y wireguard-dkms - fi - dnf install -y wireguard-tools iptables qrencode -elif [[ $OS == 'centos' ]]; then - curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo - yum -y install epel-release - yum -y install wireguard-dkms wireguard-tools iptables qrencode -elif [[ $OS == 'arch' ]]; then - pacman -S --noconfirm linux-headers - pacman -S --noconfirm wireguard-tools iptables qrencode -fi - -# Make sure the directory exists (this does not seem the be the case on fedora) -mkdir /etc/wireguard >/dev/null 2>&1 - -chmod 600 -R /etc/wireguard/ - -SERVER_PRIV_KEY=$(wg genkey) -SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey) - -# Save WireGuard settings -echo "SERVER_PUB_IP=$SERVER_PUB_IP -SERVER_PUB_NIC=$SERVER_PUB_NIC -SERVER_WG_NIC=$SERVER_WG_NIC -SERVER_WG_IPV4=$SERVER_WG_IPV4 -SERVER_WG_IPV6=$SERVER_WG_IPV6 -SERVER_PORT=$SERVER_PORT -SERVER_PRIV_KEY=$SERVER_PRIV_KEY -SERVER_PUB_KEY=$SERVER_PUB_KEY" >/etc/wireguard/params - -source /etc/wireguard/params - -# Add server interface -echo "[Interface] -Address = $SERVER_WG_IPV4/24,$SERVER_WG_IPV6/64 -ListenPort = $SERVER_PORT -PrivateKey = $SERVER_PRIV_KEY" >"/etc/wireguard/$SERVER_WG_NIC.conf" - -if [ -x "$(command -v firewall-cmd)" ]; then - FIREWALLD_IPV4_ADDRESS=$(echo "$SERVER_WG_IPV4" | cut -d"." -f1-3)".0" - FIREWALLD_IPV6_ADDRESS=$(echo "$SERVER_WG_IPV6" | sed 's/:[^:]*$/:0/') - echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade' -PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >>"/etc/wireguard/$SERVER_WG_NIC.conf" -else - echo "PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE -PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" >>"/etc/wireguard/$SERVER_WG_NIC.conf" -fi - -# Enable routing on the server -echo "net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf - -sysctl --system - -systemctl start "wg-quick@$SERVER_WG_NIC" -systemctl enable "wg-quick@$SERVER_WG_NIC" - -# Check if WireGuard is running -systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC" -WG_RUNNING=$? - -# Warn user about kernel version mismatch with headers -if [[ $OS =~ (fedora|centos) ]] && [[ $WG_RUNNING -ne 0 ]]; then - echo -e "\nWARNING: WireGuard does not seem to be running." - echo "Due to kernel mismatch issues on $OS, WireGuard might work if your system is out of date." - echo "You can check if WireGuard is running with: systemctl status wg-quick@$SERVER_WG_NIC" - echo 'If you get something like "Cannot find device wg0", please run:' - if [[ $OS == 'fedora' ]]; then - echo "dnf update -y && reboot" - elif [[ $OS == 'centos' ]]; then - echo "yum update -y && reboot" - fi -fi - -addClient From 31bee4542964b03ede9458e694aae5c28f7eb675 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 31 Jul 2020 15:02:26 +0200 Subject: [PATCH 14/34] Format with shfmt --- wireguard-install.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 707b4e3..7c428e0 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -70,7 +70,7 @@ function installQuestions() { # Detect public IPv4 or IPv6 address and pre-fill for the user SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) - if [[ -z "${SERVER_PUB_IP}" ]]; then + if [[ -z ${SERVER_PUB_IP} ]]; then # Detect public IPv6 address SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) fi @@ -78,36 +78,36 @@ function installQuestions() { # Detect public interface and pre-fill for the user SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" - until [[ "${SERVER_PUB_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ ${SERVER_PUB_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC done - until [[ "${SERVER_WG_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do # shellcheck disable=SC2034 read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC done - until [[ "${SERVER_WG_IPV4}" =~ ^([0-9]{1,3}\.){3} ]]; do + until [[ ${SERVER_WG_IPV4} =~ ^([0-9]{1,3}\.){3} ]]; do read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4 done - until [[ "${SERVER_WG_IPV6}" =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do + until [[ ${SERVER_WG_IPV6} =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6 done # Generate random number within private ports range RANDOM_PORT=$(shuf -i49152-65535 -n1) - until [[ "${SERVER_PORT}" =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do + until [[ ${SERVER_PORT} =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT done # Adguard DNS by default - until [[ "${CLIENT_DNS_1}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + until [[ ${CLIENT_DNS_1} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "First DNS resolver to use for the clients: " -e -i 176.103.130.130 CLIENT_DNS_1 done - until [[ "${CLIENT_DNS_2}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + until [[ ${CLIENT_DNS_2} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "Second DNS resolver to use for the clients (optional): " -e -i 176.103.130.131 CLIENT_DNS_2 - if [[ "${CLIENT_DNS_2}" == "" ]]; then + if [[ ${CLIENT_DNS_2} == "" ]]; then CLIENT_DNS_2="${CLIENT_DNS_1}" fi done @@ -123,13 +123,13 @@ function installWireGuard() { installQuestions # Install WireGuard tools and module - if [[ "${OS}" == 'ubuntu' ]]; then + if [[ ${OS} == 'ubuntu' ]]; then apt-get install -y software-properties-common add-apt-repository -y ppa:wireguard/wireguard apt-get update apt-get install -y "linux-headers-$(uname -r)" apt-get install -y wireguard iptables resolvconf qrencode - elif [[ "${OS}" == 'debian' ]]; then + elif [[ ${OS} == 'debian' ]]; then if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list apt-get update @@ -137,18 +137,18 @@ function installWireGuard() { apt update apt-get install -y iptables resolvconf qrencode apt-get install -y -t buster-backports wireguard - elif [[ "${OS}" == 'fedora' ]]; then - if [[ "${VERSION_ID}" -lt 32 ]]; then + elif [[ ${OS} == 'fedora' ]]; then + if [[ ${VERSION_ID} -lt 32 ]]; then dnf install -y dnf-plugins-core dnf copr enable -y jdoss/wireguard dnf install -y wireguard-dkms fi dnf install -y wireguard-tools iptables qrencode - elif [[ "${OS}" == 'centos' ]]; then + elif [[ ${OS} == 'centos' ]]; then curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo yum -y install epel-release kernel kernel-devel kernel-headers yum -y install wireguard-dkms wireguard-tools iptables qrencode - elif [[ "${OS}" == 'arch' ]]; then + elif [[ ${OS} == 'arch' ]]; then pacman -S --noconfirm linux-headers pacman -S --noconfirm wireguard-tools iptables qrencode fi @@ -204,7 +204,7 @@ net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf WG_RUNNING=$? # WireGuard might not work if we updated the kernel. Tell the user to reboot - if [[ "${WG_RUNNING}" -ne 0 ]]; then + if [[ ${WG_RUNNING} -ne 0 ]]; then echo -e "\nWARNING: WireGuard does not seem to be running." echo "You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}" echo 'If you get something like "Cannot find device wg0", please reboot!' @@ -222,11 +222,11 @@ function newClient() { ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}" printf "\n" - until [[ "${CLIENT_WG_IPV4}" =~ ^([0-9]{1,3}\.?){4}$ ]]; do + until [[ ${CLIENT_WG_IPV4} =~ ^([0-9]{1,3}\.?){4}$ ]]; do read -rp "Client's WireGuard IPv4: " -e -i "${SERVER_WG_IPV4::-1}"2 CLIENT_WG_IPV4 done - until [[ "${CLIENT_WG_IPV6}" =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do + until [[ ${CLIENT_WG_IPV6} =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do read -rp "Client's WireGuard IPv6 : " -e -i "${SERVER_WG_IPV6::-1}"2 CLIENT_WG_IPV6 done @@ -285,7 +285,7 @@ function manageMenu() { echo "What do you want to do?" echo " 1) Add a new user" echo " 2) Exit" - until [[ "${MENU_OPTION}" =~ ^[1-2]$ ]]; do + until [[ ${MENU_OPTION} =~ ^[1-2]$ ]]; do read -rp "Select an option [1-2]: " MENU_OPTION done case "${MENU_OPTION}" in From 40cc13b1f445bc5937a2e1feb19a72910af76730 Mon Sep 17 00:00:00 2001 From: Navratan Gupta <37469234+navilg@users.noreply.github.com> Date: Fri, 31 Jul 2020 19:23:05 +0530 Subject: [PATCH 15/34] Add uninstall feature (#88) Fix #2 Co-authored-by: Stanislas Lange Co-authored-by: randomshell --- wireguard-install.sh | 61 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 7c428e0..55f24df 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -276,6 +276,57 @@ AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SER echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" } +function uninstallWg() { + if [[ ! -e /etc/wireguard/params ]]; then + echo "WireGuard is not installed." + exit 1 + fi + + checkOS + source /etc/wireguard/params + + systemctl stop "wg-quick@$SERVER_WG_NIC" + systemctl disable "wg-quick@$SERVER_WG_NIC" + + if [[ $OS == 'ubuntu' ]]; then + apt-get autoremove --purge -y wireguard qrencode + add-apt-repository -y -r ppa:wireguard/wireguard + elif [[ $OS == 'debian' ]]; then + apt-get autoremove --purge -y wireguard qrencode + elif [[ $OS == 'fedora' ]]; then + dnf remove -y wireguard-tools qrencode + if [[ $VERSION_ID -lt 32 ]]; then + dnf remove -y wireguard-dkms + dnf copr disable -y jdoss/wireguard + fi + dnf autoremove -y + elif [[ $OS == 'centos' ]]; then + yum -y remove wireguard-dkms wireguard-tools qrencode + rm -f "/etc/yum.repos.d/wireguard.repo" + yum -y autoremove + elif [[ $OS == 'arch' ]]; then + pacman -Rs --noconfirm wireguard-tools qrencode + fi + + rm -rf /etc/wireguard + rm -f /etc/sysctl.d/wg.conf + + # Reload sysctl + sysctl --system + + # Check if WireGuard is running + systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC" + WG_RUNNING=$? + + if [[ $WG_RUNNING -eq 0 ]]; then + echo "WireGuard failed to uninstall properly." + exit 1 + else + echo "WireGuard uninstalled successfully." + exit 0 + fi +} + function manageMenu() { echo "Welcome to WireGuard-install!" echo "The git repository is available at: https://github.com/angristan/wireguard-install" @@ -284,15 +335,19 @@ function manageMenu() { echo "" echo "What do you want to do?" echo " 1) Add a new user" - echo " 2) Exit" - until [[ ${MENU_OPTION} =~ ^[1-2]$ ]]; do - read -rp "Select an option [1-2]: " MENU_OPTION + echo " 2) Uninstall WireGuard" + echo " 3) Exit" + until [[ ${MENU_OPTION} =~ ^[1-3]$ ]]; do + read -rp "Select an option [1-3]: " MENU_OPTION done case "${MENU_OPTION}" in 1) newClient ;; 2) + uninstallWg + ;; + 3) exit 0 ;; esac From 1923aa17e6b27d94876411ea73ebb65647324547 Mon Sep 17 00:00:00 2001 From: randomshell Date: Mon, 3 Aug 2020 14:24:43 +0000 Subject: [PATCH 16/34] Add clientRevoke() and improve addClient() (#94) Added `clientRevoke()` based on openvpn-install repo, fixes #4 Some other changes were required for this to work: - client names aren't random anymore - client names are saved above the `[Peer]` block of the server configuration file to keep track of them - checks added for existing IPv4, IPv6 and client name. I used `until` to ask the user again if this is the case to not make him loose its work if, for example, the client name and IPv4 inserted are unique but not the IPv6. - using `until` instead of `exit` isn't idempotent but it's more user friendly. This will be a future goal. - default options should be safe to use so the suggestion for the client IP is automatically incremented. The subnet of `SERVER_WG_IPV` is hard-coded inside `CLIENT_WG_IPV` for obvious reasons --- wireguard-install.sh | 141 +++++++++++++++++++++++++++++++------------ 1 file changed, 104 insertions(+), 37 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 55f24df..1eb4263 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -33,9 +33,9 @@ function checkOS() { source /etc/os-release OS="${ID}" # debian or ubuntu if [[ -e /etc/debian_version ]]; then - if [[ $ID == "debian" || $ID == "raspbian" ]]; then - if [[ $VERSION_ID -ne 10 ]]; then - echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" + if [[ ${ID} == "debian" || ${ID} == "raspbian" ]]; then + if [[ ${VERSION_ID} -ne 10 ]]; then + echo "Your version of Debian (${VERSION_ID}) is not supported. Please use Debian 10 Buster" exit 1 fi fi @@ -215,25 +215,59 @@ net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf } function newClient() { - # Load params - # shellcheck disable=SC1091 - source /etc/wireguard/params - ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}" - printf "\n" - until [[ ${CLIENT_WG_IPV4} =~ ^([0-9]{1,3}\.?){4}$ ]]; do - read -rp "Client's WireGuard IPv4: " -e -i "${SERVER_WG_IPV4::-1}"2 CLIENT_WG_IPV4 + echo "" + echo "Tell me a name for the client." + echo "Use one word only, no special characters." + + until [[ "${CLIENT_NAME}" =~ ^[a-zA-Z0-9_]+$ && "${CLIENT_EXISTS}" == '0' ]]; do + read -rp "Client name: " -e CLIENT_NAME + CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf") + + if [[ ${CLIENT_EXISTS} == '1' ]]; then + echo "" + echo "A client with the specified name was already created, please choose another name." + echo "" + fi done - until [[ ${CLIENT_WG_IPV6} =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do - read -rp "Client's WireGuard IPv6 : " -e -i "${SERVER_WG_IPV6::-1}"2 CLIENT_WG_IPV6 + for DOT_IP in {2..254}; do + DOT_EXISTS=$(grep -c "${SERVER_WG_IPV4::-1}${DOT_IP}" "/etc/wireguard/${SERVER_WG_NIC}.conf") + if [[ ${DOT_EXISTS} == '0' ]]; then + break + fi done - CLIENT_NAME=$( - head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 - echo '' - ) + if [[ ${DOT_EXISTS} == '1' ]]; then + echo "" + echo "The subnet configured supports only 253 clients." + exit 1 + fi + + until [[ "${IPV4_EXISTS}" == '0' ]]; do + read -rp "Client's WireGuard IPv4: ${SERVER_WG_IPV4::-1}" -e -i "${DOT_IP}" DOT_IP + CLIENT_WG_IPV4="${SERVER_WG_IPV4::-1}${DOT_IP}" + IPV4_EXISTS=$(grep -c "$CLIENT_WG_IPV4" "/etc/wireguard/${SERVER_WG_NIC}.conf") + + if [[ ${IPV4_EXISTS} == '1' ]]; then + echo "" + echo "A client with the specified IPv4 was already created, please choose another IPv4." + echo "" + fi + done + + until [[ "${IPV6_EXISTS}" == '0' ]]; do + read -rp "Client's WireGuard IPv6: ${SERVER_WG_IPV6::-1}" -e -i "${DOT_IP}" DOT_IP + CLIENT_WG_IPV6="${SERVER_WG_IPV6::-1}${DOT_IP}" + IPV6_EXISTS=$(grep -c "${CLIENT_WG_IPV6}" "/etc/wireguard/${SERVER_WG_NIC}.conf") + + if [[ ${IPV6_EXISTS} == '1' ]]; then + echo "" + echo "A client with the specified IPv6 was already created, please choose another IPv6." + echo "" + fi + done # Generate key pair for the client CLIENT_PRIV_KEY=$(wg genkey) @@ -262,7 +296,8 @@ Endpoint = ${ENDPOINT} AllowedIPs = 0.0.0.0/0,::/0" >>"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" # Add the client as a peer to the server - echo -e "\n[Peer] + echo -e "\n### Client ${CLIENT_NAME} +[Peer] PublicKey = ${CLIENT_PUB_KEY} PresharedKey = ${CLIENT_PRE_SHARED_KEY} AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" @@ -276,35 +311,61 @@ AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SER echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" } -function uninstallWg() { - if [[ ! -e /etc/wireguard/params ]]; then - echo "WireGuard is not installed." +function revokeClient() { + NUMBER_OF_CLIENTS=$(grep -c -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf") + if [[ ${NUMBER_OF_CLIENTS} == '0' ]]; then + echo "" + echo "You have no existing clients!" exit 1 fi + echo "" + echo "Select the existing client you want to revoke" + grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' + until [[ ${CLIENT_NUMBER} -ge 1 && ${CLIENT_NUMBER} -le ${NUMBER_OF_CLIENTS} ]]; do + if [[ ${CLIENT_NUMBER} == '1' ]]; then + read -rp "Select one client [1]: " CLIENT_NUMBER + else + read -rp "Select one client [1-${NUMBER_OF_CLIENTS}]: " CLIENT_NUMBER + fi + done + + # match the selected number to a client name + CLIENT_NAME=$(grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${CLIENT_NUMBER}"p) + + # remove [Peer] block matching $CLIENT_NAME + sed -i "/^### Client ${CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${SERVER_WG_NIC}.conf" + + # remove generated client file + rm -f "${HOME}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" + + # restart wireguard to apply changes + systemctl restart "wg-quick@${SERVER_WG_NIC}" +} + +function uninstallWg() { checkOS - source /etc/wireguard/params - systemctl stop "wg-quick@$SERVER_WG_NIC" - systemctl disable "wg-quick@$SERVER_WG_NIC" + systemctl stop "wg-quick@${SERVER_WG_NIC}" + systemctl disable "wg-quick@${SERVER_WG_NIC}" - if [[ $OS == 'ubuntu' ]]; then + if [[ ${OS} == 'ubuntu' ]]; then apt-get autoremove --purge -y wireguard qrencode add-apt-repository -y -r ppa:wireguard/wireguard - elif [[ $OS == 'debian' ]]; then + elif [[ ${OS} == 'debian' ]]; then apt-get autoremove --purge -y wireguard qrencode - elif [[ $OS == 'fedora' ]]; then + elif [[ ${OS} == 'fedora' ]]; then dnf remove -y wireguard-tools qrencode - if [[ $VERSION_ID -lt 32 ]]; then + if [[ ${VERSION_ID} -lt 32 ]]; then dnf remove -y wireguard-dkms dnf copr disable -y jdoss/wireguard fi dnf autoremove -y - elif [[ $OS == 'centos' ]]; then + elif [[ ${OS} == 'centos' ]]; then yum -y remove wireguard-dkms wireguard-tools qrencode rm -f "/etc/yum.repos.d/wireguard.repo" yum -y autoremove - elif [[ $OS == 'arch' ]]; then + elif [[ ${OS} == 'arch' ]]; then pacman -Rs --noconfirm wireguard-tools qrencode fi @@ -315,10 +376,10 @@ function uninstallWg() { sysctl --system # Check if WireGuard is running - systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC" + systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" WG_RUNNING=$? - if [[ $WG_RUNNING -eq 0 ]]; then + if [[ ${WG_RUNNING} -eq 0 ]]; then echo "WireGuard failed to uninstall properly." exit 1 else @@ -335,19 +396,23 @@ function manageMenu() { echo "" echo "What do you want to do?" echo " 1) Add a new user" - echo " 2) Uninstall WireGuard" - echo " 3) Exit" - until [[ ${MENU_OPTION} =~ ^[1-3]$ ]]; do - read -rp "Select an option [1-3]: " MENU_OPTION + echo " 2) Revoke existing user" + echo " 3) Uninstall WireGuard" + echo " 4) Exit" + until [[ ${MENU_OPTION} =~ ^[1-4]$ ]]; do + read -rp "Select an option [1-4]: " MENU_OPTION done case "${MENU_OPTION}" in 1) newClient ;; 2) - uninstallWg + revokeClient ;; 3) + uninstallWg + ;; + 4) exit 0 ;; esac @@ -356,8 +421,10 @@ function manageMenu() { # Check for root, virt, OS... initialCheck -# Check if WireGuard is already installed +# Check if WireGuard is already installed and load params if [[ -e /etc/wireguard/params ]]; then + # shellcheck disable=SC1091 + source /etc/wireguard/params manageMenu else installWireGuard From 4138ada539c7f9fbcd4fd97b769fe7c627330b18 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 3 Aug 2020 16:26:29 +0200 Subject: [PATCH 17/34] Format with shfmt --- wireguard-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 1eb4263..fda5711 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -221,7 +221,7 @@ function newClient() { echo "Tell me a name for the client." echo "Use one word only, no special characters." - until [[ "${CLIENT_NAME}" =~ ^[a-zA-Z0-9_]+$ && "${CLIENT_EXISTS}" == '0' ]]; do + until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_]+$ && ${CLIENT_EXISTS} == '0' ]]; do read -rp "Client name: " -e CLIENT_NAME CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf") @@ -245,7 +245,7 @@ function newClient() { exit 1 fi - until [[ "${IPV4_EXISTS}" == '0' ]]; do + until [[ ${IPV4_EXISTS} == '0' ]]; do read -rp "Client's WireGuard IPv4: ${SERVER_WG_IPV4::-1}" -e -i "${DOT_IP}" DOT_IP CLIENT_WG_IPV4="${SERVER_WG_IPV4::-1}${DOT_IP}" IPV4_EXISTS=$(grep -c "$CLIENT_WG_IPV4" "/etc/wireguard/${SERVER_WG_NIC}.conf") @@ -257,7 +257,7 @@ function newClient() { fi done - until [[ "${IPV6_EXISTS}" == '0' ]]; do + until [[ ${IPV6_EXISTS} == '0' ]]; do read -rp "Client's WireGuard IPv6: ${SERVER_WG_IPV6::-1}" -e -i "${DOT_IP}" DOT_IP CLIENT_WG_IPV6="${SERVER_WG_IPV6::-1}${DOT_IP}" IPV6_EXISTS=$(grep -c "${CLIENT_WG_IPV6}" "/etc/wireguard/${SERVER_WG_NIC}.conf") From 70b44989e637faf1471ff007cba42bed06a44c0b Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 3 Aug 2020 16:30:00 +0200 Subject: [PATCH 18/34] Update README --- README.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index deae325..dda6d9b 100644 --- a/README.md +++ b/README.md @@ -13,18 +13,12 @@ WireGuard does not fit your environment? Check out [openvpn-install](https://git Supported distributions: -- Ubuntu -- Debian +- Ubuntu 16.04+ +- Debian 10 - Fedora - CentOS - Arch Linux -I recommend these cheap cloud providers for your VPN server: - -- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month -- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month -- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month - ## Usage Download and execute the script. Answer the questions asked by the script and it will take care of the rest. @@ -37,6 +31,13 @@ chmod +x wireguard-install.sh It will install WireGuard (kernel module and tools) on the server, configure it, create a systemd service and a client configuration file. -Make sure you choose different IPs for you clients. +Run the script again to add or remove clients! -Contributions are welcome! +## Providers + +I recommend these cheap cloud providers for your VPN server: + +- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month +- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month +- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month +- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month From f14751805010cf75c24718f1d141ddab3621b0cc Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 3 Aug 2020 17:06:03 +0200 Subject: [PATCH 19/34] Ubuntu: remove PPA, use native packages Fix #108 --- README.md | 2 +- wireguard-install.sh | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/README.md b/README.md index dda6d9b..db67ebe 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ WireGuard does not fit your environment? Check out [openvpn-install](https://git Supported distributions: -- Ubuntu 16.04+ +- Ubuntu >= 16.04 - Debian 10 - Fedora - CentOS diff --git a/wireguard-install.sh b/wireguard-install.sh index fda5711..b2e9a41 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -124,10 +124,7 @@ function installWireGuard() { # Install WireGuard tools and module if [[ ${OS} == 'ubuntu' ]]; then - apt-get install -y software-properties-common - add-apt-repository -y ppa:wireguard/wireguard apt-get update - apt-get install -y "linux-headers-$(uname -r)" apt-get install -y wireguard iptables resolvconf qrencode elif [[ ${OS} == 'debian' ]]; then if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then From 2363b36735c2992476bb60f3f7253fd2d17a216b Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 3 Aug 2020 17:47:22 +0200 Subject: [PATCH 20/34] Shellcheck: move excludes to action env --- .github/workflows/lint.yml | 28 +++++++++++----------------- wireguard-install.sh | 5 ----- 2 files changed, 11 insertions(+), 22 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 31fe34f..c123233 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,10 +1,4 @@ -on: - push: - branches: - - master - pull_request: - branches: - - master +on: push name: Lint @@ -12,17 +6,17 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: shellcheck - uses: ludeeus/action-shellcheck@0.5.0 - env: - SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 + - uses: actions/checkout@v2 + - name: shellcheck + uses: ludeeus/action-shellcheck@0.5.0 + env: + SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001,SC2034 shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: shfmt - uses: bltavares/actions/shfmt@master - env: - SHFMT_ARGS: -d + - uses: actions/checkout@v2 + - name: shfmt + uses: bltavares/actions/shfmt@master + env: + SHFMT_ARGS: -d diff --git a/wireguard-install.sh b/wireguard-install.sh index b2e9a41..a8ce2d2 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -29,7 +29,6 @@ function checkVirt() { function checkOS() { # Check OS version if [[ -e /etc/debian_version ]]; then - # shellcheck disable=SC1091 source /etc/os-release OS="${ID}" # debian or ubuntu if [[ -e /etc/debian_version ]]; then @@ -41,7 +40,6 @@ function checkOS() { fi fi elif [[ -e /etc/fedora-release ]]; then - # shellcheck disable=SC1091 source /etc/os-release OS="${ID}" elif [[ -e /etc/centos-release ]]; then @@ -83,7 +81,6 @@ function installQuestions() { done until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do - # shellcheck disable=SC2034 read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC done @@ -178,7 +175,6 @@ PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf" if pgrep firewalld; then FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0" - # shellcheck disable=SC2001 FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/') echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade' PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" @@ -420,7 +416,6 @@ initialCheck # Check if WireGuard is already installed and load params if [[ -e /etc/wireguard/params ]]; then - # shellcheck disable=SC1091 source /etc/wireguard/params manageMenu else From 2848ceefa5d31b1fc99e854025594f83c917460d Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 4 Aug 2020 12:20:27 +0200 Subject: [PATCH 21/34] Remove PPA removal for Ubuntu An oversight from https://github.com/angristan/wireguard-install/pull/109 --- wireguard-install.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index a8ce2d2..ea4f7a5 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -344,7 +344,6 @@ function uninstallWg() { if [[ ${OS} == 'ubuntu' ]]; then apt-get autoremove --purge -y wireguard qrencode - add-apt-repository -y -r ppa:wireguard/wireguard elif [[ ${OS} == 'debian' ]]; then apt-get autoremove --purge -y wireguard qrencode elif [[ ${OS} == 'fedora' ]]; then From d7523dc30e060f895100a866e8f4d8f634f1dd0f Mon Sep 17 00:00:00 2001 From: randomshell Date: Tue, 4 Aug 2020 10:47:14 +0000 Subject: [PATCH 22/34] Fix reboot message --- wireguard-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index ea4f7a5..59f7946 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -200,7 +200,7 @@ net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf if [[ ${WG_RUNNING} -ne 0 ]]; then echo -e "\nWARNING: WireGuard does not seem to be running." echo "You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}" - echo 'If you get something like "Cannot find device wg0", please reboot!' + echo "If you get something like \"Cannot find device ${SERVER_WG_NIC}\", please reboot!" fi newClient From 2125b67cd787c55f159779829e53f112ac80825f Mon Sep 17 00:00:00 2001 From: Aleksander Date: Wed, 5 Aug 2020 21:16:03 +0300 Subject: [PATCH 23/34] Updated client name input restrictions and hint --- wireguard-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 59f7946..d450d99 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -212,9 +212,9 @@ function newClient() { echo "" echo "Tell me a name for the client." - echo "Use one word only, no special characters." + echo "The name must consist of alphanumeric character. It may also include an underscore or a dash." - until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_]+$ && ${CLIENT_EXISTS} == '0' ]]; do + until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' ]]; do read -rp "Client name: " -e CLIENT_NAME CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf") From 8cdb0c596885935452ca3cf24f9ec041d07ef4ef Mon Sep 17 00:00:00 2001 From: xiagw Date: Mon, 21 Sep 2020 14:01:12 +0700 Subject: [PATCH 24/34] remove duplicate if -d /etc/debian_version (#136) --- wireguard-install.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index d450d99..c752dbf 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -31,12 +31,10 @@ function checkOS() { if [[ -e /etc/debian_version ]]; then source /etc/os-release OS="${ID}" # debian or ubuntu - if [[ -e /etc/debian_version ]]; then - if [[ ${ID} == "debian" || ${ID} == "raspbian" ]]; then - if [[ ${VERSION_ID} -ne 10 ]]; then - echo "Your version of Debian (${VERSION_ID}) is not supported. Please use Debian 10 Buster" - exit 1 - fi + if [[ ${ID} == "debian" || ${ID} == "raspbian" ]]; then + if [[ ${VERSION_ID} -ne 10 ]]; then + echo "Your version of Debian (${VERSION_ID}) is not supported. Please use Debian 10 Buster" + exit 1 fi fi elif [[ -e /etc/fedora-release ]]; then From 235d81aa4cdac70fe3b8f1549b6f805a3b1c86d4 Mon Sep 17 00:00:00 2001 From: pyramidenkoenig <44556055+pyramidenkoenig@users.noreply.github.com> Date: Wed, 23 Sep 2020 23:55:55 +0200 Subject: [PATCH 25/34] Readme updated to include Hetzner in Finland (#141) Hetzner also has their own Datacenter in Helsinki, Finland. Mentioning this for completeness. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index db67ebe..3d0bfda 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,6 @@ Run the script again to add or remove clients! I recommend these cheap cloud providers for your VPN server: - [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month -- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month +- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany and Finland, IPv6, 20 TB of traffic, starting at €3/month - [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month From 2cd6191c936fe6e1136915f7243ccb09ea94d16d Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 2 Oct 2020 21:30:30 +0200 Subject: [PATCH 26/34] Add badges to README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3d0bfda..0e12e7d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ # WireGuard installer +![Lint](https://github.com/angristan/wireguard-install/workflows/Lint/badge.svg) [![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fangristan%2Fwireguard-install&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com) + + **This project is a bash script that aims to setup a [WireGuard](https://www.wireguard.com/) VPN on a Linux server, as easily as possible!** WireGuard is a point-to-point VPN that can be used in different ways. Here, we mean a VPN as in: the client will forward all its traffic trough an encrypted tunnel to the server. From 487aa4fedad8e0b41c59caebe4569b546312c77a Mon Sep 17 00:00:00 2001 From: Farzin Monsef Date: Sat, 10 Oct 2020 16:12:19 +0330 Subject: [PATCH 27/34] arch: Install LTS kernel headers when running LTS kernel (#135) --- wireguard-install.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index c752dbf..140dda5 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -141,7 +141,13 @@ function installWireGuard() { yum -y install epel-release kernel kernel-devel kernel-headers yum -y install wireguard-dkms wireguard-tools iptables qrencode elif [[ ${OS} == 'arch' ]]; then - pacman -S --noconfirm linux-headers + # Check if current running kernel is LTS + ARCH_KERNEL_RELEASE=$(uname -r) + if [[ ${ARCH_KERNEL_RELEASE} == *lts* ]]; then + pacman -S --noconfirm linux-lts-headers + else + pacman -S --noconfirm linux-headers + fi pacman -S --noconfirm wireguard-tools iptables qrencode fi From ddbaca7fbba20e94f74f0c309c5a061582a0d4fa Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 10 Oct 2020 15:49:18 +0200 Subject: [PATCH 28/34] centos: update installation process From https://www.wireguard.com/install/. Using kmod instead of dkms. Seems to work without reboot now. Close #118 #111 #147 --- wireguard-install.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 140dda5..bcdaef8 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -41,6 +41,7 @@ function checkOS() { source /etc/os-release OS="${ID}" elif [[ -e /etc/centos-release ]]; then + source /etc/os-release OS=centos elif [[ -e /etc/arch-release ]]; then OS=arch @@ -137,9 +138,11 @@ function installWireGuard() { fi dnf install -y wireguard-tools iptables qrencode elif [[ ${OS} == 'centos' ]]; then - curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo - yum -y install epel-release kernel kernel-devel kernel-headers - yum -y install wireguard-dkms wireguard-tools iptables qrencode + yum -y install epel-release elrepo-release + if [[ ${VERSION_ID} -eq 7 ]]; then + yum -y install yum-plugin-elrepo + fi + yum -y install kmod-wireguard wireguard-tools iptables qrencode elif [[ ${OS} == 'arch' ]]; then # Check if current running kernel is LTS ARCH_KERNEL_RELEASE=$(uname -r) @@ -358,8 +361,7 @@ function uninstallWg() { fi dnf autoremove -y elif [[ ${OS} == 'centos' ]]; then - yum -y remove wireguard-dkms wireguard-tools qrencode - rm -f "/etc/yum.repos.d/wireguard.repo" + yum -y remove kmod-wireguard wireguard-tools qrencode yum -y autoremove elif [[ ${OS} == 'arch' ]]; then pacman -Rs --noconfirm wireguard-tools qrencode From 664b6dca17afb9e7b7cf61b18a64cbffa63ee72e Mon Sep 17 00:00:00 2001 From: Stefan A Date: Sat, 10 Oct 2020 15:50:42 +0200 Subject: [PATCH 29/34] Add forwarding eth0 -> wg0 (#132) If the FORWARD chain policy defaults to DENY, it must explicitly allow traffic from the external to the wg interface. To solve this, the patch just adds iptables -A FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; --- wireguard-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index bcdaef8..77f4f3c 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -186,8 +186,8 @@ PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf" echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade' PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" else - echo "PostUp = iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE -PostDown = iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" + echo "PostUp = iptables -A FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE +PostDown = iptables -D FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" fi # Enable routing on the server From cde97b221a4914dde7fdcfa6a8370e74dff87351 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Sat, 10 Oct 2020 15:55:06 +0200 Subject: [PATCH 30/34] ci: update triggers --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index c123233..839d2eb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,4 +1,4 @@ -on: push +on: [push, pull_request, pull_request_target] name: Lint From 3f2848f066d2a36f73bb9b4917293ac56c5ebeff Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 19 Oct 2020 12:06:13 +0200 Subject: [PATCH 31/34] readme: update badge --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0e12e7d..2f0b6f6 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # WireGuard installer -![Lint](https://github.com/angristan/wireguard-install/workflows/Lint/badge.svg) [![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fangristan%2Fwireguard-install&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com) - +![Lint](https://github.com/angristan/wireguard-install/workflows/Lint/badge.svg) +![visitors](https://visitor-badge.glitch.me/badge?page_id=angristan.wireguard-install) **This project is a bash script that aims to setup a [WireGuard](https://www.wireguard.com/) VPN on a Linux server, as easily as possible!** From e2755467172abfd42c2f45c3415782db3082caf9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Oct 2020 15:50:47 +0100 Subject: [PATCH 32/34] Bump ludeeus/action-shellcheck from 0.5.0 to 1.0.0 (#152) Bumps [ludeeus/action-shellcheck](https://github.com/ludeeus/action-shellcheck) from 0.5.0 to 1.0.0. - [Release notes](https://github.com/ludeeus/action-shellcheck/releases) - [Commits](https://github.com/ludeeus/action-shellcheck/compare/0.5.0...d586102c117f97e63d7e3b56629d269efc9a7c60) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 839d2eb..0951108 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,7 +8,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.5.0 + uses: ludeeus/action-shellcheck@1.0.0 env: SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001,SC2034 From a1b1ac2ececa50d35a6ddd078a86dd6f28003fb3 Mon Sep 17 00:00:00 2001 From: randomshell Date: Sat, 14 Nov 2020 00:47:36 +0000 Subject: [PATCH 33/34] Add confirmation before removing WireGuard (#156) --- wireguard-install.sh | 69 ++++++++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 31 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 77f4f3c..9e09caa 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -344,45 +344,52 @@ function revokeClient() { } function uninstallWg() { - checkOS + echo "" + read -rp "Do you really want to remove WireGuard? [y/n]: " -e -i n REMOVE + if [[ $REMOVE == 'y' ]]; then + checkOS - systemctl stop "wg-quick@${SERVER_WG_NIC}" - systemctl disable "wg-quick@${SERVER_WG_NIC}" + systemctl stop "wg-quick@${SERVER_WG_NIC}" + systemctl disable "wg-quick@${SERVER_WG_NIC}" - if [[ ${OS} == 'ubuntu' ]]; then - apt-get autoremove --purge -y wireguard qrencode - elif [[ ${OS} == 'debian' ]]; then - apt-get autoremove --purge -y wireguard qrencode - elif [[ ${OS} == 'fedora' ]]; then - dnf remove -y wireguard-tools qrencode - if [[ ${VERSION_ID} -lt 32 ]]; then - dnf remove -y wireguard-dkms - dnf copr disable -y jdoss/wireguard + if [[ ${OS} == 'ubuntu' ]]; then + apt-get autoremove --purge -y wireguard qrencode + elif [[ ${OS} == 'debian' ]]; then + apt-get autoremove --purge -y wireguard qrencode + elif [[ ${OS} == 'fedora' ]]; then + dnf remove -y wireguard-tools qrencode + if [[ ${VERSION_ID} -lt 32 ]]; then + dnf remove -y wireguard-dkms + dnf copr disable -y jdoss/wireguard + fi + dnf autoremove -y + elif [[ ${OS} == 'centos' ]]; then + yum -y remove kmod-wireguard wireguard-tools qrencode + yum -y autoremove + elif [[ ${OS} == 'arch' ]]; then + pacman -Rs --noconfirm wireguard-tools qrencode fi - dnf autoremove -y - elif [[ ${OS} == 'centos' ]]; then - yum -y remove kmod-wireguard wireguard-tools qrencode - yum -y autoremove - elif [[ ${OS} == 'arch' ]]; then - pacman -Rs --noconfirm wireguard-tools qrencode - fi - rm -rf /etc/wireguard - rm -f /etc/sysctl.d/wg.conf + rm -rf /etc/wireguard + rm -f /etc/sysctl.d/wg.conf - # Reload sysctl - sysctl --system + # Reload sysctl + sysctl --system - # Check if WireGuard is running - systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" - WG_RUNNING=$? + # Check if WireGuard is running + systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" + WG_RUNNING=$? - if [[ ${WG_RUNNING} -eq 0 ]]; then - echo "WireGuard failed to uninstall properly." - exit 1 + if [[ ${WG_RUNNING} -eq 0 ]]; then + echo "WireGuard failed to uninstall properly." + exit 1 + else + echo "WireGuard uninstalled successfully." + exit 0 + fi else - echo "WireGuard uninstalled successfully." - exit 0 + echo "" + echo "Removal aborted!" fi } From af935850cd233843c910cb1877294c4ac6115b9c Mon Sep 17 00:00:00 2001 From: Julian Gaal <22290570+juliangaal@users.noreply.github.com> Date: Tue, 24 Nov 2020 15:33:39 +0100 Subject: [PATCH 34/34] Forbid interface names exceeding 15 chars in length (#157) --- wireguard-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 9e09caa..cd0b5e0 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -79,7 +79,7 @@ function installQuestions() { read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC done - until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ && ${#SERVER_WG_NIC} -lt 16 ]]; do read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC done @@ -219,9 +219,9 @@ function newClient() { echo "" echo "Tell me a name for the client." - echo "The name must consist of alphanumeric character. It may also include an underscore or a dash." + echo "The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars." - until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' ]]; do + until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' && ${#CLIENT_NAME} -lt 16 ]]; do read -rp "Client name: " -e CLIENT_NAME CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf")