From 1ffbf87dc6f8c4f821f89ed52e1049379e4bf3ef Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 18 Jul 2020 21:32:09 +0200 Subject: [PATCH 1/8] Add Dependabot --- .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f4d737f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + assignees: + - "angristan" + reviewers: + - "angristan" From 13df50739369be654d08564b70891e54e76e1ebf Mon Sep 17 00:00:00 2001 From: robiiinos Date: Sat, 18 Jul 2020 21:31:03 +0200 Subject: [PATCH 2/8] Update GitHub Actions --- .github/workflows/lint.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 43ee65c..e3c5e63 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,19 +7,21 @@ on: - master name: Lint + jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.0.1 + uses: ludeeus/action-shellcheck@0.4.1 env: SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 + shfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: shfmt uses: bltavares/actions/shfmt@master env: From dfd7736a7dd4e1ee34e64b8d8414ba7b3c337b36 Mon Sep 17 00:00:00 2001 From: Ian Date: Mon, 27 Jul 2020 11:54:06 +0200 Subject: [PATCH 3/8] Add colon --- wireguard-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 40c08ce..3dfcb07 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -13,10 +13,10 @@ function addClient() { fi CLIENT_WG_IPV4="10.66.66.2" - read -rp "Client's WireGuard IPv4 " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 + read -rp "Client's WireGuard IPv4: " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 CLIENT_WG_IPV6="fd42:42:42::2" - read -rp "Client's WireGuard IPv6 " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 + read -rp "Client's WireGuard IPv6: " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 # Adguard DNS by default CLIENT_DNS_1="176.103.130.130" From 8464fc4ea205492819262bcc523d3f9d88e7097c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 Jul 2020 06:23:41 +0000 Subject: [PATCH 4/8] Bump ludeeus/action-shellcheck from 0.4.1 to 0.5.0 Bumps [ludeeus/action-shellcheck](https://github.com/ludeeus/action-shellcheck) from 0.4.1 to 0.5.0. - [Release notes](https://github.com/ludeeus/action-shellcheck/releases) - [Commits](https://github.com/ludeeus/action-shellcheck/compare/0.4.1...c489c81f79527f818be72b97b918b06e75eaee6d) Signed-off-by: dependabot[bot] --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e3c5e63..31fe34f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: shellcheck - uses: ludeeus/action-shellcheck@0.4.1 + uses: ludeeus/action-shellcheck@0.5.0 env: SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001 From 6e518633f340b8281f032ed47d07f61b4d91fe59 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Wed, 29 Jul 2020 12:20:51 +0200 Subject: [PATCH 5/8] Fix Debian installation: use backports And limit to Debian 10. Fix #101 --- wireguard-install.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 40c08ce..93c755d 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -98,6 +98,14 @@ fi if [[ -e /etc/debian_version ]]; then source /etc/os-release OS=$ID # debian or ubuntu + if [[ -e /etc/debian_version ]]; then + if [[ $ID == "debian" || $ID == "raspbian" ]]; then + if [[ $VERSION_ID -ne 10 ]]; then + echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" + exit 1 + fi + fi + fi elif [[ -e /etc/fedora-release ]]; then source /etc/os-release OS=$ID @@ -139,12 +147,13 @@ if [[ $OS == 'ubuntu' ]]; then apt-get install -y "linux-headers-$(uname -r)" apt-get install -y wireguard iptables resolvconf qrencode elif [[ $OS == 'debian' ]]; then - echo "deb http://deb.debian.org/debian/ unstable main" >/etc/apt/sources.list.d/unstable.list - printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >/etc/apt/preferences.d/limit-unstable + if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then + echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list + apt-get update + fi apt update - apt-get install -y "linux-headers-$(uname -r)" - apt-get install -y wireguard iptables resolvconf qrencode - apt-get install -y bc # mitigate https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956869 + apt-get install -y iptables resolvconf qrencode + apt-get install -y -t buster-backports wireguard elif [[ $OS == 'fedora' ]]; then if [[ $VERSION_ID -lt 32 ]]; then dnf install -y dnf-plugins-core From 5f82b76bc0df06a5ad8cbe2c6069ef016867ae04 Mon Sep 17 00:00:00 2001 From: randomshell Date: Fri, 31 Jul 2020 12:59:20 +0000 Subject: [PATCH 6/8] Refactor script (#92) - cleaned some minor code - use IPv6 if IPv4 isn't available - add input validations, fixes #86 . - assign secondary DNS to primary DNS value if it's empty. Fixes #68 - use `$SERVER_WG_IPV4` and `$SERVER_WG_IPV6` when suggesting the client IP - save user DNS to `params` file and apply it to all clients, removing support for customizing DNS for individual clients. If this is a problem we can add again the code to allow customization but maybe use the sourced DNS as a suggestion for clients that need a different one - add shellcheck ignores, needed for IDE that have shellcheck support - escaped variables to `"${var}"` style - updated README to reflect changes - fixed the kernel mismatch issue on CentOS by updating the kernel https://github.com/angristan/wireguard-install/issues/95#issuecomment-653696198. Fedora might need this change too - Use `firewall-cmd` only if `firewalld` is running. Fixes #95 - Fix the client's subnet mask. Fixes #87 - Save the client configuration in the correct `$HOME`. Fixes #96 Co-authored-by: Chris Lewicki Co-authored-by: Stanislas --- README.md | 6 - wireguard-install.sh | 470 +++++++++++++++++++++++++------------------ 2 files changed, 272 insertions(+), 204 deletions(-) diff --git a/README.md b/README.md index 94c1005..deae325 100644 --- a/README.md +++ b/README.md @@ -37,12 +37,6 @@ chmod +x wireguard-install.sh It will install WireGuard (kernel module and tools) on the server, configure it, create a systemd service and a client configuration file. -To generate more client files, run the following: - -```sh -./wireguard-install.sh add-client -``` - Make sure you choose different IPs for you clients. Contributions are welcome! diff --git a/wireguard-install.sh b/wireguard-install.sh index b05c6b8..707b4e3 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -1,29 +1,234 @@ #!/bin/bash -function addClient() { - # Load params - source /etc/wireguard/params +# Secure WireGuard server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux +# https://github.com/angristan/wireguard-install - if [[ $SERVER_PUB_IP =~ .*:.* ]]; then - echo "IPv6 Detected" - ENDPOINT="[$SERVER_PUB_IP]:$SERVER_PORT" - else - echo "IPv4 Detected" - ENDPOINT="$SERVER_PUB_IP:$SERVER_PORT" +function isRoot() { + if [ "${EUID}" -ne 0 ]; then + echo "You need to run this script as root" + exit 1 + fi +} + +function checkVirt() { + if [ "$(systemd-detect-virt)" == "openvz" ]; then + echo "OpenVZ is not supported" + exit 1 fi - CLIENT_WG_IPV4="10.66.66.2" - read -rp "Client's WireGuard IPv4: " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 + if [ "$(systemd-detect-virt)" == "lxc" ]; then + echo "LXC is not supported (yet)." + echo "WireGuard can technically run in an LXC container," + echo "but the kernel module has to be installed on the host," + echo "the container has to be run with some specific parameters" + echo "and only the tools need to be installed in the container." + exit 1 + fi +} - CLIENT_WG_IPV6="fd42:42:42::2" - read -rp "Client's WireGuard IPv6: " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 +function checkOS() { + # Check OS version + if [[ -e /etc/debian_version ]]; then + # shellcheck disable=SC1091 + source /etc/os-release + OS="${ID}" # debian or ubuntu + if [[ -e /etc/debian_version ]]; then + if [[ $ID == "debian" || $ID == "raspbian" ]]; then + if [[ $VERSION_ID -ne 10 ]]; then + echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" + exit 1 + fi + fi + fi + elif [[ -e /etc/fedora-release ]]; then + # shellcheck disable=SC1091 + source /etc/os-release + OS="${ID}" + elif [[ -e /etc/centos-release ]]; then + OS=centos + elif [[ -e /etc/arch-release ]]; then + OS=arch + else + echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" + exit 1 + fi +} + +function initialCheck() { + isRoot + checkVirt + checkOS +} + +function installQuestions() { + echo "Welcome to the WireGuard installer!" + echo "The git repository is available at: https://github.com/angristan/wireguard-install" + echo "" + echo "I need to ask you a few questions before starting the setup." + echo "You can leave the default options and just press enter if you are ok with them." + echo "" + + # Detect public IPv4 or IPv6 address and pre-fill for the user + SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) + if [[ -z "${SERVER_PUB_IP}" ]]; then + # Detect public IPv6 address + SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) + fi + read -rp "IPv4 or IPv6 public address: " -e -i "${SERVER_PUB_IP}" SERVER_PUB_IP + + # Detect public interface and pre-fill for the user + SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" + until [[ "${SERVER_PUB_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC + done + + until [[ "${SERVER_WG_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + # shellcheck disable=SC2034 + read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC + done + + until [[ "${SERVER_WG_IPV4}" =~ ^([0-9]{1,3}\.){3} ]]; do + read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4 + done + + until [[ "${SERVER_WG_IPV6}" =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do + read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6 + done + + # Generate random number within private ports range + RANDOM_PORT=$(shuf -i49152-65535 -n1) + until [[ "${SERVER_PORT}" =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do + read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT + done # Adguard DNS by default - CLIENT_DNS_1="176.103.130.130" - read -rp "First DNS resolver to use for the client: " -e -i "$CLIENT_DNS_1" CLIENT_DNS_1 + until [[ "${CLIENT_DNS_1}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "First DNS resolver to use for the clients: " -e -i 176.103.130.130 CLIENT_DNS_1 + done + until [[ "${CLIENT_DNS_2}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Second DNS resolver to use for the clients (optional): " -e -i 176.103.130.131 CLIENT_DNS_2 + if [[ "${CLIENT_DNS_2}" == "" ]]; then + CLIENT_DNS_2="${CLIENT_DNS_1}" + fi + done - CLIENT_DNS_2="176.103.130.131" - read -rp "Second DNS resolver to use for the client: " -e -i "$CLIENT_DNS_2" CLIENT_DNS_2 + echo "" + echo "Okay, that was all I needed. We are ready to setup your WireGuard server now." + echo "You will be able to generate a client at the end of the installation." + read -n1 -r -p "Press any key to continue..." +} + +function installWireGuard() { + # Run setup questions first + installQuestions + + # Install WireGuard tools and module + if [[ "${OS}" == 'ubuntu' ]]; then + apt-get install -y software-properties-common + add-apt-repository -y ppa:wireguard/wireguard + apt-get update + apt-get install -y "linux-headers-$(uname -r)" + apt-get install -y wireguard iptables resolvconf qrencode + elif [[ "${OS}" == 'debian' ]]; then + if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then + echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list + apt-get update + fi + apt update + apt-get install -y iptables resolvconf qrencode + apt-get install -y -t buster-backports wireguard + elif [[ "${OS}" == 'fedora' ]]; then + if [[ "${VERSION_ID}" -lt 32 ]]; then + dnf install -y dnf-plugins-core + dnf copr enable -y jdoss/wireguard + dnf install -y wireguard-dkms + fi + dnf install -y wireguard-tools iptables qrencode + elif [[ "${OS}" == 'centos' ]]; then + curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo + yum -y install epel-release kernel kernel-devel kernel-headers + yum -y install wireguard-dkms wireguard-tools iptables qrencode + elif [[ "${OS}" == 'arch' ]]; then + pacman -S --noconfirm linux-headers + pacman -S --noconfirm wireguard-tools iptables qrencode + fi + + # Make sure the directory exists (this does not seem the be the case on fedora) + mkdir /etc/wireguard >/dev/null 2>&1 + + chmod 600 -R /etc/wireguard/ + + SERVER_PRIV_KEY=$(wg genkey) + SERVER_PUB_KEY=$(echo "${SERVER_PRIV_KEY}" | wg pubkey) + + # Save WireGuard settings + echo "SERVER_PUB_IP=${SERVER_PUB_IP} +SERVER_PUB_NIC=${SERVER_PUB_NIC} +SERVER_WG_NIC=${SERVER_WG_NIC} +SERVER_WG_IPV4=${SERVER_WG_IPV4} +SERVER_WG_IPV6=${SERVER_WG_IPV6} +SERVER_PORT=${SERVER_PORT} +SERVER_PRIV_KEY=${SERVER_PRIV_KEY} +SERVER_PUB_KEY=${SERVER_PUB_KEY} +CLIENT_DNS_1=${CLIENT_DNS_1} +CLIENT_DNS_2=${CLIENT_DNS_2}" >/etc/wireguard/params + + # Add server interface + echo "[Interface] +Address = ${SERVER_WG_IPV4}/24,${SERVER_WG_IPV6}/64 +ListenPort = ${SERVER_PORT} +PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf" + + if pgrep firewalld; then + FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0" + # shellcheck disable=SC2001 + FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/') + echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade' +PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" + else + echo "PostUp = iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE +PostDown = iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" + fi + + # Enable routing on the server + echo "net.ipv4.ip_forward = 1 +net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf + + sysctl --system + + systemctl start "wg-quick@${SERVER_WG_NIC}" + systemctl enable "wg-quick@${SERVER_WG_NIC}" + + # Check if WireGuard is running + systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" + WG_RUNNING=$? + + # WireGuard might not work if we updated the kernel. Tell the user to reboot + if [[ "${WG_RUNNING}" -ne 0 ]]; then + echo -e "\nWARNING: WireGuard does not seem to be running." + echo "You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}" + echo 'If you get something like "Cannot find device wg0", please reboot!' + fi + + newClient + echo "If you want to add more clients, you simply need to run this script another time!" +} + +function newClient() { + # Load params + # shellcheck disable=SC1091 + source /etc/wireguard/params + + ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}" + + printf "\n" + until [[ "${CLIENT_WG_IPV4}" =~ ^([0-9]{1,3}\.?){4}$ ]]; do + read -rp "Client's WireGuard IPv4: " -e -i "${SERVER_WG_IPV4::-1}"2 CLIENT_WG_IPV4 + done + + until [[ "${CLIENT_WG_IPV6}" =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do + read -rp "Client's WireGuard IPv6 : " -e -i "${SERVER_WG_IPV6::-1}"2 CLIENT_WG_IPV6 + done CLIENT_NAME=$( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10 @@ -32,204 +237,73 @@ function addClient() { # Generate key pair for the client CLIENT_PRIV_KEY=$(wg genkey) - CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey) + CLIENT_PUB_KEY=$(echo "${CLIENT_PRIV_KEY}" | wg pubkey) CLIENT_PRE_SHARED_KEY=$(wg genpsk) + # Home directory of the user, where the client configuration will be written + if [ -e "/home/${CLIENT_NAME}" ]; then # if $1 is a user name + HOME_DIR="/home/${CLIENT_NAME}" + elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER + HOME_DIR="/home/${SUDO_USER}" + else # if not SUDO_USER, use /root + HOME_DIR="/root" + fi + # Create client file and add the server as a peer echo "[Interface] -PrivateKey = $CLIENT_PRIV_KEY -Address = $CLIENT_WG_IPV4/24,$CLIENT_WG_IPV6/64 -DNS = $CLIENT_DNS_1,$CLIENT_DNS_2 +PrivateKey = ${CLIENT_PRIV_KEY} +Address = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128 +DNS = ${CLIENT_DNS_1},${CLIENT_DNS_2} [Peer] -PublicKey = $SERVER_PUB_KEY -PresharedKey = $CLIENT_PRE_SHARED_KEY -Endpoint = $ENDPOINT -AllowedIPs = 0.0.0.0/0,::/0" >>"$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" +PublicKey = ${SERVER_PUB_KEY} +PresharedKey = ${CLIENT_PRE_SHARED_KEY} +Endpoint = ${ENDPOINT} +AllowedIPs = 0.0.0.0/0,::/0" >>"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" # Add the client as a peer to the server echo -e "\n[Peer] -PublicKey = $CLIENT_PUB_KEY -PresharedKey = $CLIENT_PRE_SHARED_KEY -AllowedIPs = $CLIENT_WG_IPV4/32,$CLIENT_WG_IPV6/128" >>"/etc/wireguard/$SERVER_WG_NIC.conf" +PublicKey = ${CLIENT_PUB_KEY} +PresharedKey = ${CLIENT_PRE_SHARED_KEY} +AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" - systemctl restart "wg-quick@$SERVER_WG_NIC" + systemctl restart "wg-quick@${SERVER_WG_NIC}" echo -e "\nHere is your client config file as a QR Code:" - qrencode -t ansiutf8 -l L <"$HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" + qrencode -t ansiutf8 -l L <"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" - echo "It is also available in $HOME/$SERVER_WG_NIC-client-$CLIENT_NAME.conf" + echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" } -if [ "$EUID" -ne 0 ]; then - echo "You need to run this script as root" - exit 1 -fi - -if [ "$(systemd-detect-virt)" == "openvz" ]; then - echo "OpenVZ is not supported" - exit -fi - -if [ "$(systemd-detect-virt)" == "lxc" ]; then - echo "LXC is not supported (yet)." - echo "WireGuard can technically run in an LXC container," - echo "but the kernel module has to be installed on the host," - echo "the container has to be run with some specific parameters" - echo "and only the tools need to be installed in the container." - exit -fi - -if [[ $1 == "add-client" ]]; then - if [[ -e /etc/wireguard/params ]]; then - addClient +function manageMenu() { + echo "Welcome to WireGuard-install!" + echo "The git repository is available at: https://github.com/angristan/wireguard-install" + echo "" + echo "It looks like WireGuard is already installed." + echo "" + echo "What do you want to do?" + echo " 1) Add a new user" + echo " 2) Exit" + until [[ "${MENU_OPTION}" =~ ^[1-2]$ ]]; do + read -rp "Select an option [1-2]: " MENU_OPTION + done + case "${MENU_OPTION}" in + 1) + newClient + ;; + 2) exit 0 - else - echo "Please install and configure WireGuard first." - exit 1 - fi -elif [[ -e /etc/wireguard/params ]]; then - echo "WireGuard is already installed. Run with 'add-client' to add a client." - exit 1 -fi + ;; + esac +} -# Check OS version -if [[ -e /etc/debian_version ]]; then - source /etc/os-release - OS=$ID # debian or ubuntu - if [[ -e /etc/debian_version ]]; then - if [[ $ID == "debian" || $ID == "raspbian" ]]; then - if [[ $VERSION_ID -ne 10 ]]; then - echo "Your version of Debian ($VERSION_ID) is not supported. Please use Debian 10 Buster" - exit 1 - fi - fi - fi -elif [[ -e /etc/fedora-release ]]; then - source /etc/os-release - OS=$ID -elif [[ -e /etc/centos-release ]]; then - OS=centos -elif [[ -e /etc/arch-release ]]; then - OS=arch +# Check for root, virt, OS... +initialCheck + +# Check if WireGuard is already installed +if [[ -e /etc/wireguard/params ]]; then + manageMenu else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" - exit 1 + installWireGuard fi - -# Detect public IPv4 address and pre-fill for the user -SERVER_PUB_IPV4=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) -read -rp "IPv4 or IPv6 public address: " -e -i "$SERVER_PUB_IPV4" SERVER_PUB_IP - -# Detect public interface and pre-fill for the user -SERVER_PUB_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" -read -rp "Public interface: " -e -i "$SERVER_PUB_NIC" SERVER_PUB_NIC - -SERVER_WG_NIC="wg0" -read -rp "WireGuard interface name: " -e -i "$SERVER_WG_NIC" SERVER_WG_NIC - -SERVER_WG_IPV4="10.66.66.1" -read -rp "Server's WireGuard IPv4: " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4 - -SERVER_WG_IPV6="fd42:42:42::1" -read -rp "Server's WireGuard IPv6: " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6 - -# Generate random number within private ports range -SERVER_PORT=$(shuf -i49152-65535 -n1) -read -rp "Server's WireGuard port: " -e -i "$SERVER_PORT" SERVER_PORT - -# Install WireGuard tools and module -if [[ $OS == 'ubuntu' ]]; then - apt-get install -y software-properties-common - add-apt-repository -y ppa:wireguard/wireguard - apt-get update - apt-get install -y "linux-headers-$(uname -r)" - apt-get install -y wireguard iptables resolvconf qrencode -elif [[ $OS == 'debian' ]]; then - if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then - echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list - apt-get update - fi - apt update - apt-get install -y iptables resolvconf qrencode - apt-get install -y -t buster-backports wireguard -elif [[ $OS == 'fedora' ]]; then - if [[ $VERSION_ID -lt 32 ]]; then - dnf install -y dnf-plugins-core - dnf copr enable -y jdoss/wireguard - dnf install -y wireguard-dkms - fi - dnf install -y wireguard-tools iptables qrencode -elif [[ $OS == 'centos' ]]; then - curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo - yum -y install epel-release - yum -y install wireguard-dkms wireguard-tools iptables qrencode -elif [[ $OS == 'arch' ]]; then - pacman -S --noconfirm linux-headers - pacman -S --noconfirm wireguard-tools iptables qrencode -fi - -# Make sure the directory exists (this does not seem the be the case on fedora) -mkdir /etc/wireguard >/dev/null 2>&1 - -chmod 600 -R /etc/wireguard/ - -SERVER_PRIV_KEY=$(wg genkey) -SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey) - -# Save WireGuard settings -echo "SERVER_PUB_IP=$SERVER_PUB_IP -SERVER_PUB_NIC=$SERVER_PUB_NIC -SERVER_WG_NIC=$SERVER_WG_NIC -SERVER_WG_IPV4=$SERVER_WG_IPV4 -SERVER_WG_IPV6=$SERVER_WG_IPV6 -SERVER_PORT=$SERVER_PORT -SERVER_PRIV_KEY=$SERVER_PRIV_KEY -SERVER_PUB_KEY=$SERVER_PUB_KEY" >/etc/wireguard/params - -source /etc/wireguard/params - -# Add server interface -echo "[Interface] -Address = $SERVER_WG_IPV4/24,$SERVER_WG_IPV6/64 -ListenPort = $SERVER_PORT -PrivateKey = $SERVER_PRIV_KEY" >"/etc/wireguard/$SERVER_WG_NIC.conf" - -if [ -x "$(command -v firewall-cmd)" ]; then - FIREWALLD_IPV4_ADDRESS=$(echo "$SERVER_WG_IPV4" | cut -d"." -f1-3)".0" - FIREWALLD_IPV6_ADDRESS=$(echo "$SERVER_WG_IPV6" | sed 's/:[^:]*$/:0/') - echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade' -PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >>"/etc/wireguard/$SERVER_WG_NIC.conf" -else - echo "PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE -PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" >>"/etc/wireguard/$SERVER_WG_NIC.conf" -fi - -# Enable routing on the server -echo "net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf - -sysctl --system - -systemctl start "wg-quick@$SERVER_WG_NIC" -systemctl enable "wg-quick@$SERVER_WG_NIC" - -# Check if WireGuard is running -systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC" -WG_RUNNING=$? - -# Warn user about kernel version mismatch with headers -if [[ $OS =~ (fedora|centos) ]] && [[ $WG_RUNNING -ne 0 ]]; then - echo -e "\nWARNING: WireGuard does not seem to be running." - echo "Due to kernel mismatch issues on $OS, WireGuard might work if your system is out of date." - echo "You can check if WireGuard is running with: systemctl status wg-quick@$SERVER_WG_NIC" - echo 'If you get something like "Cannot find device wg0", please run:' - if [[ $OS == 'fedora' ]]; then - echo "dnf update -y && reboot" - elif [[ $OS == 'centos' ]]; then - echo "yum update -y && reboot" - fi -fi - -addClient From 31bee4542964b03ede9458e694aae5c28f7eb675 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 31 Jul 2020 15:02:26 +0200 Subject: [PATCH 7/8] Format with shfmt --- wireguard-install.sh | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 707b4e3..7c428e0 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -70,7 +70,7 @@ function installQuestions() { # Detect public IPv4 or IPv6 address and pre-fill for the user SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) - if [[ -z "${SERVER_PUB_IP}" ]]; then + if [[ -z ${SERVER_PUB_IP} ]]; then # Detect public IPv6 address SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) fi @@ -78,36 +78,36 @@ function installQuestions() { # Detect public interface and pre-fill for the user SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" - until [[ "${SERVER_PUB_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ ${SERVER_PUB_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC done - until [[ "${SERVER_WG_NIC}" =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do # shellcheck disable=SC2034 read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC done - until [[ "${SERVER_WG_IPV4}" =~ ^([0-9]{1,3}\.){3} ]]; do + until [[ ${SERVER_WG_IPV4} =~ ^([0-9]{1,3}\.){3} ]]; do read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4 done - until [[ "${SERVER_WG_IPV6}" =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do + until [[ ${SERVER_WG_IPV6} =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6 done # Generate random number within private ports range RANDOM_PORT=$(shuf -i49152-65535 -n1) - until [[ "${SERVER_PORT}" =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do + until [[ ${SERVER_PORT} =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT done # Adguard DNS by default - until [[ "${CLIENT_DNS_1}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + until [[ ${CLIENT_DNS_1} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "First DNS resolver to use for the clients: " -e -i 176.103.130.130 CLIENT_DNS_1 done - until [[ "${CLIENT_DNS_2}" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + until [[ ${CLIENT_DNS_2} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "Second DNS resolver to use for the clients (optional): " -e -i 176.103.130.131 CLIENT_DNS_2 - if [[ "${CLIENT_DNS_2}" == "" ]]; then + if [[ ${CLIENT_DNS_2} == "" ]]; then CLIENT_DNS_2="${CLIENT_DNS_1}" fi done @@ -123,13 +123,13 @@ function installWireGuard() { installQuestions # Install WireGuard tools and module - if [[ "${OS}" == 'ubuntu' ]]; then + if [[ ${OS} == 'ubuntu' ]]; then apt-get install -y software-properties-common add-apt-repository -y ppa:wireguard/wireguard apt-get update apt-get install -y "linux-headers-$(uname -r)" apt-get install -y wireguard iptables resolvconf qrencode - elif [[ "${OS}" == 'debian' ]]; then + elif [[ ${OS} == 'debian' ]]; then if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list apt-get update @@ -137,18 +137,18 @@ function installWireGuard() { apt update apt-get install -y iptables resolvconf qrencode apt-get install -y -t buster-backports wireguard - elif [[ "${OS}" == 'fedora' ]]; then - if [[ "${VERSION_ID}" -lt 32 ]]; then + elif [[ ${OS} == 'fedora' ]]; then + if [[ ${VERSION_ID} -lt 32 ]]; then dnf install -y dnf-plugins-core dnf copr enable -y jdoss/wireguard dnf install -y wireguard-dkms fi dnf install -y wireguard-tools iptables qrencode - elif [[ "${OS}" == 'centos' ]]; then + elif [[ ${OS} == 'centos' ]]; then curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo yum -y install epel-release kernel kernel-devel kernel-headers yum -y install wireguard-dkms wireguard-tools iptables qrencode - elif [[ "${OS}" == 'arch' ]]; then + elif [[ ${OS} == 'arch' ]]; then pacman -S --noconfirm linux-headers pacman -S --noconfirm wireguard-tools iptables qrencode fi @@ -204,7 +204,7 @@ net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf WG_RUNNING=$? # WireGuard might not work if we updated the kernel. Tell the user to reboot - if [[ "${WG_RUNNING}" -ne 0 ]]; then + if [[ ${WG_RUNNING} -ne 0 ]]; then echo -e "\nWARNING: WireGuard does not seem to be running." echo "You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}" echo 'If you get something like "Cannot find device wg0", please reboot!' @@ -222,11 +222,11 @@ function newClient() { ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}" printf "\n" - until [[ "${CLIENT_WG_IPV4}" =~ ^([0-9]{1,3}\.?){4}$ ]]; do + until [[ ${CLIENT_WG_IPV4} =~ ^([0-9]{1,3}\.?){4}$ ]]; do read -rp "Client's WireGuard IPv4: " -e -i "${SERVER_WG_IPV4::-1}"2 CLIENT_WG_IPV4 done - until [[ "${CLIENT_WG_IPV6}" =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do + until [[ ${CLIENT_WG_IPV6} =~ ^([a-f0-9]{1,4}:?:?){3,5} ]]; do read -rp "Client's WireGuard IPv6 : " -e -i "${SERVER_WG_IPV6::-1}"2 CLIENT_WG_IPV6 done @@ -285,7 +285,7 @@ function manageMenu() { echo "What do you want to do?" echo " 1) Add a new user" echo " 2) Exit" - until [[ "${MENU_OPTION}" =~ ^[1-2]$ ]]; do + until [[ ${MENU_OPTION} =~ ^[1-2]$ ]]; do read -rp "Select an option [1-2]: " MENU_OPTION done case "${MENU_OPTION}" in From 40cc13b1f445bc5937a2e1feb19a72910af76730 Mon Sep 17 00:00:00 2001 From: Navratan Gupta <37469234+navilg@users.noreply.github.com> Date: Fri, 31 Jul 2020 19:23:05 +0530 Subject: [PATCH 8/8] Add uninstall feature (#88) Fix #2 Co-authored-by: Stanislas Lange Co-authored-by: randomshell --- wireguard-install.sh | 61 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 7c428e0..55f24df 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -276,6 +276,57 @@ AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SER echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" } +function uninstallWg() { + if [[ ! -e /etc/wireguard/params ]]; then + echo "WireGuard is not installed." + exit 1 + fi + + checkOS + source /etc/wireguard/params + + systemctl stop "wg-quick@$SERVER_WG_NIC" + systemctl disable "wg-quick@$SERVER_WG_NIC" + + if [[ $OS == 'ubuntu' ]]; then + apt-get autoremove --purge -y wireguard qrencode + add-apt-repository -y -r ppa:wireguard/wireguard + elif [[ $OS == 'debian' ]]; then + apt-get autoremove --purge -y wireguard qrencode + elif [[ $OS == 'fedora' ]]; then + dnf remove -y wireguard-tools qrencode + if [[ $VERSION_ID -lt 32 ]]; then + dnf remove -y wireguard-dkms + dnf copr disable -y jdoss/wireguard + fi + dnf autoremove -y + elif [[ $OS == 'centos' ]]; then + yum -y remove wireguard-dkms wireguard-tools qrencode + rm -f "/etc/yum.repos.d/wireguard.repo" + yum -y autoremove + elif [[ $OS == 'arch' ]]; then + pacman -Rs --noconfirm wireguard-tools qrencode + fi + + rm -rf /etc/wireguard + rm -f /etc/sysctl.d/wg.conf + + # Reload sysctl + sysctl --system + + # Check if WireGuard is running + systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC" + WG_RUNNING=$? + + if [[ $WG_RUNNING -eq 0 ]]; then + echo "WireGuard failed to uninstall properly." + exit 1 + else + echo "WireGuard uninstalled successfully." + exit 0 + fi +} + function manageMenu() { echo "Welcome to WireGuard-install!" echo "The git repository is available at: https://github.com/angristan/wireguard-install" @@ -284,15 +335,19 @@ function manageMenu() { echo "" echo "What do you want to do?" echo " 1) Add a new user" - echo " 2) Exit" - until [[ ${MENU_OPTION} =~ ^[1-2]$ ]]; do - read -rp "Select an option [1-2]: " MENU_OPTION + echo " 2) Uninstall WireGuard" + echo " 3) Exit" + until [[ ${MENU_OPTION} =~ ^[1-3]$ ]]; do + read -rp "Select an option [1-3]: " MENU_OPTION done case "${MENU_OPTION}" in 1) newClient ;; 2) + uninstallWg + ;; + 3) exit 0 ;; esac