From a810f727ddc5b4cb0da6beccbaa12e24fe1fe945 Mon Sep 17 00:00:00 2001
From: Andrew Prokhorenkov
Date: Sat, 21 Mar 2020 15:47:23 -0500
Subject: [PATCH 1/5] Use native WireGuard in Fedora >= 32 + support firewalld (#55)

---
 wireguard-install.sh | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/wireguard-install.sh b/wireguard-install.sh
index aa8283b..68c4783 100644
--- a/wireguard-install.sh
+++ b/wireguard-install.sh
@@ -24,7 +24,8 @@ if [[ -e /etc/debian_version ]]; then
 source /etc/os-release
 OS=$ID # debian or ubuntu
 elif [[ -e /etc/fedora-release ]]; then
- OS=fedora
+ source /etc/os-release
+ OS=$ID
 elif [[ -e /etc/centos-release ]]; then
 OS=centos
 elif [[ -e /etc/arch-release ]]; then
@@ -93,9 +94,12 @@ elif [[ "$OS" = 'debian' ]]; then
 apt-get install -y "linux-headers-$(uname -r)"
 apt-get install -y wireguard iptables resolvconf qrencode
 elif [[ "$OS" = 'fedora' ]]; then
- dnf install -y dnf-plugins-core
- dnf copr enable -y jdoss/wireguard
- dnf install -y wireguard-dkms wireguard-tools iptables qrencode
+ if [[ "$VERSION_ID" -lt 32 ]]; then
+ dnf install -y dnf-plugins-core
+ dnf copr enable -y jdoss/wireguard
+ dnf install -y wireguard-dkms
+ fi
+ dnf install -y wireguard-tools iptables qrencode
 elif [[ "$OS" = 'centos' ]]; then
 curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
 yum -y install epel-release
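Review bot: The new `if [[ "$VERSION_ID" -lt 32 ]]` in the fedora branch silently takes the third-party jdoss COPR + DKMS path whenever VERSION_ID is empty, because bash treats an empty string as 0 in an arithmetic comparison; VERSION_ID is only populated by the `source /etc/os-release` added in the first hunk, and nothing checks that it actually was. I would fail closed rather than fall back to an out-of-tree kernel module from an external repository: `: "${VERSION_ID:?VERSION_ID missing from /etc/os-release}"` immediately before the comparison, plus a comment such as `# Fedora >= 32 ships WireGuard in the distro kernel; older releases need the jdoss COPR + DKMS module`. Note also that `iptables` is still installed on every Fedora release even though the firewalld branch added later in this patch does not use it; harmless, but a comment saying it is kept for the non-firewalld fallback would make that intentional.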
@@ -120,9 +124,17 @@ CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey)
 echo "[Interface]
 Address = $SERVER_WG_IPV4/24,$SERVER_WG_IPV6/64
 ListenPort = $SERVER_PORT
-PrivateKey = $SERVER_PRIV_KEY
-PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
-PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" > "/etc/wireguard/$SERVER_WG_NIC.conf"
+PrivateKey = $SERVER_PRIV_KEY" > "/etc/wireguard/$SERVER_WG_NIC.conf"
+
+if [ -x "$(command -v firewall-cmd)" ]; then
+ FIREWALLD_IPV4_ADDRESS=$(echo $SERVER_WG_IPV4 | cut -d"." -f1-3)".0"
+ FIREWALLD_IPV6_ADDRESS=$(echo $SERVER_WG_IPV6 | sed 's/:[^:]*$/:0/')
+ echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'
+PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >> "/etc/wireguard/$SERVER_WG_NIC.conf"
+else
+ echo "PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
+PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t 
nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" >> "/etc/wireguard/$SERVER_WG_NIC.conf"
+fi
 # Add the client as a peer to the server
 echo "[Peer]

From 8130dc7b70d6df28423b948af4de61cc172f0bd6 Mon Sep 17 00:00:00 2001
From: Stanislas Lange
Date: Sat, 21 Mar 2020 21:53:06 +0100
Subject: [PATCH 2/5] Fix shellcheck

---
 .github/workflows/push.yml | 2 +-
 wireguard-install.sh | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 7c67b74..33edafa 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -8,6 +8,6 @@ jobs:
 - name: shellcheck
 uses: ludeeus/action-shellcheck@0.0.1
 env:
- SHELLCHECK_OPTS: -e SC1091,SC1117
+ SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001
 with:
 args: wireguard-install.sh
diff --git a/wireguard-install.sh b/wireguard-install.sh
index 68c4783..a35efe6 100644
--- a/wireguard-install.sh
+++ b/wireguard-install.sh
@@ -97,7 +97,7 @@ elif [[ "$OS" = 'fedora' ]]; then
 if [[ "$VERSION_ID" -lt 32 ]]; then
 dnf install -y dnf-plugins-core
 dnf copr enable -y jdoss/wireguard
- dnf install -y wireguard-dkms
+ dnf install -y wireguard-dkms
 fi
 dnf install -y wireguard-tools iptables qrencode
 elif [[ "$OS" = 'centos' ]]; then
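Review bot: The IPv6 rich rules in the new firewalld branch masquerade `source address=$FIREWALLD_IPV6_ADDRESS/24`, but the interface is configured a few lines earlier as `$SERVER_WG_IPV6/64`; a /24 on the tunnel's ULA prefix matches a vastly larger range than the tunnel itself, so both the PostUp and the PostDown line should read `source address=$FIREWALLD_IPV6_ADDRESS/64 masquerade`. The iptables branch also explicitly permits forwarding with `iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT` (and the ip6tables twin), whereas the firewalld branch only opens the port and adds masquerade rules, with no `--zone` given for either; unless firewalld's masquerade element is being relied on to allow forwarded tunnel traffic in the default zone, clients on firewalld hosts may get no forwarding at all, and a comment stating which behaviour is expected would help the next reader. The file holding `PrivateKey` is still created with a plain `>` redirect, so unless a restrictive umask is set earlier in the script (outside this hunk) a `chmod 600 "/etc/wireguard/$SERVER_WG_NIC.conf"` after the last `>>` would keep the server key from being readable by other local users. The `echo "[Peer]` string continues past the end of the hunk.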
@@ -127,8 +127,8 @@ ListenPort = $SERVER_PORT
 PrivateKey = $SERVER_PRIV_KEY" > "/etc/wireguard/$SERVER_WG_NIC.conf"
 if [ -x "$(command -v firewall-cmd)" ]; then
- FIREWALLD_IPV4_ADDRESS=$(echo $SERVER_WG_IPV4 | cut -d"." -f1-3)".0"
- FIREWALLD_IPV6_ADDRESS=$(echo $SERVER_WG_IPV6 | sed 's/:[^:]*$/:0/')
+ FIREWALLD_IPV4_ADDRESS=$(echo "$SERVER_WG_IPV4" | cut -d"." -f1-3)".0"
+ FIREWALLD_IPV6_ADDRESS=$(echo "$SERVER_WG_IPV6" | sed 's/:[^:]*$/:0/')
 echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'
 PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >> "/etc/wireguard/$SERVER_WG_NIC.conf"
 else

From 01bdb56b98d5e8a8f59ca2c626ee66efc5b8957a Mon Sep 17 00:00:00 2001
From: Stanislas Lange
Date: Fri, 27 Mar 2020 22:21:57 +0100
Subject: [PATCH 3/5] Make README more friendly

---
 README.md | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index c6fed81..2cfe1a7 100644
--- a/README.md
+++ b/README.md
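Review bot: Quoting the expansions is the right fix, but both assignments still pipe `echo` into `cut`/`sed` to do what parameter expansion does in-process: `FIREWALLD_IPV4_ADDRESS="${SERVER_WG_IPV4%.*}.0"` and `FIREWALLD_IPV6_ADDRESS="${SERVER_WG_IPV6%:*}:0"` yield the same strings for well-formed addresses (drop the last dotted or colon-separated group, append `.0`/`:0`) and remove the need for the global SC2001 exclusion this patch adds to push.yml. Either form only zeroes the final group, which fits the /24 used for `Address =` and a `::1`-style IPv6 default, but not an address whose host part spans several hextets, and the prompt accepts any value the user types; a comment such as `# derive the network address by zeroing the last group; assumes a /24 IPv4 and an IPv6 host part confined to the last hextet` would make that assumption visible where it matters. The `if` body continues past the end of the hunk.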
@@ -1,6 +1,13 @@ # WireGuard installer -Easily set up a dual-stack [WireGuard](https://www.wireguard.com/) VPN on a Linux server. See the issues for the WIP. +**This project is a bash script that aims to setup a [WireGuard](https://www.wireguard.com/) VPN on a Linux server, as easily as possible!** + +WireGuard is a point-to-point VPN that can be used in different ways. Here, we mean a VPN as in: the client will forward all its traffic trough an encrypted tunnel to the server. +The server will apply NAT to the client's traffic so it will appear as if the client is browsing the web with the server's IP. + +The script supports both IPv4 and IPv6. Please check the [issues](https://github.com/angristan/wireguard-install/issues) for ongoing development, bugs and planned features! + +WireGuard does not fit your environment? Check out [openvpn-install](https://github.com/angristan/openvpn-install). ## Requirements @@ -9,7 +16,7 @@ Supported distributions: - Ubuntu - Debian - Fedora -- Centos +- CentOS - Arch Linux I recommend these cheap cloud providers for your VPN server: @@ -20,19 +27,14 @@ I recommend these cheap cloud providers for your VPN server: ## Usage -First, get the script and make it executable : +Download and execute the script. Answer the questions asked by the script and it will take care of the rest. ```bash curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh chmod +x wireguard-install.sh -``` - -Then run it : - -```sh ./wireguard-install.sh ``` -It will install wireguard on the server, configure, create a systemd service and a client configuration file. Mutliple clients are not yet supported. +It will install WireGuard (kernel module and tools) on the server, configure it, create a systemd service and a client configuration file. Multiple clients are not yet supported. (WIP!) Contributions are welcome! From 3b342e531c06160c54d354a55b8fca39fa6c855c Mon Sep 17 00:00:00 2001 
From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Fri, 3 Apr 2020 16:16:59 +0000 Subject: [PATCH 4/5] Prompt with random port during setup (#64) --- wireguard-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index a35efe6..4221da6 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -52,7 +52,8 @@ read -rp "Server's WireGuard IPv4 " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4 SERVER_WG_IPV6="fd42:42:42::1" read -rp "Server's WireGuard IPv6 " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6 -SERVER_PORT=1194 +# Generate random number within private ports range +SERVER_PORT=$(shuf -i49152-65535 -n1) read -rp "Server's WireGuard port " -e -i "$SERVER_PORT" SERVER_PORT CLIENT_WG_IPV4="10.66.66.2" From 7c2e299a028f60ea8fbc24d3386fa21b71882371 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Fri, 3 Apr 2020 18:33:36 +0200 Subject: [PATCH 5/5] Add missing colons to setup questions Signed-off-by: Stanislas Lange --- wireguard-install.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 4221da6..3fef101 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh 
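Review bot: The default now comes from `shuf -i49152-65535 -n1`, but whatever ends up in SERVER_PORT after the following `read -rp` (the random pick or the user's edit) is never validated before being written into `ListenPort` and the firewall rules; a guard after the read, `[[ "$SERVER_PORT" =~ ^[0-9]+$ ]] && (( SERVER_PORT >= 1 && SERVER_PORT <= 65535 )) || { echo "Invalid port" >&2; exit 1; }`, would stop typos from reaching `firewall-cmd`/`iptables`. The 49152–65535 window also overlaps the range Linux hands to outbound sockets by default (32768–60999 via `net.ipv4.ip_local_port_range` on most kernels), so the chosen port can already be in use when the interface comes up; either check that nothing is bound to it before accepting the default or say in the comment that a random port is a best-effort measure, not a security control. I would also spell the comment out: `# IANA dynamic/private range (49152-65535); random default instead of the fixed 1194 used previously`.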
@@ -47,20 +47,20 @@ SERVER_WG_NIC="wg0" read -rp "WireGuard interface name: " -e -i "$SERVER_WG_NIC" SERVER_WG_NIC SERVER_WG_IPV4="10.66.66.1" -read -rp "Server's WireGuard IPv4 " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4 +read -rp "Server's WireGuard IPv4: " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4 SERVER_WG_IPV6="fd42:42:42::1" -read -rp "Server's WireGuard IPv6 " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6 +read -rp "Server's WireGuard IPv6: " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6 # Generate random number within private ports range SERVER_PORT=$(shuf -i49152-65535 -n1) -read -rp "Server's WireGuard port " -e -i "$SERVER_PORT" SERVER_PORT +read -rp "Server's WireGuard port: " -e -i "$SERVER_PORT" SERVER_PORT CLIENT_WG_IPV4="10.66.66.2" -read -rp "Client's WireGuard IPv4 " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 +read -rp "Client's WireGuard IPv4: " -e -i "$CLIENT_WG_IPV4" CLIENT_WG_IPV4 CLIENT_WG_IPV6="fd42:42:42::2" -read -rp "Client's WireGuard IPv6 " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 +read -rp "Client's WireGuard IPv6: " -e -i "$CLIENT_WG_IPV6" CLIENT_WG_IPV6 # Adguard DNS by default CLIENT_DNS_1="176.103.130.130"