From dfd9637db531490c70b52664c0f612edd73cab18 Mon Sep 17 00:00:00 2001
From: Alexander Mahr
Date: Sat, 26 Oct 2024 12:14:30 +0200
Subject: [PATCH] setup shellscript to config wireguard

---
README.md | 21 +++++++++
wireguard.sh | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 141 insertions(+)
create mode 100644 README.md
create mode 100644 wireguard.sh

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..99be63d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,21 @@
+# shell script to bootstrap wireguard on ubuntu 22.04
+
+despite installing the wireguard-tools package there is much more to be done
+
+* private-public-keypairs for the wireguard-server and
+* private-public-keypairs for the wireguard-clients (user1, user2 ..)
+
+need to be generated
+* the setup needs to setup the correct ip addreses
+
+ideally a qrcode for porting the generated wireguard-user conifguration is desired to
+quickly setup the clients
+
+
+* lastly the package forwarding
+* a systemd service should be setup
+
+
+
+
+
diff --git a/wireguard.sh b/wireguard.sh
new file mode 100644
index 0000000..b6a329f
--- /dev/null
+++ b/wireguard.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+
+set -x
+
+#re-exec as root (via sudo)
+test "$(id -u)" = 0 || exec sudo "$0"
+
+
+# if needed install
+dpkg -l | grep wireguard-tools || apt-get install -y wireguard-tools
+dpkg -l | grep python3-qrcodegen || apt-get install -y python3-qrcodegen
+test -f /bin/qrcode || {
+    cat >/bin/qrcode << 'PYTHON'
+#!/usr/bin/python3
+from qrcodegen import QrCode, QrSegment
+import sys;
+
+def print_qr(qrcode: QrCode) -> None:
+    border = 4
+    for y in range(-border, qrcode.get_size() + border):
+        for x in range(-border, qrcode.get_size() + border):
+            print("\u2588 "[1 if qrcode.get_module(x,y) else 0] * 2, end="")
+        print()
+    print()
+
+data = sys.stdin.read();
+# Make and print the QR Code symbol
+print_qr(QrCode.encode_text( data , QrCode.Ecc.MEDIUM))
+print( data);
+PYTHON
+    chmod a+rx /bin/qrcode
+}
+test -f /etc/sysctl.d/ipv4.forward|| {
+cat > /etc/sysctl.d/ipv4.forward << SYSCTL
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+SYSCTL
+}
+
+wg-quick down wg0
+
+test -f /etc/wireguard/privatekey || {
+    wg genkey > /etc/wireguard/privatekey
+    chmod 0600 /etc/wireguard/privatekey
+}
+test -f /etc/wireguard/publickey || {
+    wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
+    chmod 0600 /etc/wireguard/publickey
+}
+
+
+test -d /etc/wireguard/peers || {
+    mkdir /etc/wireguard/peers
+}
+
+NUM=1
+for PEERNAME in user1 user2 user3
+do
+    PEERINFO="/etc/wireguard/peers/peer.$NUM.$PEERNAME.txt"
+    test -f "$PEERINFO" || {
+        PRIVATEKEY="$(wg genkey | tee "$PEERINFO")"
+        wg pubkey >> "$PEERINFO" <<< "$PRIVATEKEY"
+    }
+    NUM=$((NUM+1))
+done
+
+INTENRNET_NIC="$(ip route get 8.8.8.8 | head -n 1 | sed 's/.*dev //;s/src.*//')";
+
+rm /etc/wireguard/wg0.conf
+test -f /etc/wireguard/wg0.conf || {
+    cat > /etc/wireguard/wg0.conf << WGCONF
+[Interface]
+Address = 10.1.1.1/24
+Address = fdaa::1/24
+SaveConfig = true
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $INTENRNET_NIC -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $INTENRNET_NIC -j MASQUERADE
+ListenPort = 78
+PrivateKey = $(cat /etc/wireguard/privatekey)
+
+$(
+    cd /etc/wireguard/peers
+    for PEER in peer*.txt
+    do
+        NUM="${PEER#peer.}"
+        NUM="${NUM%.*.txt}"
+        cat << PEERINFO
+[Peer]
+PublicKey = $(tail -n 1 "$PEER")
+AllowedIPs = 10.1.1.$((NUM + 1))/32
+PEERINFO
+    done
+)
+WGCONF
+}
+
+(
+    cd /etc/wireguard/peers
+    for PEER in peer*.txt
+    do
+        NUM="${PEER#peer.}"
+        NUM="${NUM%.*.txt}"
+        tee "$PEER".conf << PEERINFO | qrcode | tee "$PEER".qrcode
+[Interface]
+PrivateKey = $(head -n 1 "$PEER")
+Address = 10.1.1.$((NUM + 1))/32,fdaa::$((NUM + 1))/64
+DNS = 8.8.8.8
+
+[Peer]
+PublicKey = $(cat /etc/wireguard/publickey)
+AllowedIPs = 0.0.0.0/0
+Endpoint = $(ip -br a s | grep -e '^en' | sed 's/\/32 metric.*//;s/.* //'):78
+PEERINFO
+    done
+)
+
+wg-quick up wg0
+sleep 1
+wg show
+systemctl enable 'wg-quick@wg0'
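Review bot: The peer private keys, the generated client configs and the QR payloads are written under the default umask — `wg genkey | tee "$PEERINFO"`, `tee "$PEER".conf`, `tee "$PEER".qrcode` and `cat > /etc/wireguard/wg0.conf` — so unlike `/etc/wireguard/privatekey` they get no `chmod 0600` and will be world-readable unless `/etc/wireguard` itself already happens to be 0700; adding `umask 077` directly after the `exec sudo "$0"` re-exec line covers every file the script creates. `set -x` at the top also traces the `PRIVATEKEY=...` assignment and the `<<< "$PRIVATEKEY"` here-string, so every client key lands in the terminal and in any captured log or journal; I would drop `-x` (or at least `set +x` around the key generation and the config heredocs) and use `set -u` instead. Separately, the server-side `[Peer]` blocks only allow `10.1.1.N/32` and the client `AllowedIPs = 0.0.0.0/0` has no `::/0`, yet the client `Address` still assigns `fdaa::N/64`, so client IPv6 traffic will not be routed through the tunnel — either drop the IPv6 addresses or add `fdaa::$((NUM + 1))/128` on the server side and `::/0` on the client. The `rm /etc/wireguard/wg0.conf` immediately before `test -f /etc/wireguard/wg0.conf ||` makes that guard dead code and prints an error on the first run because the file does not exist yet; `rm -f` without the `test` states the "always regenerate" intent, and note that `SaveConfig = true` plus the earlier `wg-quick down wg0` means runtime state is written back to the file only to be deleted a few lines later.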