#!/bin/bash
#
# Secure Wireguard server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux
# https://github.com/yolateng0/Wireguard_install/
#
# Copyright (c) 2018 Viktor Villainov. Released under the MIT License.
# Copyright (c) 2018 yolateng0. Released under the MIT License.
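# Server-side WireGuard config. Its presence decides the mode of the script:
# absent -> install the server and a default client; present -> add a client.
# Nothing below reassigns it, so mark it read-only.
readonly WG_CONFIG="/etc/wireguard/wg0.conf"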
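#######################################
# Pick a random UDP port in 2000-65000 that no local UDP socket is bound to,
# and print it.
# Globals:   none
# Arguments: none
# Outputs:   the chosen port number on stdout
# Returns:   0
#######################################
get_free_udp_port() {
  local port
  # Loop instead of recursing: a busy box could otherwise nest many calls.
  while :; do
    port=$(shuf -i 2000-65000 -n 1)
    # -n prints numeric ports (without it, 53 shows up as "domain" and a
    # numeric grep misses it). Anchor on ":<port>" followed by whitespace/end so
    # 2000 does not match 20000 or digits inside an address (the original
    # unanchored substring grep did both).
    if ! ss -aun 2>/dev/null | grep -qE ":${port}([[:space:]]|$)"; then
      printf '%s\n' "$port"
      return 0
    fi
  done
}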
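#root access
# Package installation, /etc/wireguard and firewall/sysctl changes all need
# root. Exit non-zero so a caller can detect the failure (the original exited 0).
if [[ "$EUID" -ne 0 ]]; then
  printf '%s\n' "Sorry, you need to run this as root" >&2
  exit 1
fi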
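#is tun device available
# WireGuard needs the TUN device node; without it the interface cannot come up.
# Exit non-zero so the failure is visible to callers (the original exited 0).
if [[ ! -e /dev/net/tun ]]; then
  printf '%s\n' "The TUN device is not available. You need to enable TUN before running this script" >&2
  exit 1
fi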
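#OS check
# $ID is defined by /etc/os-release, which the original never loaded, so the
# "ubuntu" comparison could not match. Read it in a subshell so the other
# os-release variables (NAME, VERSION, ...) do not leak into this script.
# shellcheck source=/dev/null
OS_ID=$( [[ -r /etc/os-release ]] && . /etc/os-release && printf '%s' "${ID:-}" )
# DISTRO is spelled exactly as the package-install section compares it
# ("Ubuntu", "Debian", "CentOS"); the original stored lowercase "ubuntu"/"debian"
# and so never entered those install branches.
if [[ -e /etc/centos-release ]]; then
  DISTRO="CentOS"
# Ubuntu also ships /etc/debian_version, so it has to be tested before Debian.
elif [[ "$OS_ID" == "ubuntu" ]]; then
  DISTRO="Ubuntu"
elif [[ -e /etc/debian_version ]]; then
  DISTRO="Debian"
elif [[ -e /etc/fedora-release ]]; then
  DISTRO="fedora"
elif [[ -e /etc/arch-release ]]; then
  DISTRO="arch"
else
  printf '%s\n' "Your distribution is not supported (yet)" >&2
  exit 1
fi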
if [ ! -f "$WG_CONFIG" ]; then
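### Install server and add default client
INTERACTIVE=${INTERACTIVE:-yes}
PRIVATE_SUBNET=${PRIVATE_SUBNET:-"10.9.0.0/24"}
# Prefix length after the "/", e.g. "24" (parameter expansion instead of echo|cut).
PRIVATE_SUBNET_MASK=${PRIVATE_SUBNET#*/}
# Gateway is the first host of the subnet: drop "/len" and the last octet, then
# append ".1" (10.9.0.0/24 -> 10.9.0.1). The original ${PRIVATE_SUBNET::-4}
# chopped four characters and only worked when the string ended in "0/24".
SUBNET_PREFIX=${PRIVATE_SUBNET%/*}
SUBNET_PREFIX=${SUBNET_PREFIX%.*}
GATEWAY_ADDRESS="${SUBNET_PREFIX}.1"
if [[ -z "${SERVER_HOST:-}" ]]; then
  # Best effort: the first global-scope IPv4 address on this host. Behind NAT
  # this is a private address, hence the confirmation prompt below.
  SERVER_HOST=$(ip -4 -o addr show scope global | awk 'NR==1 {split($4, a, "/"); print a[1]}')
  if [[ "$INTERACTIVE" == "yes" ]]; then
    read -r -p "Servers public IP address is $SERVER_HOST. Is that correct? [y/n]: " -e -i "y" CONFIRM
    if [[ "$CONFIRM" == [Nn]* ]]; then
      printf '%s\n' "Aborted. Use environment variable SERVER_HOST to set the correct public IP address" >&2
      exit 1
    fi
  fi
fi
# Random free UDP port unless the caller pinned one via SERVER_PORT.
if [[ -z "${SERVER_PORT:-}" ]]; then
  SERVER_PORT=$(get_free_udp_port)
fi
if [[ -z "${CLIENT_DNS:-}" ]]; then
  cat <<'EOF'
Which DNS do you want to use with the VPN?
 1) Cloudflare
 2) FDNdns (France)
 3) OpenDNS
 4) AdGuard DNS
 5) DNS.WATCH
 6) Quad9 uncensored (Anycast: worldwide)
EOF
  # Range fixed to match the six options listed (the prompt said "[1-7]").
  read -r -p "DNS [1-6]: " -e -i 2 DNS_CHOICE
  case "$DNS_CHOICE" in
    1) CLIENT_DNS="1.1.1.1,1.0.0.1" ;;
    2) CLIENT_DNS="80.67.169.12,80.67.169.40" ;;
    3) CLIENT_DNS="208.67.222.222,208.67.220.220" ;;
    4) CLIENT_DNS="176.103.130.130,176.103.130.131" ;;
    5) CLIENT_DNS="84.200.69.80,84.200.70.40" ;;
    # NOTE(review): identical to option 4 (AdGuard) in the original, although
    # the menu labels it Quad9 — confirm the intended resolver addresses.
    6) CLIENT_DNS="176.103.130.130,176.103.130.131" ;;
    # Anything else falls back to the pre-filled default (2). The original had
    # no default arm, so a typo left CLIENT_DNS empty and the client config
    # was written with a blank "DNS =" line.
    *) CLIENT_DNS="80.67.169.12,80.67.169.40" ;;
  esac
fi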
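# TODO: unattended updates, apt install dnsmasq ntp
# Compared case-insensitively: the detection block above stores "debian"/"ubuntu"
# while this section originally tested "Debian"/"Ubuntu", so neither branch ran.
# sudo is dropped throughout — the script already refuses to run as non-root.
case "${DISTRO,,}" in
  ubuntu)
    add-apt-repository ppa:wireguard/wireguard -y
    apt update
    apt install wireguard qrencode iptables-persistent -y
    ;;
  debian)
    # wireguard comes from unstable; the pin (priority 90 < 500) keeps every
    # other package on the installed release.
    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
    apt update
    # "iptables-persistentdnsmasq" in the original was missing a space.
    apt install wireguard qrencode iptables-persistent dnsmasq ntp -y
    ;;
  centos)
    # -f: fail on an HTTP error instead of saving the error page as a .repo file.
    curl -fsSLo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    yum install epel-release -y
    yum install wireguard-dkms qrencode wireguard-tools dnsmasq ntp -y
    ;;
  fedora)
    dnf copr enable jdoss/wireguard -y
    # "wireguard-tool" corrected to "wireguard-tools", the name the other
    # branches use.
    # NOTE(review): iptables-persistent is a Debian/Ubuntu package name; confirm
    # the Fedora equivalent, otherwise dnf aborts the whole transaction.
    dnf install wireguard-dkms wireguard-tools qrencode iptables-persistent dnsmasq ntp -y
    ;;
  arch)
    # pacman's -y refreshes the package database; non-interactive confirmation
    # is --noconfirm (the original passed -y as if it meant "yes" and prompted
    # for linux-headers).
    # NOTE(review): iptables-persistent is a Debian/Ubuntu package name; confirm
    # the Arch equivalent before relying on this line.
    pacman -Sy --noconfirm linux-headers wireguard-tools qrencode iptables-persistent dnsmasq ntp
    ;;
esac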
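# Key pairs for the server and the first (default) client. Here-strings replace
# the original unquoted "echo $KEY | wg pubkey".
SERVER_PRIVKEY=$(wg genkey)
SERVER_PUBKEY=$(wg pubkey <<<"$SERVER_PRIVKEY")
CLIENT_PRIVKEY=$(wg genkey)
CLIENT_PUBKEY=$(wg pubkey <<<"$CLIENT_PRIVKEY")
# The first client gets host .3 (.1 is the gateway); the add-client branch
# counts upwards from the last /32 peer in the server config.
CLIENT_ADDRESS=${PRIVATE_SUBNET%/*}
CLIENT_ADDRESS="${CLIENT_ADDRESS%.*}.3"
mkdir -p /etc/wireguard
# Both files contain private keys: create them mode 0600 before writing rather
# than touch-then-chmod, which leaves a window at the default umask (and the
# client file was never chmod'ed at all). The redirections below truncate the
# existing files and keep that mode.
install -m 600 /dev/null "$WG_CONFIG"
install -m 600 /dev/null "$HOME/client-wg0.conf"
# The first line is a machine-readable header that the add-client branch parses
# by field position: "# <subnet> <host:port> <server pubkey> <dns>". Keep it.
cat > "$WG_CONFIG" <<EOF
# $PRIVATE_SUBNET $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY $CLIENT_DNS
[Interface]
Address = $GATEWAY_ADDRESS/$PRIVATE_SUBNET_MASK
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIVKEY
SaveConfig = false
# client
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32
EOF
cat > "$HOME/client-wg0.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_HOST:$SERVER_PORT
PersistentKeepalive = 25
EOF
qrencode -t ansiutf8 -l L < "$HOME/client-wg0.conf"
# Enable IPv4/IPv6 forwarding; skip keys already present so repeated runs do
# not pile up duplicate lines in /etc/sysctl.conf.
for sysctl_key in net.ipv4.ip_forward net.ipv4.conf.all.forwarding net.ipv6.conf.all.forwarding; do
  grep -qxF "${sysctl_key}=1" /etc/sysctl.conf 2>/dev/null || echo "${sysctl_key}=1" >> /etc/sysctl.conf
done
sysctl -p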
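# Open the listen port and NAT the VPN subnet outwards. CentOS uses firewalld;
# everything else gets iptables rules saved for iptables-persistent. The distro
# name is compared case-insensitively to agree with the detection block.
if [[ "${DISTRO,,}" == "centos" ]]; then
  firewall-cmd --zone=public --add-port="$SERVER_PORT/udp"
  firewall-cmd --zone=trusted --add-source="$PRIVATE_SUBNET"
  firewall-cmd --permanent --zone=public --add-port="$SERVER_PORT/udp"
  firewall-cmd --permanent --zone=trusted --add-source="$PRIVATE_SUBNET"
  # NOTE(review): SNAT --to $SERVER_HOST is only correct when SERVER_HOST is an
  # address configured on this machine; behind NAT (or if a hostname was given)
  # the MASQUERADE target used in the iptables branch would be the safer choice.
  firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s "$PRIVATE_SUBNET" ! -d "$PRIVATE_SUBNET" -j SNAT --to "$SERVER_HOST"
  firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s "$PRIVATE_SUBNET" ! -d "$PRIVATE_SUBNET" -j SNAT --to "$SERVER_HOST"
else
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate NEW -s "$PRIVATE_SUBNET" -m policy --pol none --dir in -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET" -m policy --pol none --dir out -j MASQUERADE
  iptables -A INPUT -p udp --dport "$SERVER_PORT" -j ACCEPT
  # /etc/iptables only exists where iptables-persistent created it; make sure
  # it is there so the save cannot fail silently on the other distributions.
  mkdir -p /etc/iptables
  iptables-save > /etc/iptables/rules.v4
fi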
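# Bring the tunnel up now and on every boot. The rendered copy of this script
# shows the unit as "[email protected]", which appears to be the page's e-mail
# obfuscation of the wg-quick template unit for wg0.
systemctl enable --now wg-quick@wg0.service
printf 'Client config --> %s\n' "$HOME/client-wg0.conf"
printf '%s\n' "Now reboot the server and enjoy your fresh VPN installation! :^)"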
else
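### Server is installed, create and add a new client
CLIENT_NAME="${1:-}"
if [[ -z "$CLIENT_NAME" ]]; then
  echo "Tell me a name for the client config file. Use one word only, no special characters."
  read -r -p "Client name: " -e CLIENT_NAME
fi
# The name becomes part of a path under $HOME and a comment line in the server
# config, so enforce the "one word, no special characters" rule instead of
# trusting it (rejects empty input, spaces, slashes and "..").
if [[ ! "$CLIENT_NAME" =~ ^[A-Za-z0-9_-]+$ ]]; then
  printf '%s\n' "Invalid client name: use letters, digits, '-' or '_' only" >&2
  exit 1
fi
CLIENT_PRIVKEY=$(wg genkey)
CLIENT_PUBKEY=$(wg pubkey <<<"$CLIENT_PRIVKEY")
# The first line of the server config is the header written at install time:
# "# <subnet> <host:port> <server pubkey> <dns>". One read replaces four
# head|awk pipelines.
read -r _ PRIVATE_SUBNET SERVER_ENDPOINT SERVER_PUBKEY CLIENT_DNS < "$WG_CONFIG"
PRIVATE_SUBNET_MASK=${PRIVATE_SUBNET#*/}
# Next free address: final octet of the last /32 peer, plus one.
LASTIP=$(grep "/32" "$WG_CONFIG" | tail -n1 | awk '{print $3}' | cut -d "/" -f 1 | cut -d "." -f 4)
# No /32 peer at all would have produced ".1" (the gateway) in the original;
# .255 is the broadcast address. Refuse both instead of handing out a bad IP.
if [[ -z "$LASTIP" ]] || (( LASTIP + 1 >= 255 )); then
  printf '%s\n' "Cannot allocate a new client address in $PRIVATE_SUBNET" >&2
  exit 1
fi
CLIENT_ADDRESS=${PRIVATE_SUBNET%/*}
CLIENT_ADDRESS="${CLIENT_ADDRESS%.*}.$((LASTIP + 1))"
cat >> "$WG_CONFIG" <<EOF
# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS/32
EOF
# The client file holds a private key: create it 0600 before writing (the
# original left it at the default umask).
install -m 600 /dev/null "$HOME/$CLIENT_NAME-wg0.conf"
cat > "$HOME/$CLIENT_NAME-wg0.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_ENDPOINT
PersistentKeepalive = 25
EOF
qrencode -t ansiutf8 -l L < "$HOME/$CLIENT_NAME-wg0.conf"
# Add the peer to the running interface too, if wg0 is up (the original's
# "ip address | grep -q wg0" also matched any interface containing "wg0").
if ip link show dev wg0 >/dev/null 2>&1; then
  wg set wg0 peer "$CLIENT_PUBKEY" allowed-ips "$CLIENT_ADDRESS/32"
fi
printf 'Client added, new configuration file --> %s\n' "$HOME/$CLIENT_NAME-wg0.conf"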
fi