Skip to content

Instantly share code, notes, and snippets.

@Mehran

Mehran/wireguard.sh

Last active June 16, 2023 11:53
Show Gist options
  • Save Mehran/576610e59db9ffe2e4c65b718e8e47e9 to your computer and use it in GitHub Desktop.
Save Mehran/576610e59db9ffe2e4c65b718e8e47e9 to your computer and use it in GitHub Desktop.
Download ZIP
WireGuard setup Server Side
Raw
wireguard.sh
#!/bin/bash
### Author ###
# By : Mehran Goudarzi
# Release : 2018-10-24
# Update : 2018-12-22
# Description : WireGuard Automation - Server Side
# Version : 1.3
###############
### Color's ###
DARKGRAY='\033[1;30m'
RED='\033[0;31m'
LIGHTRED='\033[1;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
LIGHTPURPLE='\033[1;35m'
CYAN='\033[0;36m'
WHITE='\033[1;37m'
SET='\033[0m'
###############
echo -n "[*] Updating Packages..." >&2
echo -e '\n' | add-apt-repository ppa:wireguard/wireguard >/dev/null 2>&1
apt-get update >/dev/null 2>&1
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r) qrencode -y >/dev/null 2>&1
echo " Done" >&2
echo -n "[*] Generate server and client keys..." >&2
umask 077
mkdir ~/config
wg genkey | tee ~/config/server_private_key | wg pubkey > ~/config/server_public_key
wg genkey | tee ~/config/ios_private_key | wg pubkey > ~/config/ios_public_key
wg genkey | tee ~/config/macos_private_key | wg pubkey > ~/config/macos_public_key
wg genkey | tee ~/config/client1_private_key | wg pubkey > ~/config/client1_public_key
wg genkey | tee ~/config/client2_private_key | wg pubkey > ~/config/client2_public_key
server_private_key=$(cat /root/config/server_private_key)
server_public_key=$(cat /root/config/server_public_key)
ios_private_key=$(cat /root/config/ios_private_key)
ios_public_key=$(cat /root/config/ios_public_key)
macos_private_key=$(cat /root/config/macos_private_key)
macos_public_key=$(cat /root//config/macos_public_key)
client1_private_key=$(cat /root/config/client1_private_key)
client1_public_key=$(cat /root/config/client1_public_key)
client2_private_key=$(cat /root/config/client2_private_key)
client2_public_key=$(cat /root/config/client2_public_key)
server_ip=$(curl -s ipinfo.io/ip)
port=51820
echo " Done" >&2
echo -n "[*] Generate server config..." >&2
echo "[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PrivateKey = $server_private_key
ListenPort = $port
[Peer]
PublicKey = $ios_public_key
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = $macos_public_key
AllowedIPs = 10.200.200.3/32
[Peer]
PublicKey = $client1_public_key
AllowedIPs = 10.200.200.4/32
[Peer]
PublicKey = $client2_public_key
AllowedIPs = 10.200.200.5/32" > /etc/wireguard/wg0.conf
echo " Done" >&2
echo -n "[*] Generate Clients config..." >&2
echo "[Interface]
Address = 10.200.200.2/32
PrivateKey = $ios_private_key
DNS = 10.200.200.1
[Peer]
PublicKey = $server_public_key
Endpoint = $server_ip:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21" > ~/config/ios_client.conf
echo "[Interface]
Address = 10.200.200.3/32
PrivateKey = $macos_private_key
DNS = 10.200.200.1
[Peer]
PublicKey = $server_public_key
Endpoint = $server_ip:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21" > ~/config/macos_client.conf
echo "[Interface]
Address = 10.200.200.4/32
PrivateKey = $client1_private_key
DNS = 10.200.200.1
[Peer]
PublicKey = $server_public_key
Endpoint = $server_ip:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21" > ~/config/lient1.conf
echo "[Interface]
Address = 10.200.200.5/32
PrivateKey = $client2_private_key
DNS = 10.200.200.1
[Peer]
PublicKey = $server_public_key
Endpoint = $server_ip:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21" > ~/config/client2.conf
echo " Done" >&2
echo -n "[*] Enable the WireGuard interface on the server..." >&2
chown -v root:root /etc/wireguard/wg0.conf >/dev/null 2>&1
chmod -v 600 /etc/wireguard/wg0.conf >/dev/null 2>&1
wg-quick up wg0 >/dev/null 2>&1
systemctl enable [email protected] >/dev/null 2>&1 #Enable the interface at boot
echo " Done" >&2
echo -n "[*] Check WireGuard interface is up or not ..." >&2
if grep -q 'wg0' <<< "$(ifconfig)" ; then
echo -e " Inteface is UP ${GREEN}[OK]${SET}" >&2
else
echo " Failed" >&2
exit 1
fi
echo -n "[*] Enable IP forwarding on the server ..." >&2
sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sysctl -p >/dev/null 2>&1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " Done" >&2
echo -n "[*] Configure firewall rules on the server..." >&2
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
export DEBIAN_FRONTEND=noninteractive
apt-get -yq install iptables-persistent >/dev/null 2>&1
systemctl enable netfilter-persistent >/dev/null 2>&1
netfilter-persistent save >/dev/null 2>&1
echo " Done" >&2
echo -n "[*] Configure DNS..." >&2
apt-get install unbound unbound-host -y >/dev/null 2>&1
curl -s -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache >/dev/null 2>&1
systemctl disable systemd-resolved.service >/dev/null 2>&1
service systemd-resolved stop >/dev/null 2>&1
echo "" > /etc/unbound/unbound.conf
echo "server:
num-threads: 4
#Enable logs
verbosity: 1
#list of Root DNS Server
root-hints: "/var/lib/unbound/root.hints"
#Use the root servers key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
#Respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
#Authorized IPs to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.200.200.0/24 allow
#not allowed to be returned for public internet names
private-address: 10.200.200.0/24
# Hide DNS Server info
hide-identity: yes
hide-version: yes
#Limit DNS Fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
#Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000000
#Have the validator print validation failures to the log.
val-log-level: 1
#Minimum lifetime of cache entries in seconds
cache-min-ttl: 1800
#Maximum lifetime of cached entries
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes" > /etc/unbound/unbound.conf
chown -R unbound:unbound /var/lib/unbound >/dev/null 2>&1
systemctl enable unbound >/dev/null 2>&1
service unbound restart >/dev/null 2>&1
echo " Done" >&2
echo -n "[*] Preparing QR-Code..." >&2
qrencode -t ansiutf8 < ~/config/ios_client.conf > /root/config/ios_Qcode.jpg
qrencode -t ansiutf8 < ~/config/client1.conf > /root/config/client1_Qcode.jpg
cat /root/config/ios_Qcode.jpg
echo " Done" >&2
echo -e "${GREEN}[*] Your WireGurad Server is Ready to Use!${SET}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment