my-ubuntu-20.04-svr.sh
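#!/usr/bin/env bash
# Bootstrap header. _XERT_DONTRUN is exported so that, when this whole file is
# executed (e.g. via the curl | bash line below), the self-fetch is skipped and
# the script does not download and run itself a second time.
# don't copy this line when installing
export _XERT_DONTRUN="true"
# Copy the below 2 lines to install.
# This pipes a remote script straight into bash with no integrity check beyond
# TLS, and the raw gist URL tracks the latest revision, so what runs is
# whatever the gist holds at fetch time; pinning the URL to a specific gist
# revision is the only way to know in advance what will execute. -f makes curl
# fail on an HTTP error instead of handing the error page to bash; -sS keeps it
# quiet but still reports failures; -L follows redirects.
CONFIG_MY_SVR_URL="https://gist.githubusercontent.com/XertroV/898436fe500f264a1fabeac889196f9e/raw/my-ubuntu-20.04-svr.sh"
if [[ "$_XERT_DONTRUN" == "" ]]; then curl -fsSL "$CONFIG_MY_SVR_URL?nonce=$(date +%s)" | bash; fi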
ZSHRC_MAID_URL="https://gist.githubusercontent.com/XertroV/6b9bbe298edff882b202c189e18b9c26/raw/.zshrc" | |
P10K_MAID_URL="https://gist.githubusercontent.com/XertroV/4c2e5c5ae5bead72558295e7e464b203/raw/.p10k.zsh" | |
NORM_USER="$USER" | |
PRE_DIR = "$PWD" | |
if [[ "$NORM_USER" == "root" ]]; then | |
echo "Run as regular user, not root"; | |
fi | |
alias echo="echo -e" | |
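# Passwordless sudo for $NORM_USER. The line is written as a drop-in under
# /etc/sudoers.d and checked with `visudo -c` before it is installed: appending
# to /etc/sudoers with tee has no syntax check, and one malformed line there
# breaks sudo for every user. The grant is still NOPASSWD: ALL, so anything
# running as $NORM_USER can become root without a prompt.
sudo cp /etc/sudoers{,.back$(date +%s)}
sudoers_dropin="$(mktemp)"
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$NORM_USER" > "$sudoers_dropin"
if sudo visudo -cf "$sudoers_dropin"; then
  # 0440 root:root is what sudoers.d expects; the file name contains no '.'
  # and does not end in '~', otherwise sudo would silently ignore it.
  sudo install -m 0440 -o root -g root "$sudoers_dropin" /etc/sudoers.d/90-norm-user-nopasswd
else
  echo "sudoers entry failed visudo validation and was not installed" >&2
fi
rm -f -- "$sudoers_dropin"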
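# System update and base packages. apt-get rather than apt: apt is the
# interactive front end and warns that its CLI is not stable when scripted,
# and the rest of this script already uses apt-get. zsh is required by the
# oh-my-zsh step below.
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y
sudo apt-get install -y git build-essential zsh net-tools dnsutils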
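# Download URL (with a cache-busting nonce) into a temp file and move it into
# place only on success, so a failed fetch (HTTP error, no network) cannot
# replace an existing dotfile with an empty or bogus one.
fetch_dotfile() {
  local url=$1 dest=$2 tmp
  tmp="$(mktemp)" || return 1
  if curl -fsSL "$url?nonce=$(date +%s)" -o "$tmp"; then
    mv -- "$tmp" "$dest"
  else
    echo "failed to fetch $url; $dest left untouched" >&2
    rm -f -- "$tmp"
    return 1
  fi
}

# Shell setup: oh-my-zsh, the powerlevel10k theme and the author's dotfiles.
# Skipped when ~/.oh-my-zsh already exists unless FORCE_ZSH is non-empty.
# The oh-my-zsh installer is executed straight from the network (TLS only,
# not pinned) — the same caveat as the bootstrap line at the top of the file.
if [[ ! -d ~/.oh-my-zsh || "$FORCE_ZSH" != "" ]]; then
  sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
  # $HOME rather than ~: tilde is not expanded inside a double-quoted ${var:-default}.
  git clone --depth=1 https://github.com/romkatv/powerlevel10k.git "${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k"
  fetch_dotfile "$ZSHRC_MAID_URL" ~/.zshrc
  fetch_dotfile "$P10K_MAID_URL" ~/.p10k.zsh
  # sed -i 's=robbyrussell=powerlevel10k/powerlevel10k=' ~/.zshrc
  sudo chsh -s /bin/zsh "$NORM_USER"
fi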
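# IPv4 forwarding, needed for the WireGuard server to route and masquerade
# peer traffic. The sed uncomments the line Ubuntu ships in /etc/sysctl.conf;
# it is a no-op if that exact commented line is absent, so check that some
# persistent config actually turns forwarding on and warn if not.
sudo sed -i 's+#net.ipv4.ip_forward=1+net.ipv4.ip_forward=1+' /etc/sysctl.conf
if ! grep -Eqs '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf /etc/sysctl.d/*.conf; then
  echo "WARNING: net.ipv4.ip_forward=1 not found in sysctl config; forwarding will not survive a reboot" >&2
fi
sudo sysctl -p
# Apply to the running kernel now (replaces echo 1 | tee into /proc; same effect, and sysctl reports the value it set).
sudo sysctl -w net.ipv4.ip_forward=1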
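# DNS for VPN and w/e: a local unbound resolver for VPN clients, set up as root
# via sudo bash. curl -f: without it an HTTP error page would be written into
# root.hints / the config file. set -e stops the root shell at the first
# failure so a broken download is never enabled as a service. The unbound
# config is pulled from a gist (TLS only, not pinned): review it before relying
# on it for a resolver.
cat << 'EOF' | sudo bash || echo "unbound setup failed; see errors above" >&2
set -e
apt-get install -y unbound unbound-host
curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
curl -fsSL -o /etc/unbound/unbound.conf.d/wireguard.conf https://gist.githubusercontent.com/XertroV/d5779229a53f79e3b46a8acee3df8c58/raw/wireguard.conf
chown -R unbound:unbound /var/lib/unbound
# validate the merged config before (re)starting so a bad fetch cannot take DNS down
unbound-checkconf
systemctl enable unbound
# the package starts unbound with its default config; restart so the new file is loaded
systemctl restart unbound
EOF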
# VPNs are good -- WIREGUARD
# UDP port the WireGuard server listens on; also the port the firewall rule
# and the port-forward reminder at the end refer to.
WG_PORT='51820'
# Kernel module (via DKMS, so the running kernel's headers are needed) and
# userspace tools from the upstream PPA. The Ubuntu 20.04 archive should also
# carry a wireguard package, in which case the PPA step is optional.
sudo add-apt-repository -y ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install -y wireguard-dkms wireguard-tools "linux-headers-$(uname -r)"
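# Generate a server and one client key pair and write both WireGuard configs.
# Everything below runs as root via sudo bash, so ~ is root's home: the key
# files and wg0-client.conf land in root's ~/.wg (typically /root/.wg), not in
# the invoking user's home. $WG_PORT is expanded by the outer shell (EOF1 is
# unquoted); the \$(...) substitutions are escaped so they run inside the root
# shell, after the keys exist. Configs are written with redirects rather than
# piped through tee, so no private key is echoed to the terminal or captured
# by anything logging this script's output. set -e: a failed key generation
# must not produce a config with an empty PrivateKey.
cat << EOF1 | sudo bash
set -e
umask 077
mkdir -p ~/.wg
cd ~/.wg
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genkey | tee client_private_key | wg pubkey > client_public_key
mkdir -p /etc/wireguard
cat > /etc/wireguard/wg0.conf << EOF2
[Interface]
Address = 192.168.13.37/24
SaveConfig = true
PrivateKey = \$(cat ./server_private_key)
ListenPort = $WG_PORT
[Peer]
PublicKey = \$(cat ./client_public_key)
AllowedIPs = 192.168.13.38/32
EOF2
# Endpoint is a placeholder: put the server's public FQDN/IP and the externally
# forwarded port in before handing this file to a client.
cat > wg0-client.conf << EOF2
[Interface]
Address = 192.168.13.38/32
PrivateKey = \$(cat ./client_private_key)
DNS = 192.168.13.37
[Peer]
PublicKey = \$(cat ./server_public_key)
Endpoint = THE_FQDN.fish.xk.io:5_THE_PORT_5
AllowedIPs = 192.168.13.37/32
PersistentKeepalive = 21
EOF2
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service # bring the interface up at boot
EOF1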
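# Best-effort guess of the uplink NIC and its IPv4 address, used for the
# MASQUERADE rule and the port-forward reminder. Read from the default route
# rather than whichever route `ip route show` lists first, and parsed with awk
# instead of `col2`, which is not a standard utility (presumably an alias in
# the author's interactive shell, and undefined when run via curl | bash).
MY_NIC_GUESS="$(ip -4 route show default | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')"
# First global IPv4 address on that NIC, without the prefix length.
MY_IP_GUESS="$(ip -4 -o addr show dev "$MY_NIC_GUESS" scope global | awk 'NR == 1 { print $4 }' | cut -d '/' -f 1)"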
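# Firewall: accept established traffic, the WireGuard port, DNS from the VPN
# subnet, forwarding between VPN peers, and NAT out of the uplink. $WG_PORT and
# $MY_NIC_GUESS are expanded by the outer shell (unquoted EOF) so the rules
# follow the variables instead of repeating 51820 and eth0 by hand; the NIC
# falls back to eth0 if the guess came back empty. Rules are appended with -A,
# so re-running this script duplicates them.
cat << EOF | sudo bash
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport $WG_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 192.168.13.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -o ${MY_NIC_GUESS:-eth0} -j MASQUERADE
# we should finish any/all iptables before this point bc iptables-persistent only saves automatically on install
# noninteractive: the package asks via debconf whether to save the current rules, which a script cannot answer
DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
systemctl enable netfilter-persistent
netfilter-persistent save
EOF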
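# finalization messages (printf rather than echo -e: no dependence on echo's
# escape handling or on an alias, which non-interactive bash would not expand)
printf 'ACTION: Port forward a port to %s:%s for wireguard. Distribute client key and config for remote use.\n' "$MY_IP_GUESS" "$WG_PORT"
printf '\n\n'
printf '%s\n\n %s\n' 'ACTION: run on ubuntu clients to install wireguard:' "sudo bash -c 'add-apt-repository -y ppa:wireguard/wireguard && apt-get update && apt-get install -y wireguard-dkms wireguard-tools linux-headers-\$(uname -r)'"
printf '%s\n' "Then put wg0-client.conf in the client's /etc/wireguard/ folder, and run 'sudo wg-quick up wg0-client' to start, and 'sudo wg-quick down wg0-client' to stop"
# The client config was written by the root shell above, so it is not in the current directory.
printf '%s\n' "wg0-client.conf lives in root's ~/.wg (typically /root/.wg), mode 0600: copy it out with sudo. Set its Endpoint (host and forwarded port) before use; it contains the client's private key, so transfer it over a private channel and remove spare copies."
printf '\n\n'
printf '%s\n' 'Check wireguard status: sudo wg show'
printf '%s\n' 'Persist client conn: sudo systemctl enable wg-quick@wg0-client.service'
printf '%s\n' 'Generate new user: wg genkey | tee new_client_private_key2 | wg pubkey > new_client_public_key2'
printf '%s\n' 'Add new user to server: wg set wg0 peer <new_client_public_key> allowed-ips <new_client_vpn_IP>/32'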