├── LICENSE ├── README.md ├── addpeer.sh └── wireguard.sh /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 oneMarcFifty 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # wireguard_vps_vpn 2 | Wireguard Installation Scripts 3 | 4 | these scripts can be used to install wireguard on a virtual private server (VPS), i.e. 5 | a server that you have running in the cloud. 6 | 7 | Alternatively you can use it to install wireguard VPN software on a Ubuntu / Debian Server (tested with **Ubuntu 18** and **Debian 11**). 8 | 9 | There is an installation script called wireguard.sh that does all the necessary things for you in order to install wireguard on the virtual server. 
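10 | 
11 | A second script called addpeer.sh can be used to add an additional client or peer, such as a laptop running Windows or an iPhone.
12 | 
13 | I have designed the scripts in a way that you can either transfer them over to the server as a file and call them from the command line or – alternatively – you can copy and paste the content directly into the terminal window.
14 | 
15 | Find all details on [my youtube channel](https://www.youtube.com/channel/UCG5Ph9Mm6UEQLJJ-kGIC2AQ)
16 | 
17 | If you are having issues with these scripts (they don't work as expected etc.) then please reach out to me on [my Discord server](https://discord.gg/cshnaHkqYy)
18 | 
--------------------------------------------------------------------------------
/addpeer.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# ###########################################
# ###########################################
#
# Wireguard script to add a peer
# by OneMarcFifty
# the place for digital DIY
#
# https://www.youtube.com/channel/UCG5Ph9Mm6UEQLJJ-kGIC2AQ
#
# ###########################################
# ###########################################

# ###############################
# This needs to be run as root !
# ###############################

# Usage: addpeer.sh [CLIENTNAME] [CLIENTADDRESS]
#   first parameter  is the client name (only used in the on-screen message)
#   second parameter is the IP address (CIDR) the client gets on the VPN
#
# Both can also be given as environment variables WGCLIENTNAME / WGCLIENTADDRESS,
# which is handy when the script is pasted into a terminal instead of run as a
# file.  Set OUR_OWN_IP (address or hostname) to skip the public-IP lookup,
# e.g. when the server sits behind NAT.
#
# All work happens inside main() so that a copy/paste into an interactive shell
# leaves no key material behind in shell variables, and failures 'return'
# instead of 'exit' so that the pasting user's shell is not killed.

# print a diagnostic on stderr
warn() {
  printf 'addpeer: %s\n' "$*" >&2
}

# Ask ipinfo.io for our public IPv4 address.  curl runs as 'nobody' so a curl
# bug cannot touch /etc/wireguard, and HTTPS is used so an on-path attacker
# cannot hand us a wrong endpoint for the client config.
# Outputs: the address on stdout
# Returns: 1 if the answer is not a plain IPv4 literal (or curl failed)
fetch_public_ip() {
  local ip ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  if command -v sudo >/dev/null 2>&1; then
    ip=$(sudo -u nobody curl -fsS --max-time 15 https://ipinfo.io/ip)
  else
    # Debian minimal installs often have no sudo; runuser is in util-linux
    ip=$(runuser -u nobody -- curl -fsS --max-time 15 https://ipinfo.io/ip)
  fi
  [[ $ip =~ $ipv4_re ]] || return 1
  printf '%s' "$ip"
}

#######################################
# Generate a keypair for a new client, register it on wg0, persist it and
# print the client config as QR code and text.
# Arguments: $1 - client name, $2 - client VPN address (both optional)
# Globals:   WGCLIENTNAME, WGCLIENTADDRESS, OUR_OWN_IP (read, all optional)
# Returns:   0 on success, 1 on any failed step
#######################################
main() {
  local client_name=${1:-${WGCLIENTNAME:-newclient}}
  local client_address=${2:-${WGCLIENTADDRESS:-192.168.88.2/32}}
  local conf=/etc/wireguard/newpeer.conf
  # the address ends up in an INI file and on the wg command line: restrict it
  # to what an IP/CIDR list can contain (wg does the real parsing later)
  local addr_re='^[0-9A-Fa-f.:/,]+$'
  local client_private_key client_public_key server_public_key listen_port public_ip tool

  [[ $EUID -eq 0 ]] || { warn "this script needs to be run as root"; return 1; }
  for tool in wg wg-quick curl qrencode; do
    command -v "$tool" >/dev/null 2>&1 || { warn "required tool '$tool' is not installed"; return 1; }
  done
  [[ $client_address =~ $addr_re ]] || { warn "client address '$client_address' does not look like an IP/CIDR"; return 1; }
  wg show wg0 >/dev/null 2>&1 || { warn "interface wg0 does not exist - run wireguard.sh first"; return 1; }

  printf '\ngenerating peer %s with IP %s\n\n' "$client_name" "$client_address"

  # generate a new keypair for the client
  client_private_key=$(wg genkey) || return 1
  client_public_key=$(wg pubkey <<<"$client_private_key") || return 1

  # read out this server's public key and listen port for the [Peer] section
  # ('wg show wg0 ...' asks for wg0 only, so other wg interfaces do not get mixed in)
  server_public_key=$(wg show wg0 public-key) || return 1
  listen_port=$(wg show wg0 listen-port) || return 1

  # our own internet address; a caller-provided OUR_OWN_IP wins (NAT setups)
  public_ip=${OUR_OWN_IP:-$(fetch_public_ip)}
  if [[ -z $public_ip ]]; then
    warn "could not determine our public IP - set OUR_OWN_IP and rerun"
    return 1
  fi

  # register the peer on the running interface first: wg validates the
  # allowed-ips, so a bad address fails here before any config is written
  wg set wg0 peer "$client_public_key" allowed-ips "$client_address" || return 1

  # write the client config; umask 077 keeps the private key owner-readable only.
  # NOTE: this file keeps the client's private key on the server - delete it
  # once the client has imported the config.
  umask 077
  rm -f -- "$conf"
  cat > "$conf" <<EOF
# ######################################################
# ########### COPY PASTE BELOW #########################
# ######################################################
[Interface]
PrivateKey = $client_private_key
Address=$client_address
DNS=8.8.8.8

[Peer]
PublicKey = $server_public_key
AllowedIPs=0.0.0.0/0
Endpoint=$public_ip:$listen_port

# ######################################################
# ########### COPY PASTE ABOVE #########################
# ######################################################
EOF

  # down/up persists the new peer into wg0.conf (SaveConfig = true) but briefly
  # interrupts the other peers; 'wg-quick save wg0' avoids that once the
  # interface is managed by wg-quick.
  if ! wg-quick down wg0 || ! wg-quick up wg0; then
    warn "restarting wg0 failed"
    return 1
  fi

  # show the config as a QR code, then as text
  qrencode -t ANSIUTF8 < "$conf"
  cat -- "$conf"
}

main "$@"
--------------------------------------------------------------------------------
/wireguard.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# ###########################################
# ###########################################
#
# Wireguard installation script for Ubuntu 18.04
# by OneMarcFifty
# the place for digital DIY
#
# https://www.youtube.com/channel/UCG5Ph9Mm6UEQLJJ-kGIC2AQ
#
# ###########################################
# ###########################################

# ###############################
# This needs to be run as root !
# ###############################

# Tunables (export them before running or pasting to override):
#   WG0ADDRESS - the server's VPN address, default 192.168.88.1/24
#   WG0PORT    - the UDP port WireGuard listens on, default 51820
#   OUR_OWN_IP - our public IPv4 address, skips the lookup via ipinfo.io
#
# All work happens inside main() so that a copy/paste into an interactive shell
# does not leave stray variables behind, and failures 'return' instead of
# 'exit' so that the pasting user's shell is not killed.

# print a diagnostic on stderr
warn() {
  printf 'wireguard.sh: %s\n' "$*" >&2
}

# Ask ipinfo.io for our public IPv4 address.  curl runs as 'nobody' so a curl
# bug cannot touch /etc/wireguard, and HTTPS is used so the answer cannot be
# tampered with on the way.
# Outputs: the address on stdout
# Returns: 1 if the answer is not a plain IPv4 literal (or curl failed)
fetch_public_ip() {
  local ip ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  if command -v sudo >/dev/null 2>&1; then
    ip=$(sudo -u nobody curl -fsS --max-time 15 https://ipinfo.io/ip)
  else
    # Debian minimal installs often have no sudo; runuser is in util-linux
    ip=$(runuser -u nobody -- curl -fsS --max-time 15 https://ipinfo.io/ip)
  fi
  [[ $ip =~ $ipv4_re ]] || return 1
  printf '%s' "$ip"
}

# Find the interface that carries our public address.  That does not work in a
# NAT environment (the VPS does not own the public address), so fall back to
# the interface of the default route.
# Arguments: $1 - public IPv4 address (may be empty)
# Outputs:   the interface name on stdout, empty if none was found
find_wan_interface() {
  local public_ip=$1 iface=
  if [[ -n $public_ip ]]; then
    # 'ip -br addr' prints "<name> <state> <addr/prefix>..."; compare the
    # address part of every column and strip a veth-style "@ifN" suffix
    iface=$(ip -br addr | awk -v ip="$public_ip" '
      { for (i = 3; i <= NF; i++) {
          split($i, parts, "/")
          if (parts[1] == ip) { sub(/@.*/, "", $1); print $1; exit }
        } }')
  fi
  if [[ -z $iface ]]; then
    iface=$(ip -4 route show default | awk '
      { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
  fi
  printf '%s' "$iface"
}

# Turn on IPv4 forwarding now and persist it in /etc/sysctl.conf.
enable_ip_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  if [[ -f /etc/sysctl.conf ]]; then
    # rewrite a commented-out or differently valued line in place ...
    sed -i 's/^.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf
  fi
  # ... and append it if the file did not mention the key at all
  if ! grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf 2>/dev/null; then
    printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.conf
  fi
  # reload so the file and the running kernel agree
  sysctl -p
}

#######################################
# Install WireGuard, create wg0 with a fresh key pair, write a persistent
# wg0.conf with NAT rules and enable the wg-quick unit.
# Globals:   WG0ADDRESS, WG0PORT, OUR_OWN_IP (read, all optional)
# Returns:   0 on success, 1 on any failed step
#######################################
main() {
  local wg0_conf=/etc/wireguard/wg0.conf
  local wg0_address=${WG0ADDRESS:-192.168.88.1/24}
  local wg0_port=${WG0PORT:-51820}
  local public_ip wan_if

  [[ $EUID -eq 0 ]] || { warn "this script needs to be run as root"; return 1; }

  # ###########################################
  # Delete any old config
  # ###########################################

  # the previous wg0.conf (old private key and all peers) is kept as
  # wg0.conf.bak so a rerun cannot silently wipe a working setup
  if [[ -f $wg0_conf ]]; then
    mv -f -- "$wg0_conf" "$wg0_conf.bak"
  fi
  rm -f -- /etc/wireguard/privatekey /etc/wireguard/publickey

  if ip link show dev wg0 >/dev/null 2>&1; then
    ip link delete dev wg0
  fi

  # ###############################
  # update the software sources
  # ###############################

  apt update
  apt install -y software-properties-common curl qrencode || return 1

  # this will succeed on Ubuntu 18 but fail on Debian 11 (wireguard is in the
  # main repos there) - let's just ignore the failure
  add-apt-repository -y ppa:wireguard/wireguard >/dev/null 2>&1 || true

  # ###############################
  # install wireguard
  # ###############################

  apt install -y wireguard || return 1
  command -v wg >/dev/null 2>&1 || { warn "wg not found after install - aborting"; return 1; }

  # let's also clean up a little bit
  # in case some redundant packages exist
  apt -y autoremove

  # ###############################
  # generate a key pair
  # ###############################

  # everything created under /etc/wireguard from here on holds key material:
  # make it owner-readable only
  umask 077
  wg genkey > /etc/wireguard/privatekey || return 1
  wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey || return 1

  # ###############################
  # enable routing
  # ###############################

  enable_ip_forwarding

  # ###########################################
  # define the wg0 interface
  # ###########################################

  ip link add dev wg0 type wireguard || return 1
  ip address add dev wg0 "$wg0_address" || return 1
  wg set wg0 private-key /etc/wireguard/privatekey listen-port "$wg0_port" || return 1

  # ###########################################
  # make it persistent
  # ###########################################

  # the interface is not brought up here; wg-quick does that from wg0.conf
  # (via addpeer.sh or the systemd unit enabled below).  showconf does not
  # know the IP address, so we add it by hand; SaveConfig makes wg-quick write
  # peers added at runtime back into this file.
  wg showconf wg0 > "$wg0_conf" || return 1
  cat >> "$wg0_conf" <<EOF
Address=$wg0_address
SaveConfig = true
EOF

  # find our own public IP address (from the internet, unless OUR_OWN_IP is
  # given) and the interface it lives on
  public_ip=${OUR_OWN_IP:-$(fetch_public_ip)}
  wan_if=$(find_wan_interface "$public_ip")
  if [[ -z $wan_if ]]; then
    warn "WAN interface not found - add the PostUp/PostDown iptables lines to $wg0_conf by hand"
    return 1
  fi
  printf 'our interface:%s:\n' "$wan_if"

  # At this point our VPN server would just be a router, but we want it to
  # mask the clients' addresses - the ISP would not route 192.168.88.x - so
  # forwarding and NAT rules are added when the interface comes up.
  # Nothing here opens UDP port $wg0_port in the INPUT chain; do that yourself
  # if your firewall drops incoming traffic by default.
  cat >> "$wg0_conf" <<EOF
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE
EOF

  # ###########################################################
  # this will automatically bring up the interface after reboot
  # ###########################################################

  systemctl enable wg-quick@wg0.service
}

main "$@"
--------------------------------------------------------------------------------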