Merge master into branch multiple-client

2024-06-05 04:50:49 +00:00 · 2020-04-08 14:05:11 +02:00 · 2020-04-08 14:05:11 +02:00 · e761f37d07
commit e761f37d07
parent 0bd4fb3039 7c2e299a02
3 changed files with 35 additions and 22 deletions
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -8,6 +8,6 @@ jobs:
    - name: shellcheck
      uses: ludeeus/action-shellcheck@0.0.1
      env:
-        SHELLCHECK_OPTS: -e SC1091,SC1117
+        SHELLCHECK_OPTS: -e SC1091,SC1117,SC2001
      with:
        args: wireguard-install.sh
--- a/README.md
+++ b/README.md
@ -1,6 +1,13 @@
 # WireGuard installer

-Easily set up a dual-stack [WireGuard](https://www.wireguard.com/) VPN on a Linux server. See the issues for the WIP.
+**This project is a bash script that aims to setup a [WireGuard](https://www.wireguard.com/) VPN on a Linux server, as easily as possible!**
+
+WireGuard is a point-to-point VPN that can be used in different ways. Here, we mean a VPN as in: the client will forward all its traffic trough an encrypted tunnel to the server.
+The server will apply NAT to the client's traffic so it will appear as if the client is browsing the web with the server's IP.
+
+The script supports both IPv4 and IPv6. Please check the [issues](https://github.com/angristan/wireguard-install/issues) for ongoing development, bugs and planned features!
+
+WireGuard does not fit your environment? Check out [openvpn-install](https://github.com/angristan/openvpn-install).

 ## Requirements

@ -9,7 +16,7 @@ Supported distributions:
 - Ubuntu
 - Debian
 - Fedora
- Centos
+- CentOS
 - Arch Linux

 I recommend these cheap cloud providers for your VPN server:
@ -20,19 +27,14 @@ I recommend these cheap cloud providers for your VPN server:

 ## Usage

-First, get the script and make it executable :
+Download and execute the script. Answer the questions asked by the script and it will take care of the rest.

 ```bash
 curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
 chmod +x wireguard-install.sh
-```
-
-Then run it :
-
-```sh
 ./wireguard-install.sh
 ```

-It will install wireguard on the server, configure, create a systemd service and a client configuration file. Mutliple clients are not yet supported.
+It will install WireGuard (kernel module and tools) on the server, configure it, create a systemd service and a client configuration file. Multiple clients are not yet supported. (WIP!)

 Contributions are welcome!
--- a/wireguard-install.sh
+++ b/wireguard-install.sh
@ -96,7 +96,8 @@ if [[ -e /etc/debian_version ]]; then
    source /etc/os-release
    OS=$ID # debian or ubuntu
 elif [[ -e /etc/fedora-release ]]; then
-    OS=fedora
+    source /etc/os-release
+    OS=$ID
 elif [[ -e /etc/centos-release ]]; then
    OS=centos
 elif [[ -e /etc/arch-release ]]; then
@ -118,13 +119,14 @@ SERVER_WG_NIC="wg0"
 read -rp "WireGuard interface name: " -e -i "$SERVER_WG_NIC" SERVER_WG_NIC

 SERVER_WG_IPV4="10.66.66.1"
-read -rp "Server's WireGuard IPv4 " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4
+read -rp "Server's WireGuard IPv4: " -e -i "$SERVER_WG_IPV4" SERVER_WG_IPV4

 SERVER_WG_IPV6="fd42:42:42::1"
-read -rp "Server's WireGuard IPv6 " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6
+read -rp "Server's WireGuard IPv6: " -e -i "$SERVER_WG_IPV6" SERVER_WG_IPV6

-SERVER_PORT=1194
-read -rp "Server's WireGuard port " -e -i "$SERVER_PORT" SERVER_PORT
+# Generate random number within private ports range
+SERVER_PORT=$(shuf -i49152-65535 -n1)
+read -rp "Server's WireGuard port: " -e -i "$SERVER_PORT" SERVER_PORT

 # Install WireGuard tools and module
 if [[ "$OS" = 'ubuntu' ]]; then
@ -140,9 +142,12 @@ elif [[ "$OS" = 'debian' ]]; then
    apt-get install -y "linux-headers-$(uname -r)"
    apt-get install -y wireguard iptables resolvconf qrencode
 elif [[ "$OS" = 'fedora' ]]; then
-    dnf install -y dnf-plugins-core
-    dnf copr enable -y jdoss/wireguard
-    dnf install -y wireguard-dkms wireguard-tools iptables qrencode
+    if [[ "$VERSION_ID" -lt 32 ]]; then
+        dnf install -y dnf-plugins-core
+        dnf copr enable -y jdoss/wireguard
+        dnf install -y wireguard-dkms
+    fi
+    dnf install -y wireguard-tools iptables qrencode
 elif [[ "$OS" = 'centos' ]]; then
    curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    yum -y install epel-release
@ -177,11 +182,17 @@ source /etc/wireguard/params
 echo "[Interface]
 Address = $SERVER_WG_IPV4/24,$SERVER_WG_IPV6/64
 ListenPort = $SERVER_PORT
+PrivateKey = $SERVER_PRIV_KEY" > "/etc/wireguard/$SERVER_WG_NIC.conf"

-PrivateKey = $SERVER_PRIV_KEY
-
-PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
-PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" > "/etc/wireguard/$SERVER_WG_NIC.conf"
+if [ -x "$(command -v firewall-cmd)" ]; then
+    FIREWALLD_IPV4_ADDRESS=$(echo "$SERVER_WG_IPV4" | cut -d"." -f1-3)".0"
+    FIREWALLD_IPV6_ADDRESS=$(echo "$SERVER_WG_IPV6" | sed 's/:[^:]*$/:0/')
+    echo "PostUp = firewall-cmd --add-port $SERVER_PORT/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'
+PostDown = firewall-cmd --remove-port $SERVER_PORT/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=$FIREWALLD_IPV4_ADDRESS/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=$FIREWALLD_IPV6_ADDRESS/24 masquerade'" >> "/etc/wireguard/$SERVER_WG_NIC.conf"
+else
+    echo "PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE
+PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $SERVER_PUB_NIC -j MASQUERADE" >> "/etc/wireguard/$SERVER_WG_NIC.conf"
+fi

 # Enable routing on the server
 echo "net.ipv4.ip_forward = 1