WireGuard setup Server Side
#!/bin/bash
### Author ###
# By : Mehran Goudarzi
# Release : 2018-10-24
# Update : 2018-12-22
# Description : WireGuard Automation - Server Side
# Version : 1.3
###############
### Color's ###
# ANSI escape sequences for coloured status output. They are stored as the
# literal backslash form and interpreted by `echo -e` at print time. Only
# GREEN and SET are used later in this script; the rest are available for
# extensions.
DARKGRAY='\033[1;30m'     # bold black
RED='\033[0;31m'          # red
LIGHTRED='\033[1;31m'     # bold red
GREEN='\033[0;32m'        # green, used for the [OK] markers
YELLOW='\033[1;33m'       # bold yellow
BLUE='\033[0;34m'         # blue
PURPLE='\033[0;35m'       # purple
LIGHTPURPLE='\033[1;35m'  # bold purple
CYAN='\033[0;36m'         # cyan
WHITE='\033[1;37m'        # bold white
SET='\033[0m'             # reset all attributes
###############
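# --- Packages -------------------------------------------------------------
# Everything that follows (apt-get, /etc/wireguard, iptables, sysctl) needs
# root; refuse up front instead of failing half-way with all output hidden.
if [[ "$EUID" -ne 0 ]]; then
  echo "[!] This script must be run as root" >&2
  exit 1
fi
echo -n "[*] Updating Packages..." >&2
# -y answers the "Press ENTER to continue" prompt (the original piped a
# newline into stdin for the same effect). NOTE(review): this PPA predates
# WireGuard's merge into the mainline kernel; on current Ubuntu releases the
# `wireguard` package is in the main archive and the PPA step can be dropped.
add-apt-repository -y ppa:wireguard/wireguard >/dev/null 2>&1
apt-get update >/dev/null 2>&1
# The install is the one step everything else depends on (`wg`, `wg-quick`,
# `qrencode`). Its output stays silenced, so check the exit status here
# rather than discovering the problem when `wg genkey` fails later.
if ! apt-get install -y wireguard-dkms wireguard-tools "linux-headers-$(uname -r)" qrencode >/dev/null 2>&1; then
  echo " Failed (apt-get install returned non-zero; re-run without the output redirection to see why)" >&2
  exit 1
fi
echo " Done" >&2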
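echo -n "[*] Generate server and client keys..." >&2
# Private keys are written to disk below: make every file created from here
# on owner-only (0600) so they are never world-readable.
umask 077
# One directory for keys, client configs and QR codes. The original wrote via
# `~/config` and read back via `/root/config`; those diverge whenever HOME is
# not /root (e.g. `sudo` with HOME preserved), so use one spelling throughout.
config_dir="$HOME/config"
mkdir -p "$config_dir"
#######################################
# Generate a WireGuard key pair for one peer.
# Arguments: $1 - peer name (file prefix)
# Outputs:   $config_dir/<name>_private_key and <name>_public_key
# Returns:   non-zero if `wg pubkey` fails (e.g. wg not installed)
#######################################
gen_keypair() {
  local name=$1
  wg genkey | tee "$config_dir/${name}_private_key" | wg pubkey > "$config_dir/${name}_public_key"
}
for peer in server ios macos client1 client2; do
  if ! gen_keypair "$peer"; then
    echo " Failed (wg genkey/pubkey for $peer)" >&2
    exit 1
  fi
done
# Read the keys back into the variables the config templates below expand.
server_private_key=$(< "$config_dir/server_private_key")
server_public_key=$(< "$config_dir/server_public_key")
ios_private_key=$(< "$config_dir/ios_private_key")
ios_public_key=$(< "$config_dir/ios_public_key")
macos_private_key=$(< "$config_dir/macos_private_key")
macos_public_key=$(< "$config_dir/macos_public_key")
client1_private_key=$(< "$config_dir/client1_private_key")
client1_public_key=$(< "$config_dir/client1_public_key")
client2_private_key=$(< "$config_dir/client2_private_key")
client2_public_key=$(< "$config_dir/client2_public_key")
# Public address that goes into every client's Endpoint line. Fetch it over
# HTTPS (the original used plain HTTP) so the value cannot be altered in
# transit, and abort on an empty answer rather than emitting "Endpoint = :51820".
server_ip=$(curl -fsS https://ipinfo.io/ip) || server_ip=
if [[ -z "$server_ip" ]]; then
  echo " Failed (could not determine the public IP via ipinfo.io; set server_ip by hand)" >&2
  exit 1
fi
port=51820   # WireGuard UDP listen port; opened in the firewall section below
echo " Done" >&2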
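echo -n "[*] Generate server config..." >&2
# /etc/wireguard is normally created by wireguard-tools; create it
# defensively so the redirect below cannot fail on a bare system.
mkdir -p /etc/wireguard
# Server side of the tunnel: the server owns 10.200.200.1/24 and each peer is
# pinned to a single /32, so a client cannot claim another client's address.
# SaveConfig = true makes wg-quick rewrite this file from the running state
# when the interface is brought down, so manual edits made while wg0 is up
# are overwritten. A here-doc replaces the multi-line echo; the content is
# identical.
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PrivateKey = $server_private_key
ListenPort = $port
[Peer]
PublicKey = $ios_public_key
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = $macos_public_key
AllowedIPs = 10.200.200.3/32
[Peer]
PublicKey = $client1_public_key
AllowedIPs = 10.200.200.4/32
[Peer]
PublicKey = $client2_public_key
AllowedIPs = 10.200.200.5/32
EOF
echo " Done" >&2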
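echo -n "[*] Generate Clients config..." >&2
#######################################
# Write one client-side WireGuard config.
# Globals:   server_public_key, server_ip, port (read)
# Arguments: $1 - tunnel address for this client (e.g. 10.200.200.2/32)
#            $2 - this client's private key
#            $3 - output path
# Outputs:   the config file at $3 (owner-only, under the script's umask 077)
#######################################
write_client_conf() {
  local address=$1 private_key=$2 outfile=$3
  # AllowedIPs = 0.0.0.0/0 sends all IPv4 through the tunnel; no IPv6 range
  # is listed, so IPv6 traffic is not routed through it. DNS points at the
  # unbound resolver that the server-side DNS section sets up.
  cat > "$outfile" <<EOF
[Interface]
Address = $address
PrivateKey = $private_key
DNS = 10.200.200.1
[Peer]
PublicKey = $server_public_key
Endpoint = $server_ip:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
EOF
}
write_client_conf 10.200.200.2/32 "$ios_private_key"     "$HOME/config/ios_client.conf"
write_client_conf 10.200.200.3/32 "$macos_private_key"   "$HOME/config/macos_client.conf"
# The original wrote this one to ~/config/lient1.conf (typo), so the QR-code
# step that reads client1.conf at the end of the script could not find it.
write_client_conf 10.200.200.4/32 "$client1_private_key" "$HOME/config/client1.conf"
write_client_conf 10.200.200.5/32 "$client2_private_key" "$HOME/config/client2.conf"
echo " Done" >&2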
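echo -n "[*] Enable the WireGuard interface on the server..." >&2
# The config embeds the server private key: root-only, like the key files.
# Without -v these print nothing on success, so no redirection is needed and
# a genuine failure is no longer hidden.
chown root:root /etc/wireguard/wg0.conf
chmod 600 /etc/wireguard/wg0.conf
# wg-quick reports config errors (bad key, port in use, missing kernel
# module) via its exit status; stop here instead of at the interface check.
if ! wg-quick up wg0 >/dev/null 2>&1; then
  echo " Failed (wg-quick up wg0 returned non-zero)" >&2
  exit 1
fi
systemctl enable wg-quick@wg0.service >/dev/null 2>&1 #Enable the interface at boot
echo " Done" >&2
echo -n "[*] Check WireGuard interface is up or not ..." >&2
# `ifconfig` (net-tools) is not installed by default on recent Ubuntu, so the
# original grep over its output reported "Failed" even with a working tunnel.
# Ask iproute2 for the wg0 link directly.
if ip link show wg0 >/dev/null 2>&1; then
  echo -e " Interface is UP ${GREEN}[OK]${SET}" >&2
else
  echo " Failed" >&2
  exit 1
fi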
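echo -n "[*] Enable IP forwarding on the server ..." >&2
# Persist across reboots: uncomment the stock template line if present,
# otherwise append the setting. The original sed alone was a no-op on a
# sysctl.conf that lacks the commented-out line.
sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
if ! grep -Eq '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf; then
  echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
sysctl -p >/dev/null 2>&1
# Apply immediately, without waiting for a reboot.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " Done" >&2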
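echo -n "[*] Configure firewall rules on the server..." >&2
# NAT the VPN subnet out of whichever interface carries the default route.
# The original hard-coded eth0; on hosts with predictable interface names
# (ens3, enp0s3, ...) the MASQUERADE rule then matched nothing and clients
# got a tunnel with no internet. Fall back to eth0 if no default route exists.
egress_if=$(ip -4 route show default 2>/dev/null | awk '/^default/ {print $5; exit}')
egress_if=${egress_if:-eth0}
# Start from an empty ruleset. NOTE(review): this discards any rules another
# tool (ufw, a cloud agent) installed, and because all three policies stay
# ACCEPT the ACCEPT rules below do not restrict anything on their own — they
# only take effect if the policies are later switched to DROP.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# WireGuard listen port from anywhere; DNS (unbound) only from the tunnel.
iptables -A INPUT -p udp -m udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Traffic between tunnel peers (in and out via wg0).
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o "$egress_if" -j MASQUERADE
# Persist the ruleset; noninteractive so the package's "save current rules?"
# prompt cannot block the script.
export DEBIAN_FRONTEND=noninteractive
apt-get -yq install iptables-persistent >/dev/null 2>&1
systemctl enable netfilter-persistent >/dev/null 2>&1
netfilter-persistent save >/dev/null 2>&1
echo " Done" >&2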
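echo -n "[*] Configure DNS..." >&2
apt-get install unbound unbound-host -y >/dev/null 2>&1
# Root hints so unbound can resolve from the root servers itself. -f makes
# curl exit non-zero on an HTTP error instead of saving the error page as the
# hints file.
curl -fsS -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache >/dev/null 2>&1
# Free port 53 on the host. NOTE(review): nothing below rewrites
# /etc/resolv.conf; if it still points at the resolved stub (127.0.0.53) the
# server itself has no working resolver after this step — point it at
# 127.0.0.1, which unbound serves.
systemctl disable systemd-resolved.service >/dev/null 2>&1
service systemd-resolved stop >/dev/null 2>&1
# Replace unbound.conf wholesale. NOTE(review): on Debian/Ubuntu this also
# drops the stock `include:` of /etc/unbound/unbound.conf.d/*.conf. A quoted
# here-doc keeps the double-quoted paths literally; in the original
# `echo "..."` the inner quotes ended the shell string and were lost.
# `interface: 0.0.0.0` listens on every IPv4 address including the public
# one, so the access-control lines are the only thing keeping outside
# clients from using this resolver (the firewall policy above is ACCEPT).
cat > /etc/unbound/unbound.conf <<'EOF'
server:
num-threads: 4
#Enable logs
verbosity: 1
#list of Root DNS Server
root-hints: "/var/lib/unbound/root.hints"
#Use the root servers key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
#Respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
#Authorized IPs to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.200.200.0/24 allow
#not allowed to be returned for public internet names
private-address: 10.200.200.0/24
# Hide DNS Server info
hide-identity: yes
hide-version: yes
#Limit DNS Fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
#Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000000
#Have the validator print validation failures to the log.
val-log-level: 1
#Minimum lifetime of cache entries in seconds
cache-min-ttl: 1800
#Maximum lifetime of cached entries
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
EOF
chown -R unbound:unbound /var/lib/unbound >/dev/null 2>&1
systemctl enable unbound >/dev/null 2>&1
# A config typo used to be silent here; surface it (`unbound-checkconf`
# shows the exact complaint when re-run by hand).
if ! service unbound restart >/dev/null 2>&1; then
  echo " Failed (unbound did not restart; run unbound-checkconf to see why)" >&2
  exit 1
fi
echo " Done" >&2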
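echo -n "[*] Preparing QR-Code..." >&2
# The client configs embed each client's private key, so the QR codes are
# exactly as sensitive as the configs; they are written into the same
# owner-only directory (umask 077 set earlier). `-t ansiutf8` emits terminal
# text, not image data — the original saved that text under a .jpg name.
# Write real PNGs to disk and render the iOS code on the terminal separately.
qrencode -t png -o "$HOME/config/ios_Qcode.png" < "$HOME/config/ios_client.conf"
qrencode -t png -o "$HOME/config/client1_Qcode.png" < "$HOME/config/client1.conf"
qrencode -t ansiutf8 < "$HOME/config/ios_client.conf"
echo " Done" >&2
echo -e "${GREEN}[*] Your WireGuard Server is Ready to Use!${SET}"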