my-ubuntu-20.04-svr.sh
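#!/usr/bin/env bash
# Provisioning script for a fresh Ubuntu 20.04 server: passwordless sudo for the
# invoking user, base packages, oh-my-zsh + powerlevel10k, unbound (DNS for the
# VPN), a WireGuard server with one pre-generated client, and iptables rules.
# Run as the regular (non-root) admin user; the script calls sudo itself.
# don't copy this line when installing
export _XERT_DONTRUN="true"
# The "?nonce=" query string defeats the gist raw-URL cache so the newest
# revision is fetched. Note that this pipes whatever the gist currently serves
# straight into bash, so review the revision (or pin it by commit) first.
# Copy the below 2 lines to install
CONFIG_MY_SVR_URL="https://gist.githubusercontent.com/XertroV/898436fe500f264a1fabeac889196f9e/raw/my-ubuntu-20.04-svr.sh"
if [[ "$_XERT_DONTRUN" == "" ]]; then curl "$CONFIG_MY_SVR_URL?nonce=$(date +%s)" | bash; fi
# Dotfiles installed for the user by the zsh step below.
ZSHRC_MAID_URL="https://gist.githubusercontent.com/XertroV/6b9bbe298edff882b202c189e18b9c26/raw/.zshrc"
P10K_MAID_URL="https://gist.githubusercontent.com/XertroV/4c2e5c5ae5bead72558295e7e464b203/raw/.p10k.zsh"
# The user that gets passwordless sudo and the zsh login shell.
NORM_USER="$USER"
# Was `PRE_DIR = "$PWD"`: with spaces around "=" bash runs a command named
# PRE_DIR instead of assigning. Nothing reads PRE_DIR later, but keep it valid.
PRE_DIR="$PWD"
# Refuse to run as root: the sudoers and chsh steps below act on $NORM_USER and
# make no sense for root. The original only printed the message and carried on.
if [[ "$NORM_USER" == "root" ]]; then
  echo "Run as regular user, not root" >&2
  exit 1
fi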
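# `alias echo="echo -e"` used to be here. Aliases are not expanded in
# non-interactive bash (expand_aliases is off), so it never took effect; the
# script already passes -e explicitly where it matters. Dropped.
#
# Grant $NORM_USER passwordless sudo through a drop-in in /etc/sudoers.d rather
# than appending to /etc/sudoers: the drop-in is checked with visudo before it
# is left in place, so a malformed line cannot lock sudo for the whole machine.
# Dots are not allowed in sudoers.d file names (sudo skips such files).
SUDOERS_DROPIN="/etc/sudoers.d/90-nopasswd-${NORM_USER//./_}"
printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$NORM_USER" | sudo tee "$SUDOERS_DROPIN" > /dev/null
sudo chmod 0440 "$SUDOERS_DROPIN"
if ! sudo visudo -cf "$SUDOERS_DROPIN"; then
  sudo rm -f -- "$SUDOERS_DROPIN"
  echo "sudoers drop-in failed validation and was removed" >&2
  exit 1
fi
# Base system update and the tools the rest of the script relies on
# (git for the p10k clone, zsh for chsh, net-tools/dnsutils for diagnostics).
sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt install git build-essential zsh net-tools dnsutils -y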
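# Install oh-my-zsh + powerlevel10k and the author's dotfiles for $NORM_USER,
# unless ~/.oh-my-zsh already exists. Set FORCE_ZSH to any non-empty value to
# redo the install over an existing one.
if [[ ! -d ~/.oh-my-zsh || "$FORCE_ZSH" != "" ]]; then
  # Upstream installer, unattended; the "" is the $0 placeholder for `sh -c`.
  sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
  # $HOME rather than ~ so the whole path can be quoted (tilde does not expand
  # inside double quotes; the original left the expansion unquoted instead).
  git clone --depth=1 https://github.com/romkatv/powerlevel10k.git "${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k"
  # Overwrite the rc files with the gist versions (nonce busts the raw-URL cache).
  wget "$ZSHRC_MAID_URL?nonce=$(date +%s)" -O ~/.zshrc
  wget "$P10K_MAID_URL?nonce=$(date +%s)" -O ~/.p10k.zsh
  # sed -i 's=robbyrussell=powerlevel10k/powerlevel10k=' ~/.zshrc
  # Quoted: a user name is not expected to contain spaces, but keep it safe.
  sudo chsh -s /bin/zsh "$NORM_USER"
fi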
# Turn on IPv4 forwarding so the box can route VPN client traffic:
# persistently by uncommenting the line in sysctl.conf, and immediately by
# poking /proc so no reboot is needed.
sudo sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
sudo sysctl -p
printf '1\n' | sudo tee /proc/sys/net/ipv4/ip_forward
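# DNS for VPN and w/e
# Runs as root. The delimiter is quoted because nothing in the body needs
# expansion by the outer shell. set -e so a failed download does not leave a
# half-configured unbound enabled at boot.
sudo bash <<'EOF'
set -e
apt-get install unbound unbound-host -y
# -f: fail on HTTP errors instead of saving an error page as root.hints / the
# unbound conf (the original had no -f and could leave garbage in both files).
# -sS: quiet progress but still print errors; -L: follow redirects.
curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
# Unbound config for the VPN subnet, fetched unpinned from a gist.
curl -fsSL -o /etc/unbound/unbound.conf.d/wireguard.conf https://gist.githubusercontent.com/XertroV/d5779229a53f79e3b46a8acee3df8c58/raw/wireguard.conf
chown -R unbound:unbound /var/lib/unbound
systemctl enable unbound
EOF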
# VPNs are good -- WIREGUARD
# UDP port the server listens on; written into wg0.conf below and echoed in
# the final instructions.
WG_PORT='51820'
# Package install as root. The delimiter is deliberately unquoted: $(uname -r)
# is expanded by the outer, non-root shell, which is fine because it is the
# same host and kernel. NOTE(review): on Ubuntu 20.04 wireguard-tools is in the
# standard repos and the 5.4 kernel carries the module, so the PPA and the
# dkms package may be unnecessary — verify before relying on this.
sudo bash <<EOF
add-apt-repository ppa:wireguard/wireguard -y
apt-get update
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r) -y
EOF
# Key generation and WireGuard config, all executed as root via `sudo bash`.
# Because the inner shell is root, `~/.wg` is root's home directory, not
# $NORM_USER's (NOTE(review): typically /root/.wg — confirm; sudo's HOME
# handling differs between versions). Both key pairs and wg0-client.conf
# therefore end up there, owner-only thanks to `umask 077`.
# Expansion rules, since the EOF1 delimiter is unquoted:
#   - $WG_PORT is filled in by the outer shell before the text reaches root.
#   - \$(cat ./...) is escaped, so the key files are read by the inner root
#     shell at the moment each config is written; no key is ever placed on a
#     command line.
# The `sudo tee` for wg0.conf is redundant (already root) but harmless.
# The client config is written with `tee`, so it — including the client's
# private key — is also printed to stdout; keep that in mind if the script's
# output is logged or captured.
# Endpoint in the client config is a placeholder (THE_FQDN... / 5_THE_PORT_5)
# that must be replaced by hand with the server's public name and the
# forwarded port. The client's AllowedIPs only covers the server's VPN
# address, so per this config only traffic to 192.168.13.37 uses the tunnel.
# SaveConfig = true: per wg-quick(8) the interface config is rewritten from
# runtime state on `wg-quick down`, so peers added later with `wg set` persist.
cat << EOF1 | sudo bash
umask 077
mkdir -p ~/.wg
cd ~/.wg
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genkey | tee client_private_key | wg pubkey > client_public_key
cat << EOF2 | sudo tee /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.13.37/24
SaveConfig = true
PrivateKey = \$(cat ./server_private_key)
ListenPort = $WG_PORT
[Peer]
PublicKey = \$(cat ./client_public_key)
AllowedIPs = 192.168.13.38/32
EOF2
cat << EOF2 | tee wg0-client.conf
[Interface]
Address = 192.168.13.38/32
PrivateKey = \$(cat ./client_private_key)
DNS = 192.168.13.37
[Peer]
PublicKey = \$(cat ./server_public_key)
Endpoint = THE_FQDN.fish.xk.io:5_THE_PORT_5
AllowedIPs = 192.168.13.37/32
PersistentKeepalive = 21
EOF2
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service #Enable the interface at boot
EOF1
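# Guess the uplink interface (the one carrying the default route) and its
# IPv4 address. Used for the MASQUERADE rule and the final port-forward hint.
# The original regex-parsed the first line of `ip route show`, which is only
# the default route by coincidence; ask for the default route explicitly and
# take the word after "dev".
MY_NIC_GUESS="$(ip route show default | head -n 1 | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')"
# Fall back to the name the original hard-coded so a failed guess still
# produces a syntactically valid iptables rule.
MY_NIC_GUESS="${MY_NIC_GUESS:-eth0}"
# Was `... | col2 | ...`: col2 is not a standard command (presumably an alias on
# the author's own machine), so MY_IP_GUESS was always empty in the final message.
MY_IP_GUESS="$(ip -4 addr show dev "$MY_NIC_GUESS" | awk '/inet / { print $2; exit }' | cut -d '/' -f 1)"
# Firewall rules, run as root. Delimiter unquoted on purpose: $WG_PORT and
# $MY_NIC_GUESS are substituted by the outer shell. These rules only ACCEPT and
# the chains' default policies are left alone, so on a stock install (policy
# ACCEPT) they document intent more than they restrict anything.
sudo bash <<EOF
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# WireGuard listener: same port variable wg0.conf was written with
# (the original hard-coded 51820 here, so changing WG_PORT silently broke it).
iptables -A INPUT -p udp -m udp --dport $WG_PORT -m conntrack --ctstate NEW -j ACCEPT
# Unbound is reachable only from the VPN subnet.
iptables -A INPUT -s 192.168.13.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 192.168.13.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
# NAT VPN traffic out of the detected uplink. The original hard-coded eth0,
# which is usually not the name on 20.04 (predictable names such as ens3/enp0s3).
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -o $MY_NIC_GUESS -j MASQUERADE
# we should finish any/all iptables before this point bc iptables-persistent only saves automatically on install
apt-get install -y iptables-persistent
systemctl enable netfilter-persistent
netfilter-persistent save
EOF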
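# finalization messages
# Manual steps that remain after the script: the server's public endpoint
# and the client bundle are not something this script can do on its own.
echo -e "ACTION: Port forward a port to $MY_IP_GUESS:$WG_PORT for wireguard. Distribute client key and config for remote use."
echo -e "\n"
# Kept as a literal (escaped \$) so the client runs uname -r on its own kernel.
echo -e "ACTION: run on ubuntu clients to install wireguard:\n\n sudo bash -c 'add-apt-repository -y ppa:wireguard/wireguard && apt-get update && apt-get install -y wireguard-dkms wireguard-tools linux-headers-\$(uname -r)'"
echo -e "Then put wg0-client.conf in the client's /etc/wireguard/ folder, and run 'sudo wg-quick up wg0-client' to start, and 'sudo wg-quick down wg0-client' to stop"
# The original said just "wg0-client.conf", which is misleading: the key-generation
# step ran under sudo, so the file was written to ~/.wg of root, not of $NORM_USER.
echo -e "wg0-client lives at: ~/.wg/wg0-client.conf of root (generated via sudo) - e.g. sudo cat ~root/.wg/wg0-client.conf"
echo -e "\n"
echo -e "Check wireguard status: sudo wg show"
echo -e "Persist client conn: sudo systemctl enable wg-quick@wg0-client.service"
echo -e "Generate new user: wg genkey | tee new_client_private_key2 | wg pubkey > new_client_public_key2"
echo -e "Add new user to server: wg set wg0 peer <new_client_public_key> allowed-ips <new_client_vpn_IP>/32"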