#!/usr/bin/env bash
# Ubuntu server bootstrap for a WireGuard VPN host.
# What the visible code does: grants $NORM_USER passwordless sudo, upgrades
# packages, installs oh-my-zsh + powerlevel10k, enables IPv4 forwarding,
# installs unbound and WireGuard, generates a server/client key pair, writes
# wg0 server and client configs, adds iptables rules and persists them.
# Reads from the environment (all must be set by whoever sources/runs this):
#   CONFIG_MY_SVR_URL, NORM_USER, FORCE_ZSH, ZSH_CUSTOM, ZSHRC_MAID_URL,
#   P10K_MAID_URL, WG_PORT
# NOTE(review): this listing appears to have been garbled by the page
# rendering -- the closing `fi` of the NORM_USER check, the EOF/EOF1/EOF2
# heredoc terminators, and several URL / address arguments (curl, git clone,
# iptables -s, Address/Endpoint/AllowedIPs) are not visible. Confirm every
# such gap against the original file before running any of this.
# Guard variable: when set, the self-download on the next `if` line is
# skipped, so running this file directly does not re-fetch itself.
# don't copy this line when installing
export _XERT_DONTRUN="true"
# Self-install: fetches the script from $CONFIG_MY_SVR_URL (the ?nonce=
# timestamp is only a cache-buster) and pipes it straight into bash.
# Remote code executed as the current user with no integrity check (no
# pinned hash/signature); `curl` is run without -f, so an HTTP error body
# would be piped into bash as well.
# Copy the below 2 lines to install
if [[ "$_XERT_DONTRUN" == "" ]]; then curl "$CONFIG_MY_SVR_URL?nonce=$(date +%s)" | bash; fi
# Only prints a warning when run as root -- no `exit` is visible after the
# echo, so execution appears to continue regardless. The matching `fi` is
# not visible in this listing.
if [[ "$NORM_USER" == "root" ]]; then
echo "Run as regular user, not root";
# Aliases are not expanded in a non-interactive bash script unless
# `shopt -s expand_aliases` is set, so this line has no effect here; the
# finalization messages below pass -e explicitly anyway.
alias echo="echo -e"
# Timestamped backup of /etc/sudoers before editing it.
sudo cp /etc/sudoers{,.back$(date +%s)}
# Appends an unrestricted passwordless-root rule for $NORM_USER directly
# with `tee -a` -- not via visudo, so no syntax validation: if NORM_USER is
# empty or the line is malformed, sudo can be broken for every account.
# This grants that user full root without a password; review is warranted.
echo "$NORM_USER ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers
# Base package refresh/upgrade and build/network tooling.
sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt install git build-essential zsh net-tools dnsutils -y
# Install oh-my-zsh when it is absent, or always when FORCE_ZSH is non-empty.
if [[ ! -d ~/.oh-my-zsh || "$FORCE_ZSH" != "" ]]; then
# oh-my-zsh installer via curl | sh. The installer URL is missing in this
# listing and the quoting as shown is unbalanced -- compare with the
# original before use.
sh -c "$(curl -fsSL" "" --unattended
# powerlevel10k theme clone; the repository URL is not visible here and
# the ${ZSH_CUSTOM:-...} expansion is unquoted.
git clone --depth=1 ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/themes/powerlevel10k
# Overwrites ~/.zshrc and ~/.p10k.zsh with remote files (wget -O); same
# no-integrity-check caveat as the self-install above.
wget "$ZSHRC_MAID_URL?nonce=$(date +%s)" -O ~/.zshrc
wget "$P10K_MAID_URL?nonce=$(date +%s)" -O ~/.p10k.zsh
# Theme switch is commented out; presumably the downloaded .zshrc already
# selects powerlevel10k.
# sed -i 's=robbyrussell=powerlevel10k/powerlevel10k=' ~/.zshrc
# Set zsh as login shell for $NORM_USER (unquoted expansion).
sudo chsh -s /bin/zsh $NORM_USER
# Enable IPv4 forwarding persistently: only the commented-out
# `#net.ipv4.ip_forward=1` form is matched, so an already-enabled or
# differently formatted entry is left untouched. Then reload and also set
# it immediately through /proc.
sudo sed -i 's+#net.ipv4.ip_forward=1+net.ipv4.ip_forward=1+' /etc/sysctl.conf
sudo sysctl -p
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# DNS resolver (unbound) for VPN clients. The heredoc is unquoted, so $...
# and $(...) inside it expand in the *outer* shell before `sudo bash` runs
# the text as root. The two curl -o source URLs are not visible in this
# listing.
cat << EOF | sudo bash
apt-get install unbound unbound-host -y
curl -o /var/lib/unbound/root.hints
curl -o /etc/unbound/unbound.conf.d/wireguard.conf
chown -R unbound:unbound /var/lib/unbound
systemctl enable unbound
# WireGuard install from the PPA, run as root via the same heredoc pattern.
# `$(uname -r)` is expanded by the outer shell because the delimiter is
# unquoted; same result since both shells run on this host.
cat << EOF | sudo bash
add-apt-repository ppa:wireguard/wireguard -y
apt-get update
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r) -y
# Nested heredoc (EOF1) executed by a second `sudo bash`: key generation and
# config writing happen as root, so `~/.wg` presumably resolves to root's
# home under sudo -- confirm against the sudo configuration. umask 077 makes
# the key files and wg0-client.conf mode 0600.
cat << EOF1 | sudo bash
umask 077
mkdir -p ~/.wg
cd ~/.wg
# Server and client key pairs; `tee` stores the private key, `wg pubkey`
# derives the public one.
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genkey | tee client_private_key | wg pubkey > client_public_key
# Server config (EOF2 -> /etc/wireguard/wg0.conf) followed by the client
# config (EOF2 -> ./wg0-client.conf in the inner shell's cwd). `\$(cat ...)`
# is escaped so the outermost shell passes `$(cat ...)` through and the
# inner root shell reads the key files; `$WG_PORT` is unescaped and expands
# in the outermost shell. Both configs embed a private key, as WireGuard
# requires, so the files are sensitive. Address / AllowedIPs / Endpoint
# values are missing in this listing. After the client config the original
# locks wg0.conf to root:root 0600, starts wg0 and enables it at boot.
cat << EOF2 | sudo tee /etc/wireguard/wg0.conf
Address =
SaveConfig = true
PrivateKey = \$(cat ./server_private_key)
ListenPort = $WG_PORT
PublicKey = \$(cat ./client_public_key)
AllowedIPs =
cat << EOF2 | tee wg0-client.conf
Address =
PrivateKey = \$(cat ./client_private_key)
PublicKey = \$(cat ./server_public_key)
Endpoint =
AllowedIPs =
PersistentKeepalive = 21
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service #Enable the interface at boot
# Best-effort guess of the primary NIC (from the first default route) and
# its IPv4 address. `col2` is not a standard utility -- presumably a helper
# function or alias defined elsewhere; verify it is in scope. Both
# expansions are unquoted.
MY_NIC_GUESS="$(ip route show | head -n 1 | sed -E 's=^.* dev ([a-zA-Z0-9\.\-]{2,}) proto .*$=\1=')"
MY_IP_GUESS="$(ip addr show dev $MY_NIC_GUESS | grep 'inet ' | col2 | cut -d '/' -f 1)"
# Firewall rules as root. Note the inconsistencies visible here:
#  - the UDP accept rule hard-codes 51820 while ListenPort uses $WG_PORT,
#    so clients are blocked if WG_PORT is anything else;
#  - the `-s` options on the DNS and MASQUERADE rules have no argument in
#    this listing (the VPN subnet is missing), and `-o eth0` is hard-coded
#    even though the NIC was just guessed into MY_NIC_GUESS.
cat << EOF | sudo bash
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# All iptables rules must be in place before this point: iptables-persistent
# only saves the current ruleset automatically at install time; the explicit
# `netfilter-persistent save` below covers later changes.
apt-get install -y iptables-persistent
systemctl enable netfilter-persistent
netfilter-persistent save
# Finalization messages for the operator (echo -e so the literal \n
# sequences are rendered as newlines).
echo -e "ACTION: Port forward a port to $MY_IP_GUESS:$WG_PORT for wireguard. Distribute client key and config for remote use."
echo -e "\n"
echo -e "ACTION: run on ubuntu clients to install wireguard:\n\n sudo bash -c 'add-apt-repository -y ppa:wireguard/wireguard && apt-get update && apt-get install -y wireguard-dkms wireguard-tools linux-headers-\$(uname -r)'"
echo -e "Then put wg0-client.conf in the client's /etc/wireguard/ folder, and run 'sudo wg-quick up wg0-client' to start, and 'sudo wg-quick down wg0-client' to stop"
echo -e "wg0-client lives at: wg0-client.conf"
echo -e "\n"
echo -e "Check wireguard status: sudo wg show"
echo -e "Persist client conn: sudo systemctl enable wg-quick@wg0-client.service"
echo -e "Generate new user: wg genkey | tee new_client_private_key2 | wg pubkey > new_client_public_key2"
echo -e "Add new user to server: wg set wg0 peer <new_client_public_key> allowed-ips <new_client_vpn_IP>/32"