WireGuard hub setup script, tested on Ubuntu 20.04 (intentionally unfinished: it stops with exit code 99 before the peering and enable steps)
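#!/usr/bin/env bash
# Provision a WireGuard hub on Ubuntu 20.04: ufw rules, a host key pair,
# the wg0 interface config and a systemd unit. Runs as an unprivileged user
# and escalates per command with sudo. NOTE: the script deliberately stops
# before the peering step (see `exit 99` further down) -- work in progress.
set -o errexit
set -o nounset
set -o pipefail
# Fail fast on missing tooling. Diagnostics go to stderr so that stdout only
# ever carries the public key that is printed later on.
command -v ufw &> /dev/null || { echo 'you need to install ufw' >&2; exit 1; }
command -v wg &> /dev/null || { echo 'you need to install wg' >&2; exit 1; }
command -v wg-quick &> /dev/null || { echo 'you need to install wg-quick' >&2; exit 1; }
command -v systemctl &> /dev/null || { echo "you need systemd to use $0" >&2; exit 1; }
# Loading (or confirming) the kernel module needs root like everything else
# below: an unprivileged modprobe fails with "Operation not permitted" when
# the module is not already loaded, which errexit turns into a silent abort.
sudo modprobe wireguard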
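# FIREWALLING
# ===========
# NETWORK POLICY
# SSH is opened before anything else so that `ufw --force enable` at the end
# of the script cannot lock the operator out; 51820/udp must match the
# ListenPort written into wg0.conf below.
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
# Anything arriving over the tunnel may reach the host itself. Peers are
# authenticated by their keys, so this is a trust decision about peers, not
# an open port on the internet-facing interface.
sudo ufw allow in on wg0 to any
# SYSCTL NETWORK SETTINGS
# ufw re-applies /etc/ufw/sysctl.conf on every (re)load. Append the
# forwarding switches only once so that re-running this script does not pile
# up duplicate lines. The stock file only carries a commented-out
# `#net/ipv4/ip_forward=1`, which the anchored pattern does not match.
# NOTE: forwarding alone does not route peer traffic anywhere -- ufw's
# DEFAULT_FORWARD_POLICY is DROP and no masquerade/route rule is installed
# here; that belongs to the unfinished part of the script. IPv6 forwarding is
# switched on even though wg0 only gets an IPv4 address below.
if ! sudo grep -qs '^net/ipv4/ip_forward=1' /etc/ufw/sysctl.conf; then
  sudo tee -a /etc/ufw/sysctl.conf > /dev/null <<'EOF'
# ALLOW FORWARDING ACROSS INTERFACES
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
EOF
fi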
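# WIREGUARD
# =========
# FILES AND PERMISSIONS
# Every file is created empty first, locked down, and only then written, so
# the private key is never on disk with a permissive mode. `touch` does not
# truncate, so an existing key survives a re-run. Only root needs to read
# anything in this directory, hence 700 on it.
sudo mkdir -p /etc/wireguard/
sudo chmod 700 /etc/wireguard/
sudo touch /etc/wireguard/{wg0.conf,wg0.key,wg0.pub,wg-quick@.service}
sudo chown root:root /etc/wireguard/{wg0.conf,wg0.key,wg0.pub,wg-quick@.service}
sudo chmod 600 /etc/wireguard/wg0.{conf,key}   # wg0.conf embeds the private key
sudo chmod 644 /etc/wireguard/{wg0.pub,wg-quick@.service}
# The unit has to be visible to the *system* manager that `sudo systemctl`
# talks to, i.e. /etc/systemd/system. /etc/systemd/user/ holds units for
# per-user `systemd --user` instances; a link placed there is ignored by
# `systemctl enable wg-quick@wg0`, which then silently falls back to whatever
# unit the distribution ships.
sudo ln -sf /etc/wireguard/wg-quick@.service /etc/systemd/system/wg-quick@.service
# GENERATE KEY PAIR
# Generate only while wg0.key is still empty so the host keeps its identity
# across runs. The private key never goes to stdout; the public key is
# echoed on purpose so it can be handed to peers.
test -n "$(sudo cat /etc/wireguard/wg0.key)" || wg genkey | sudo tee /etc/wireguard/wg0.key > /dev/null
sudo cat /etc/wireguard/wg0.key | wg pubkey | sudo tee /etc/wireguard/wg0.pub
# INTERFACE CONFIGURATION
# wg-quick only accepts the private key inline, so it is read into the conf.
# `tee` also copies its input to stdout, which would print the private key
# to the terminal (and into any log capturing this script) -- hence > /dev/null.
sudo tee /etc/wireguard/wg0.conf > /dev/null <<EOF
[Interface]
PrivateKey = $(sudo cat /etc/wireguard/wg0.key)
Address = 100.64.0.1/10 # RFC6598 CGNAT IPv4 RANGE [100.64.0.0, 100.127.255.255]
ListenPort = 51820
EOF
# SYSTEMD SERVICE
# A local copy of the wg-quick(8) unit (wireguard-tools normally ships an
# equivalent one); wg0 is brought up with `wg-quick up wg0` at boot. The
# here-doc is quoted: nothing in it is meant to be expanded by the shell.
sudo tee /etc/wireguard/wg-quick@.service > /dev/null <<'EOF'
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
EOF
# Harmless on a first run; required when re-running after systemd has already
# loaded an older copy of the unit, otherwise the edit is not picked up.
sudo systemctl daemon-reload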
# Everything below this point is a stub. Bail out before touching the peer
# list or enabling the firewall and service; exit code 99 marks the
# deliberate stop so it cannot be mistaken for a tooling failure (exit 1).
printf '%s\n' 'this script is not complete. quitting...'
exit 99
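# PEERING
# =======
# Stub, currently unreachable (see the exit above): appends one hard-coded
# peer to wg0.conf on every run. The here-doc is quoted on purpose -- the
# original `$(name)` inside a comment line was still command-substituted by
# the shell, and `name` is not a defined command or variable here.
# Security note: AllowedIPs is both the route *and* the source filter for
# this peer, so the whole /10 lets this one peer send traffic as any tunnel
# address. A hub with several peers should give each its own /32.
# TODO: replace the sample PublicKey with the real peer's key.
sudo tee -a /etc/wireguard/wg0.conf > /dev/null <<'EOF'
[Peer]
# Name = <peer name>
PublicKey = SPL3lFMWgWGuSTwimAYW42CUBWp1P2Q7arjabUpd2go=
AllowedIPs = 100.64.0.0/10
EOF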
# DAEMONIZE
# =========
# `--force` skips ufw's interactive "may disrupt existing ssh connections"
# prompt; 22/tcp was allowed earlier so the current session survives.
# Then bring wg0 up immediately and on every boot.
sudo ufw --force enable
sudo systemctl --now enable wg-quick@wg0.service