WireGuard-Server per Skript einrichten
#!/bin/bash
# Wireguard auf Debian/Raspbian einrichten,
# nach c't 15/2019, S. 166
# * läuft auf Raspbian oder Debian Netinst (Buster)
# * bitte nur auf frischen Installationen verwenden
# * Skript überschreibt Netzwerkkonfiguration
# * als pi (Raspbian) oder als root/passwortloses sudo (Debian) ausführen
# * schreibt Protokoll nach /var/log/wgstrap.log
# * zweistufiger Prozess, der einen Reboot erfordert
# * anschließend einfach das Skript erneut starten
# * QR-Code kann WireGuard-Client scannen für interne Testverbindung
# * ddclient wird nur eingerichtet und gepatcht
# * Port-Weiterleitung und DynDNS-Setup sind von Hand zu erledigen
# * evtl. springt die IP-Adresse des Geräts während der Einrichtung
# => Benutzung auf eigene Gefahr! (Das Skript bindet Debian unstable als Paketquelle ein, lädt das
#    debian-archive-keyring-Paket sowie einen ddclient-Patch aus dem Netz und spielt beide als root ein.)
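set -e

# --- Constants ---------------------------------------------------------------
# Script version, shown in the log banner.
VER=100
# Tunnel addresses: the server takes .1 / ::1, the first test client .100 / ::100.
IPV6HOST=fd00:24::1
IPV6CLIENT=fd00:24::100
IPV4HOST=192.168.24.1
IPV4CLIENT=192.168.24.100

# --- Platform and privilege detection ------------------------------------------
ID=$(id -un)
# uname -m is the machine field alone; grepping `uname -a` would also match a
# hostname or kernel version string that happens to contain the architecture.
ZERO=$(uname -m | grep "armv6l" || true)
RASPI=$(uname -m | grep "armv7l" || true)
# Non-empty when the caller may run any command via sudo without a password.
SUDO=$(echo "" | sudo -S -l 2> /dev/null | grep NOPASSWD | grep ALL || true)

if [[ -n "$ZERO" ]]; then
  echo "Raspberry Pi Zero und andere mit armv6l werden nicht unterstützt, sorry"
  exit 1
fi

# Two privilege models: passwordless sudo (commands keep their `sudo` prefix,
# privileged here-documents go to `sudo -s`), or running as real root, where
# both wrappers become plain pass-through functions. Functions replace the
# original aliases: aliases are expanded at parse time and are fragile in
# non-interactive scripts (they only work here because of expand_aliases and
# the fact that every use is parsed after the definition ran).
if [[ -z "$SUDO" ]]; then
  if [[ "$ID" != "root" ]]; then
    echo "User muss für passwortloses sudo konfiguriert sein, sorry"
    exit 1
  fi
  if [[ "$ID" != "$USER" ]]; then
    echo "Entweder richtig root oder sudo, sorry"
    exit 1
  fi
  # Already root: run the command as-is.
  sudo() { "$@"; }
  # Privileged here-documents are simply fed to a bash of our own.
  sudominuss() { bash "$@"; }
else
  sudominuss() { sudo -s "$@"; }
fi

# Uplink interface and kernel header package: generic Debian derives the NIC
# from the default route, Raspbian assumes eth0.
if [[ -z "$RASPI" ]]; then
  # Take the device of the first default route only. `ip route` may list
  # several default routes, and a multi-line NIC would be interpolated into
  # /etc/network/interfaces and break networking after the reboot.
  NIC=$(ip route | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
  if [[ -z "$NIC" ]]; then
    echo "Keine Default-Route gefunden, Netzwerkschnittstelle unbekannt, sorry"
    exit 1
  fi
  EXTRAPKGS="linux-headers-$(uname -r)"
else
  NIC=eth0
  EXTRAPKGS="raspberrypi-kernel-headers"
fi
# NOTE(review): a 64-bit (aarch64) Raspberry Pi matches neither branch above and
# falls into the generic Debian path; linux-headers-$(uname -r) may not exist
# there. The script predates that platform — verify before use.

# Start directory (holds the step-1 marker file) and the log file, which is
# owned by the invoking user so the `tee -a` calls need no sudo.
WD=$(pwd)
LOG=/var/log/wgstrap.log
sudo touch "$LOG"
sudo chown "$USER" "$LOG"
# Name the failing line on any command failure; set -e then aborts the script.
trap 'error_report $LINENO' ERR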
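# error_report LINE
# ERR-trap handler: report the script line whose command failed.
# Arguments: $1 - line number (the trap passes $LINENO)
# Outputs:   one diagnostic line on stderr, so it never ends up inside captured
#            stdout (log pipelines, the QR code) the way the original echo did.
error_report() {
  printf 'Installation leider fehlgeschlagen in Zeile %s.\n' "$1" >&2
}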
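echo "==> Einrichtung eines Wireguard-Servers auf Debian/Raspbian ($VER)" | tee -a "$LOG"

# --- Step 1: package sources, keyring, full upgrade (ends with a reboot) --------
# The marker file in the start directory records that step 1 already ran.
if [[ ! -f "$WD/.schritt1" ]]; then
  echo "* Erster Teil:" | tee -a "$LOG"
  echo "* Paketquellen setzen" | tee -a "$LOG"
  # Debian unstable is added with Pin-Priority 90 (< 100): apt takes a package
  # from it only when no version of it is installed at all. That is how the
  # wireguard package gets pulled in on buster without moving the rest of the
  # system to unstable. Plain http is acceptable for the apt source itself
  # because apt verifies the signed Release file.
  sudo sh -c 'echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list'
  sudo sh -c 'printf "%s\n" "Package: *" "Pin: release a=unstable" "Pin-Priority: 90" > /etc/apt/preferences.d/limit-unstable'
  echo "* Hilfspaket laden & hinzufügen, Paketlisten aktualisieren" | tee -a "$LOG"
  # The keyring package is the trust root for everything apt will install from
  # unstable, and `dpkg -i` performs no signature check. Fetching it over plain
  # http (as the original did) let a network MITM deliver both a root-level
  # payload and its own trust anchors. HTTPS to the official Debian CDN pins
  # the download to Debian's infrastructure; it is still not a signature check
  # on the .deb. Where the running distribution ships a current
  # debian-archive-keyring, `apt-get install debian-archive-keyring` is the
  # better, signed route.
  # The .deb lands in a private mktemp directory instead of a predictable
  # /tmp name that another local user could pre-create or race before root
  # reads it.
  keyring_dir=$(mktemp -d)
  keyring_deb="$keyring_dir/debian-archive-keyring_2019.1_all.deb"
  wget -O "$keyring_deb" https://deb.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2019.1_all.deb >> "$LOG" 2>&1
  sudo dpkg -i "$keyring_deb" >> "$LOG" 2>&1
  rm -rf -- "$keyring_dir"
  echo "* Debian/Raspbian aktualisieren ..." | tee -a "$LOG"
  sudo apt-get update >> "$LOG" 2>&1
  sudo apt-get -y --allow-downgrades dist-upgrade >> "$LOG" 2>&1
  echo " => erster Schritt abgeschlossen."
  echo ""
  echo "Starten Sie Ihren zukünfitgen WireGuard-Server jetzt neu: reboot now (ggf. mit sudo)"
  touch "$WD/.schritt1"
  exit 0
fi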
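echo "* Zweiter Teil:" | tee -a "$LOG"
echo "* Pakete vorkonfigurieren" | tee -a "$LOG"
# Pre-seed debconf so the apt-get install below runs non-interactively.
# The answers are handed to debconf-set-selections on stdin. The original
# staged them in fixed /tmp names (/tmp/ddclient, /tmp/iptables-persistent)
# that any local user could pre-create or alter between our write and root's
# read — a way to smuggle arbitrary debconf answers into the install.
# ddclient only gets a placeholder password and no host/server/user: the real
# DynDNS account is configured by hand afterwards (see the header).
sudo debconf-set-selections >> "$LOG" 2>&1 <<'EOF'
ddclient ddclient/password password
ddclient ddclient/password-repeat password
ddclient ddclient/checkip boolean false
ddclient ddclient/fetchhosts select Manually
ddclient ddclient/run_ipup boolean true
ddclient ddclient/hostslist multiselect
ddclient ddclient/names string
ddclient ddclient/protocol select dyndns2
ddclient ddclient/interface string
ddclient ddclient/service select other
ddclient ddclient/run_daemon boolean false
ddclient ddclient/server string
ddclient ddclient/run_dhclient boolean false
ddclient ddclient/daemon_interval string 300
ddclient ddclient/username string 
EOF
# Do not let the package autosave the live rule sets; the rules are saved
# explicitly with netfilter-persistent after they have been added.
sudo debconf-set-selections >> "$LOG" 2>&1 <<'EOF'
iptables-persistent iptables-persistent/autosave_v6 boolean false
iptables-persistent iptables-persistent/autosave_v4 boolean false
EOF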
echo "* Netzwerkkonfiguration anpassen ..." | tee -a "$LOG"
# Rewrite /etc/network/interfaces for ifupdown: the uplink stays on DHCP/SLAAC,
# wg0 is created and configured from /etc/wireguard/wg0.conf on every boot.
# That config file is written further below and only has to exist at the next
# reboot. This replaces the whole file, as the header warns.
# The outer here-document is unquoted so that $NIC and the tunnel addresses
# are filled in by this shell; the inner one is quoted so the privileged shell
# does not expand anything a second time.
sudominuss <<HERE
cat > /etc/network/interfaces <<'IFACES'
# interfaces(5) file used by ifup(8) and ifdown(8)
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and man dhcpcd.conf
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
# for zero/w
#auto wlan0
#iface wlan0 inet dhcp
# wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
# wireless-power off
#iface wlan0 inet6 auto
auto $NIC
iface $NIC inet dhcp
iface $NIC inet6 auto
auto wg0
iface wg0 inet static
address $IPV4HOST
netmask 255.255.255.0
pre-up ip link add wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
up ip link set wg0 up
down ip link delete wg0
iface wg0 inet6 static
address $IPV6HOST
netmask 64
IFACES
HERE
# Make the host a router for both address families; the MASQUERADE rules added
# later depend on this. A sysctl.d drop-in survives upgrades of sysctl.conf.
# NOTE(review): with IPv6 forwarding enabled the kernel stops accepting router
# advertisements on interfaces whose accept_ra is 1 (the default) unless it is
# set to 2. Whether ifupdown's `inet6 auto` does that for $NIC is not visible
# here — confirm the server still obtains a LAN IPv6 address after the reboot.
printf '%s\n' 'net.ipv4.ip_forward=1' 'net.ipv6.conf.all.forwarding=1' | sudo tee /etc/sysctl.d/wireguard.conf > /dev/null
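echo "* Pakete hinzufügen ..." | tee -a "$LOG"
# dkms plus the matching kernel headers so the wireguard kernel module can be
# built for the running kernel. (An earlier revision installed a hand-picked
# wireguard-dkms .deb here; the pinned unstable suite from step 1 replaces that.)
sudo apt-get install -y --no-install-recommends dkms "$EXTRAPKGS" >> "$LOG" 2>&1
sudo apt-get -y --no-install-recommends --ignore-hold --reinstall install wireguard qrencode ddclient libdata-validate-ip-perl iptables-persistent >> "$LOG" 2>&1

# --- ddclient patch --------------------------------------------------------------
# c't publishes a patch behind a short link; it is applied as root inside
# /usr/sbin (presumably to the ddclient script — the patch content is not
# visible here). Precautions, since this is remote content run with root
# rights on a system directory:
#  * fetch into a private mktemp directory, not a predictable /tmp name that
#    another local user could pre-create or modify before root reads it;
#  * refuse an empty download;
#  * dry-run first so a truncated or mismatching patch cannot leave /usr/sbin
#    half-patched.
# There is no published checksum to verify the patch against; the trust here is
# TLS plus wherever ct.de redirects. Review the patch by hand if that is not
# acceptable in your environment.
patch_dir=$(mktemp -d)
wget -O "$patch_dir/d.patch" https://ct.de/s/mK7P >> "$LOG" 2>&1
if [[ ! -s "$patch_dir/d.patch" ]]; then
  echo "ddclient-Patch konnte nicht geladen werden (leere Datei)" >&2
  exit 1
fi
sudo patch -d /usr/sbin --dry-run < "$patch_dir/d.patch" >> "$LOG" 2>&1
sudo patch -d /usr/sbin < "$patch_dir/d.patch" >> "$LOG" 2>&1
rm -rf -- "$patch_dir"
# Hold the package, presumably so a later upgrade does not overwrite the patched script.
sudo apt-mark hold ddclient >> "$LOG" 2>&1

# --- Forwarding and NAT ----------------------------------------------------------
# ensure_rule TOOL TABLE CHAIN RULE...
# Append the rule only if it is not present yet, so re-running the script does
# not pile up duplicate rules.
ensure_rule() {
  local tool=$1 table=$2 chain=$3
  shift 3
  sudo "$tool" -t "$table" -C "$chain" "$@" 2> /dev/null \
    || sudo "$tool" -t "$table" -A "$chain" "$@" >> "$LOG" 2>&1
}
# Forward traffic arriving from the tunnel and masquerade it behind the uplink.
# Return traffic is not allowed explicitly: this relies on the FORWARD chain's
# default ACCEPT policy of a fresh install (the header restricts the script to
# fresh installs). NAT for the IPv6 ULA range is unusual but kept from the
# original recipe.
ensure_rule iptables filter FORWARD -i wg0 -j ACCEPT
ensure_rule iptables nat POSTROUTING -o "$NIC" -j MASQUERADE
ensure_rule ip6tables filter FORWARD -i wg0 -j ACCEPT
ensure_rule ip6tables nat POSTROUTING -o "$NIC" -j MASQUERADE
sudo netfilter-persistent save >> "$LOG" 2>&1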
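# --- Server key pair -------------------------------------------------------------
# umask 077 inside the privileged shell makes every file written there 0600
# and root-owned. The original applied it to the .key files only; wg0.conf and
# client1.conf embed the same private keys and were written with the default
# umask, i.e. world-readable.
sudominuss <<HERE
umask 077
wg genkey > /etc/wireguard/server.key
HERE
KEY=$(sudo cat /etc/wireguard/server.key)
PUBKEY=$(printf '%s\n' "$KEY" | wg pubkey)
sudominuss <<HERE
umask 077
echo "[Interface]
ListenPort=40404
PrivateKey=$KEY" > /etc/wireguard/wg0.conf
HERE

# --- First client ("client1"), used for the internal test connection --------------
sudo mkdir -p /etc/wireguard/clients >> "$LOG" 2>&1
sudo chmod 700 /etc/wireguard/clients >> "$LOG" 2>&1
sudominuss <<HERE
umask 077
wg genkey > /etc/wireguard/clients/client1.key
HERE
CKEY=$(sudo cat /etc/wireguard/clients/client1.key)
CPUBKEY=$(printf '%s\n' "$CKEY" | wg pubkey)
# Server-side peer entry. AllowedIPs is WireGuard's cryptokey routing table
# and must name this client's individual addresses (/32 and /128). The
# original /128-less form ($IPV6CLIENT/64) claimed the whole tunnel prefix,
# including the server's own ::1, for client1 and would collide with any
# second client added later.
sudominuss <<HERE
echo "# client1
[Peer]
PublicKey=$CPUBKEY
AllowedIPs=$IPV4CLIENT/32,$IPV6CLIENT/128" >> /etc/wireguard/wg0.conf
HERE
# Endpoint for the test client: the first IPv4 address of the uplink, i.e. the
# LAN address. For use from outside, replace it with the DynDNS name once
# 40404/udp is forwarded to this host (both are manual steps, see the header).
MYIP=$(ip -4 addr show "$NIC" | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n 1)
if [[ -z "$MYIP" ]]; then
  echo "Warnung: keine IPv4-Adresse auf $NIC gefunden, Endpoint in client1.conf bitte von Hand eintragen" >&2
fi
# Client config: all client traffic (0.0.0.0/0, ::/0) is routed through the
# server while the tunnel is up, and the client is told to use Cloudflare's
# resolvers for DNS.
sudominuss <<HERE
umask 077
echo "[Interface]
PrivateKey=$CKEY
Address=$IPV4CLIENT,$IPV6CLIENT
DNS=1.1.1.1,2606:4700:4700::1111
[Peer]
PublicKey=$PUBKEY
Endpoint=$MYIP:40404
AllowedIPs=0.0.0.0/0,::/0" > /etc/wireguard/clients/client1.conf
HERE
# No `wg setconf` here: ifupdown brings wg0 up from wg0.conf after the final
# reboot (pre-up hook in /etc/network/interfaces).
# The QR code contains client1's private key — anyone who can see this
# terminal, its scrollback or a session log holds the key. Scan it with the
# WireGuard app and clear the screen afterwards.
sudo cat /etc/wireguard/clients/client1.conf | qrencode -t ansiutf8
echo "==> Installation erfolgreich abgeschlossen." | tee -a "$LOG"
echo ""
echo "Starten Sie Ihren WireGuard-Server jetzt letztmals neu: reboot now (ggf. mit sudo)"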