Almost automated WireGuard Setup for Linode Debian Stretch
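# + ------------------------- |
# | Linode Nanode WireGuard |
# | Debian 9 Stretch |
# + ------------------------- |
#
# Runbook, not a one-shot script: this server half ends in `reboot`, and the
# client half further down is meant to be run on a *different* machine.
# Every command here runs as root.
#
# + --------------------------------------------------------------------------------------------------------- |
# | Server Config |
# + --------------------------------------------------------------------------------------------------------- |
# Tunables (export before running to override; clients must use the same port)
WG_IFACE=${WG_IFACE:-wg0}          # WireGuard interface name
WG_PORT=${WG_PORT:-51820}          # UDP listen port, also opened in ufw below
WG_ADDR=${WG_ADDR:-10.0.0.1/24}    # server address inside the tunnel
WAN_IFACE=${WAN_IFACE:-eth0}       # upstream interface that gets MASQUERADEd
WG_KEYDIR=/opt/wireguard
# General:
hostname scherox # set hostname
apt-get install -y ufw # install firewall wrapper
# Open Basic ports (SSH is allowed *before* enabling so the session survives)
ufw allow 22/tcp
ufw allow "${WG_PORT}/udp"
ufw --force enable # --force: no "may disrupt existing ssh connections" prompt
# Wireguard Installation (pin unstable low so only packages we ask for come from it)
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt-get update && apt-get upgrade -y
apt-get install -y wireguard
# Allow IPv4 Forwarding:
# A drop-in does not depend on /etc/sysctl.conf already containing the key
# (the old sed was a no-op when the line was missing); -w applies it now.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-wireguard.conf
sysctl -w net.ipv4.ip_forward=1
# Wireguard Configuration
# From here on every file created holds a private key: make them 0600.
umask 077
mkdir -p "${WG_KEYDIR}" && cd "${WG_KEYDIR}"
wg genkey | tee wg-private.key | wg pubkey > wg-public.key
# Create Interface (unquoted heredoc: $(...) and ${...} expand here, on purpose)
mkdir -p /etc/wireguard
tee "/etc/wireguard/${WG_IFACE}.conf" > /dev/null << END
[Interface]
PrivateKey = $(cat "${WG_KEYDIR}/wg-private.key")
ListenPort = ${WG_PORT}
Address = ${WG_ADDR}
PostUp = iptables -A FORWARD -i ${WG_IFACE} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${WAN_IFACE} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${WG_IFACE} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${WAN_IFACE} -j MASQUERADE
END
chmod 600 "/etc/wireguard/${WG_IFACE}.conf" # explicit, in case the file pre-existed
# Start Interface
wg-quick up "${WG_IFACE}"
# Show Status
wg show
# Enable for System reboot
systemctl enable "wg-quick@${WG_IFACE}"
reboot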
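# + --------------------------------------------------------------------------------------------------------- |
# | Client Config |
# + --------------------------------------------------------------------------------------------------------- |
# Run on the *client* machine as root, after the server half has rebooted.
# Tunables (must match the server side)
WG_IFACE=${WG_IFACE:-wg0}
WG_PORT=${WG_PORT:-51820}
WG_KEYDIR=/opt/wireguard
# Tunnel address of this client; used for Address here and AllowedIPs on the
# server, so it is defined once to keep the two in sync.
CLIENT_IP=${CLIENT_IP:-10.0.0.230}
# Retrieve Server Key
SERVER_IP4=${SERVER_IP4:-__YOUR_LINODE_IP4__}
SERVER_KEY=$(ssh root@"${SERVER_IP4}" "cat ${WG_KEYDIR}/wg-public.key")
# An empty key would silently yield an unusable config; ${VAR:?} aborts a
# non-interactive run and only prints the message in an interactive shell.
: "${SERVER_KEY:?could not fetch server public key from ${SERVER_IP4}}"
# Generate client keypair; private key and config must be 0600
umask 077
mkdir -p "${WG_KEYDIR}" && cd "${WG_KEYDIR}" && wg genkey | tee wg-private.key | wg pubkey > wg-public.key && cd ~
CLIENT_PUB=$(cat "${WG_KEYDIR}/wg-public.key")
# Client Interface (AllowedIPs = 0.0.0.0/0 sends *all* IPv4 traffic through the tunnel)
mkdir -p /etc/wireguard
tee "/etc/wireguard/${WG_IFACE}.conf" > /dev/null << END
[Interface]
PrivateKey = $(cat "${WG_KEYDIR}/wg-private.key")
ListenPort = ${WG_PORT}
Address = ${CLIENT_IP}/32
[Peer]
PublicKey = ${SERVER_KEY}
Endpoint = ${SERVER_IP4}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
END
chmod 600 "/etc/wireguard/${WG_IFACE}.conf"
# Send Peer Info to Server
# ${...} inside the double-quoted command expands locally. The grep guard
# skips the append when this public key is already registered, so re-running
# the runbook does not stack duplicate [Peer] blocks on the server.
ssh root@"${SERVER_IP4}" "grep -qF '${CLIENT_PUB}' /etc/wireguard/${WG_IFACE}.conf || {
wg-quick down ${WG_IFACE}
tee -a /etc/wireguard/${WG_IFACE}.conf > /dev/null << END
[Peer]
PublicKey = ${CLIENT_PUB}
AllowedIPs = ${CLIENT_IP}/32
END
wg-quick up ${WG_IFACE}
}"
# Start Interface & Show Status
wg-quick up "${WG_IFACE}" && wg show
# Note: You should see a "Latest Handshake" note here!
# $ wg show | grep -q 'latest handshake' && echo "Link Established!"
# If not: Make sure all keys are correct and UDP ${WG_PORT} is reachable on the server!
# Enable as System Service:
systemctl enable "wg-quick@${WG_IFACE}"
# EOF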