Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Install WireGuard on Raspbian Stretch Light
#!/bin/bash
#
## -------------------------------=[ Info ]=--------------------------------- ##
#
## -=[ Author ]=------------------------------------------------------------- ##
#
# shr00mie
# 01.10.2019
# v0.2
#
## -=[ Use Case ]=----------------------------------------------------------- ##
#
# WireGuard VPN Install on fresh Raspbian Stretch Light
#
## -=[ Breakdown ]=---------------------------------------------------------- ##
#
#
#
## -=[ To-Do ]=-------------------------------------------------------------- ##
#
# 1. Add allowed routes on endpoint side
# 2. Set client allowed routes to /24 endpoint VPN LAN and /16 for LAN
# 3. Encrypt & email configs after creation for distribution (to admin or users)
#
## -=[ Functions ]=---------------------------------------------------------- ##
#
# Usage: status "Status Text"
function status() {
GREEN='\033[00;32m'
RESTORE='\033[0m'
echo -e "\n...${GREEN}$1${RESTORE}...\n"
}
function wg_keygen(){
umask 077
wg genkey > ~/.wgkeys/$1_private.key
wg pubkey > ~/.wgkeys/$1_public.key < ~/.wgkeys/$1_private.key
}
#
## -------------------------=[ Script Variables ]=--------------------------- ##
#
# Array of client names for which to generate keys:
CLIENTS=("Enter" "Your" "Clients" "Here")
# FQDN for vpn endpoint
ENDPOINT="vpn server/endpoint ip or fqdn"
# CIDR IP to route over VPN. 0.0.0.0/0 for route everything
CLIENT_ROUTES="10.1.0.0/16"
# Server side DNS. Google if you don't have one.
CLIENT_DNS="8.8.8.8, 8.8.4.4"
# physical lan interface to bridge to (eth0, wlan0)
IFACE="eth0"
#
## ---------------------------=[ Script Start ]=----------------------------- ##
status "Updating system"
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoclean && sudo apt-get autoremove -y
status "Installing RaspberryPi Kernel Headers"
sudo apt-get install raspberrypi-kernel-headers
status "Adding unstable repo"
cat << EOF | sudo tee /etc/apt/sources.list.d/unstable.list > /dev/null
deb http://deb.debian.org/debian/ unstable main
EOF
status "Installing dirmngr"
sudo apt-get install dirmngr -y
status "Adding keys for unstable branch"
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
status "Setting unstable apt preferences"
cat << EOF | sudo tee /etc/apt/preferences.d/limit-unstable > /dev/null
Package: *
Pin: release a=unstable
Pin-Priority: 150
EOF
status "Installing WireGuard"
sudo apt-get update && sudo apt-get install wireguard -y
status "Configuring IPv4 Forwarding"
sudo sed -i.back "s/#net\.ipv4\.ip_forward=1/net\.ipv4\.ip_forward=1/" /etc/sysctl.conf
status "Applying IPv4 Forwarding"
sudo sysctl -p
status "Creating folders (.wgkey & .wgconfig)"
cd ~
mkdir .wgkeys
mkdir .wgconfig
status "Creating server keys"
wg_keygen "server"
SERVER_PRIVATE_KEY=$(cat ~/.wgkeys/server_private.key)
SERVER_PUBLIC_KEY=$(cat ~/.wgkeys/server_public.key)
status "Creating client keys"
for i in ${CLIENTS[@]}
do
wg_keygen ${i}
done
status "Configuring WireGuard interface"
cat << EOF | sudo tee /etc/wireguard/wg0.conf > /dev/null
[Interface]
Address = 192.168.99.1/24
ListenPort = 51820
PrivateKey = $SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o $IFACE -j ACCEPT; iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o $IFACE -j ACCEPT; iptables -t nat -D POSTROUTING -o $IFACE -j MASQUERADE
EOF
status "Appending peer configuration for each provided client"
cn=2
for i in ${CLIENTS[@]}
do
CLIENT_PUBLIC_KEY=$(cat ~/.wgkeys/${i}_public.key)
cat << EOF | sudo tee -a /etc/wireguard/wg0.conf > /dev/null
[Peer]
# client ${i}
PublicKey = $CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.99.$cn/32
EOF
cn=$(( $cn + 1 ))
done
status "Starting WireGuard"
sudo wg-quick up wg0
status "Enabling WireGuard service"
sudo systemctl enable wg-quick@wg0
status "Generating client-side configurations"
cn=2
for i in ${CLIENTS[@]}
do
CLIENT_ADDRESS="192.168.99.$cn"
CLIENT_PRIVATE_KEY=$(cat ~/.wgkeys/${i}_private.key)
cat << EOF | sudo tee ~/.wgconfig/${i}.conf > /dev/null
[Interface]
Address = $CLIENT_ADDRESS/24
PrivateKey = $CLIENT_PRIVATE_KEY
DNS = $CLIENT_DNS
[Peer]
PublicKey = $SERVER_PUBLIC_KEY
AllowedIPs = 192.168.99.0/24, $CLIENT_ROUTES
Endpoint = $ENDPOINT:51820
PersistentKeepalive = 25
EOF
cn=$(( $cn + 1 ))
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment