Last active
December 20, 2020 08:30
-
-
Save shr00mie/c93d4990211326af03b76d6878bc2d6a to your computer and use it in GitHub Desktop.
Install WireGuard on Raspbian Stretch Light
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| ## -------------------------------=[ Info ]=--------------------------------- ## | |
| # | |
| ## -=[ Author ]=------------------------------------------------------------- ## | |
| # | |
| # shr00mie | |
| # 01.10.2019 | |
| # v0.2 | |
| # | |
| ## -=[ Use Case ]=----------------------------------------------------------- ## | |
| # | |
| # WireGuard VPN Install on fresh Raspbian Stretch Light | |
| # | |
| ## -=[ Breakdown ]=---------------------------------------------------------- ## | |
| # | |
| # | |
| # | |
| ## -=[ To-Do ]=-------------------------------------------------------------- ## | |
| # | |
| # 1. Add allowed routes on endpoint side | |
| # 2. Set client allowed routes to /24 endpoint VPN LAN and /16 for LAN | |
| # 3. Encrypt & email configs after creation for distribution (to admin or users) | |
| # | |
| ## -=[ Functions ]=---------------------------------------------------------- ## | |
| # | |
| # Usage: status "Status Text" | |
| function status() { | |
| GREEN='\033[00;32m' | |
| RESTORE='\033[0m' | |
| echo -e "\n...${GREEN}$1${RESTORE}...\n" | |
| } | |
| function wg_keygen(){ | |
| umask 077 | |
| wg genkey > ~/.wgkeys/$1_private.key | |
| wg pubkey > ~/.wgkeys/$1_public.key < ~/.wgkeys/$1_private.key | |
| } | |
| # | |
| ## -------------------------=[ Script Variables ]=--------------------------- ## | |
| # | |
| # Array of client names for which to generate keys: | |
| CLIENTS=("Enter" "Your" "Clients" "Here") | |
| # FQDN for vpn endpoint | |
| ENDPOINT="vpn server/endpoint ip or fqdn" | |
| # CIDR IP to route over VPN. 0.0.0.0/0 for route everything | |
| CLIENT_ROUTES="10.1.0.0/16" | |
| # Server side DNS. Google if you don't have one. | |
| CLIENT_DNS="8.8.8.8, 8.8.4.4" | |
| # physical lan interface to bridge to (eth0, wlan0) | |
| IFACE="eth0" | |
| # | |
| ## ---------------------------=[ Script Start ]=----------------------------- ## | |
| status "Updating system" | |
| sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoclean && sudo apt-get autoremove -y | |
| status "Installing RaspberryPi Kernel Headers" | |
| sudo apt-get install raspberrypi-kernel-headers | |
| status "Adding unstable repo" | |
| cat << EOF | sudo tee /etc/apt/sources.list.d/unstable.list > /dev/null | |
| deb http://deb.debian.org/debian/ unstable main | |
| EOF | |
| status "Installing dirmngr" | |
| sudo apt-get install dirmngr -y | |
| status "Adding keys for unstable branch" | |
| sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 | |
| status "Setting unstable apt preferences" | |
| cat << EOF | sudo tee /etc/apt/preferences.d/limit-unstable > /dev/null | |
| Package: * | |
| Pin: release a=unstable | |
| Pin-Priority: 150 | |
| EOF | |
| status "Installing WireGuard" | |
| sudo apt-get update && sudo apt-get install wireguard -y | |
| status "Configuring IPv4 Forwarding" | |
| sudo sed -i.back "s/#net\.ipv4\.ip_forward=1/net\.ipv4\.ip_forward=1/" /etc/sysctl.conf | |
| status "Applying IPv4 Forwarding" | |
| sudo sysctl -p | |
| status "Creating folders (.wgkey & .wgconfig)" | |
| cd ~ | |
| mkdir .wgkeys | |
| mkdir .wgconfig | |
| status "Creating server keys" | |
| wg_keygen "server" | |
| SERVER_PRIVATE_KEY=$(cat ~/.wgkeys/server_private.key) | |
| SERVER_PUBLIC_KEY=$(cat ~/.wgkeys/server_public.key) | |
| status "Creating client keys" | |
| for i in ${CLIENTS[@]} | |
| do | |
| wg_keygen ${i} | |
| done | |
| status "Configuring WireGuard interface" | |
| cat << EOF | sudo tee /etc/wireguard/wg0.conf > /dev/null | |
| [Interface] | |
| Address = 192.168.99.1/24 | |
| ListenPort = 51820 | |
| PrivateKey = $SERVER_PRIVATE_KEY | |
| PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o $IFACE -j ACCEPT; iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE | |
| PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o $IFACE -j ACCEPT; iptables -t nat -D POSTROUTING -o $IFACE -j MASQUERADE | |
| EOF | |
| status "Appending peer configuration for each provided client" | |
| cn=2 | |
| for i in ${CLIENTS[@]} | |
| do | |
| CLIENT_PUBLIC_KEY=$(cat ~/.wgkeys/${i}_public.key) | |
| cat << EOF | sudo tee -a /etc/wireguard/wg0.conf > /dev/null | |
| [Peer] | |
| # client ${i} | |
| PublicKey = $CLIENT_PUBLIC_KEY | |
| AllowedIPs = 192.168.99.$cn/32 | |
| EOF | |
| cn=$(( $cn + 1 )) | |
| done | |
| status "Starting WireGuard" | |
| sudo wg-quick up wg0 | |
| status "Enabling WireGuard service" | |
| sudo systemctl enable wg-quick@wg0 | |
| status "Generating client-side configurations" | |
| cn=2 | |
| for i in ${CLIENTS[@]} | |
| do | |
| CLIENT_ADDRESS="192.168.99.$cn" | |
| CLIENT_PRIVATE_KEY=$(cat ~/.wgkeys/${i}_private.key) | |
| cat << EOF | sudo tee ~/.wgconfig/${i}.conf > /dev/null | |
| [Interface] | |
| Address = $CLIENT_ADDRESS/24 | |
| PrivateKey = $CLIENT_PRIVATE_KEY | |
| DNS = $CLIENT_DNS | |
| [Peer] | |
| PublicKey = $SERVER_PUBLIC_KEY | |
| AllowedIPs = 192.168.99.0/24, $CLIENT_ROUTES | |
| Endpoint = $ENDPOINT:51820 | |
| PersistentKeepalive = 25 | |
| EOF | |
| cn=$(( $cn + 1 )) | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment