#!/bin/sh
# Based on https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
# Usage:
# doas ./wireguard.sh
# Get OpenBSD VPS at https://t.me/convectixbot
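# itee FILE - idempotent "tee -a".
# Reads lines from stdin and appends to FILE only those that are not already
# present as a complete line, so the script can be re-run without piling up
# duplicate settings.
# Arguments: $1 - file to append to
# Outputs:   every line that was actually appended is echoed to stdout
# Side effects: FILE is copied to FILE.bak before anything is appended
itee() {
  _itee_file=$1
  # -p keeps mode and ownership, so the backup of a restricted file does not
  # end up more readable than the original. Skip the copy when FILE does not
  # exist yet; tee -a creates it below.
  if [ -f "$_itee_file" ]; then
    cp -p -- "$_itee_file" "$_itee_file.bak"
  fi
  # IFS= and -r keep whitespace and backslashes in the rule text intact; the
  # "|| [ -n ... ]" part picks up a final line with no trailing newline.
  while IFS= read -r _itee_line || [ -n "$_itee_line" ]; do
    # Never append blank lines.
    [ -n "$_itee_line" ] || continue
    # -x: whole-line match. A plain substring match would treat a commented-out
    # "#net.inet.ip.forwarding=1" or a longer pf rule as "already configured".
    # stderr is dropped only to silence "no such file" on the first write.
    if ! grep -qxF -- "$_itee_line" "$_itee_file" 2>/dev/null; then
      printf '%s\n' "$_itee_line" | tee -a "$_itee_file"
    fi
  done
}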
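# Install the tools used below; nothing later works without them.
pkg_add curl wireguard-tools libqrencode || exit 1

# Public address that clients will dial. An explicit SERVER_IP from the
# environment wins; otherwise ask an external "what is my IP" service.
# -f makes curl fail on an HTTP error instead of returning the error page.
SERVER_IP=${SERVER_IP:-"$(curl -fsS https://checkip.amazonaws.com)"}
# The value is written verbatim into every client's Endpoint line, so refuse
# an empty answer or anything that is not a plain address or host name.
case $SERVER_IP in
  '' | *[!0-9A-Za-z.:-]*)
    echo "wireguard.sh: could not determine a usable SERVER_IP; set SERVER_IP and re-run" >&2
    exit 1
    ;;
esac

# Enable routing now and persist it across reboots.
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
echo "net.inet.ip.forwarding=1" | itee /etc/sysctl.conf
echo "net.inet6.ip6.forwarding=1" | itee /etc/sysctl.conf

# The directory will hold the server's private key: root only.
mkdir -p /etc/wireguard
chmod 700 /etc/wireguard

# Server key pair. The private key goes to wg pubkey over a pipe (stdin), not
# as a command-line argument.
SERVER_PRIVATE_KEY=$(wg genkey) || exit 1
SERVER_PUBLIC_KEY=$(printf '%s\n' "$SERVER_PRIVATE_KEY" | wg pubkey) || exit 1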
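# Server configuration
# wg0.conf contains the server's private key. Create it under a restrictive
# umask (in a subshell, so the rest of the script is unaffected) and force the
# mode afterwards: '>' keeps the old permissions when the file already exists.
# Re-running the script overwrites this file with a freshly generated key.
(
  umask 077
  cat > /etc/wireguard/wg0.conf << EOF
[Interface]
PrivateKey = $SERVER_PRIVATE_KEY
ListenPort = 51820
EOF
) || exit 1
chmod 600 /etc/wireguard/wg0.conf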
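# Clients configuration
# Generates eight peers, 10.0.0.2 through 10.0.0.9. For each one the public key
# is appended to the server config and a ready-to-import client config is
# written to $HOME/wg0.N.conf. The host list is spelled out so the loop does
# not depend on seq(1) being installed.
for N in 2 3 4 5 6 7 8 9; do
  CLIENT_PRIVATE_KEY=$(wg genkey) || exit 1
  CLIENT_PUBLIC_KEY=$(printf '%s\n' "$CLIENT_PRIVATE_KEY" | wg pubkey) || exit 1

  # Server side: the peer may only source traffic from its own /32.
  cat >> /etc/wireguard/wg0.conf << EOF
[Peer]
PublicKey = $CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.$N/32
PersistentKeepalive = 25
EOF

  # Client side: this file carries the client's private key, so it is created
  # under umask 077 and forced to 0600 (an existing file keeps its old mode
  # when truncated). Hand it to the client over a protected channel and delete
  # the server-side copy afterwards.
  # AllowedIPs sends all IPv4 and IPv6 traffic into the tunnel, but the
  # interface is only given an IPv4 address here.
  (
    umask 077
    cat > "$HOME/wg0.$N.conf" << EOF
[Interface]
PrivateKey = $CLIENT_PRIVATE_KEY
Address = 10.0.0.$N/24
DNS = 8.8.8.8, 8.8.4.4
[Peer]
PublicKey = $SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_IP:51820
EOF
  ) || exit 1
  chmod 600 "$HOME/wg0.$N.conf"
done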
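# Firewall config
# Rules appended to /etc/pf.conf (itee skips the ones already present):
#   1. accept everything that arrives on the tunnel interface, i.e. every
#      configured peer is fully trusted by this host; tighten if that is not
#      what you want
#   2. accept WireGuard traffic on UDP 51820 from any source
#   3. NAT tunnel traffic leaving through the egress interface group.
#      (egress:0) follows whichever interface holds the default route instead
#      of assuming the NIC is called vio0.
itee /etc/pf.conf << EOF
pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (egress:0)
EOF
# Parse-check first (-n does not load anything) so a broken ruleset is reported
# here rather than discovered at the next boot. itee left the previous version
# in /etc/pf.conf.bak.
if ! pfctl -nf /etc/pf.conf; then
  echo "wireguard.sh: /etc/pf.conf does not parse; the previous version is in /etc/pf.conf.bak" >&2
  exit 1
fi
pfctl -f /etc/pf.conf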
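# Network configuration
# hostname.wg0 is read by netstart when the interface is brought up; the '!'
# line is a command it runs, so the file must not be writable or readable by
# ordinary users.
cat > /etc/hostname.wg0 << EOF
inet 10.0.0.1 255.255.255.0 NONE
up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
EOF
chmod 640 /etc/hostname.wg0

# Bring the tunnel up and show its state.
sh /etc/netstart wg0
ifconfig wg0
wg

echo
echo "Client configurations are saved to $HOME/wg0.N.conf"
echo "Your mobile qrcode"
# The QR code encodes the whole client 3 config, private key included: anyone
# who can see the terminal, its scrollback or a session log can import it.
qrencode -t ansiutf8 < "$HOME/wg0.3.conf"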