luizberti · March 4, 2021 13:45
diff --git a/wireguard.sh b/wireguard.sh
 #!/usr/bin/env bash
 set -o errexit
 set -o pipefail

 command -v ufw       &> /dev/null || { echo you need to install ufw;      exit 1; }
 command -v wg        &> /dev/null || { echo you need to install wg;       exit 1; }
 command -v wg-quick  &> /dev/null || { echo you need to install wg-quick; exit 1; }
 command -v systemctl &> /dev/null || { echo you need systemd to use $0;   exit 1; }
 modprobe wireguard  # checks if kernel module is present


 # FIREWALLING
 # ===========

 # NETWORK POLICY
 sudo ufw allow 22/tcp
 sudo ufw allow 51820/udp
 sudo ufw allow in on wg0 to any

 # SYSCTL NETWORK SETTINGS
 sudo tee -a /etc/ufw/sysctl.conf <<EOF
 # ALLOW FORWARDING ACROSS INTERFACES
 net/ipv4/ip_forward=1
 net/ipv6/conf/default/forwarding=1
 net/ipv6/conf/all/forwarding=1
 EOF


 # WIREGUARD
 # =========

 # FILES AND PERMISSIONS
 sudo mkdir -p        /etc/wireguard/
 sudo touch           /etc/wireguard/{wg0.conf,wg0.key,wg0.pub,[email protected]}
 sudo chown root:root /etc/wireguard/{wg0.conf,wg0.key,wg0.pub,[email protected]}
 sudo chmod 600       /etc/wireguard/wg0.{conf,key}
 sudo chmod 644       /etc/wireguard/{wg0.pub,[email protected]}
 sudo ln -sf          /etc/{wireguard,systemd/user}/[email protected]

 # GENERATE KEY PAIR
 test -n "$(sudo cat /etc/wireguard/wg0.key)" || wg genkey | sudo tee /etc/wireguard/wg0.key > /dev/null
 sudo cat /etc/wireguard/wg0.key | wg pubkey | sudo tee /etc/wireguard/wg0.pub

 # INTERFACE CONFIGURATION
 sudo tee /etc/wireguard/wg0.conf <<EOF
 [Interface]
 PrivateKey = $(sudo cat /etc/wireguard/wg0.key)
 Address = 100.64.0.1/10  # RFC6598 CGNAT IPv4 RANGE [100.64.0.0, 100.127.255.255]
 ListenPort = 51820
 EOF

 # SYSTEMD SERVICE
 sudo tee /etc/wireguard/[email protected] <<EOF
 [Unit]
 Description=WireGuard via wg-quick(8) for %I
 After=network-online.target nss-lookup.target
 Wants=network-online.target nss-lookup.target
 Documentation=man:wg-quick(8)
 Documentation=man:wg(8)
 Documentation=https://www.wireguard.com/
 Documentation=https://www.wireguard.com/quickstart/
 Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
 Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/wg-quick up %i
 ExecStop=/usr/bin/wg-quick down %i
 Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

 [Install]
 WantedBy=multi-user.target
 EOF

 echo this script is not complete. quitting...
 exit 99


 # PEERING
 # =======

 sudo tee -a /etc/wireguard/wg0.conf <<EOF
 [Peer]
 # Name = $(name)
 PublicKey = SPL3lFMWgWGuSTwimAYW42CUBWp1P2Q7arjabUpd2go=
 AllowedIPs = 100.64.0.0/10
 EOF


 # DAEMONIZE
 # =========

 sudo ufw --force enable
 sudo systemctl enable --now [email protected]
	#!/usr/bin/env bash
	set -o errexit
	set -o pipefail

	command -v ufw &> /dev/null \|\| { echo you need to install ufw; exit 1; }
	command -v wg &> /dev/null \|\| { echo you need to install wg; exit 1; }
	command -v wg-quick &> /dev/null \|\| { echo you need to install wg-quick; exit 1; }
	command -v systemctl &> /dev/null \|\| { echo you need systemd to use $0; exit 1; }
	modprobe wireguard # checks if kernel module is present


	# FIREWALLING
	# ===========

	# NETWORK POLICY
	sudo ufw allow 22/tcp
	sudo ufw allow 51820/udp
	sudo ufw allow in on wg0 to any

	# SYSCTL NETWORK SETTINGS
	sudo tee -a /etc/ufw/sysctl.conf <<EOF
	# ALLOW FORWARDING ACROSS INTERFACES
	net/ipv4/ip_forward=1
	net/ipv6/conf/default/forwarding=1
	net/ipv6/conf/all/forwarding=1
	EOF


	# WIREGUARD
	# =========

	# FILES AND PERMISSIONS
	sudo mkdir -p /etc/wireguard/
	sudo touch /etc/wireguard/{wg0.conf,wg0.key,wg0.pub,[email protected]}
	sudo chown root:root /etc/wireguard/{wg0.conf,wg0.key,wg0.pub,[email protected]}
	sudo chmod 600 /etc/wireguard/wg0.{conf,key}
	sudo chmod 644 /etc/wireguard/{wg0.pub,[email protected]}
	sudo ln -sf /etc/{wireguard,systemd/user}/[email protected]

	# GENERATE KEY PAIR
	test -n "$(sudo cat /etc/wireguard/wg0.key)" \|\| wg genkey \| sudo tee /etc/wireguard/wg0.key > /dev/null
	sudo cat /etc/wireguard/wg0.key \| wg pubkey \| sudo tee /etc/wireguard/wg0.pub

	# INTERFACE CONFIGURATION
	sudo tee /etc/wireguard/wg0.conf <<EOF
	[Interface]
	PrivateKey = $(sudo cat /etc/wireguard/wg0.key)
	Address = 100.64.0.1/10 # RFC6598 CGNAT IPv4 RANGE [100.64.0.0, 100.127.255.255]
	ListenPort = 51820
	EOF

	# SYSTEMD SERVICE
	sudo tee /etc/wireguard/[email protected] <<EOF
	[Unit]
	Description=WireGuard via wg-quick(8) for %I
	After=network-online.target nss-lookup.target
	Wants=network-online.target nss-lookup.target
	Documentation=man:wg-quick(8)
	Documentation=man:wg(8)
	Documentation=https://www.wireguard.com/
	Documentation=https://www.wireguard.com/quickstart/
	Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
	Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8

	[Service]
	Type=oneshot
	RemainAfterExit=yes
	ExecStart=/usr/bin/wg-quick up %i
	ExecStop=/usr/bin/wg-quick down %i
	Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

	[Install]
	WantedBy=multi-user.target
	EOF

	echo this script is not complete. quitting...
	exit 99


	# PEERING
	# =======

	sudo tee -a /etc/wireguard/wg0.conf <<EOF
	[Peer]
	# Name = $(name)
	PublicKey = SPL3lFMWgWGuSTwimAYW42CUBWp1P2Q7arjabUpd2go=
	AllowedIPs = 100.64.0.0/10
	EOF


	# DAEMONIZE
	# =========

	sudo ufw --force enable
	sudo systemctl enable --now [email protected]