#!/usr/bin/env bash
# usage:
# wg-ubuntu-server-up.sh -d
#######################################
# Version comparison: succeeds (returns 0) when $1 sorts strictly after the
# other argument(s) under `sort -V`, i.e. $1 is the greater version; equal
# versions return 1.  Not referenced anywhere else in this script
# (os_workaround below was meant to be compared with it).
# Arguments: version strings, $1 being the candidate
# Returns:   0 if $1 is greater than the rest, 1 otherwise
#######################################
version_gt() {
  local lowest
  lowest=$(printf '%s\n' "$@" | sort -V | head -n 1)
  [[ "${lowest}" != "$1" ]]
}
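# Script state (written by the option parser below) and host facts.
dns_service="none"        # upper-cased by -d; compared against UNBOUND/PIHOLE later
print_help=true           # stays true until a valid -d value has been seen
os_forceupgrade=false     # set by -u
os_workaround=18.04       # Ubuntu release the resolved workaround applied to (currently unused)

# Read the distribution name and version from os-release.  The file is a
# world-readable KEY="value" list, so it is sourced in a subshell rather than
# parsed with sudo/cat/grep/sed (the original also folded sed's stderr into the
# variable via 2>&1).  NAME and VERSION_ID are the fields the original
# pipelines extracted.
os_name=""
os_version=""
if [[ -r /etc/os-release ]]; then
  os_name=$(. /etc/os-release && printf '%s' "${NAME:-}")
  os_version=$(. /etc/os-release && printf '%s' "${VERSION_ID:-}")
else
  echo "warning: /etc/os-release not readable; OS-specific steps will be skipped" >&2
fi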
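#######################################
# Parse the command-line options into the script's globals.
# Globals:   dns_service, print_help, os_forceupgrade (written); OPTIND (reset)
# Arguments: the script's "$@"
# Outputs:   diagnostics for bad options to stderr
#######################################
parse_args() {
  local opt dns_choice
  OPTIND=1
  # The original optstring was "d:": 'u' was missing, so -u was rejected as
  # an unknown option even though the usage text documents it, and without
  # the leading ':' (silent mode) getopts never sets opt to ':' so that arm
  # was unreachable too.
  while getopts ":d:u" opt; do
    case "${opt}" in
      d)
        dns_choice=${OPTARG^^}
        if [[ "${dns_choice}" == "UNBOUND" || "${dns_choice}" == "PIHOLE" || "${dns_choice}" == "NONE" ]]; then
          dns_service=${dns_choice}
          print_help=false
        else
          echo "Invalid argument given: $OPTARG" >&2
          print_help=true
        fi
        ;;
      u)
        # -u on its own does not clear print_help: a valid -d is still required.
        os_forceupgrade=true
        ;;
      :)
        echo "Option -$OPTARG requires an argument." >&2
        print_help=true
        ;;
      \?)
        # silent mode suppresses getopts' own message, so report it here
        echo "Unknown option: -$OPTARG" >&2
        print_help=true
        ;;
    esac
  done
}
parse_args "$@"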
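#######################################
# Print the command-line synopsis.  -d is effectively mandatory: print_help
# is only cleared by a valid -d value, so -u alone still ends up here.
# Outputs:   usage text to stderr
#######################################
usage() {
  echo "Usage: wg-server-up.sh -d <unbound|pihole|none> [-u]" >&2
  echo "-d: Specifies which DNS service to use - Unbound, Pihole or None" >&2
  echo "-u: Force a distribution upgrade: (apt update dist-upgrade)" >&2
}

# The original ran the variable's value as a command in a subshell
# ('true'/'false'); comparing the string is explicit and does not execute data.
if [[ "${print_help}" == true ]]; then
  usage
  exit 1
fi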
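# Later steps write straight into /etc (wireguard, sysctl.d, unbound, cron)
# and run wg-quick without sudo, so the script only works as root; fail
# early instead of half-way through a partially configured host.
if [[ ${EUID} -ne 0 ]]; then
  echo "This script must be run as root (e.g. via sudo)." >&2
  exit 1
fi

working_dir="$HOME/wireguard"   # unused: the cd into it is commented out further down
#mkdir -p "${working_dir}"
mkdir -p "/etc/wireguard"
echo ----------------------------------------------update current patch to latest
sudo apt -y update
sudo apt -y upgrade
if [[ "${os_forceupgrade}" == true ]]; then
  echo ---------------------------------------update current distribution to latest
  sudo apt -y dist-upgrade
fi
echo ------------------------------------------------------install linux headers
# headers for the running kernel (presumably for the out-of-tree wireguard
# module build on older kernels — the closing hints mention the same dependency)
sudo apt install -y linux-headers-"$(uname -r)"
echo ------------------------------------------install software-properties-common
sudo apt install -y software-properties-common
echo ------------------------------------------------------------------install bc
sudo apt install -y bc
echo -----------------------------------------------------------install net-tools
# net-tools provides 'route', used below to find the default-route interface
sudo apt install -y net-tools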
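if [[ "${dns_service}" == "PIHOLE" ]]; then
  echo && echo ------------------------------------------install and configure pihole DNS
  # workaround for 127.0.0.53 for installation ONLY in Ubuntu 18.04 and lower (https://www.reddit.com/r/pihole/comments/8sgro3/server_name_resolution_messed_up_when_running/
  # and https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624320/comments/8)
  # (kept for reference; os_workaround/version_gt above were meant to gate it)
  # echo "Detecting version..."
  # if [[ "${os_name}" == "Ubuntu" ]]
  # then
  # echo "Ubuntu detected."
  # rm -f /etc/resolv.conf
  # ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
  # fi
  # preparing pihole: the installer is fetched from the project's install URL
  # and executed unattended.  A failed or partial download must not be run,
  # and the dhcpcd edit below is pointless if the install itself failed.
  if ! wget -O basic-pihole-install.sh https://install.pi-hole.net; then
    echo "error: could not download the pihole installer" >&2
    exit 1
  fi
  chmod 700 basic-pihole-install.sh
  if ! ./basic-pihole-install.sh --unattended --disable-install-webserver; then
    echo "error: pihole installer failed" >&2
    exit 1
  fi
  # configuring pihole-dns in similar workaround fashion
  # if [[ "${os_name}" == "Ubuntu" ]]
  # then
  # cat > /run/systemd/resolve/pihole-resolv.conf << ENDOFFILE
  # nameserver 127.0.0.1
  # ENDOFFILE
  # rm -f /etc/resolv.conf
  # ln -s /run/systemd/resolve/pihole-resolv.conf /etc/resolv.conf
  # fi
  # configure server to use pihole
  # NOTE(review): /etc/dhcpcd.conf only exists where dhcpcd manages the
  # network (e.g. Raspberry Pi OS); on a stock Ubuntu/Debian server the file
  # and the service are usually absent, so the step is skipped with a warning
  # instead of sed/systemctl failing on a missing file.
  if [[ -f /etc/dhcpcd.conf ]]; then
    sed -i.bak "s/^ static domain_name_servers=.*/ static domain_name_servers=127.0.0.1/" /etc/dhcpcd.conf
    #sed -i '42s/.*/ static domain_name_servers=127.0.0.1/' /etc/dhcpcd.conf
    systemctl restart dhcpcd
  else
    echo "warning: /etc/dhcpcd.conf not found; host resolver not pointed at pihole" >&2
  fi
fi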
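if [[ "${os_name}" == "Debian GNU/Linux" ]]; then
  echo ----------------------------------------install software-properties-common
  sudo apt update
  sudo apt install -y software-properties-common
  echo ----------------------------------------enable Debian backports repository
  # The original hard-coded "buster-backports" whatever release was running.
  # Use the running release's codename (VERSION_CODENAME from os-release) and
  # fall back to buster only when the field is missing, so newer releases get
  # their own backports suite instead of buster's.
  debian_codename=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-buster}")
  printf 'deb http://deb.debian.org/debian %s-backports main contrib non-free\n' "${debian_codename}" \
    | sudo tee "/etc/apt/sources.list.d/${debian_codename}-backports.list" >/dev/null
  sudo apt update
fi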
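echo ---------------------------------------------------------install wireguard
# if [[ "${os_name}" == "Ubuntu" ]]
# then
# echo "Adding Wireguard repository."
# sudo add-apt-repository -y ppa:wireguard/wireguard
# fi
sudo apt update && sudo apt upgrade -y
echo "Installing Wireguard."
# Everything from here on needs the wireguard tools (wg, wg-quick); stop
# instead of generating a config for a missing binary.
if ! sudo apt install -y wireguard; then
  echo "error: wireguard package installation failed" >&2
  exit 1
fi
# A failed modprobe (e.g. module not built for this kernel) is reported but
# does not abort: the closing hints tell the user how to recover after reboot.
sudo modprobe wireguard || echo "warning: could not load the wireguard kernel module" >&2
echo ----------------------------------------------------------install qrencode
sudo apt install -y qrencode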
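echo ---------------------------------------------- download wg-genconf-user.sh
#cd "${working_dir}" &&
# Fetched from the master branch, so the script's content can change between
# runs; pinning to a tag or commit would make the install reproducible.
# Without the check a failed download left a 0-byte "executable" behind.
if ! wget -O wg-genconf-user.sh https://raw.githubusercontent.com/tessharp/wireguard/master/wg-genconf-user.sh; then
  echo "error: could not download wg-genconf-user.sh" >&2
  exit 1
fi
chmod +x ./wg-genconf-user.sh
#echo ----------------------generate configurations for "${clients_count}" clients
#./wg-genconf.sh "${clients_count}"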
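echo ----------------------------------------------generate server configuration
# identify the public IP address of the server
echo "Retrieving public server IP and interface."
# dig is not installed by this script (it ships in dnsutils); without it the
# lookup just fails.  server_ip is only displayed, so warn rather than abort.
if command -v dig >/dev/null 2>&1; then
  server_ip=$(dig @resolver1.opendns.com ANY myip.opendns.com +short)
else
  server_ip=""
  echo "warning: dig not found (package dnsutils); public IP not detected" >&2
fi
# configuring the private server
server_private_key=$(wg genkey)
server_public_key=$(wg pubkey <<<"${server_private_key}")   # not used further in this script
server_config=wg0.conf
# identifying the public interface of the server: the Iface column (8) of
# 'route -n' on the default route (destination 0.0.0.0)
server_public_interface=$(route -n | awk '$1 == "0.0.0.0" {print $8}')
# an empty interface would produce a MASQUERADE rule with no -o argument in
# the PostUp line of the config written below
if [[ -z "${server_public_interface}" ]]; then
  echo "error: could not determine the default-route interface" >&2
  exit 1
fi
echo "Writing Wireguard server configuration."
echo Generate server \("${server_ip}"\) config:
echo
echo -e "\t//etc//wireguard//${server_config}"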
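#
# writing server config to file
#
# The file contains the private key, so create it unreadable to other users
# from the start (umask in a subshell) instead of relying on the chmod that
# only runs after the move.  ListenPort = 1194 has to match the UDP port the
# firewall rules open further down (currently 55000) — TODO confirm which
# port is intended.
(
  umask 077
  cat > "${server_config}" <<EOL
[Interface]
Address = 10.0.0.1/24
SaveConfig = false
ListenPort = 1194
PrivateKey = ${server_private_key}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${server_public_interface} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${server_public_interface} -j MASQUERADE
EOL
)
echo -----------------------------------move server\'s config to /etc/wireguard/
mv -v "./${server_config}" /etc/wireguard/
chown -v root:root "/etc/wireguard/${server_config}"
chmod -v 600 "/etc/wireguard/${server_config}"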
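echo ------------------------------------------------------------- run wireguard
# if the interface cannot come up there is nothing to enable or forward for
if ! wg-quick up wg0; then
  echo "error: wg-quick up wg0 failed; check /etc/wireguard/wg0.conf" >&2
  exit 1
fi
systemctl enable wg-quick@wg0
echo ------------------------------------------------------enable IPv4 forwarding
sysctl net.ipv4.ip_forward=1
# On Debian/Ubuntu /etc/sysctl.d/99-sysctl.conf is a symlink to
# /etc/sysctl.conf, so redirecting with '>' into it replaced the whole system
# file.  A dedicated drop-in (file name chosen here) keeps the setting isolated.
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-wireguard-forward.conf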
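echo ---------------------------------------------------configure firewall rules
#######################################
# Append an iptables rule only when an identical one is not already present,
# so re-running the script does not stack duplicate rules.
# Arguments: the rule as given to iptables -C / -A (chain first)
# Returns:   iptables' status
#######################################
add_rule() {
  sudo iptables -C "$@" 2>/dev/null || sudo iptables -A "$@"
}
add_rule INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add_rule FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): wg0.conf above sets ListenPort = 1194 while this opens
# 55000/udp; with a DROP policy the listener would be unreachable — confirm
# which port is intended.
add_rule INPUT -p udp -m udp --dport 55000 -m conntrack --ctstate NEW -j ACCEPT
# DNS only from the tunnel subnet (mirrors the unbound access-control below)
add_rule INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
add_rule INPUT -s 10.0.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# These are ACCEPT rules only: no chain policy is set here, so on a host
# whose INPUT policy is ACCEPT they restrict nothing by themselves.
# make firewall changes persistent
printf '%s\n' 'iptables-persistent iptables-persistent/autosave_v4 boolean true' | sudo debconf-set-selections
printf '%s\n' 'iptables-persistent iptables-persistent/autosave_v6 boolean true' | sudo debconf-set-selections
sudo apt install -y iptables-persistent
sudo systemctl enable netfilter-persistent
sudo netfilter-persistent save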
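if [[ "${dns_service}" == "UNBOUND" ]]; then
  echo && echo -----------------------------------------install and configure unbound DNS
  # curl is used for the root hints but is not installed anywhere else in this script
  sudo apt install -y unbound unbound-host curl
  # -f turns an HTTP error into a non-zero exit instead of saving the error
  # page as the hints file; the config below points root-hints: at this
  # file, so a missing file is fatal for unbound.
  if ! curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache; then
    echo "error: could not fetch root hints for unbound" >&2
    exit 1
  fi
  # monthly refresh of the hints; the interpreter line lets run-parts execute it
  printf '%s\n' '#!/bin/sh' \
    'curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache' \
    > /etc/cron.monthly/curl_root_hints.sh
  chmod +x /etc/cron.monthly/curl_root_hints.sh
  # quoted delimiter: the config holds no shell expansions and is written verbatim
  cat > /etc/unbound/unbound.conf << 'ENDOFFILE'
server:
num-threads: 4
# disable logs
verbosity: 0
# list of root DNS servers
root-hints: "/var/lib/unbound/root.hints"
# use the root server's key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
# IPs authorised to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.0.0.0/24 allow
# not allowed to be returned for public Internet names
private-address: 10.0.0.0/24
#hide DNS Server info
hide-identity: yes
hide-version: yes
# limit DNS fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
# add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
unwanted-reply-threshold: 10000000
# have the validator print validation failures to the log
val-log-level: 1
# minimum lifetime of cache entries in seconds
cache-min-ttl: 1800
# maximum lifetime of cached entries in seconds
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
# don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# reduce EDNS reassembly buffer size.
# suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# ensure privacy of local IP ranges
private-address: 10.0.0.0/24
ENDOFFILE
  # hand the hints/anchor directory to the unbound user (the original comment
  # said "root ownership", which is not what the command does); the trust
  # anchor file is presumably rewritten by unbound itself — confirm
  sudo chown -R unbound:unbound /var/lib/unbound
  # disable systemd-resolved so unbound can take port 53
  sudo systemctl stop systemd-resolved
  sudo systemctl disable systemd-resolved
  # NOTE(review): on Ubuntu /etc/resolv.conf typically points at the
  # systemd-resolved stub (127.0.0.53); once the service is stopped the
  # host's own resolution is broken until resolv.conf names 127.0.0.1.
  # Not handled here — confirm on the target system.
  # enable Unbound in place of systemd-resolved
  sudo systemctl enable unbound
  sudo systemctl start unbound
fi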
# show wg
wg show
# closing hints for the operator; printf keeps the tab/newline layout explicit
printf '\n%s\n' "You can add new clients by executing the following command:"
printf '\t%s\n' "wg-genconf-user.sh -c [Wireguard config file] -a [Name of client] -o [Client IP last octet]"
printf '\n%s\n' "Please check if the interface for Wireguard is currently working by executing the following command upon reboot:"
printf '\t%s\n' "ip addr show wg0"
printf '\n%s\n' "If the interface is not available, it may be due to headers/OS upgrade. Please run the following commands:"
printf '\t%s\n' "apt install linux-headers-$(uname -r)"
printf '\t%s\n' "sudo modprobe wireguard"
printf '\t%s\n' "reboot"
# reboot to make changes effective
printf '%s\n' "All done, reboot..."
reboot