Wireguard VPN setup script, to be run on a CentOS 8 fresh installation.
How to add and remove clients:

One-line ssh command to create a client for the VPN:
/etc/wireguard/./add-client.sh CLIENT_ID_HERE
Generates a QR code and conf files in the /etc/wireguard/clients/CLIENT_ID_HERE folder and sends mail if the user id is a valid e-mail address.

/etc/wireguard/./rm-client.sh CLIENT_ID_HERE
Disables and removes the client's conf files.
0) Update the server:
dnf update -y

1) Install Wireguard VPN
dnf install elrepo-release epel-release -y
dnf install kmod-wireguard wireguard-tools -y
2) Create an empty WireGuard server config file with proper permissions and generate keys
mkdir -v /etc/wireguard/
cd /etc/wireguard/
# umask 077 keeps the private key readable by root only
sh -c 'umask 077; wg genkey | tee privatekey | wg pubkey > publickey'
server_public_key=$(cat publickey)
server_private_key=$(cat privatekey)
3) Create Wireguard conf file
FILE=/etc/wireguard/wg0.conf
if test -f "$FILE"; then
    echo "$FILE already exists."
else
    # create the file with mode 600 before the private key is written into it
    (umask 077; touch "$FILE")
    # eth0 is assumed to be the server's public interface; adjust if it differs
    cat >> "$FILE" <<EOF
[Interface]
Address = 10.0.0.1/24,::ffff:a00:1/64
SaveConfig = true
ListenPort = 53759
PrivateKey = $server_private_key
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
fi
4) Check file permissions so that only root can access the key and config
chmod 600 /etc/wireguard/{privatekey,wg0.conf}
5) Launch Wireguard and set autostart
wg-quick up wg0
systemctl enable wg-quick@wg0
6) NAT networking
NATCONFFILE=/etc/sysctl.d/wg.conf
if test -f "$NATCONFFILE"; then
    echo "$NATCONFFILE already exists."
else
    cat >> "$NATCONFFILE" <<EOF
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
fi
sysctl -p "$NATCONFFILE"
7) Create script to add clients
dnf install qrencode mailx sendmail -y
service sendmail start
cat > /etc/wireguard/add-client.sh <<'EOF'
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "must pass a client name as an arg: add-client.sh new-client"
elif [ -d "/etc/wireguard/clients/$1" ]; then
    echo "A client exists, please pick another id or remove existing first."
    exit
else
    base_dir=/etc/wireguard
    # keep the client's private key readable by root only
    umask 077
    echo "Creating client config for: $1"
    sudo mkdir -p $base_dir/clients/$1
    sudo wg genkey | tee $base_dir/clients/$1/$1.priv | wg pubkey > $base_dir/clients/$1/$1.pub
    key=$(cat $base_dir/clients/$1/$1.priv)
    # next address = last assigned address + 1 (last-ip.txt is not bounded at .254
    # and addresses freed by rm-client.sh are not reused)
    ip="10.0.0."$(expr $(cat $base_dir/last-ip.txt | tr "." " " | awk '{print $4}') + 1)
    FQDN=$(hostname -f)
    SERVER_PUB_KEY=$(cat $base_dir/publickey)
    # fill the skeleton; '|' is used as the sed delimiter because base64 keys may contain '/'
    cat $base_dir/wg0-client.example.conf \
        | sed -e 's/:CLIENT_IP:/'"$ip"'/' \
        | sed -e 's|:CLIENT_KEY:|'"$key"'|' \
        | sed -e 's|:SERVER_PUB_KEY:|'"$SERVER_PUB_KEY"'|' \
        | sed -e 's|:SERVER_ADDRESS:|'"$FQDN"'|' \
        > $base_dir/clients/$1/AltaGradeVPN.conf
    echo $ip > $base_dir/last-ip.txt
    cp $base_dir/SETUP.txt $base_dir/clients/$1/SETUP.txt
    echo "Created config!"
    echo "Adding peer"
    sudo wg set wg0 peer $(cat $base_dir/clients/$1/$1.pub) allowed-ips $ip/32
    # SaveConfig = true in wg0.conf, so bringing the interface down persists the new peer
    sudo wg-quick down wg0
    sudo wg-quick up wg0
    sudo wg show
    sudo qrencode -t ansiutf8 < $base_dir/clients/$1/AltaGradeVPN.conf
    sudo qrencode -o $base_dir/clients/$1/AltaGradeVPN-QR.png < $base_dir/clients/$1/AltaGradeVPN.conf
    # Check if the clientid is an email address
    if [[ $1 == *"@"* ]]; then
        echo "An e-mail with configuration files is sent"
        echo "Please use provided conf file or the QR code to setup your Wireguard client. For more information please see: https://www.wireguard.com/install/" \
            | mail -s "AltaGrade VPN configuration files" -a $base_dir/clients/$1/AltaGradeVPN.conf -a $base_dir/clients/$1/AltaGradeVPN-QR.png $1
    else
        echo "Provided userid is not a valid e-mail address, no mail was sent"
    fi
fi
EOF
chmod +x /etc/wireguard/add-client.sh
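Two helper functions, added here as an example and not part of the original add-client.sh: validate_client_id rejects client ids that could escape /etc/wireguard/clients (the script uses $1 unquoted in mkdir/rm -rf paths and as the mail recipient), and next_free_ip derives the next unused 10.0.0.x address from the live peer table instead of last-ip.txt, so addresses freed by rm-client.sh are reused and the pool stops at .254. It assumes the 10.0.0.0/24 pool and the 10.0.0.1 server address from wg0.conf above.

```shell
#!/bin/bash
# Added example (not from the original script): hardening helpers for add-client.sh.

# Accept only letters, digits, '.', '_', '-' and '@' (e-mail ids); reject empty ids,
# path separators, leading dots and '..'. Returns 0 (valid) or 1 (invalid).
validate_client_id() {
    case $1 in
        '' | */* | .* | *..*) return 1 ;;
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Reads `wg show wg0 allowed-ips` output (pubkey<TAB>ip/32 ...) on stdin and prints
# the lowest unused host address in 10.0.0.2-10.0.0.254. Returns 1 when exhausted.
# .1 is pre-marked as used because it is the server's own address.
next_free_ip() {
    local used=" 1 " line field octet
    while read -r line; do
        for field in $line; do
            case $field in
                10.0.0.*/32) octet=${field#10.0.0.}; used="$used${octet%/32} " ;;
            esac
        done
    done
    octet=2
    while [ "$octet" -le 254 ]; do
        case $used in
            *" $octet "*) octet=$((octet + 1)) ;;
            *) echo "10.0.0.$octet"; return 0 ;;
        esac
    done
    return 1
}

# Intended use inside add-client.sh, replacing the last-ip.txt arithmetic:
#   validate_client_id "$1" || { echo "invalid client id" >&2; exit 1; }
#   ip=$(sudo wg show wg0 allowed-ips | next_free_ip) || { echo "pool exhausted" >&2; exit 1; }
```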
8) Skeleton file for client conf
cat > /etc/wireguard/wg0-client.example.conf <<'EOF'
[Interface]
Address = :CLIENT_IP:/24
DNS = 1.1.1.1
PrivateKey = :CLIENT_KEY:

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
PublicKey = :SERVER_PUB_KEY:
Endpoint = :SERVER_ADDRESS::53759
PersistentKeepalive = 25
EOF
9) A file containing the last IP assigned, used to incrementally assign addresses to new clients
# add-client.sh reads this file from /etc/wireguard, so write it there explicitly
echo "10.0.0.1" > /etc/wireguard/last-ip.txt
10) Remove client script
cat > /etc/wireguard/rm-client.sh <<'EOF'
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "must have peer id as arg: remove-client.sh <client id>"
elif [ -d "/etc/wireguard/clients/$1" ]; then
    key=$(cat /etc/wireguard/clients/$1/$1.pub)
    sudo wg set wg0 peer $key remove
    # SaveConfig = true, so the interface restart persists the removal in wg0.conf
    sudo wg-quick down wg0
    sudo wg-quick up wg0
    sudo wg show
    sudo rm -rf /etc/wireguard/clients/$1
else
    echo "No such client has been registered"
fi
EOF
chmod +x /etc/wireguard/rm-client.sh
11) Create SETUP.txt for clients
cat >> /etc/wireguard/SETUP.txt <<'EOF'
# Install instructions for AltaGrade clients created by add-client.sh
Wireguard install guides: https://www.wireguard.com/install/
EOF
12) Set up SSH, the altagrade user, banner, prompt and aliases
BUG: this part should be run manually, since the 56th node inside 65 is not being embedded.