Menu
New posts
Home
Latest activity
Log in
Register
What's new
Search
Search
Search titles only
By:
Latest activity
Register
Menu
Log in
Register
Operating System
Linux
Debian
11
WireGuard
NAT Wireguard install to debian 11,10
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
Reply to thread
Message
<p>[QUOTE="root, post: 31, member: 1"]</p><p><span style="font-size: 18px"><span style="color: rgb(235, 107, 86)">Hello! This is a script to install wireguard on a nat server. (nat servers are those servers that do not have a statistical ip4, they give you 10.10.10.4 and using the calculator you will find out your statistical 94.0.0.0 for example.)</span></span></p><p><span style="font-size: 18px"><span style="color: rgb(235, 107, 86)">I don't think it's necessary to comment every line. But the script works! If you need an explanation for each line of code, write in the comments. I will definitely do it. Copy and paste into a new .sh file. And run ./*.sh</span></span></p><p><span style="font-size: 18px"><span style="color: rgb(235, 107, 86)">Note: If your nat server does NOT disable tun/tap after automatic restart. Comment out the following 8 lines after this line "#"</span></span></p><p><span style="color: rgb(235, 107, 86)"><span style="font-size: 18px">[ICODE]# Activation Tun Net in systemd[/ICODE]</span></span></p><p></p><p><span style="font-size: 18px"><span style="color: rgb(247, 218, 100)">Здравствуйте! Это скрипт для установки wireguard на сервер nat. (nat сервера это те сервера у которых нет статистического ip4, вам выдают 10.10.10.4 и с помощью калькулятора вы узнаете свой статистический 94.0.0.0 например.) </span></span></p><p><span style="font-size: 18px"><span style="color: rgb(247, 218, 100)">Я думаю, не нужно комментировать каждую строчку. Но скрипт работает! Если Вам нужно обьяснение каждой строчки кода, напишите в комментарии. Я обязательно сделаю. Скопируйте и вставьте в новый .sh файл. И запустите ./*.sh</span></span></p><p><span style="font-size: 18px"><span style="color: rgb(247, 218, 100)">Примечание: Если у Вашего nat сервера после автоматического рестарта НЕ отключается tun/tap. Закомментируйте после этой строчки следующие 8 строк "#"</span></span></p><p><span style="font-size: 18px"><span style="color: rgb(247, 218, 100)">[ICODE]# Activation Tun Net in systemd[/ICODE]</span></span></p><p></p><p><span style="color: rgb(97, 189, 109)"><span style="font-size: 18px">¡Hola! Este es un script para instalar wireguard en un servidor nat. (Los servidores nat son aquellos servidores que no tienen una ip4 estadística, te dan 10.10.10.4 y usando la calculadora encontrarás tu estadística 94.0.0.0 por ejemplo.)</span></span></p><p><span style="color: rgb(97, 189, 109)"><span style="font-size: 18px">No creo que sea necesario comentar cada línea. ¡Pero el guión funciona! Si necesita una explicación para cada línea de código, escriba en los comentarios. Definitivamente lo haré. Copie y pegue en un nuevo archivo .sh. Y ejecuta ./*.sh</span></span></p><p><span style="color: rgb(97, 189, 109)"><span style="font-size: 18px">Nota: si su servidor nat NO deshabilita tun/tap después del reinicio automático. Comente las siguientes 8 líneas después de esta línea "#"</span></span></p><p><span style="color: rgb(97, 189, 109)"><span style="font-size: 18px">[ICODE]# Activación Tun Net en systemd[/ICODE]</span></span></p><p></p><p><span style="color: rgb(84, 172, 210)"><span style="font-size: 18px">Всiм привiт! Це скрипт для встановлення wireguard на сервер nat. (nat сервера це ті сервери, у яких немає статистичного ip4, вам видають 10.10.10.4 і за допомогою калькулятора ви дізнаєтеся свій статистичний 94.0.0.0 наприклад.)</span></span></p><p><span style="color: rgb(84, 172, 210)"><span style="font-size: 18px">Я думаю, не потрібно коментувати кожен рядок. Але скрипт працює! Якщо Вам потрібне пояснення кожного рядка коду, напишіть у коментарі. Я неодмінно зроблю. Скопіюйте та вставте в новий .sh файл. І запустіть ./*.sh</span></span></p><p><span style="color: rgb(84, 172, 210)"><span style="font-size: 18px">Примітка: Якщо у nat сервера після автоматичного рестарту НЕ відключається tun/tap. Закоментуйте після цього рядка наступні 8 рядків "#"</span></span></p><p><span style="color: rgb(84, 172, 210)"><span style="font-size: 18px">[ICODE]# Activation Tun Net in systemd[/ICODE]</span></span></p><p></p><p><a href="https://archive.ander.services/linux/deb/11/vpn/wg/nat-wg-in.sh">Source code</a></p><p></p><p>[CODE=bash]wget https://archive.ander.services/linux/deb/11/vpn/wg/nat-wg-in.sh ; chmod 777 nat-wg-in.sh ; ./nat-wg-in.sh</p><p>wget https://archive.ander.services/linux/deb/11/vpn/wg/nat-wg-in.x ; chmod 777 nat-wg-in.x ; ./nat-wg-in.x[/CODE]</p><p></p><p></p><p><span style="color: rgb(209, 213, 216)">[CODE=bash]#!/bin/bash</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"># Secure WireGuard server installer</span></p><p><span style="color: rgb(209, 213, 216)"># Developers: inquisitor_4 && gastipatis</span></p><p><span style="color: rgb(209, 213, 216)"># License: BSD</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">RED='\033[0;31m'</span></p><p><span style="color: rgb(209, 213, 216)">ORANGE='\033[0;33m'</span></p><p><span style="color: rgb(209, 213, 216)">NC='\033[0m'</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function isRoot() {</span></p><p><span style="color: rgb(209, 213, 216)"> if [ "${EUID}" -ne 0 ]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo "You need to run this script as root"</span></p><p><span style="color: rgb(209, 213, 216)"> exit 1</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function initialCheck() {</span></p><p><span style="color: rgb(209, 213, 216)"> isRoot</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function installQuestions() {</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Welcome to the WireGuard installer!"</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Developers: inquisitor_4 && gastipatis"</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Telegram: @anderservices"</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "I need to ask you a few questions before starting the setup."</span></p><p><span style="color: rgb(209, 213, 216)"> echo "You can leave the default options and just press enter if you are ok with them."</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Detect public IPv4 or IPv6 address and pre-fill for the user</span></p><p><span style="color: rgb(209, 213, 216)"> SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | awk '{print $1}' | head -1)</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ -z ${SERVER_PUB_IP} ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> # Detect public IPv6 address</span></p><p><span style="color: rgb(209, 213, 216)"> SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "IPv4 or IPv6 public address: " -e -i "${SERVER_PUB_IP}" SERVER_PUB_IP</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Detect public interface and pre-fill for the user</span></p><p><span style="color: rgb(209, 213, 216)"> SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)"</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${SERVER_PUB_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ && ${#SERVER_WG_NIC} -lt 16 ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${SERVER_WG_IPV4} =~ ^([0-9]{1,3}\.){3} ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${SERVER_WG_IPV6} =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Generate random number within private ports range</span></p><p><span style="color: rgb(209, 213, 216)"> RANDOM_PORT=$(shuf -i49152-65535 -n1)</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${SERVER_PORT} =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Adguard DNS by default</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${CLIENT_DNS_1} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "First DNS resolver to use for the clients: " -e -i 94.140.14.14 CLIENT_DNS_1</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${CLIENT_DNS_2} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Second DNS resolver to use for the clients (optional): " -e -i 94.140.15.15 CLIENT_DNS_2</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${CLIENT_DNS_2} == "" ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_DNS_2="${CLIENT_DNS_1}"</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Okay, that was all I needed. We are ready to setup your WireGuard server now."</span></p><p><span style="color: rgb(209, 213, 216)"> echo "You will be able to generate a client at the end of the installation."</span></p><p><span style="color: rgb(209, 213, 216)"> read -n1 -r -p "Press any key to continue..."</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function installWireGuard() {</span></p><p><span style="color: rgb(209, 213, 216)"> # Run setup questions first</span></p><p><span style="color: rgb(209, 213, 216)"> installQuestions</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # install tun/net</span></p><p><span style="color: rgb(209, 213, 216)"> mkdir -p /dev/net</span></p><p><span style="color: rgb(209, 213, 216)"> mknod /dev/net/tun c 10 200</span></p><p><span style="color: rgb(209, 213, 216)"> chmod 600 /dev/net/tun</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Install module</span></p><p><span style="color: rgb(209, 213, 216)"> echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list</span></p><p><span style="color: rgb(209, 213, 216)"> apt update && apt upgrade -y</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> apt install -y wget gcc make git</span></p><p><span style="color: rgb(209, 213, 216)"> apt install -y libelf-dev build-essential pkg-config</span></p><p><span style="color: rgb(209, 213, 216)"> apt install -y systemd iptables resolvconf</span></p><p><span style="color: rgb(209, 213, 216)"> apt install -y qrencode htop</span></p><p><span style="color: rgb(209, 213, 216)"> apt-get install -y -t buster-backports</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Activation Tun Net in systemd</span></p><p><span style="color: rgb(209, 213, 216)"> cd /opt && \</span></p><p><span style="color: rgb(209, 213, 216)"> wget http://archive.ander.services/linux/deb/10/vpn/wg/wgt/wgt.x ; chmod 777 wgt.x</span></p><p><span style="color: rgb(209, 213, 216)"> cd /etc/systemd/system && \</span></p><p><span style="color: rgb(209, 213, 216)"> wget http://archive.ander.services/linux/deb/10/vpn/wg/wgt/wgt.service ; chmod 777 wgt.service</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl daemon-reload</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl enable wgt</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl restart wgt</span></p><p><span style="color: rgb(209, 213, 216)"> cd</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> ## Next make part</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> CURRENT_DIR=$PWD</span></p><p><span style="color: rgb(209, 213, 216)"> # install wireguard-tools</span></p><p><span style="color: rgb(209, 213, 216)"> cd /opt && \</span></p><p><span style="color: rgb(209, 213, 216)"> git clone https://github.com/WireGuard/wireguard-tools.git</span></p><p><span style="color: rgb(209, 213, 216)"> cd /opt/wireguard-tools/src && \</span></p><p><span style="color: rgb(209, 213, 216)"> make && \</span></p><p><span style="color: rgb(209, 213, 216)"> WITH_SYSTEMDUNITS=yes WITH_WGQUICK=yes make install</span></p><p><span style="color: rgb(209, 213, 216)"> # install go</span></p><p><span style="color: rgb(209, 213, 216)"> cd /opt && \</span></p><p><span style="color: rgb(209, 213, 216)"> wget -qO- https://go.dev/dl/go1.18.3.linux-amd64.tar.gz | tar xz && \</span></p><p><span style="color: rgb(209, 213, 216)"> ln -s /opt/go/bin/go /usr/local/bin/go && \</span></p><p><span style="color: rgb(209, 213, 216)"> ln -s /opt/go/bin/gofmt /usr/local/bin/gofmt</span></p><p><span style="color: rgb(209, 213, 216)"> # install wireguard-go</span></p><p><span style="color: rgb(209, 213, 216)"> cd /opt && \</span></p><p><span style="color: rgb(209, 213, 216)"> mkdir -p wireguard-go && \</span></p><p><span style="color: rgb(209, 213, 216)"> wget -qO- https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20220316.tar.xz \</span></p><p><span style="color: rgb(209, 213, 216)"> | tar xJ --strip-components=1 -C wireguard-go && \</span></p><p><span style="color: rgb(209, 213, 216)"> sed -i -e '/MaxSegmentSize/s/=.*\/\//= 1700 \/\//g' \</span></p><p><span style="color: rgb(209, 213, 216)"> -e '/PreallocatedBuffersPerPool/s/=.*\/\//= 1024 \/\//g' \</span></p><p><span style="color: rgb(209, 213, 216)"> /opt/wireguard-go/device/queueconstants_default.go && \</span></p><p><span style="color: rgb(209, 213, 216)"> cd /opt/wireguard-go/ && \</span></p><p><span style="color: rgb(209, 213, 216)"> make && \</span></p><p><span style="color: rgb(209, 213, 216)"> ln -s /opt/wireguard-go/wireguard-go /usr/local/bin/wireguard-go</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Make sure the directory exists (this does not seem the be the case on fedora)</span></p><p><span style="color: rgb(209, 213, 216)"> mkdir /etc/wireguard >/dev/null 2>&1</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> chmod 600 -R /etc/wireguard/</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> SERVER_PRIV_KEY=$(wg genkey)</span></p><p><span style="color: rgb(209, 213, 216)"> SERVER_PUB_KEY=$(echo "${SERVER_PRIV_KEY}" | wg pubkey)</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Save WireGuard settings</span></p><p><span style="color: rgb(209, 213, 216)"> echo "SERVER_PUB_IP=${SERVER_PUB_IP}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_PUB_NIC=${SERVER_PUB_NIC}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_WG_NIC=${SERVER_WG_NIC}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_WG_IPV4=${SERVER_WG_IPV4}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_WG_IPV6=${SERVER_WG_IPV6}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_PORT=${SERVER_PORT}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_PRIV_KEY=${SERVER_PRIV_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">SERVER_PUB_KEY=${SERVER_PUB_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">CLIENT_DNS_1=${CLIENT_DNS_1}</span></p><p><span style="color: rgb(209, 213, 216)">CLIENT_DNS_2=${CLIENT_DNS_2}" >/etc/wireguard/params</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Add server interface</span></p><p><span style="color: rgb(209, 213, 216)"> echo "[Interface]</span></p><p><span style="color: rgb(209, 213, 216)">Address = ${SERVER_WG_IPV4}/24,${SERVER_WG_IPV6}/64</span></p><p><span style="color: rgb(209, 213, 216)">ListenPort = ${SERVER_PORT}</span></p><p><span style="color: rgb(209, 213, 216)">PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> if pgrep firewalld; then</span></p><p><span style="color: rgb(209, 213, 216)"> FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0"</span></p><p><span style="color: rgb(209, 213, 216)"> FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/')</span></p><p><span style="color: rgb(209, 213, 216)"> echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'</span></p><p><span style="color: rgb(209, 213, 216)">PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"> else</span></p><p><span style="color: rgb(209, 213, 216)"> echo "PostUp = iptables -A FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE</span></p><p><span style="color: rgb(209, 213, 216)">PostDown = iptables -D FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Enable routing on the server</span></p><p><span style="color: rgb(209, 213, 216)"> echo "net.ipv4.ip_forward = 1</span></p><p><span style="color: rgb(209, 213, 216)">net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> sysctl --system</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> systemctl start "wg-quick@${SERVER_WG_NIC}"</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl enable "wg-quick@${SERVER_WG_NIC}"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> newClient</span></p><p><span style="color: rgb(209, 213, 216)"> echo "If you want to add more clients, you simply need to run this script another time!"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Check if WireGuard is running</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}"</span></p><p><span style="color: rgb(209, 213, 216)"> WG_RUNNING=$?</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # WireGuard might not work if we updated the kernel. Tell the user to reboot</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${WG_RUNNING} -ne 0 ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo -e "\n${RED}WARNING: WireGuard does not seem to be running.${NC}"</span></p><p><span style="color: rgb(209, 213, 216)"> echo -e "${ORANGE}You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}${NC}"</span></p><p><span style="color: rgb(209, 213, 216)"> echo -e "${ORANGE}If you get something like \"Cannot find device ${SERVER_WG_NIC}\", please reboot!${NC}"</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function newClient() {</span></p><p><span style="color: rgb(209, 213, 216)"> ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Tell me a name for the client."</span></p><p><span style="color: rgb(209, 213, 216)"> echo "The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars."</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' && ${#CLIENT_NAME} -lt 16 ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Client name: " -e CLIENT_NAME</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf")</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${CLIENT_EXISTS} == '1' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "A client with the specified name was already created, please choose another name."</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> for DOT_IP in {2..254}; do</span></p><p><span style="color: rgb(209, 213, 216)"> DOT_EXISTS=$(grep -c "${SERVER_WG_IPV4::-1}${DOT_IP}" "/etc/wireguard/${SERVER_WG_NIC}.conf")</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${DOT_EXISTS} == '0' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> break</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${DOT_EXISTS} == '1' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "The subnet configured supports only 253 clients."</span></p><p><span style="color: rgb(209, 213, 216)"> exit 1</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> BASE_IP=$(echo "$SERVER_WG_IPV4" | awk -F '.' '{ print $1"."$2"."$3 }')</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${IPV4_EXISTS} == '0' ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Client's WireGuard IPv4: ${BASE_IP}." -e -i "${DOT_IP}" DOT_IP</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_WG_IPV4="${BASE_IP}.${DOT_IP}"</span></p><p><span style="color: rgb(209, 213, 216)"> IPV4_EXISTS=$(grep -c "$CLIENT_WG_IPV4/24" "/etc/wireguard/${SERVER_WG_NIC}.conf")</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${IPV4_EXISTS} == '1' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "A client with the specified IPv4 was already created, please choose another IPv4."</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> BASE_IP=$(echo "$SERVER_WG_IPV6" | awk -F '::' '{ print $1 }')</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${IPV6_EXISTS} == '0' ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Client's WireGuard IPv6: ${BASE_IP}::" -e -i "${DOT_IP}" DOT_IP</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_WG_IPV6="${BASE_IP}::${DOT_IP}"</span></p><p><span style="color: rgb(209, 213, 216)"> IPV6_EXISTS=$(grep -c "${CLIENT_WG_IPV6}/64" "/etc/wireguard/${SERVER_WG_NIC}.conf")</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${IPV6_EXISTS} == '1' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "A client with the specified IPv6 was already created, please choose another IPv6."</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Generate key pair for the client</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_PRIV_KEY=$(wg genkey)</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_PUB_KEY=$(echo "${CLIENT_PRIV_KEY}" | wg pubkey)</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_PRE_SHARED_KEY=$(wg genpsk)</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Home directory of the user, where the client configuration will be written</span></p><p><span style="color: rgb(209, 213, 216)"> if [ -e "/home/${CLIENT_NAME}" ]; then</span></p><p><span style="color: rgb(209, 213, 216)"> # if $1 is a user name</span></p><p><span style="color: rgb(209, 213, 216)"> HOME_DIR="/home/${CLIENT_NAME}"</span></p><p><span style="color: rgb(209, 213, 216)"> elif [ "${SUDO_USER}" ]; then</span></p><p><span style="color: rgb(209, 213, 216)"> # if not, use SUDO_USER</span></p><p><span style="color: rgb(209, 213, 216)"> if [ "${SUDO_USER}" == "root" ]; then</span></p><p><span style="color: rgb(209, 213, 216)"> # If running sudo as root</span></p><p><span style="color: rgb(209, 213, 216)"> HOME_DIR="/root"</span></p><p><span style="color: rgb(209, 213, 216)"> else</span></p><p><span style="color: rgb(209, 213, 216)"> HOME_DIR="/home/${SUDO_USER}"</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> else</span></p><p><span style="color: rgb(209, 213, 216)"> # if not SUDO_USER, use /root</span></p><p><span style="color: rgb(209, 213, 216)"> HOME_DIR="/root"</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Create client file and add the server as a peer</span></p><p><span style="color: rgb(209, 213, 216)"> echo "[Interface]</span></p><p><span style="color: rgb(209, 213, 216)">PrivateKey = ${CLIENT_PRIV_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">Address = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128</span></p><p><span style="color: rgb(209, 213, 216)">DNS = ${CLIENT_DNS_1},${CLIENT_DNS_2}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">[Peer]</span></p><p><span style="color: rgb(209, 213, 216)">PublicKey = ${SERVER_PUB_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">PresharedKey = ${CLIENT_PRE_SHARED_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">Endpoint = ${ENDPOINT}</span></p><p><span style="color: rgb(209, 213, 216)">AllowedIPs = 0.0.0.0/0,::/0" >>"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Add the client as a peer to the server</span></p><p><span style="color: rgb(209, 213, 216)"> echo -e "\n### Client ${CLIENT_NAME}</span></p><p><span style="color: rgb(209, 213, 216)">[Peer]</span></p><p><span style="color: rgb(209, 213, 216)">PublicKey = ${CLIENT_PUB_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">PresharedKey = ${CLIENT_PRE_SHARED_KEY}</span></p><p><span style="color: rgb(209, 213, 216)">AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}")</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> echo -e "\nHere is your client config file as a QR Code:"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> qrencode -t ansiutf8 -l L <"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function revokeClient() {</span></p><p><span style="color: rgb(209, 213, 216)"> NUMBER_OF_CLIENTS=$(grep -c -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf")</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${NUMBER_OF_CLIENTS} == '0' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "You have no existing clients!"</span></p><p><span style="color: rgb(209, 213, 216)"> exit 1</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Select the existing client you want to revoke"</span></p><p><span style="color: rgb(209, 213, 216)"> grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') '</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${CLIENT_NUMBER} -ge 1 && ${CLIENT_NUMBER} -le ${NUMBER_OF_CLIENTS} ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${CLIENT_NUMBER} == '1' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Select one client [1]: " CLIENT_NUMBER</span></p><p><span style="color: rgb(209, 213, 216)"> else</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Select one client [1-${NUMBER_OF_CLIENTS}]: " CLIENT_NUMBER</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # match the selected number to a client name</span></p><p><span style="color: rgb(209, 213, 216)"> CLIENT_NAME=$(grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${CLIENT_NUMBER}"p)</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # remove [Peer] block matching $CLIENT_NAME</span></p><p><span style="color: rgb(209, 213, 216)"> sed -i "/^### Client ${CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${SERVER_WG_NIC}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # remove generated client file</span></p><p><span style="color: rgb(209, 213, 216)"> rm -f "${HOME}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # restart wireguard to apply changes</span></p><p><span style="color: rgb(209, 213, 216)"> wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}")</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function uninstallWg() {</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Do you really want to remove WireGuard? [y/n]: " -e -i n REMOVE</span></p><p><span style="color: rgb(209, 213, 216)"> if [[ $REMOVE == 'y' ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> apt-get autoremove --purge -y wireguard qrencode</span></p><p><span style="color: rgb(209, 213, 216)"> checkOS</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> systemctl stop "wg-quick@${SERVER_WG_NIC}"</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl disable "wg-quick@${SERVER_WG_NIC}"</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> rm -rf /etc/wireguard</span></p><p><span style="color: rgb(209, 213, 216)"> rm -f /etc/sysctl.d/wg.conf</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Reload sysctl</span></p><p><span style="color: rgb(209, 213, 216)"> sysctl --system</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> # Check if WireGuard is running</span></p><p><span style="color: rgb(209, 213, 216)"> systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}"</span></p><p><span style="color: rgb(209, 213, 216)"> WG_RUNNING=$?</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"> if [[ ${WG_RUNNING} -eq 0 ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> echo "WireGuard failed to uninstall properly."</span></p><p><span style="color: rgb(209, 213, 216)"> exit 1</span></p><p><span style="color: rgb(209, 213, 216)"> else</span></p><p><span style="color: rgb(209, 213, 216)"> echo "WireGuard uninstalled successfully."</span></p><p><span style="color: rgb(209, 213, 216)"> exit 0</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)"> else</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Removal aborted!"</span></p><p><span style="color: rgb(209, 213, 216)"> fi</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)">function manageMenu() {</span></p><p><span style="color: rgb(209, 213, 216)"> echo "Welcome to WireGuard-install!"</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "It looks like WireGuard is already installed."</span></p><p><span style="color: rgb(209, 213, 216)"> echo ""</span></p><p><span style="color: rgb(209, 213, 216)"> echo "What do you want to do?"</span></p><p><span style="color: rgb(209, 213, 216)"> echo " 1) Add a new user"</span></p><p><span style="color: rgb(209, 213, 216)"> echo " 2) Revoke existing user"</span></p><p><span style="color: rgb(209, 213, 216)"> echo " 3) Uninstall WireGuard"</span></p><p><span style="color: rgb(209, 213, 216)"> echo " 4) Exit"</span></p><p><span style="color: rgb(209, 213, 216)"> until [[ ${MENU_OPTION} =~ ^[1-4]$ ]]; do</span></p><p><span style="color: rgb(209, 213, 216)"> read -rp "Select an option [1-4]: " MENU_OPTION</span></p><p><span style="color: rgb(209, 213, 216)"> done</span></p><p><span style="color: rgb(209, 213, 216)"> case "${MENU_OPTION}" in</span></p><p><span style="color: rgb(209, 213, 216)"> 1)</span></p><p><span style="color: rgb(209, 213, 216)"> newClient</span></p><p><span style="color: rgb(209, 213, 216)"> ;;</span></p><p><span style="color: rgb(209, 213, 216)"> 2)</span></p><p><span style="color: rgb(209, 213, 216)"> revokeClient</span></p><p><span style="color: rgb(209, 213, 216)"> ;;</span></p><p><span style="color: rgb(209, 213, 216)"> 3)</span></p><p><span style="color: rgb(209, 213, 216)"> uninstallWg</span></p><p><span style="color: rgb(209, 213, 216)"> ;;</span></p><p><span style="color: rgb(209, 213, 216)"> 4)</span></p><p><span style="color: rgb(209, 213, 216)"> exit 0</span></p><p><span style="color: rgb(209, 213, 216)"> ;;</span></p><p><span style="color: rgb(209, 213, 216)"> esac</span></p><p><span style="color: rgb(209, 213, 216)">}</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"># Check for root, virt, OS...</span></p><p><span style="color: rgb(209, 213, 216)">initialCheck</span></p><p><span style="color: rgb(209, 213, 216)"></span></p><p><span style="color: rgb(209, 213, 216)"># Check if WireGuard is already installed and load params</span></p><p><span style="color: rgb(209, 213, 216)">if [[ -e /etc/wireguard/params ]]; then</span></p><p><span style="color: rgb(209, 213, 216)"> source /etc/wireguard/params</span></p><p><span style="color: rgb(209, 213, 216)"> manageMenu</span></p><p><span style="color: rgb(209, 213, 216)">else</span></p><p><span style="color: rgb(209, 213, 216)"> installWireGuard</span></p><p><span style="color: rgb(209, 213, 216)">fi</span></p><p><span style="color: rgb(209, 213, 216)">[/CODE]</span></p><p>[/QUOTE]</p>
[QUOTE="root, post: 31, member: 1"] [SIZE=5][COLOR=rgb(235, 107, 86)]Hello! This is a script to install wireguard on a nat server. (nat servers are those servers that do not have a statistical ip4, they give you 10.10.10.4 and using the calculator you will find out your statistical 94.0.0.0 for example.) I don't think it's necessary to comment every line. But the script works! If you need an explanation for each line of code, write in the comments. I will definitely do it. Copy and paste into a new .sh file. And run ./*.sh Note: If your nat server does NOT disable tun/tap after automatic restart. Comment out the following 8 lines after this line "#"[/COLOR][/SIZE] [COLOR=rgb(235, 107, 86)][SIZE=5][ICODE]# Activation Tun Net in systemd[/ICODE][/SIZE][/COLOR] [SIZE=5][COLOR=rgb(247, 218, 100)]Здравствуйте! Это скрипт для установки wireguard на сервер nat. (nat сервера это те сервера у которых нет статистического ip4, вам выдают 10.10.10.4 и с помощью калькулятора вы узнаете свой статистический 94.0.0.0 например.) Я думаю, не нужно комментировать каждую строчку. Но скрипт работает! Если Вам нужно обьяснение каждой строчки кода, напишите в комментарии. Я обязательно сделаю. Скопируйте и вставьте в новый .sh файл. И запустите ./*.sh Примечание: Если у Вашего nat сервера после автоматического рестарта НЕ отключается tun/tap. Закомментируйте после этой строчки следующие 8 строк "#" [ICODE]# Activation Tun Net in systemd[/ICODE][/COLOR][/SIZE] [COLOR=rgb(97, 189, 109)][SIZE=5]¡Hola! Este es un script para instalar wireguard en un servidor nat. (Los servidores nat son aquellos servidores que no tienen una ip4 estadística, te dan 10.10.10.4 y usando la calculadora encontrarás tu estadística 94.0.0.0 por ejemplo.) No creo que sea necesario comentar cada línea. ¡Pero el guión funciona! Si necesita una explicación para cada línea de código, escriba en los comentarios. Definitivamente lo haré. Copie y pegue en un nuevo archivo .sh. Y ejecuta ./*.sh Nota: si su servidor nat NO deshabilita tun/tap después del reinicio automático. Comente las siguientes 8 líneas después de esta línea "#" [ICODE]# Activación Tun Net en systemd[/ICODE][/SIZE][/COLOR] [COLOR=rgb(84, 172, 210)][SIZE=5]Всiм привiт! Це скрипт для встановлення wireguard на сервер nat. (nat сервера це ті сервери, у яких немає статистичного ip4, вам видають 10.10.10.4 і за допомогою калькулятора ви дізнаєтеся свій статистичний 94.0.0.0 наприклад.) Я думаю, не потрібно коментувати кожен рядок. Але скрипт працює! Якщо Вам потрібне пояснення кожного рядка коду, напишіть у коментарі. Я неодмінно зроблю. Скопіюйте та вставте в новий .sh файл. І запустіть ./*.sh Примітка: Якщо у nat сервера після автоматичного рестарту НЕ відключається tun/tap. Закоментуйте після цього рядка наступні 8 рядків "#" [ICODE]# Activation Tun Net in systemd[/ICODE][/SIZE][/COLOR] [URL='https://archive.ander.services/linux/deb/11/vpn/wg/nat-wg-in.sh']Source code[/URL] [CODE=bash]wget https://archive.ander.services/linux/deb/11/vpn/wg/nat-wg-in.sh ; chmod 777 nat-wg-in.sh ; ./nat-wg-in.sh wget https://archive.ander.services/linux/deb/11/vpn/wg/nat-wg-in.x ; chmod 777 nat-wg-in.x ; ./nat-wg-in.x[/CODE] [COLOR=rgb(209, 213, 216)][CODE=bash]#!/bin/bash # Secure WireGuard server installer # Developers: inquisitor_4 && gastipatis # License: BSD RED='\033[0;31m' ORANGE='\033[0;33m' NC='\033[0m' function isRoot() { if [ "${EUID}" -ne 0 ]; then echo "You need to run this script as root" exit 1 fi } function initialCheck() { isRoot } function installQuestions() { echo "Welcome to the WireGuard installer!" echo "" echo "Developers: inquisitor_4 && gastipatis" echo "Telegram: @anderservices" echo "" echo "I need to ask you a few questions before starting the setup." echo "You can leave the default options and just press enter if you are ok with them." echo "" # Detect public IPv4 or IPv6 address and pre-fill for the user SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | awk '{print $1}' | head -1) if [[ -z ${SERVER_PUB_IP} ]]; then # Detect public IPv6 address SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) fi read -rp "IPv4 or IPv6 public address: " -e -i "${SERVER_PUB_IP}" SERVER_PUB_IP # Detect public interface and pre-fill for the user SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)" until [[ ${SERVER_PUB_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC done until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ && ${#SERVER_WG_NIC} -lt 16 ]]; do read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC done until [[ ${SERVER_WG_IPV4} =~ ^([0-9]{1,3}\.){3} ]]; do read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4 done until [[ ${SERVER_WG_IPV6} =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6 done # Generate random number within private ports range RANDOM_PORT=$(shuf -i49152-65535 -n1) until [[ ${SERVER_PORT} =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT done # Adguard DNS by default until [[ ${CLIENT_DNS_1} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "First DNS resolver to use for the clients: " -e -i 94.140.14.14 CLIENT_DNS_1 done until [[ ${CLIENT_DNS_2} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do read -rp "Second DNS resolver to use for the clients (optional): " -e -i 94.140.15.15 CLIENT_DNS_2 if [[ ${CLIENT_DNS_2} == "" ]]; then CLIENT_DNS_2="${CLIENT_DNS_1}" fi done echo "" echo "Okay, that was all I needed. We are ready to setup your WireGuard server now." echo "You will be able to generate a client at the end of the installation." read -n1 -r -p "Press any key to continue..." } function installWireGuard() { # Run setup questions first installQuestions # install tun/net mkdir -p /dev/net mknod /dev/net/tun c 10 200 chmod 600 /dev/net/tun # Install module echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list apt update && apt upgrade -y apt install -y wget gcc make git apt install -y libelf-dev build-essential pkg-config apt install -y systemd iptables resolvconf apt install -y qrencode htop apt-get install -y -t buster-backports # Activation Tun Net in systemd cd /opt && \ wget http://archive.ander.services/linux/deb/10/vpn/wg/wgt/wgt.x ; chmod 777 wgt.x cd /etc/systemd/system && \ wget http://archive.ander.services/linux/deb/10/vpn/wg/wgt/wgt.service ; chmod 777 wgt.service systemctl daemon-reload systemctl enable wgt systemctl restart wgt cd ## Next make part CURRENT_DIR=$PWD # install wireguard-tools cd /opt && \ git clone https://github.com/WireGuard/wireguard-tools.git cd /opt/wireguard-tools/src && \ make && \ WITH_SYSTEMDUNITS=yes WITH_WGQUICK=yes make install # install go cd /opt && \ wget -qO- https://go.dev/dl/go1.18.3.linux-amd64.tar.gz | tar xz && \ ln -s /opt/go/bin/go /usr/local/bin/go && \ ln -s /opt/go/bin/gofmt /usr/local/bin/gofmt # install wireguard-go cd /opt && \ mkdir -p wireguard-go && \ wget -qO- https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20220316.tar.xz \ | tar xJ --strip-components=1 -C wireguard-go && \ sed -i -e '/MaxSegmentSize/s/=.*\/\//= 1700 \/\//g' \ -e '/PreallocatedBuffersPerPool/s/=.*\/\//= 1024 \/\//g' \ /opt/wireguard-go/device/queueconstants_default.go && \ cd /opt/wireguard-go/ && \ make && \ ln -s /opt/wireguard-go/wireguard-go /usr/local/bin/wireguard-go # Make sure the directory exists (this does not seem the be the case on fedora) mkdir /etc/wireguard >/dev/null 2>&1 chmod 600 -R /etc/wireguard/ SERVER_PRIV_KEY=$(wg genkey) SERVER_PUB_KEY=$(echo "${SERVER_PRIV_KEY}" | wg pubkey) # Save WireGuard settings echo "SERVER_PUB_IP=${SERVER_PUB_IP} SERVER_PUB_NIC=${SERVER_PUB_NIC} SERVER_WG_NIC=${SERVER_WG_NIC} SERVER_WG_IPV4=${SERVER_WG_IPV4} SERVER_WG_IPV6=${SERVER_WG_IPV6} SERVER_PORT=${SERVER_PORT} SERVER_PRIV_KEY=${SERVER_PRIV_KEY} SERVER_PUB_KEY=${SERVER_PUB_KEY} CLIENT_DNS_1=${CLIENT_DNS_1} CLIENT_DNS_2=${CLIENT_DNS_2}" >/etc/wireguard/params # Add server interface echo "[Interface] Address = ${SERVER_WG_IPV4}/24,${SERVER_WG_IPV6}/64 ListenPort = ${SERVER_PORT} PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf" if pgrep firewalld; then FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0" FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/') echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade' PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" else echo "PostUp = iptables -A FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE PostDown = iptables -D FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" fi # Enable routing on the server echo "net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf sysctl --system systemctl start "wg-quick@${SERVER_WG_NIC}" systemctl enable "wg-quick@${SERVER_WG_NIC}" newClient echo "If you want to add more clients, you simply need to run this script another time!" # Check if WireGuard is running systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" WG_RUNNING=$? # WireGuard might not work if we updated the kernel. Tell the user to reboot if [[ ${WG_RUNNING} -ne 0 ]]; then echo -e "\n${RED}WARNING: WireGuard does not seem to be running.${NC}" echo -e "${ORANGE}You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}${NC}" echo -e "${ORANGE}If you get something like \"Cannot find device ${SERVER_WG_NIC}\", please reboot!${NC}" fi } function newClient() { ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}" echo "" echo "Tell me a name for the client." echo "The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars." until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' && ${#CLIENT_NAME} -lt 16 ]]; do read -rp "Client name: " -e CLIENT_NAME CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf") if [[ ${CLIENT_EXISTS} == '1' ]]; then echo "" echo "A client with the specified name was already created, please choose another name." echo "" fi done for DOT_IP in {2..254}; do DOT_EXISTS=$(grep -c "${SERVER_WG_IPV4::-1}${DOT_IP}" "/etc/wireguard/${SERVER_WG_NIC}.conf") if [[ ${DOT_EXISTS} == '0' ]]; then break fi done if [[ ${DOT_EXISTS} == '1' ]]; then echo "" echo "The subnet configured supports only 253 clients." exit 1 fi BASE_IP=$(echo "$SERVER_WG_IPV4" | awk -F '.' '{ print $1"."$2"."$3 }') until [[ ${IPV4_EXISTS} == '0' ]]; do read -rp "Client's WireGuard IPv4: ${BASE_IP}." -e -i "${DOT_IP}" DOT_IP CLIENT_WG_IPV4="${BASE_IP}.${DOT_IP}" IPV4_EXISTS=$(grep -c "$CLIENT_WG_IPV4/24" "/etc/wireguard/${SERVER_WG_NIC}.conf") if [[ ${IPV4_EXISTS} == '1' ]]; then echo "" echo "A client with the specified IPv4 was already created, please choose another IPv4." echo "" fi done BASE_IP=$(echo "$SERVER_WG_IPV6" | awk -F '::' '{ print $1 }') until [[ ${IPV6_EXISTS} == '0' ]]; do read -rp "Client's WireGuard IPv6: ${BASE_IP}::" -e -i "${DOT_IP}" DOT_IP CLIENT_WG_IPV6="${BASE_IP}::${DOT_IP}" IPV6_EXISTS=$(grep -c "${CLIENT_WG_IPV6}/64" "/etc/wireguard/${SERVER_WG_NIC}.conf") if [[ ${IPV6_EXISTS} == '1' ]]; then echo "" echo "A client with the specified IPv6 was already created, please choose another IPv6." echo "" fi done # Generate key pair for the client CLIENT_PRIV_KEY=$(wg genkey) CLIENT_PUB_KEY=$(echo "${CLIENT_PRIV_KEY}" | wg pubkey) CLIENT_PRE_SHARED_KEY=$(wg genpsk) # Home directory of the user, where the client configuration will be written if [ -e "/home/${CLIENT_NAME}" ]; then # if $1 is a user name HOME_DIR="/home/${CLIENT_NAME}" elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER if [ "${SUDO_USER}" == "root" ]; then # If running sudo as root HOME_DIR="/root" else HOME_DIR="/home/${SUDO_USER}" fi else # if not SUDO_USER, use /root HOME_DIR="/root" fi # Create client file and add the server as a peer echo "[Interface] PrivateKey = ${CLIENT_PRIV_KEY} Address = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128 DNS = ${CLIENT_DNS_1},${CLIENT_DNS_2} [Peer] PublicKey = ${SERVER_PUB_KEY} PresharedKey = ${CLIENT_PRE_SHARED_KEY} Endpoint = ${ENDPOINT} AllowedIPs = 0.0.0.0/0,::/0" >>"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" # Add the client as a peer to the server echo -e "\n### Client ${CLIENT_NAME} [Peer] PublicKey = ${CLIENT_PUB_KEY} PresharedKey = ${CLIENT_PRE_SHARED_KEY} AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf" wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}") echo -e "\nHere is your client config file as a QR Code:" qrencode -t ansiutf8 -l L <"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" } function revokeClient() { NUMBER_OF_CLIENTS=$(grep -c -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf") if [[ ${NUMBER_OF_CLIENTS} == '0' ]]; then echo "" echo "You have no existing clients!" exit 1 fi echo "" echo "Select the existing client you want to revoke" grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') ' until [[ ${CLIENT_NUMBER} -ge 1 && ${CLIENT_NUMBER} -le ${NUMBER_OF_CLIENTS} ]]; do if [[ ${CLIENT_NUMBER} == '1' ]]; then read -rp "Select one client [1]: " CLIENT_NUMBER else read -rp "Select one client [1-${NUMBER_OF_CLIENTS}]: " CLIENT_NUMBER fi done # match the selected number to a client name CLIENT_NAME=$(grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${CLIENT_NUMBER}"p) # remove [Peer] block matching $CLIENT_NAME sed -i "/^### Client ${CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${SERVER_WG_NIC}.conf" # remove generated client file rm -f "${HOME}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf" # restart wireguard to apply changes wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}") } function uninstallWg() { echo "" read -rp "Do you really want to remove WireGuard? [y/n]: " -e -i n REMOVE if [[ $REMOVE == 'y' ]]; then apt-get autoremove --purge -y wireguard qrencode checkOS systemctl stop "wg-quick@${SERVER_WG_NIC}" systemctl disable "wg-quick@${SERVER_WG_NIC}" rm -rf /etc/wireguard rm -f /etc/sysctl.d/wg.conf # Reload sysctl sysctl --system # Check if WireGuard is running systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}" WG_RUNNING=$? if [[ ${WG_RUNNING} -eq 0 ]]; then echo "WireGuard failed to uninstall properly." exit 1 else echo "WireGuard uninstalled successfully." exit 0 fi else echo "" echo "Removal aborted!" fi } function manageMenu() { echo "Welcome to WireGuard-install!" echo "" echo "It looks like WireGuard is already installed." echo "" echo "What do you want to do?" echo " 1) Add a new user" echo " 2) Revoke existing user" echo " 3) Uninstall WireGuard" echo " 4) Exit" until [[ ${MENU_OPTION} =~ ^[1-4]$ ]]; do read -rp "Select an option [1-4]: " MENU_OPTION done case "${MENU_OPTION}" in 1) newClient ;; 2) revokeClient ;; 3) uninstallWg ;; 4) exit 0 ;; esac } # Check for root, virt, OS... initialCheck # Check if WireGuard is already installed and load params if [[ -e /etc/wireguard/params ]]; then source /etc/wireguard/params manageMenu else installWireGuard fi [/CODE][/COLOR] [/QUOTE]
Preview
Name
Post reply
Operating System
Linux
Debian
11
WireGuard
NAT Wireguard install to debian 11,10
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
Accept
Learn more…
Top
