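#!/bin/bash
#
# vpn-stack
# A set of bash scripts for installing and managing a WireGuard VPN server.
# https://git.stack-source.com/msb/vpn-stack
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

# load include file
# wg.sh is expected to provide wg::getoptions and the dnsconfig default
# (see the help text below); the AllowedIPs and endpoint values used when the
# client config is written presumably come from there too -- verify.
# The path is quoted so a script directory containing spaces still resolves,
# and a missing include is fatal: without it the script would go on to write
# client configs with empty endpoint/AllowedIPs values.
source "$(dirname -- "$0")/wg.sh" || { echo "cannot load wg.sh" >&2; exit 1; }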
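#######################################
# Print the usage text for this script.
# Globals:   none (reads $0 for the script name)
# Arguments: none
# Outputs:   help text on stdout
#######################################
help()
{
  # local so the helper does not leave a stray global behind
  local thisfilename
  thisfilename=$(basename -- "$0")
  # printf rather than echo: no option/backslash interpretation surprises
  printf '%s\n' \
    "Add VPN client config." \
    "" \
    "usage: $thisfilename -c <client> [ -d <dnsconfig> ] [-h]" \
    "" \
    " -h Print this help." \
    " -c <client> Name of the client configuration." \
    " -d <dnsconfig> Optional. Can be one of the following:" \
    " none: Do not use VPN for DNS." \
    " stubby: Use the DNS Privacy Stub Resolver on the VPN." \
    " dnsmasq: Use the DNS Proxy on the VPN that provides both Privacy with Ad Blocking." \
    " Default is dnsmasq and can be changed in wg.sh."
}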
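# parse command line options; wg::getoptions is not defined in this file
# (presumably wg.sh) and is expected to set $client and $dnsconfig
wg::getoptions "$@"

# check for client config name
if [[ -z "$client" ]]; then
  # error goes to stderr and the exit status is non-zero so callers can tell
  echo "client name is required" >&2
  exit 1
fi

# The name is used verbatim as a file name under /etc/wireguard/clients and
# /etc/wireguard/peers, so reject anything that could escape or hide inside
# those directories: path separators, a leading '.', and characters outside
# the set wg-quick accepts for interface names.
if [[ ! $client =~ ^[A-Za-z0-9][A-Za-z0-9_.=+-]*$ ]]; then
  echo "invalid client name: $client" >&2
  exit 1
fi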
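# set config file name (shared by the client-side and server-side configs)
config=$client.conf

# check for existing config in either directory: a name that is already in
# use must not be silently appended to or overwritten
if [[ -f "/etc/wireguard/clients/$config" || -f "/etc/wireguard/peers/$config" ]]; then
  echo "config for $client already exists" >&2
  exit 1
fi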
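#######################################
# Print the source address the kernel would use for an outbound connection.
# Reads `ip route get` output on stdin and prints the token that follows
# "src". Picking the field by name works whether or not the route has a
# "via <gateway>" part; the previous fixed column (cut -f 7) returned the
# wrong token on directly connected routes.
# Outputs:  primary IPv4 address on stdout; nothing if no "src" is present
#######################################
primary_ip_from_route()
{
  awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# set DNS to be used by config ($dnsconfig comes from -d or the wg.sh default)
if [[ "$dnsconfig" == dnsmasq ]]; then
  # 10.96.0.1 is the reserved first host of the 10.96.0.0/16 VPN network
  # (see the address assignment below); presumably where dnsmasq listens
  DNS="DNS = 10.96.0.1"
elif [[ "$dnsconfig" == stubby ]]; then
  # stubby is reached on the server's primary (non-VPN) address
  primaryip=$(ip route get 1.1.1.1 | primary_ip_from_route)
  DNS="DNS = $primaryip"
else
  # "none" (or anything unrecognised): no DNS line in the client config
  DNS=""
fi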
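#######################################
# Print the first unassigned client address in 10.96.0.0/16.
# Reads already assigned addresses on stdin, one per line; a trailing "/"
# (as produced by matching "x.y.z.w/" in the configs) is ignored.
# Candidates are tried in order 10.96.0.2 .. 10.96.255.254: the fourth octet
# starts at 1 (so x.y.z.0 is never handed out), 10.96.0.1 is reserved and
# 10.96.255.255 is the broadcast address.
# Outputs:  the address on stdout
# Returns:  0 when an address was found, 1 when the network is full
#######################################
next_free_address()
{
  local -A used=()
  local line thirdoctet fourthoctet candidate

  # Build the set once; the old loop ran a recursive grep for every
  # candidate, which is what made it take minutes with tens of thousands
  # of assigned client IPs.
  while IFS= read -r line; do
    line=${line%/}
    [[ -n "$line" ]] && used["$line"]=1
  done

  # Network: 10.96.0.0/16
  # HostMin: 10.96.0.1
  # HostMax: 10.96.255.254
  for (( thirdoctet = 0; thirdoctet < 256; thirdoctet++ )); do
    for (( fourthoctet = 1; fourthoctet < 256; fourthoctet++ )); do
      candidate="10.96.$thirdoctet.$fourthoctet"
      # skip reserved addresses
      if [[ "$candidate" == "10.96.0.1" || "$candidate" == "10.96.255.255" ]]; then
        continue
      fi
      if [[ -z "${used[$candidate]+x}" ]]; then
        printf '%s\n' "$candidate"
        return 0
      fi
    done
  done
  return 1
}

# get next available IP
#
# Every "10.96.x.y/" occurrence in the existing client configs counts as
# assigned -- the same substring match the per-candidate grep used to do.
# On a fresh server the directory does not exist yet, so nothing is assigned.
assigned=""
if [[ -d /etc/wireguard/clients ]]; then
  assigned=$(grep -rhoE '10\.96\.[0-9]{1,3}\.[0-9]{1,3}/' /etc/wireguard/clients/)
  rc=$?
  # grep: 0 = matches, 1 = no matches, >1 = error. An unreadable config must
  # not be mistaken for an unassigned address, or a duplicate gets handed out.
  if (( rc > 1 )); then
    echo "cannot read existing client configs in /etc/wireguard/clients" >&2
    exit 1
  fi
fi

address=$(printf '%s\n' "$assigned" | next_free_address)
if [[ -z "$address" ]]; then
  echo "all available addresses used, can not add more clients" >&2
  exit 1
fi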
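# set temp umask for creating wireguard configs: the files written below hold
# the client's private key and preshared key, so they must be created
# readable by their owner only
UMASK=$(umask)
umask 0077

# make sure clients and peers config dirs exist (root-only, mode 700)
for confdir in /etc/wireguard/clients /etc/wireguard/peers; do
  if [[ ! -d "$confdir" ]]; then
    install --owner=root --group=root --mode=700 --directory "$confdir"
  fi
done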
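# generate the client's key material; a failure here must stop the script,
# otherwise the configs below would be written with empty keys
key=$(wg genkey) || { echo "wg genkey failed" >&2; exit 1; }
psk=$(wg genpsk) || { echo "wg genpsk failed" >&2; exit 1; }
# server public key, written by the install step (assumption: .publickey is
# maintained elsewhere in vpn-stack)
publickey_server=$(< /etc/wireguard/.publickey) || { echo "cannot read /etc/wireguard/.publickey" >&2; exit 1; }
# derive the client's public key. printf is a builtin, so the private key
# never appears in a process argument list, and a pipe (unlike a here-string,
# which bash may back with a temporary file) keeps it off disk
publickey_client=$(printf '%s\n' "$key" | wg pubkey) || { echo "wg pubkey failed" >&2; exit 1; }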
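# create server config for client (peer); the umask set above keeps the
# preshared key readable by root only
cat << EOF >> /etc/wireguard/peers/"$config"
[Peer]
PublicKey = $publickey_client
PresharedKey = $psk
AllowedIPs = $address/32
EOF

# enable client on server. Stop if the peer was not accepted so that a
# client config is not handed out for a peer the server does not know.
if ! wg addconf wg0 /etc/wireguard/peers/"$config"; then
  echo "failed to add peer $client to wg0" >&2
  exit 1
fi

# save newly added client to server config so it survives a restart
if ! wg-quick save wg0; then
  echo "failed to save wg0 configuration" >&2
  exit 1
fi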
# create config for client: the mirror image of the [Peer] entry written on
# the server side. $AllowedIPs and $endpoint are referenced but not set in
# this file (presumably provided by wg.sh -- verify). $DNS may be empty, in
# which case the [Interface] section just gets an empty line.
{
  printf '%s\n' \
    '[Interface]' \
    "Address = $address/32" \
    "PrivateKey = $key" \
    "$DNS" \
    '' \
    '[Peer]' \
    "PublicKey = $publickey_server" \
    "PresharedKey = $psk" \
    "AllowedIPs = $AllowedIPs" \
    "Endpoint = $endpoint:51820" \
    'PersistentKeepalive = 25'
} > /etc/wireguard/clients/"$config"

# revert umask setting
umask "$UMASK"