diff --git a/install.sh b/install.sh
index 75b43f0..fc25436 100755
--- a/install.sh
+++ b/install.sh
@@ -223,9 +223,13 @@ umask $UMASK
 systemctl enable wg-quick@wg0.service
 systemctl start wg-quick@wg0.service
+# install wg*.sh scripts in to /usr/local/sbin/
+cp wg*.sh /usr/local/sbin/
+chmod 755 /usr/local/sbin/wg*.sh
+
 # set up wireguard timer for wg-cron.sh
 # removes inactive peers (clients) endpoint (last connected IP) data from wireguard
-# /usr/lib/systemd/system/wg-cron.timer
+mkdir -p /usr/local/lib/systemd/system/
 echo '[Unit]' > /usr/lib/systemd/system/wg-cron.timer
 echo 'Description=wiregaurd cron every 5 minutes' >> /usr/lib/systemd/system/wg-cron.timer
 echo '' >> /usr/lib/systemd/system/wg-cron.timer
@@ -245,14 +249,22 @@ echo 'ExecStart=/usr/local/sbin/wg-cron.sh' >> /usr/lib/systemd/system/wg-cron.s
 echo '' >> /usr/lib/systemd/system/wg-cron.service
 echo '[Install]' >> /usr/lib/systemd/system/wg-cron.service
 echo 'WantedBy=multi-user.target' >> /usr/lib/systemd/system/wg-cron.service
-# enable wg-cront.timer
+# enable wg-cron.timer
 systemctl daemon-reload
 systemctl enable wg-cron.timer
 systemctl start wg-cron.timer
-# install wg-*.sh scripts in to /usr/local/sbin/
-cp wg-*.sh /usr/local/sbin/
-chmod 755 /usr/local/sbin/wg-*.sh
+# install fail2ban. configure draconian ssh failure blocking
+DEBIAN_FRONTEND=noninteractive apt-get -y install fail2ban
+echo "[Definition]" > /etc/fail2ban/fail2ban.local
+echo "dbfile = :memory:" >> /etc/fail2ban/fail2ban.local
+echo "[DEFAULT]" > /etc/fail2ban/jail.local
+echo "ignoreip = 127.0.0.1/8" >> /etc/fail2ban/jail.local
+echo "banaction = ufw" >> /etc/fail2ban/jail.local
+echo "bantime = 24h" >> /etc/fail2ban/jail.d/defaults-debian.conf
+echo "maxretry = 1" >> /etc/fail2ban/jail.d/defaults-debian.conf
+systemctl enable fail2ban
+systemctl start fail2ban
 # display installation confirmation message
 echo "WireGuard is now installed and configured and running."
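Review bot: The new `mkdir -p /usr/local/lib/systemd/system/` creates a directory nothing in this hunk uses; the `echo '[Unit]' > /usr/lib/systemd/system/wg-cron.timer` lines right after it still write the unit into the package-owned `/usr/lib` tree, where a distro package update can overwrite locally written files. Either drop the mkdir or point the redirections at the directory just created, e.g. `unitdir=/usr/local/lib/systemd/system` and `echo '[Unit]' > "$unitdir/wg-cron.timer"`, and do the same for the wg-cron.service lines outside this hunk. `cp wg*.sh /usr/local/sbin/` also assumes the current working directory is the checkout and never checks that the copy succeeded, which matters because the timer's `ExecStart=/usr/local/sbin/wg-cron.sh` depends on it; `cp -- "$(dirname "$0")"/wg*.sh /usr/local/sbin/ || exit 1` pins the source to the installer's own directory and fails loudly.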
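Review bot: `maxretry = 1` combined with `bantime = 24h` and an `ignoreip` of only `127.0.0.1/8` means a single mistyped SSH password from the administrator's own address bans that address for a day; add the management source address(es) to `ignoreip`, or raise `maxretry` to 3, before calling this a default. The two `>>` appends into `/etc/fail2ban/jail.d/defaults-debian.conf` rely on that package file existing and ending in an `[sshd]` section (true for Debian's stock file, not guaranteed elsewhere), and re-running install.sh appends the keys a second time; a dedicated drop-in written with `>` and an explicit header is more robust: `echo "[sshd]" > /etc/fail2ban/jail.d/sshd-local.conf`, `echo "bantime = 24h" >> /etc/fail2ban/jail.d/sshd-local.conf`, `echo "maxretry = 3" >> /etc/fail2ban/jail.d/sshd-local.conf`. `banaction = ufw` presumes ufw is installed and enabled, which this hunk does not show, and `dbfile = :memory:` means every ban is forgotten on a fail2ban restart — possibly intended, but it deserves a comment. The `apt-get` exit status is unchecked, so on a failed install the configuration is still written and `systemctl enable fail2ban` fails later with a less useful error.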
diff --git a/wg-client-add.sh b/wg-client-add.sh
index 0debf45..c532ead 100755
--- a/wg-client-add.sh
+++ b/wg-client-add.sh
@@ -12,48 +12,28 @@ source $(dirname $0)/wg.sh
 help()
 {
 thisfilename=$(basename -- "$0")
- echo "Add virtualhost to this server."
+ echo "Add VPN client config."
 echo ""
- echo "usage: $thisfilename -d -u [-h]"
+ echo "usage: $thisfilename -c [-h]"
 echo ""
 echo " -h Print this help."
- echo " -d Domain name to add as a VirtualHost. www. subdomain is automatically aliased."
- echo " -u Username to install VirtualHost for. Username must already exist."
- echo " If need be run vhost-user-add.sh first."
- echo " Or use vhost-deploy.sh instead to automatically generate username."
+ echo " -c Name of the client configuration."
 }
-vhost:getoptions "$@"
+wg::getoptions "$@"
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
+# set config file name
+config=$client.conf
 # check for existing config
 if [ -f /etc/wireguard/clients/$config ] || [ -f /etc/wireguard/peers/$config ]; then
- echo "config for $client $device already exists"
+ echo "config for $client already exists"
 exit 1
 fi
diff --git a/wg-client-create-zip.sh b/wg-client-create-zip.sh
index b036afe..fe8e740 100755
--- a/wg-client-create-zip.sh
+++ b/wg-client-create-zip.sh
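Review bot: `$client` arrives from `-c` through `wg::getoptions`, which (per the wg.sh hunk in this commit) only lowercases it, and is then used unvalidated and unquoted as a path component in `[ -f /etc/wireguard/clients/$config ]` and `[ -f /etc/wireguard/peers/$config ]`, so a name containing `/`, `..` or whitespace escapes the config directory or breaks the test; the rest of this script, outside the hunk, presumably creates files under that name, which makes the check worth having before this point. The missing-name branch also uses bare `exit`, which returns 0 where the removed code returned 1, so a caller cannot tell the failure from success. Tightening the guard covers both: `if [[ -z $client || ! $client =~ ^[a-z0-9][a-z0-9._-]*$ ]]; then`, with `echo "valid client name is required" >&2` and `exit 1` inside it. The same guard is copy-pasted into the other client scripts in this commit, so it may be better placed once in wg.sh.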
@@ -6,32 +6,30 @@
 # Copyright (c) 2022 Matthew Saunders Brown
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# load include file
+source $(dirname $0)/wg.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Create zip of client config."
+ echo ""
+ echo "usage: $thisfilename -c [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -c Name of the client configuration."
+}
+
+wg::getoptions "$@"
+
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
-image=$config.$device.png
+# set config file name
+config=$client.conf
 # check for existing config
 if [ -f /etc/wireguard/clients/$config ]; then
@@ -43,5 +41,5 @@ if [ -f /etc/wireguard/clients/$config ]; then
 /usr/bin/zip -j $config.zip /etc/wireguard/clients/$config
 else
- echo "config for $client $device does not exist"
+ echo "config for $client does not exist"
 fi
diff --git a/wg-client-del.sh b/wg-client-del.sh
index 5335e9e..31173be 100755
--- a/wg-client-del.sh
+++ b/wg-client-del.sh
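Review bot: The block from `# load include file` down to the `client name is required` guard is byte-identical to the one added to wg-client-add.sh, wg-client-del.sh, wg-client-disable.sh, wg-client-enable.sh and both qr scripts in this commit, and in every copy the guard ends with bare `exit`, which returns status 0. Since each script already calls `wg::getoptions "$@"`, the check belongs once in wg.sh — for example a `wg::require_client` function that prints `client name is required` to stderr and does `exit 1` — after which each script needs only `wg::require_client` following the getoptions call. That also gives a single place to validate the name before it is used as a file name.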
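Review bot: The `else` branch's `echo "config for $client does not exist"` goes to stdout and the script then falls off the end with status 0, so a caller wrapping this tool cannot distinguish a missing config from a produced zip; `echo "config for $client does not exist" >&2` followed by `exit 1` fixes that. The unchanged context line above it, `/usr/bin/zip -j $config.zip /etc/wireguard/clients/$config`, writes the archive into the caller's working directory with whatever umask is in effect, and a WireGuard client config normally carries the client's private key, so a `umask 077` before the zip call (or a fixed, restricted output directory) is worth considering even though this commit does not touch that line.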
@@ -6,31 +6,30 @@
 # Copyright (c) 2022 Matthew Saunders Brown
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# load include file
+source $(dirname $0)/wg.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Delete VPN client config."
+ echo ""
+ echo "usage: $thisfilename -c [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -c Name of the client configuration."
+}
+
+wg::getoptions "$@"
+
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
+# set config file name
+config=$client.conf
 # check for server config
 if [ -f /etc/wireguard/peers/$config ]; then
@@ -38,11 +37,11 @@ if [ -f /etc/wireguard/peers/$config ]; then
 wg set wg0 peer $peer remove
 wg-quick save wg0
 rm /etc/wireguard/peers/$config
- echo "peer and server config for $client $device removed"
+ echo "peer and server config for $client removed"
 fi
 # check for client config
 if [ -f /etc/wireguard/clients/$config ]; then
 rm /etc/wireguard/clients/$config
- echo "client config for $client $device removed"
+ echo "client config for $client removed"
 fi
diff --git a/wg-client-disable.sh b/wg-client-disable.sh
index 6a133ac..6f76b03 100755
--- a/wg-client-disable.sh
+++ b/wg-client-disable.sh
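Review bot: `rm /etc/wireguard/peers/$config` and `rm /etc/wireguard/clients/$config` delete whatever `$config` names, and `$config` is `$client.conf` with `$client` taken from `-c` and only lowercased by `wg::getoptions` (no character check in the wg.sh hunk), so this destructive script is where an unvalidated name hurts most. At minimum quote and guard the two calls, `rm -f -- "/etc/wireguard/peers/$config"` and `rm -f -- "/etc/wireguard/clients/$config"`, and validate the name before this point; both `rm` lines are context in this hunk, only the messages change. `wg set wg0 peer $peer remove` runs with an empty `$peer` if the extraction above the hunk (presumably the same `grep PublicKey … | cut` used in wg-client-disable.sh) finds nothing, and `wg-quick save wg0` then persists whatever state that left; a `[[ -n $peer ]] ||` guard before the `wg set` line would avoid acting on a malformed peer file. The enclosing `if` for the first block begins before this hunk.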
@@ -6,36 +6,35 @@
 # Copyright (c) 2022 Matthew Saunders Brown
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# load include file
+source $(dirname $0)/wg.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Disable VPN client config."
+ echo ""
+ echo "usage: $thisfilename -c [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -c Name of the client configuration."
+}
+
+wg::getoptions "$@"
+
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
+# set config file name
+config=$client.conf
 # check for server config
 if [ -f /etc/wireguard/peers/$config ]; then
 peer=$(grep PublicKey /etc/wireguard/peers/$config|cut -d ' ' -f 3)
 wg set wg0 peer $peer remove
 wg-quick save wg0
- echo "peer for $client $device disabled"
+ echo "peer for $client disabled"
 fi
diff --git a/wg-client-enable.sh b/wg-client-enable.sh
index 781668f..d06972f 100755
--- a/wg-client-enable.sh
+++ b/wg-client-enable.sh
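Review bot: Unlike wg-client-enable.sh, which reports `no configs for $client found`, this script is silent and exits 0 when `/etc/wireguard/peers/$config` does not exist, so a typo in `-c` looks like a successful disable; add `else echo "no peer config for $client" >&2; exit 1` before the closing `fi`. The context line `peer=$(grep PublicKey /etc/wireguard/peers/$config|cut -d ' ' -f 3)` yields an empty `$peer` when the file has no such line, and `wg set wg0 peer $peer remove` then fails on a malformed key while `wg-quick save wg0` still runs; `[[ -n $peer ]] || { echo "no PublicKey in $config" >&2; exit 1; }` between those two lines guards it. The guard at the top of the hunk also uses bare `exit` (status 0) when `-c` is missing, as in the sibling scripts.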
@@ -6,31 +6,30 @@
 # Copyright (c) 2022 Matthew Saunders Brown
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# load include file
+source $(dirname $0)/wg.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Enable existing VPN client config."
+ echo ""
+ echo "usage: $thisfilename -c [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -c Name of the client configuration."
+}
+
+wg::getoptions "$@"
+
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
+# set config file name
+config=$client.conf
 # check for server config
 if [ -f /etc/wireguard/peers/$config ]; then
@@ -39,17 +38,17 @@ if [ -f /etc/wireguard/peers/$config ]; then
 if [ $status = 0 ]; then
 wg addconf wg0 /etc/wireguard/peers/$config
 wg-quick save wg0
- echo "peer for $client $device enabled"
+ echo "peer for $client enabled"
 elif [ $status = 1 ]; then
- echo "peer for $client $device already enabled"
+ echo "peer for $client already enabled"
 else
- echo "unexpected status for peer $client $device ($status)"
+ echo "unexpected status for peer $client ($status)"
 fi
 elif [ -f /etc/wireguard/clients/$config ]; then
 # create server config
 # enable server config
- echo "server config for $client $device not found, but client config exists."
+ echo "server config for $client not found, but client config exists."
 echo "add programming here to create server config and enable"
 else
- echo "no configs for $client $device found"
+ echo "no configs for $client found"
 fi
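Review bot: The `elif [ -f /etc/wireguard/clients/$config ]` branch prints `add programming here to create server config and enable` to the user and then exits 0, so a client that has a config but no peer entry is reported in prose rather than as a failure; until that branch is implemented it should end with `exit 1`, and the `else` branch printing `no configs for $client found` should too, otherwise callers cannot tell that nothing was enabled. The `[ $status = 0 ]` and `[ $status = 1 ]` tests compare an unquoted `$status` as a string; if the command that sets it (before this hunk) leaves it empty, the test fails with `unary operator expected` instead of reaching the `unexpected status` branch, so `[[ $status == 0 ]]` or quoting `"$status"` is safer. The enclosing if/elif/else block begins before this hunk.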
diff --git a/wg-client-list.sh b/wg-client-list.sh
index bd8eba4..8762538 100755
--- a/wg-client-list.sh
+++ b/wg-client-list.sh
@@ -9,11 +9,8 @@
 # wg-client-list.sh
 # list all client configs available on the server
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
-fi
+# load include file
+source $(dirname $0)/wg.sh
 # prints a table with username & device split in to columns
-(echo "Client.Config" && echo "--------.------" && cd /etc/wireguard/clients/ && ls -1 *.conf)|sed 's|\.conf$||g'|sed 's|\.| |g'|column -t
+(echo "Client" && echo "---------------" && cd /etc/wireguard/clients/ && ls -1 *.conf)|sed 's|\.conf$||g'
diff --git a/wg-client-qr-create-png.sh b/wg-client-qr-create-png.sh
index 3108bbf..86102a9 100755
--- a/wg-client-qr-create-png.sh
+++ b/wg-client-qr-create-png.sh
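Review bot: The context comment `# prints a table with username & device split in to columns` now describes the removed pipeline; the new one only strips `.conf`, so it should read `# prints the client config names, one per line, with the .conf suffix stripped`. The new line still parses `ls -1 *.conf`, which on an empty directory writes `ls: cannot access '*.conf'` to stderr because the unmatched glob is passed literally; a glob in the shell avoids both the error and the `ls` parsing, e.g. `(echo "Client" && echo "---------------" && cd /etc/wireguard/clients/ && shopt -s nullglob && for f in *.conf; do echo "${f%.conf}"; done)`. `shopt` and `[[` elsewhere in this commit indicate these scripts are bash, so that form is available.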
@@ -6,32 +6,31 @@
 # Copyright (c) 2022 Matthew Saunders Brown
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# load include file
+source $(dirname $0)/wg.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Create PNG QR file for client config."
+ echo ""
+ echo "usage: $thisfilename -c [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -c Name of the client configuration."
+}
+
+wg::getoptions "$@"
+
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
-image=$config.$device.png
+# set config and image file names
+config=$client.conf
+image=$config.png
 # check for existing config
 if [ -f /etc/wireguard/clients/$config ]; then
@@ -42,5 +41,5 @@ if [ -f /etc/wireguard/clients/$config ]; then
 qrencode -t png -r /etc/wireguard/clients/$config -o /var/lib/wireguard/$image
 else
- echo "config for $client $device does not exist"
+ echo "config for $client does not exist"
 fi
diff --git a/wg-client-qr-display.sh b/wg-client-qr-display.sh
index 55ca1f0..3516962 100755
--- a/wg-client-qr-display.sh
+++ b/wg-client-qr-display.sh
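Review bot: `image=$config.png` builds on the already-suffixed `config=$client.conf`, so the file written by `qrencode … -o /var/lib/wireguard/$image` in the second hunk is named `<client>.conf.png`; if one image per client is the intent, `image=$client.png` reads more naturally and matches the `# set config and image file names` comment. The old code produced `<client>.default.conf.default.png`, so this may be deliberate compatibility with existing files — either way a one-line comment stating the naming scheme would stop the next reader from "fixing" it. The PNG encodes the full client config, which in WireGuard normally includes the private key, and it is created with whatever umask is in effect; a `umask 077` before the qrencode call, or a restrictive mode on `/var/lib/wireguard`, keeps it from being readable by other local users.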
@@ -6,35 +6,34 @@
 # Copyright (c) 2022 Matthew Saunders Brown
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
+# load include file
+source $(dirname $0)/wg.sh
+
+help()
+{
+ thisfilename=$(basename -- "$0")
+ echo "Display client config QR code."
+ echo ""
+ echo "usage: $thisfilename -c [-h]"
+ echo ""
+ echo " -h Print this help."
+ echo " -c Name of the client configuration."
+}
+
+wg::getoptions "$@"
+
+# check for client config name
+if [[ -z $client ]]; then
+ echo "client name is required"
+ exit
 fi
-# check for and set client name
-if [ -n "$1" ]; then
- client=$1
- # set beginning of config file name
- config=$client
-else
- echo "client name not set"
- exit 1
-fi
-
-# check if device name was set
-if [ -n "$2" ]; then
- device=$2
-else
- device=default
-fi
-
-# add device name & .conf to config file name
-config=$config.$device.conf
+# set config and image file names
+config=$client.conf
 # check for existing config
 if [ -f /etc/wireguard/clients/$config ]; then
 qrencode -t ansiutf8 < /etc/wireguard/clients/$config
 else
- echo "config for $client $device does not exist"
+ echo "config for $client does not exist"
 fi
diff --git a/wg-cron.sh b/wg-cron.sh
index 028890b..2ad5145 100755
--- a/wg-cron.sh
+++ b/wg-cron.sh
@@ -11,11 +11,8 @@
 # remove them then add them back to wireguard
 # this removes the endpoint (last connected IP) and transfer stats
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
-fi
+# load include file
+source $(dirname $0)/wg.sh
 # get peer of clients with "minutes" in their last handshake
 clients=($(wg|grep -B 4 minutes|grep peer|cut -d ' ' -f 2))
diff --git a/wg-peer-audit.sh b/wg-peer-audit.sh
index 84033fc..73f4fe9 100755
--- a/wg-peer-audit.sh
+++ b/wg-peer-audit.sh
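Review bot: The added comment `# set config and image file names` above `config=$client.conf` was carried over from wg-client-qr-create-png.sh; this script sets no image name, so it should read `# set config file name` like the other client scripts in the commit. Otherwise the hunk mirrors its siblings, including the bare `exit` (status 0) when `-c` is absent, which makes a missing argument indistinguishable from success for anything calling this script.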
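Review bot: `source $(dirname $0)/wg.sh` is unquoted and a failed `source` is not fatal here, so if wg.sh is not beside the script the rest of wg-cron.sh runs anyway without whatever wg.sh sets up; `source "$(dirname "$0")/wg.sh" || exit 1` makes the dependency explicit (install.sh copies `wg*.sh` to `/usr/local/sbin/`, so the timer's `ExecStart=/usr/local/sbin/wg-cron.sh` path is covered, but a checkout run from elsewhere is not). The removed EUID check was the only visible root guard in this file; whether wg.sh now enforces it is not shown in this diff (the `fi` at wg.sh line 15 in the wg.sh hunk header suggests a conditional above its functions), and since this script is run unattended by the timer and reconfigures wg0 it is worth confirming rather than assuming.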
@@ -11,11 +11,8 @@
 # this is basis of a "cleanup" script to remove configs for invalid
 # old or deleted clients
-# require root
-if [ "${EUID}" -ne 0 ]; then
- echo "This script must be run as root"
- exit 1
-fi
+# load include file
+source $(dirname $0)/wg.sh
 # get all peers in running wireguard server
 peers=($(wg|grep peer|cut -d ' ' -f 2))
diff --git a/wg.sh b/wg.sh
index d7e547d..2cdb097 100755
--- a/wg.sh
+++ b/wg.sh
@@ -15,21 +15,6 @@ fi
 # functions
-function vhost::set-virtualhostArray () {
-
- cd /srv/www
- virtualhostArray=(`ls -1|grep -v ^html$`)
-
-}
-
-function vhost::set-phpVersion () {
-
- PHP_MAJOR_VERSION=`php -r "echo PHP_MAJOR_VERSION;"`
- PHP_MINOR_VERSION=`php -r "echo PHP_MINOR_VERSION;"`
- phpVersion=$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION
-
-}
-
 # crude but good enough domain name format validation
 function wg::validate_domain () {
 local my_domain=$1
@@ -40,28 +25,16 @@ function wg::validate_domain () {
 fi
 }
--c client
--g config
--e email
--p peer ???
-
-function wg:getoptions () {
+function wg::getoptions () {
 local OPTIND
- while getopts "cd:i:m:o:p:u:jhnvw" opt ; do
+ while getopts "c:e:h" opt ; do
 case "${opt}" in
 h ) # display help and exit
 help
 exit
 ;;
- c ) # cvs - output in cvs format
- cvs=true
- ;;
- d ) # domain name (virtualhost) to act on
- domain=${OPTARG,,}
- if ! wg::validate_domain $domain; then
- echo "ERROR: $domain is not a valid domain name."
- exit
- fi
+ c ) # client/config name
+ client=${OPTARG,,}
 ;;
 e ) # email address
 email=${OPTARG,,}
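Review bot: The new `c )` case stores `client=${OPTARG,,}` with no format check, whereas the `d )` case it replaces ran `wg::validate_domain` and refused bad input; every client script in this commit then builds `/etc/wireguard/clients/$client.conf` and `/etc/wireguard/peers/$client.conf` from this value unquoted, and wg-client-del.sh hands it to `rm`. Validate it here, once, in the same shape as the removed domain branch: after `client=${OPTARG,,}` add `if [[ ! $client =~ ^[a-z0-9][a-z0-9._-]*$ ]]; then echo "ERROR: $client is not a valid client name." >&2; exit 1; fi`, which rules out `/`, `..`, whitespace and shell metacharacters. Note the removed branch used bare `exit` (status 0) on a bad domain; the replacement should not repeat that. The `e )` case and the rest of wg::getoptions continue past the end of this hunk.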
@@ -83,34 +56,6 @@ function wg:getoptions () {
 exit 1
 fi
 ;;
- i ) # User ID (UID) for new user
- uid=${OPTARG}
- ;;
- m ) # macro - Apache mod_macro name
- macro=${OPTARG}
- ;;
- o ) # option - usually applied to previously specified variable
- # e.g. could be subdomain or alias depending on the macro defined
- option=${OPTARG}
- ;;
- p ) # password
- password=${OPTARG}
- ;;
- u ) # username
- username=${OPTARG,,}
- ;;
- j ) # jail - if enabled user will be jailed
- jail=true
- ;;
- n ) # dry-run
- dryrun=true
- ;;
- v ) # verbose
- verbose=true
- ;;
- w ) # write - store data in file
- write=true
- ;;
 \? )
 echo "Invalid option: $OPTARG"
 exit 1
@@ -124,7 +69,3 @@ function wg:getoptions () {
 shift $((OPTIND-1))
 }
-# check for local config, which can be used to override any of the above
-if [[ -f /usr/local/etc/wg.conf ]]; then
- source /usr/local/etc/wg.conf
-fi
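Review bot: The surviving `\? ) echo "Invalid option: $OPTARG"` prints an empty option name, because the getopts string set earlier in this function (`"c:e:h"` in the previous hunk) has no leading colon: in that mode bash reports the bad option itself and leaves `OPTARG` unset. There is also no `:` case, so `-c` or `-e` given without an argument produces bash's own diagnostic and then lands in this same branch. Switching to silent mode, `while getopts ":c:e:h" opt ; do`, and adding `: ) echo "Option -$OPTARG requires an argument" >&2; exit 1 ;;` beside the `\?` case gives one consistent set of messages on stderr; wg::getoptions starts before and ends after this hunk.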