ebc32cae86
Installer now expects Debian 12 and requires base-stack repo installed first New systemd files New wg-client-zip-email.sh script Moved bash scripts into sbin dir Install & configure firewalld instead of ufw wg.sh now has configurable options - DNS nameserver settings - endpoint (FQDN or IP) - AllowedIPs (defaults to 0.0.0.0/0) Change the client network from 10.96.0.0/12 (1,048,574 max clients / IPs) to 10.96.0.0/16 (65,025 max clients / IPs)
118 lines
3.3 KiB
Bash
Executable File
118 lines
3.3 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# vpn-stack
|
|
# A set of bash scripts for installing and managing a WireGuard VPN server.
|
|
# https://git.stack-source.com/msb/vpn-stack
|
|
# Copyright (c) 2022 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# any script that includes this conf file will force user to be root
|
|
if [ "$USER" != "root" ]; then
|
|
exec sudo -u root $0 $@
|
|
fi
|
|
|
|
# constants
|
|
|
|
# Set Endpoint. Hard code value here, or leave blank for automatic configuration below
|
|
endpoint=
|
|
|
|
# Check if endpoint is hard coded above, configure automatically if not.
|
|
if [[ -z $endpoint ]]; then
|
|
fqdn=`hostname -f`
|
|
primaryip=`ip route get 1.1.1.1| head -n 1 | cut -d ' ' -f 7`
|
|
reversedns=`dig -x $primaryip +short | sed 's|.$||'`
|
|
# If forward & reverse DNS are configured and match use the FQDN, otherwise use primary IP.
|
|
if [[ $fqdn = $reversedns ]]; then
|
|
endpoint=$fqdn
|
|
else
|
|
endpoint=$primaryip
|
|
fi
|
|
fi
|
|
|
|
# DNS. 3 options:
|
|
# - none: do not change client DNS settings
|
|
# - stubby: DNS Privacy
|
|
# - dnsmasq: DNS Privacy with Ad Blocking
|
|
# Default listed here, can be overriden via wg-client-add.sh
|
|
dnsconfig=dnsmasq
|
|
|
|
# IPs to route through the VPN. By default all traffic is routed through VPN. Alternatively you can specify a comma separated list of IPs/networks.
|
|
AllowedIPs=0.0.0.0/0
|
|
# AllowedIPs="10.96.0.0/16, 1.1.1.1, 1.0.0.1"
|
|
|
|
# functions
|
|
|
|
# crude but good enough domain name format validation
|
|
function wg::validate_domain () {
|
|
local my_domain=$1
|
|
if [[ $my_domain =~ ^(([a-zA-Z0-9](-?[a-zA-Z0-9])*)\.)+[a-zA-Z]{2,}$ ]] ; then
|
|
return 0
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
function wg::validate_client () {
|
|
local my_client=$1
|
|
if [[ $my_client =~ ^[[:alnum:]][-_[:alnum:]]{1,30}[[:alnum:]]$ ]] ; then
|
|
return 0;
|
|
else
|
|
return 1;
|
|
fi
|
|
}
|
|
|
|
function wg::getoptions () {
|
|
local OPTIND
|
|
while getopts "c:d:e:h" opt ; do
|
|
case "${opt}" in
|
|
h ) # display help and exit
|
|
help
|
|
exit
|
|
;;
|
|
c ) # client/config name
|
|
client=${OPTARG,,}
|
|
if ! wg::validate_client $client; then
|
|
echo "ERROR: '$client' is not a valid client config name."
|
|
echo "Client config name must begin & end with a letter or number,"
|
|
echo "can only contain letters numbers dashes and underscores,"
|
|
echo "and must be 3 to 32 characters in length."
|
|
exit 1
|
|
fi
|
|
;;
|
|
d ) # DNS config
|
|
dnsconfig=${OPTARG,,}
|
|
;;
|
|
e ) # email address
|
|
email=${OPTARG,,}
|
|
if [[ $email =~ "@" ]] ; then
|
|
mbox=${email%@*}
|
|
domain=${email##*@}
|
|
if [ -z $mbox ] ; then
|
|
echo "ERROR: No local part in $email."
|
|
exit 1
|
|
elif [ -z $domain ] ; then
|
|
echo "ERROR: No domain in $email."
|
|
exit 1
|
|
elif ! wg::validate_domain $domain; then
|
|
echo "ERROR: $domain is not a valid domain name."
|
|
exit 1
|
|
fi
|
|
else
|
|
echo "ERROR: $email is not a valid email."
|
|
exit 1
|
|
fi
|
|
;;
|
|
\? )
|
|
echo "Invalid option: $OPTARG"
|
|
exit 1
|
|
;;
|
|
: )
|
|
echo "Invalid option: $OPTARG requires an argument"
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
shift $((OPTIND-1))
|
|
}
|
|
|