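#! /usr/bin/env sh
# SPDX-License-Identifier: BlueOak-1.0.0
# SPDX-FileCopyrightText: 2023 Saulius Krasuckas <saulius2_at_ar-fi_point_lt> | sskras
# Set up WireGuard server peer.
# Via: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
#
# Runs as an unprivileged user and escalates per command with sudo. Every
# command is traced (set -x) and the first failing command aborts the run
# (set -e); there is no rollback, see the TODO at the bottom.
#
# Deviations from the tutorial:
#  - the generated private key and the rendered wg0.conf are not echoed to
#    stdout (tee output goes to /dev/null), so the key does not end up in the
#    terminal scrollback or in whatever captures this script's output;
#  - wg0.conf gets the same mode as private.key, because it embeds the key;
#  - the uplink device lookup is checked before it is written into rules.
set -e
set -x

# Step 1: choosing the essential WG parameters
#WG_ADDR="10.8.0.1/24"
WG_ADDR="10.255.8.1/24"
#WG_PORT=51876
WG_PORT=51820

# Step 2: installing the package
sudo apt update
sudo apt install -y ufw # Missing on some installations (like Proxmox)
sudo apt install -y wireguard # Runs DKMS installer
# Only the public key is safe to print; keep the private one off stdout.
wg genkey | sudo tee /etc/wireguard/private.key > /dev/null
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

# Step 3: creating WG configuration
# The here-doc delimiter is deliberately unquoted so ${WG_*} and the
# $(sudo cat ...) key read are expanded into the file.
cat << EOF | sudo tee /etc/wireguard/wg0.conf > /dev/null
[Interface]
PrivateKey = $(sudo cat /etc/wireguard/private.key)
Address = ${WG_ADDR}
ListenPort = ${WG_PORT}
SaveConfig = true
EOF
# wg0.conf now carries the private key: restrict it like private.key.
sudo chmod go= /etc/wireguard/wg0.conf

# Step 4: ensuring IP packets are forwarded between interfaces
# Persist the setting and apply it immediately (sysctl -p- reads from stdin).
cat << EOF | sudo tee /etc/sysctl.d/11-ip_forward.conf | sudo sysctl -p-
net.ipv4.ip_forward = 1
EOF

# Step 5: configuring firewall
# Device of the default route = the uplink that wg0 clients are NATed through.
# NOTE(review): with more than one default route this yields several lines;
# the rules below assume exactly one.
UPLINK_DEV=$(ip route list default | awk '{ for (i=1; i<=NF; i++) if ($i == "dev") print $(i+1) }')
# Abort before writing half-formed "out on" rules when no default route exists.
: "${UPLINK_DEV:?no default route device found, cannot configure forwarding}"
cat << EOF | sudo tee -a /etc/wireguard/wg0.conf
PostUp = ufw route allow in on wg0 out on ${UPLINK_DEV}
PostUp = iptables -t nat -I POSTROUTING -o ${UPLINK_DEV} -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ${UPLINK_DEV}
PreDown = iptables -t nat -D POSTROUTING -o ${UPLINK_DEV} -j MASQUERADE
EOF
# TODO: Does ufw necessary need to be present? Maybe this block should be optional:
sudo ufw allow "${WG_PORT}/udp"
sudo ufw allow OpenSSH
# Via: https://gist.github.com/rdroro/9988478#ufw
# Allow Proxmox web-UI:
sudo ufw allow 8006/tcp
# TODO: What about all other potentially listening ports?
# Explicitly enable fwd via ufw too:
sudo ufw default allow FORWARD
# Disable/enable cycle reloads the rule set with the new defaults.
sudo ufw disable
sudo ufw enable
sudo ufw status verbose

# Step 6: starting WG service
sudo systemctl enable wg-quick@wg0
# TODO: this fails on OpenVZ (insmod not supported)
sudo systemctl start wg-quick@wg0
# Non-zero when the unit is not active, which under set -e is the exit status.
systemctl status wg-quick@wg0
# TODO: Detect the error or the conditions and stop / rollback the changes.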