-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgenerate_wg_config
executable file
·175 lines (147 loc) · 6.42 KB
/
generate_wg_config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
#!/usr/bin/env bash
#shellcheck disable=SC2206,SC2207,SC1091,SC2034,SC2128
[[ $UID == 0 ]] || { echo "You must be root to run this."; exit 1; }
. "$(dirname "$BASH_SOURCE")/core.bash"
. "$(dirname "$BASH_SOURCE")/networking.bash"
. "$(dirname "$BASH_SOURCE")/wireguard.bash"
. "$(dirname "$BASH_SOURCE")/.env"
[[
-z "${VPN_SERVER_IP:-}" ||
-z "${VPN_SERVER_BITS_MASK:-}" ||
-z "${VPN_SERVER_PRIVATE_KEY:-}" ||
-z "${VPN_SERVER_PUBLIC_KEY:-}" ||
-z "${VPN_SERVER_CONFIG_FILE:-}" ||
-z "${INTERFACE_PEERS_CONFIG_PATH:-}" ||
-z "${INTERFACE_STORE_KEYS_PATH:-}"
]] && echo "Any needed variable is not configured" && exit 4
VPN_NETWORK_CIDR="${VPN_NETWORK_CIDR:-$(get_network_cidr "${VPN_SERVER_IP}/${VPN_SERVER_BITS_MASK}")}"
VPN_SERVER_PORT=${VPN_SERVER_PORT:-51820}
SSHD_SERVER_PORT=${SSHD_SERVER_PORT:-22}
GENERATE_PEER_PSK=${GENERATE_PEER_PSK:-true}
should_create_backup=false
mkdir -p "$INTERFACE_PEERS_CONFIG_PATH" || true
if [[ ! -w "$INTERFACE_PEERS_CONFIG_PATH" ]]; then
echo "Failed to create the directory to store the peers configuration or is not writable"
exit 5
fi
mkdir -p "$INTERFACE_STORE_KEYS_PATH" || true
if [[ ! -w "$INTERFACE_STORE_KEYS_PATH" ]]; then
echo "Failed to create the directory to store the keys or is not writable"
exit 5
fi
if [[ -z "${VPN_NETWORK_CIDR:-}" ]]; then
echo "Can not determine the VPN network CIDR"
exit 4
fi
if [[ $VPN_SERVER_PORT -gt 65535 || $VPN_SERVER_PORT -lt 1024 ]]; then
echo "You should choose a port between 1024 & 65535"
exit 4
fi
if [[ -n "$(sudo lsof "-i:${VPN_SERVER_PORT}" 2> /dev/null)" ]]; then
echo "The port '${VPN_SERVER_PORT}' is still in use"
exit 4
fi
start_sudo
if ! has_sudo; then
echo "sudo is necessary"
exit 5
fi
# Generate keys
if [[ ! -r "$VPN_SERVER_PRIVATE_KEY" || ! -r "$VPN_SERVER_PUBLIC_KEY" ]]; then
rm -f "$VPN_SERVER_PRIVATE_KEY" "$VPN_SERVER_PUBLIC_KEY"
# Generate keys
gen_pair_of_keys "$VPN_SERVER_PRIVATE_KEY" "$VPN_SERVER_PUBLIC_KEY" | _log "Generating server pair of keys"
fi
SERVER_PRIVATE_KEY="$(cat "$VPN_SERVER_PRIVATE_KEY")"
SERVER_PUBLIC_KEY="$(cat "$VPN_SERVER_PUBLIC_KEY")"
# Generate server configuration
if [[ ! -r "$VPN_SERVER_CONFIG_FILE" ]]; then
should_create_backup=true
echo "Generating server config"
{
gen_interface_config "Wireguard Server ${VPN_PUBLIC_IP}:${VPN_SERVER_PORT}" "${VPN_SERVER_IP}" "${VPN_SERVER_BITS_MASK}" "$VPN_SERVER_PORT" "$SERVER_PRIVATE_KEY" "" 1 | tee "$VPN_SERVER_CONFIG_FILE" | _log "Generating server config" &> /dev/null
chmod 0600 "$VPN_SERVER_CONFIG_FILE" | _log "Setting permissions on server config"
} | _log "Generating server config"
if [[ ! -r "$VPN_SERVER_CONFIG_FILE" ]]; then
echo "Failed to generate server config"
exit 4
fi
fi
# Generate peers configuration
for i in "${!PEERS_IP[@]}"; do
peer_ip="" peer_name="" peer_config_file="" peer_private_key="" peer_public_key="" peer_psk=""
peer_ip="${PEERS_IP[$i]}"
peer_name="${PEERS_NAMES[$i]:-$peer_ip}"
peer_config_file="${INTERFACE_PEERS_CONFIG_PATH}/${peer_ip}"
is_behind_nat=false
# Gerating keys
peer_private_key_file="${INTERFACE_STORE_KEYS_PATH}/${peer_ip}"
peer_public_key_file="${INTERFACE_STORE_KEYS_PATH}/${peer_ip}.pub"
if [[ ! -r "$peer_private_key_file" || ! -r "$peer_public_key_file" ]]; then
should_create_backup=true
rm -rf "$peer_private_key_file" "$peer_public_key_file"
echo "Generating keys for peer: ${peer_name}"
gen_pair_of_keys "$peer_private_key_file" "$peer_public_key_file" | _log "Generating peer pair of keys"
if [[ ! -r "$peer_private_key_file" || ! -r "$peer_public_key_file" ]]; then
echo "Failed to generate keys for peer: ${peer_name}"
echo "Continuing with next client"
echo
continue
fi
fi
peer_private_key="$(cat "$peer_private_key_file")"
peer_public_key="$(cat "$peer_public_key_file")"
# Generate peer configuration to save in server config
if ! grep -q "^PublicKey = ${peer_public_key}" "$VPN_SERVER_CONFIG_FILE"; then
should_create_backup=true
if [[ "${GENERATE_PEER_PSK:-true}" == "true" || "${GENERATE_PEER_PSK:-true}" == "1" ]]; then
peer_psk=$(wg genpsk)
fi
echo
echo "Generating peer config for '${peer_name}' in server config file"
REACHED_NETWORKS_PEER="$(get_peer_index_networks "$i")" # "Server" config
if [[ -n "${REACHED_NETWORKS_PEER:-}" ]]; then
PEER_ROUTES="${VPN_NETWORK_CIDR}, $(get_all_allowed_ips)" # "Client" config
else
PEER_ROUTES="$(get_all_allowed_ips)"
PEER_ROUTES="${peer_ip}/32, $(get_all_allowed_ips)"
is_behind_nat=true
echo "No other networks found for '${peer_name}'"
fi
REACHED_NETWORKS_PEER="${peer_ip}/32${REACHED_NETWORKS_PEER:+, ${REACHED_NETWORKS_PEER}}"
{
# Should add in peer_ip a comma separated list of all reachable networks
gen_peer_config "${peer_name}" "" "$peer_public_key" "${REACHED_NETWORKS_PEER}" false "${peer_psk:-}" | tee -a "$VPN_SERVER_CONFIG_FILE"
} | _log "Generated peer config for '${peer_name}'" &> /dev/null
else
echo "Peer '${peer_name}' already exists in server config"
echo "If configuration is created Pre Shared Key should be added later manually"
fi
# Check if peer config already exists
if
[[ ! -f "$peer_config_file" ]] ||
! grep -q "^PrivateKey = ${peer_private_key}" "$peer_config_file" ||
! grep -q "^PublicKey = ${SERVER_PUBLIC_KEY}" "$peer_config_file"
then
# Generate interface config for peer
should_create_backup=true
echo "Generating interface config for peer '${peer_name}'"
{
gen_interface_config "${peer_name}" "${peer_ip}" "${VPN_SERVER_BITS_MASK}" "" "$peer_private_key" "${PEER_DNS_SERVERS:-1.1.1.1}" false | tee "$peer_config_file"
} | _log "Generated interface config for peer '${peer_name}'" &> /dev/null
# Generate peer config for peer
echo "Generating peer config for peer '${peer_name}'"
{
gen_peer_config "Link '${peer_name}' to '${VPN_PUBLIC_IP}:${VPN_SERVER_PORT}'" "${VPN_PUBLIC_IP}:${VPN_SERVER_PORT}" "$SERVER_PUBLIC_KEY" "${PEER_ROUTES}" "${is_behind_nat:-false}" "${peer_psk:-}" | tee -a "$peer_config_file"
} | _log "Generated peer config for peer '${peer_name}'" &> /dev/null
echo
else
echo "Peer '${peer_name}' config already exists"
echo "Skipping"
fi
# Generate peer config QR code
if [[ ! -f "${peer_config_file}.png" ]]; then
echo "Generating peer '${peer_name}' qr code"
generate_qr_code_from_file "${peer_config_file}" "${peer_config_file}.png"
fi
done