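#!/usr/bin/env bash
#
# Copyright 2022 Patrick Tudor
# MIT License
#
# wget https://wgshell.com/wg.sh && cat wg.sh
#
# Generates, in one run:
#   wg0.conf                 - server config with one [Peer] per client
#   client_<ip>.conf (+.png) - one client config and a scannable QR code each
#   mikrotik.txt             - RouterOS template for the same server and peers
#
# Every output file contains private keys and/or preshared keys. umask 077
# makes each file 0600 and the mktemp directory 0700; the PNG encodes the whole
# client config (private key included), so handle it like the .conf itself.
#
# dnf -y install wireguard-tools qrencode || apt-get install wireguard qrencode
# portmaster shells/bash graphics/libqrencode net/wireguard-tools
# port install wireguard-tools

set -euo pipefail
umask 077

# important site-specific variables
ENDPOINT_SERVER="wg.example.com:51820"
LISTEN_PORT="51820"

# our client networks and range of unique devices: each client gets
# ${NET_ipv4}<id> and ${NET_ipv6}<id>; the server takes <id> 1 in both ranges
CLIENT_ID_FIRST=5
CLIENT_ID_LAST=250
NET_ipv4="172.19.21."
NET_ipv6="2001:db8:c001:cafe::"

# have the client use a specific nameserver, preferably your own
# (the last assignment wins; the first line is kept as an example)
DNS_CLIENT="192.0.2.53, 2001:db8:c001:53::53"
DNS_CLIENT="9.9.9.9, 2620:fe::fe, 4.2.2.4"

# a client might want to send only certain networks over the VPN, or all traffic.
# (the last assignment wins: 0.0.0.0/0, ::/0 is a full tunnel)
ALLOWED_IPS="192.168.0.0/16"
ALLOWED_IPS="0.0.0.0/0, ::/0"

readonly ENDPOINT_SERVER LISTEN_PORT CLIENT_ID_FIRST CLIENT_ID_LAST
readonly NET_ipv4 NET_ipv6 DNS_CLIENT ALLOWED_IPS

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'wgshell: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort before any key material is generated if a required tool is missing.
#######################################
require_tools() {
  local tool
  for tool in wg qrencode mktemp; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: ${tool}"
  done
}

#######################################
# Write the one-time [Interface] stanza at the top of the server config.
# Globals:   NET_ipv4, NET_ipv6, LISTEN_PORT (read)
# Arguments: $1 - server config path, $2 - server private key
#######################################
write_server_interface() {
  local outfile=$1 privkey=$2
  # The server owns address 1 of each range. (The earlier template expanded an
  # unset loop variable here, which only worked because it expanded to "".)
  cat <<EOF >>"$outfile"
[Interface]
Address = ${NET_ipv4}1/24, ${NET_ipv6}1/64
ListenPort = ${LISTEN_PORT}
PrivateKey = ${privkey}
PostUp = echo "wgshell.com: check forwarding sysctls, firewalld rules, routing tables, etc for %i" | logger
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens192 -j MASQUERADE
EOF
}

#######################################
# Write the MikroTik RouterOS header: firewall, interface and addresses.
# Globals:   NET_ipv4, NET_ipv6, LISTEN_PORT (read)
# Arguments: $1 - template path, $2 - server private key, $3 - server public key
#######################################
write_mikrotik_header() {
  local outfile=$1 privkey=$2 pubkey=$3
  # NET_ipv4 already ends in "." -- an extra dot before the host part would
  # produce an invalid "x.y.z..1/24" address on the router.
  cat <<EOF >>"$outfile"
/ip firewall filter add action=accept chain=input dst-port=${LISTEN_PORT} protocol=udp
/ipv6 firewall filter add action=accept chain=input dst-port=${LISTEN_PORT} protocol=udp
/interface/wireguard add name="wireguard1" mtu=1420 listen-port=${LISTEN_PORT} private-key="${privkey}" public-key="${pubkey}"
/ip address add address=${NET_ipv4}1/24 interface=wireguard1 network=${NET_ipv4}0
/ipv6 address add address=${NET_ipv6}1/64 interface=wireguard1
/interface wireguard peers
EOF
}

#######################################
# Generate one client: fresh keypair + PSK, client .conf, QR PNG, and the
# matching [Peer] entries in the server config and MikroTik template.
# Globals:   NET_ipv4, NET_ipv6, LISTEN_PORT, DNS_CLIENT, ALLOWED_IPS,
#            ENDPOINT_SERVER (read)
# Arguments: $1 - client id (last octet/hextet), $2 - working directory,
#            $3 - server config path, $4 - MikroTik template path,
#            $5 - server public key
#######################################
write_client() {
  local ii=$1 wgdir=$2 server_conf=$3 mikrotik_conf=$4 server_pubkey=$5
  local privkey pubkey psk client_conf

  privkey=$(wg genkey) || die "wg genkey failed for client ${ii}"
  # private key goes to wg over stdin, never on the command line (ps/-x safe)
  pubkey=$(printf '%s\n' "$privkey" | wg pubkey) || die "wg pubkey failed for client ${ii}"
  psk=$(wg genpsk) || die "wg genpsk failed for client ${ii}"

  client_conf="${wgdir}/client_${NET_ipv4}${ii}.conf"
  cat <<EOF >>"$client_conf"
[Interface]
Address = ${NET_ipv4}${ii}/32, ${NET_ipv6}${ii}/128
ListenPort = ${LISTEN_PORT}
PrivateKey = ${privkey}
DNS = ${DNS_CLIENT}

[Peer]
PublicKey = ${server_pubkey}
PresharedKey = ${psk}
AllowedIPs = ${ALLOWED_IPS}
Endpoint = ${ENDPOINT_SERVER}
EOF

  # make a PNG qrcode that mobile devices can scan (it contains the private key)
  qrencode -t PNG --size=5 --level=H --read-from="$client_conf" \
    --output="${client_conf}.png" || die "qrencode failed for ${client_conf}"

  # now append to server's wg0.conf; the IPv6 /128 must be listed too, or the
  # server drops the client's IPv6 traffic even though the client has the address
  cat <<EOF >>"$server_conf"

[Peer]
PublicKey = ${pubkey}
PresharedKey = ${psk}
AllowedIPs = ${NET_ipv4}${ii}/32, ${NET_ipv6}${ii}/128
#PersistentKeepalive = 51
EOF

  cat <<EOF >>"$mikrotik_conf"
add interface=wireguard1 allowed-address=${NET_ipv4}${ii}/32,${NET_ipv6}${ii}/128 public-key="${pubkey}" preshared-key="${psk}"
EOF
}

#######################################
# Entry point: build everything in a private temp dir, then move it to $HOME.
#######################################
main() {
  local wgdir s_privatekey s_publickey server_conf mikrotik_conf ii date_f date_dir

  require_tools

  # this is the temp directory we create files in (mktemp -d gives it mode 0700)
  wgdir=$(mktemp -d wgshell.XXXXXXXXXXXXX) || die "mktemp failed"
  printf 'Started, creating files in %s\n' "$wgdir"

  # server keys are generated here
  s_privatekey=$(wg genkey) || die "wg genkey failed for server"
  s_publickey=$(printf '%s\n' "$s_privatekey" | wg pubkey) || die "wg pubkey failed for server"

  server_conf="${wgdir}/wg0.conf"
  mikrotik_conf="${wgdir}/mikrotik.txt"
  write_server_interface "$server_conf" "$s_privatekey"
  # you get a mikrotik config for free
  write_mikrotik_header "$mikrotik_conf" "$s_privatekey" "$s_publickey"

  # per-client configuration files created here
  for ((ii = CLIENT_ID_FIRST; ii <= CLIENT_ID_LAST; ii++)); do
    # if you have two minutes to spare, sleep for the entropy pool
    #sleep 0.${RANDOM}
    write_client "$ii" "$wgdir" "$server_conf" "$mikrotik_conf" "$s_publickey"
  done

  # %H was missing from the original stamp, and %N is GNU-only; the pid keeps
  # two runs within the same second apart
  date_f=$(date +'%Y%m%d%H%M%S')
  date_dir="${HOME}/wgshell.${date_f}.$$"
  if [[ -e "$date_dir" ]]; then
    die "refusing to overwrite existing ${date_dir}"
  fi
  mv -- "$wgdir" "$date_dir" || die "could not move ${wgdir} to ${date_dir}"
  printf 'Finished, files saved in %s\n' "$date_dir"
}

main "$@"
exit 0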