lib/wg_core.sh

#!/bin/bash
# WireGuard Secure Installer
# Copyright (c) 2025 Muhammad Fadhila Abiyyu Faris
# GitHub: [github.com/fadhila36/wireguard-secure-installer](https://github.com/fadhila36/wireguard-secure-installer)

generate_keys() {
    if [ -f "$WG_CONFIG" ]; then
        log_warn "WireGuard config already exists. Skipping key generation to prevent overwrite."
        # Extract existing private key for context if needed, or just return
        SERVER_PRIV_KEY=$(grep "PrivateKey" "$WG_CONFIG" | cut -d ' ' -f 3)
        SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
        return
    fi

    log_info "Generating Server Keys..."
    umask 077
    SERVER_PRIV_KEY=$(wg genkey)
    SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
}

generate_server_config() {
    if [ -f "$WG_CONFIG" ]; then
        log_warn "WireGuard config already exists. Skipping config generation."
        return
    fi

    log_info "Generating Server Config..."
    
    cat > "$WG_CONFIG" <<EOF
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIV_KEY
PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE
PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE

EOF
    chmod 600 "$WG_CONFIG"
}

start_wireguard() {
    log_info "Starting WireGuard Service..."
    systemctl enable "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
    systemctl start "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
    
    # Verify status
    if systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC"; then
        log_info "WireGuard Service is RUNNING."
    else
        fatal_error "Failed to start WireGuard service."
    fi
}

create_client_config() {
    local CLIENT_NAME=$1
    local CLIENT_IP_SUFFIX=$2 # e.g., 2 for 10.66.66.2

    log_info "Creating Client: $CLIENT_NAME"

    CLIENT_PRIV_KEY=$(wg genkey)
    CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey)
    CLIENT_PRESHARED_KEY=$(wg genpsk)

    # Add peer to server config
    cat >> "$WG_CONFIG" <<EOF

### Client: $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUB_KEY
PresharedKey = $CLIENT_PRESHARED_KEY
AllowedIPs = 10.66.66.$CLIENT_IP_SUFFIX/32,fd42:42:42::$CLIENT_IP_SUFFIX/128

EOF

    # Update live interface
    wg syncconf "$SERVER_WG_NIC" <(wg-quick strip "$SERVER_WG_NIC")

    # Generate Client Config File
    mkdir -p "$INSTALL_DIR/clients"
    cat > "$INSTALL_DIR/clients/$CLIENT_NAME.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIV_KEY
Address = 10.66.66.$CLIENT_IP_SUFFIX/24,fd42:42:42::$CLIENT_IP_SUFFIX/64
DNS = $SERVER_DNS

[Peer]
PublicKey = $SERVER_PUB_KEY
PresharedKey = $CLIENT_PRESHARED_KEY
Endpoint = $PUBLIC_IP:$SERVER_PORT
AllowedIPs = $ALLOWED_IPS
PersistentKeepalive = 25
EOF

    log_info "Client config saved to: $INSTALL_DIR/clients/$CLIENT_NAME.conf"
    
    # Show QR Code
    echo -e "${BLUE}Scan this QR Code to connect:${NC}"
    qrencode -t ansiutf8 < "$INSTALL_DIR/clients/$CLIENT_NAME.conf"
}
feat: add wireguard secure installer with modular architecture This commit introduces a new WireGuard VPN installer with enterprise-grade security features. The installer includes: - Zero-touch installation with automatic configuration - Modular architecture for maintainability (separate lib files) - Client management interface with bandwidth monitoring - Support for multiple Linux distributions - Secure defaults and hardened configurations The implementation provides a complete solution for deploying WireGuard VPN servers with minimal user interaction while maintaining security best practices. 2025-11-30 14:55:15 +07:00			`#!/bin/bash`
			`# WireGuard Secure Installer`
			`# Copyright (c) 2025 Muhammad Fadhila Abiyyu Faris`
			`# GitHub: [github.com/fadhila36/wireguard-secure-installer](https://github.com/fadhila36/wireguard-secure-installer)`

			`generate_keys() {`
			`if [ -f "$WG_CONFIG" ]; then`
			`log_warn "WireGuard config already exists. Skipping key generation to prevent overwrite."`
			`# Extract existing private key for context if needed, or just return`
			`SERVER_PRIV_KEY=$(grep "PrivateKey" "$WG_CONFIG" \| cut -d ' ' -f 3)`
			`SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" \| wg pubkey)`
			`return`
			`fi`

			`log_info "Generating Server Keys..."`
			`umask 077`
			`SERVER_PRIV_KEY=$(wg genkey)`
			`SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" \| wg pubkey)`
			`}`

			`generate_server_config() {`
			`if [ -f "$WG_CONFIG" ]; then`
			`log_warn "WireGuard config already exists. Skipping config generation."`
			`return`
			`fi`

			`log_info "Generating Server Config..."`

			`cat > "$WG_CONFIG" <<EOF`
			`[Interface]`
			`Address = 10.66.66.1/24,fd42:42:42::1/64`
			`ListenPort = $SERVER_PORT`
			`PrivateKey = $SERVER_PRIV_KEY`
			`PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE`
			`PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE`

			`EOF`
			`chmod 600 "$WG_CONFIG"`
			`}`

			`start_wireguard() {`
			`log_info "Starting WireGuard Service..."`
			`systemctl enable "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1`
			`systemctl start "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1`

			`# Verify status`
			`if systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC"; then`
			`log_info "WireGuard Service is RUNNING."`
			`else`
			`fatal_error "Failed to start WireGuard service."`
			`fi`
			`}`

			`create_client_config() {`
			`local CLIENT_NAME=$1`
			`local CLIENT_IP_SUFFIX=$2 # e.g., 2 for 10.66.66.2`

			`log_info "Creating Client: $CLIENT_NAME"`

			`CLIENT_PRIV_KEY=$(wg genkey)`
			`CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" \| wg pubkey)`
			`CLIENT_PRESHARED_KEY=$(wg genpsk)`

			`# Add peer to server config`
			`cat >> "$WG_CONFIG" <<EOF`

			`### Client: $CLIENT_NAME`
			`[Peer]`
			`PublicKey = $CLIENT_PUB_KEY`
			`PresharedKey = $CLIENT_PRESHARED_KEY`
			`AllowedIPs = 10.66.66.$CLIENT_IP_SUFFIX/32,fd42:42:42::$CLIENT_IP_SUFFIX/128`

			`EOF`

			`# Update live interface`
			`wg syncconf "$SERVER_WG_NIC" <(wg-quick strip "$SERVER_WG_NIC")`

			`# Generate Client Config File`
			`mkdir -p "$INSTALL_DIR/clients"`
			`cat > "$INSTALL_DIR/clients/$CLIENT_NAME.conf" <<EOF`
			`[Interface]`
			`PrivateKey = $CLIENT_PRIV_KEY`
			`Address = 10.66.66.$CLIENT_IP_SUFFIX/24,fd42:42:42::$CLIENT_IP_SUFFIX/64`
			`DNS = $SERVER_DNS`

			`[Peer]`
			`PublicKey = $SERVER_PUB_KEY`
			`PresharedKey = $CLIENT_PRESHARED_KEY`
			`Endpoint = $PUBLIC_IP:$SERVER_PORT`
			`AllowedIPs = $ALLOWED_IPS`
			`PersistentKeepalive = 25`
			`EOF`

			`log_info "Client config saved to: $INSTALL_DIR/clients/$CLIENT_NAME.conf"`

			`# Show QR Code`
			`echo -e "${BLUE}Scan this QR Code to connect:${NC}"`
			`qrencode -t ansiutf8 < "$INSTALL_DIR/clients/$CLIENT_NAME.conf"`
			`}`