Fadhila36/vpn-wireguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
35ff83baca011eb151532a19dec7aa61c66b54dc
vpn-wireguard/lib/wg_core.sh

100 lines
3.2 KiB
Bash
Raw Normal View History

feat: add wireguard secure installer with modular architecture This commit introduces a new WireGuard VPN installer with enterprise-grade security features. The installer includes: - Zero-touch installation with automatic configuration - Modular architecture for maintainability (separate lib files) - Client management interface with bandwidth monitoring - Support for multiple Linux distributions - Secure defaults and hardened configurations The implementation provides a complete solution for deploying WireGuard VPN servers with minimal user interaction while maintaining security best practices.
2025-11-30 14:55:15 +07:00
#!/bin/bash
# WireGuard Secure Installer
# Copyright (c) 2025 Muhammad Fadhila Abiyyu Faris
# GitHub: [github.com/fadhila36/wireguard-secure-installer](https://github.com/fadhila36/wireguard-secure-installer)
generate_keys() {
if [ -f "$WG_CONFIG" ]; then
log_warn "WireGuard config already exists. Skipping key generation to prevent overwrite."
# Extract existing private key for context if needed, or just return
SERVER_PRIV_KEY=$(grep "PrivateKey" "$WG_CONFIG" | cut -d ' ' -f 3)
SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
return
fi
log_info "Generating Server Keys..."
umask 077
SERVER_PRIV_KEY=$(wg genkey)
SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
}
generate_server_config() {
if [ -f "$WG_CONFIG" ]; then
log_warn "WireGuard config already exists. Skipping config generation."
return
fi
log_info "Generating Server Config..."
cat > "$WG_CONFIG" <<EOF
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIV_KEY
PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE
PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE
EOF
chmod 600 "$WG_CONFIG"
}
start_wireguard() {
log_info "Starting WireGuard Service..."
systemctl enable "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
systemctl start "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
# Verify status
if systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC"; then
log_info "WireGuard Service is RUNNING."
else
fatal_error "Failed to start WireGuard service."
fi
}
create_client_config() {
local CLIENT_NAME=$1
local CLIENT_IP_SUFFIX=$2 # e.g., 2 for 10.66.66.2
log_info "Creating Client: $CLIENT_NAME"
CLIENT_PRIV_KEY=$(wg genkey)
CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey)
CLIENT_PRESHARED_KEY=$(wg genpsk)
# Add peer to server config
cat >> "$WG_CONFIG" <<EOF
### Client: $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUB_KEY
PresharedKey = $CLIENT_PRESHARED_KEY
AllowedIPs = 10.66.66.$CLIENT_IP_SUFFIX/32,fd42:42:42::$CLIENT_IP_SUFFIX/128
EOF
# Update live interface
wg syncconf "$SERVER_WG_NIC" <(wg-quick strip "$SERVER_WG_NIC")
# Generate Client Config File
mkdir -p "$INSTALL_DIR/clients"
cat > "$INSTALL_DIR/clients/$CLIENT_NAME.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIV_KEY
Address = 10.66.66.$CLIENT_IP_SUFFIX/24,fd42:42:42::$CLIENT_IP_SUFFIX/64
DNS = $SERVER_DNS
[Peer]
PublicKey = $SERVER_PUB_KEY
PresharedKey = $CLIENT_PRESHARED_KEY
Endpoint = $PUBLIC_IP:$SERVER_PORT
AllowedIPs = $ALLOWED_IPS
PersistentKeepalive = 25
EOF
log_info "Client config saved to: $INSTALL_DIR/clients/$CLIENT_NAME.conf"
# Show QR Code
echo -e "${BLUE}Scan this QR Code to connect:${NC}"
qrencode -t ansiutf8 < "$INSTALL_DIR/clients/$CLIENT_NAME.conf"
}
Reference in New Issue Copy Permalink