feat: add wireguard secure installer with modular architecture

This commit introduces a new WireGuard VPN installer with enterprise-grade security features. The installer includes: - Zero-touch installation with automatic configuration - Modular architecture for maintainability (separate lib files) - Client management interface with bandwidth monitoring - Support for multiple Linux distributions - Secure defaults and hardened configurations The implementation provides a complete solution for deploying WireGuard VPN servers with minimal user interaction while maintaining security best practices.
2025-11-30 14:55:15 +07:00
commit 35ff83baca
12 changed files with 1322 additions and 0 deletions
--- a/lib/network.sh
+++ b/lib/network.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# WireGuard Secure Installer
+# Copyright (c) 2025 Muhammad Fadhila Abiyyu Faris
+# GitHub: [github.com/fadhila36/wireguard-secure-installer](https://github.com/fadhila36/wireguard-secure-installer)
+
+detect_public_ip() {
+    log_info "Detecting public IP..."
+    # Try multiple sources for redundancy
+    PUBLIC_IP=$(curl -s https://api.ipify.org || curl -s https://ifconfig.me || curl -s https://icanhazip.com)
+    
+    if [[ -z "$PUBLIC_IP" ]]; then
+        log_warn "Failed to detect public IP. Falling back to local interface IP."
+        # Fallback to default route IP
+        PUBLIC_IP=$(ip route get 1.1.1.1 | grep -oP 'src \K\S+')
+    fi
+
+    if [[ -z "$PUBLIC_IP" ]]; then
+        fatal_error "Could not detect Public IP or Local IP. Network configuration failed."
+    fi
+
+    log_info "Public IP detected: $PUBLIC_IP"
+}
+
+detect_main_interface() {
+    MAIN_NIC=$(ip route get 1.1.1.1 | grep -oP 'dev \K\S+')
+    if [[ -z "$MAIN_NIC" ]]; then
+        fatal_error "Could not detect main network interface."
+    fi
+    log_info "Main Interface detected: $MAIN_NIC"
+}
+
+configure_firewall() {
+    log_info "Configuring Firewall..."
+
+    # Enable IP Forwarding (Idempotent: Overwrites the file)
+    cat > /etc/sysctl.d/99-wireguard.conf <<EOF
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+EOF
+    sysctl --system >> "$LOG_FILE" 2>&1
+
+    # Detect Firewall Type (UFW, Firewalld, or IPTables)
+    if command -v ufw >/dev/null; then
+        log_info "UFW detected. Adding rules..."
+        ufw allow "$SERVER_PORT"/udp
+        ufw allow OpenSSH
+        # UFW routing rules are complex to automate safely without breaking existing config, 
+        # relying on PostUp/PostDown in wg0.conf for NAT is safer and standard for WG.
+    elif command -v firewall-cmd >/dev/null; then
+        log_info "Firewalld detected. Adding rules..."
+        firewall-cmd --zone=public --add-port="$SERVER_PORT"/udp --permanent
+        firewall-cmd --zone=public --add-masquerade --permanent
+        firewall-cmd --reload
+    else
+        log_info "No specific firewall manager found. Relying on WireGuard PostUp/PostDown for iptables."
+    fi
+}