feat: add wireguard secure installer with modular architecture

This commit introduces a new WireGuard VPN installer with enterprise-grade security features. The installer includes:

- Zero-touch installation with automatic configuration
- Modular architecture for maintainability (separate lib files)
- Client management interface with bandwidth monitoring
- Support for multiple Linux distributions
- Secure defaults and hardened configurations

The implementation provides a complete solution for deploying WireGuard VPN servers with minimal user interaction while maintaining security best practices.

lib/wg_core.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+# WireGuard Secure Installer
+# Copyright (c) 2025 Muhammad Fadhila Abiyyu Faris
+# GitHub: [github.com/fadhila36/wireguard-secure-installer](https://github.com/fadhila36/wireguard-secure-installer)
+
+generate_keys() {
+    if [ -f "$WG_CONFIG" ]; then
+        log_warn "WireGuard config already exists. Skipping key generation to prevent overwrite."
+        # Extract existing private key for context if needed, or just return
+        SERVER_PRIV_KEY=$(grep "PrivateKey" "$WG_CONFIG" | cut -d ' ' -f 3)
+        SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
+        return
+    fi
+
+    log_info "Generating Server Keys..."
+    umask 077
+    SERVER_PRIV_KEY=$(wg genkey)
+    SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
+}
+
+generate_server_config() {
+    if [ -f "$WG_CONFIG" ]; then
+        log_warn "WireGuard config already exists. Skipping config generation."
+        return
+    fi
+
+    log_info "Generating Server Config..."
+    
+    cat > "$WG_CONFIG" <<EOF
+[Interface]
+Address = 10.66.66.1/24,fd42:42:42::1/64
+ListenPort = $SERVER_PORT
+PrivateKey = $SERVER_PRIV_KEY
+PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE
+PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE
+
+EOF
+    chmod 600 "$WG_CONFIG"
+}
+
+start_wireguard() {
+    log_info "Starting WireGuard Service..."
+    systemctl enable "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
+    systemctl start "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
+    
+    # Verify status
+    if systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC"; then
+        log_info "WireGuard Service is RUNNING."
+    else
+        fatal_error "Failed to start WireGuard service."
+    fi
+}
+
+create_client_config() {
+    local CLIENT_NAME=$1
+    local CLIENT_IP_SUFFIX=$2 # e.g., 2 for 10.66.66.2
+
+    log_info "Creating Client: $CLIENT_NAME"
+
+    CLIENT_PRIV_KEY=$(wg genkey)
+    CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey)
+    CLIENT_PRESHARED_KEY=$(wg genpsk)
+
+    # Add peer to server config
+    cat >> "$WG_CONFIG" <<EOF
+
+### Client: $CLIENT_NAME
+[Peer]
+PublicKey = $CLIENT_PUB_KEY
+PresharedKey = $CLIENT_PRESHARED_KEY
+AllowedIPs = 10.66.66.$CLIENT_IP_SUFFIX/32,fd42:42:42::$CLIENT_IP_SUFFIX/128
+
+EOF
+
+    # Update live interface
+    wg syncconf "$SERVER_WG_NIC" <(wg-quick strip "$SERVER_WG_NIC")
+
+    # Generate Client Config File
+    mkdir -p "$INSTALL_DIR/clients"
+    cat > "$INSTALL_DIR/clients/$CLIENT_NAME.conf" <<EOF
+[Interface]
+PrivateKey = $CLIENT_PRIV_KEY
+Address = 10.66.66.$CLIENT_IP_SUFFIX/24,fd42:42:42::$CLIENT_IP_SUFFIX/64
+DNS = $SERVER_DNS
+
+[Peer]
+PublicKey = $SERVER_PUB_KEY
+PresharedKey = $CLIENT_PRESHARED_KEY
+Endpoint = $PUBLIC_IP:$SERVER_PORT
+AllowedIPs = $ALLOWED_IPS
+PersistentKeepalive = 25
+EOF
+
+    log_info "Client config saved to: $INSTALL_DIR/clients/$CLIENT_NAME.conf"
+    
+    # Show QR Code
+    echo -e "${BLUE}Scan this QR Code to connect:${NC}"
+    qrencode -t ansiutf8 < "$INSTALL_DIR/clients/$CLIENT_NAME.conf"
+}