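#!/bin/sh
# https://openwrt.org/docs/guide-user/services/vpn/wireguard/server
#
# Provision a WireGuard server on an OpenWrt router:
#   1. install wireguard-tools
#   2. generate the server key pair and PSK under WG_PKI
#   3. open WG_PORT/udp from wan and put WG_IF into the lan zone
#   4. create the WG_IF network interface
#   5. generate a key pair, PSK and client profile (.conf) for every client
#      id in WG_IDS and register it as a peer
#
# Must run as root on the router. Re-running regenerates the SERVER key
# (clients then need new profiles); client keys are kept if already present.

# Install packages
opkg update
opkg install wireguard-tools || exit 1

# Configuration parameters
# WG_IDS: first word is the server id, the rest are client ids. Clients get
#   tunnel host suffix 2, 3, ... in list order.
# WG_ADDR/WG_ADDR6: server tunnel addresses; client addresses are derived by
#   replacing the last IPv4 octet / last IPv6 hextet, so they are expected to
#   look like a.b.c.1/n and ...::1/n.
# WG_DNS: DNS pushed to clients; empty = use the server tunnel addresses.
WG_IDS="wgserver wgclient wglaptop wgmobile"
WG_PKI="/etc/wireguard"
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.99.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"
WG_DNS=""

# Key material (private keys, PSKs and client profiles) lives here: keep the
# directory owner-only and refuse to continue if we cannot enter it, so keys
# are never written into some other working directory.
mkdir -p "${WG_PKI}"
chmod 700 "${WG_PKI}"
cd "${WG_PKI}" || exit 1

echo "Generate keys"
# Files created from here on are readable by the owner only
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genpsk > wgserver.psk
# /bin/sh has no pipefail: a failed `wg genkey` would leave empty key files
# and an interface with an empty private_key. Check the outputs explicitly.
[ -s wgserver.key ] && [ -s wgserver.pub ] && [ -s wgserver.psk ] || exit 1
# Server private key
WG_KEY="$(cat wgserver.key)"
# Pre-shared key (server copy; each client gets its own PSK below)
WG_PSK="$(cat wgserver.psk)"

echo "Configure firewall"
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
# Put the VPN interface in the lan zone; del_list first keeps re-runs idempotent
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
# Only the WireGuard UDP listen port is opened from wan
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
#/etc/init.d/firewall reload

echo "Configure network"
uci -q delete "network.${WG_IF}"
uci set "network.${WG_IF}=interface"
uci set "network.${WG_IF}.proto=wireguard"
uci set "network.${WG_IF}.private_key=${WG_KEY}"
uci set "network.${WG_IF}.listen_port=${WG_PORT}"
uci add_list "network.${WG_IF}.addresses=${WG_ADDR}"
uci add_list "network.${WG_IF}.addresses=${WG_ADDR6}"
uci commit network
#/etc/init.d/network reload

# Re-read the parameters from uci so the rest of the script follows what was
# actually committed (uci prints list values space-separated: v4 first, v6 last)
WG_PORT="$(uci get "network.${WG_IF}.listen_port")"
WG_ADDRS="$(uci get "network.${WG_IF}.addresses")"
WG_ADDR="${WG_ADDRS%% *}"
WG_ADDR6="${WG_ADDRS##* }"

echo "Fetch WAN IP address"
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
WG_SERV="${NET_ADDR}"

# Fetch FQDN from DDNS client: lookup_host of the first enabled ddns section,
# preferred over the raw WAN address when available
NET_FQDN="$(uci -q get "$(uci -q show ddns \
  | sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \
  | sed -n -e "1p")")"
if [ -n "${NET_FQDN}" ]; then
  WG_SERV="${NET_FQDN}"
fi
# Without an endpoint the client profiles are unusable; say so, don't fail silently
if [ -z "${WG_SERV}" ]; then
  printf 'warning: no WAN address or DDNS host found, client Endpoint will be empty\n' >&2
fi

echo "Generate client keys"
umask go=
# ${WG_IDS#* } drops the first (server) id; word-splitting on spaces is intended
for WG_ID in ${WG_IDS#* }; do
  # Existing client keys are kept so re-runs don't invalidate deployed profiles
  if [ ! -e "${WG_PKI}/${WG_ID}.pub" ]; then
    wg genkey \
      | tee "${WG_PKI}/${WG_ID}.key" \
      | wg pubkey > "${WG_PKI}/${WG_ID}.pub"
  fi
  if [ ! -e "${WG_PKI}/${WG_ID}.psk" ]; then
    wg genpsk > "${WG_PKI}/${WG_ID}.psk"
  fi
done

echo "Generate client profiles"
# Default DNS for clients: the server's own tunnel addresses
[ -z "${WG_DNS}" ] && WG_DNS="${WG_ADDR%/*}, ${WG_ADDR6%/*}"
# Prefix lengths are taken from the server addresses rather than hard-coded
WG_PLEN="${WG_ADDR#*/}"
WG_PLEN6="${WG_ADDR6#*/}"
WG_SFX="1"
for WG_ID in ${WG_IDS#* }; do
  # POSIX arithmetic; `let` is not guaranteed under #!/bin/sh
  WG_SFX=$((WG_SFX + 1))
  # Client profile: full-tunnel (AllowedIPs 0/0) towards the server endpoint.
  # The file contains the client's private key, hence the umask above.
  cat << EOF > "${WG_PKI}/${WG_ID}.conf"
[Interface]
Address = ${WG_ADDR%.*}.${WG_SFX}/${WG_PLEN}, ${WG_ADDR6%:*}:${WG_SFX}/${WG_PLEN6}
PrivateKey = $(cat "${WG_PKI}/${WG_ID}.key")
DNS = ${WG_DNS}

[Peer]
PublicKey = $(cat "${WG_PKI}/${WG_IDS%% *}.pub")
PresharedKey = $(cat "${WG_PKI}/${WG_ID}.psk")
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${WG_SERV}:${WG_PORT}
EOF
done
ls "${WG_PKI}"/*.conf

# Back up keys and client profiles across sysupgrade; add the entry only once
# so repeated runs don't keep appending it
grep -qxF -- "${WG_PKI}" /etc/sysupgrade.conf 2>/dev/null \
  || printf '%s\n' "${WG_PKI}" >> /etc/sysupgrade.conf

echo "Add VPN peers"
WG_SFX="1"
for WG_ID in ${WG_IDS#* }; do
  WG_SFX=$((WG_SFX + 1))
  uci -q delete "network.${WG_ID}"
  uci set "network.${WG_ID}=wireguard_${WG_IF}"
  uci set "network.${WG_ID}.public_key=$(cat "${WG_PKI}/${WG_ID}.pub")"
  uci set "network.${WG_ID}.preshared_key=$(cat "${WG_PKI}/${WG_ID}.psk")"
  uci set "network.${WG_ID}.description=${WG_ID}"
  uci set "network.${WG_ID}.persistent_keepalive=25"
  uci set "network.${WG_ID}.endpoint_host=${WG_SERV}"
  uci set "network.${WG_ID}.endpoint_port=${WG_PORT}"
  # Server-side allowed_ips is the peer's single tunnel address: a client can
  # only source traffic from its own /32 and /128
  uci add_list "network.${WG_ID}.allowed_ips=${WG_ADDR%.*}.${WG_SFX}/32"
  uci add_list "network.${WG_ID}.allowed_ips=${WG_ADDR6%:*}:${WG_SFX}/128"
done
uci commit network

echo "restart network"
/etc/init.d/firewall restart
/etc/init.d/network restart
ifdown "${WG_IF}"
ifup "${WG_IF}"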