
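#!/bin/sh
# Provision a WireGuard server on OpenWrt and generate client profiles.
# Reference: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server
#
# Usage: sh 010_wireguard-server.sh   (run as root on the router)
#
# Written for BusyBox sh: no bashisms (no `let`, `[[`, arrays).
# The script is re-runnable: key pairs and pre-shared keys that already
# exist under ${WG_PKI} are kept (delete the files to rotate them), so
# profiles already handed to clients stay valid; the UCI firewall and
# network sections are rewritten on every run.
#
# Install packages
opkg update
opkg install wireguard-tools || exit 1
# Configuration parameters
# WG_IDS: space-separated peer names. The FIRST entry is the server, the
# remaining entries are clients; each client gets a key pair, a PSK, a
# .conf profile and a UCI peer section named after it.
WG_IDS="wgserver wgclient wglaptop wgmobile"
# WG_PKI: directory holding all key material and generated profiles.
WG_PKI="/etc/wireguard"
WG_IF="vpn"
WG_PORT="51820"
# Tunnel addresses of the server; clients get the same prefix with the
# host part replaced by their index (2, 3, ...). The profile generation
# below assumes a /24 and a /64, matching these values.
WG_ADDR="192.168.99.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"
# WG_DNS: resolvers pushed to clients; empty means "the server's tunnel
# addresses" (filled in below).
WG_DNS=""
# Name of the server peer (first word of WG_IDS).
WG_SERVER="${WG_IDS%% *}"
#
mkdir -p "${WG_PKI}" || exit 1
cd "${WG_PKI}" || exit 1
echo "Generate keys"
# Key material must not be group/world readable. umask persists for the
# rest of the script, so every file written below is owner-only.
umask go=
# Only create the server key pair / PSK when absent, like the client keys
# below; unconditional regeneration would invalidate deployed profiles.
if [ ! -e "${WG_PKI}/${WG_SERVER}.pub" ]
then wg genkey \
  | tee "${WG_PKI}/${WG_SERVER}.key" \
  | wg pubkey > "${WG_PKI}/${WG_SERVER}.pub" || exit 1
fi
if [ ! -e "${WG_PKI}/${WG_SERVER}.psk" ]
then wg genpsk > "${WG_PKI}/${WG_SERVER}.psk" || exit 1
fi
# Server private key (goes into the UCI interface section)
WG_KEY="$(cat "${WG_PKI}/${WG_SERVER}.key")"
[ -n "${WG_KEY}" ] || { echo "empty server key" >&2; exit 1; }
echo "Configure firewall"
# Quoted so the [0]/[1] brackets are never treated as shell globs.
uci rename 'firewall.@zone[0]=lan'
uci rename 'firewall.@zone[1]=wan'
# Put the tunnel interface in the lan zone (del first so re-runs do not
# add a duplicate list entry).
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
# Recreate the inbound rule for the WireGuard listen port.
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
#/etc/init.d/firewall reload
echo "Configure network"
# Recreate the tunnel interface from scratch.
uci -q delete "network.${WG_IF}"
uci set "network.${WG_IF}=interface"
uci set "network.${WG_IF}.proto=wireguard"
uci set "network.${WG_IF}.private_key=${WG_KEY}"
uci set "network.${WG_IF}.listen_port=${WG_PORT}"
uci add_list "network.${WG_IF}.addresses=${WG_ADDR}"
uci add_list "network.${WG_IF}.addresses=${WG_ADDR6}"
uci commit network
#/etc/init.d/network reload
# Configuration parameters: re-read from UCI so the values used for the
# profiles are exactly what the interface was configured with.
WG_PORT="$(uci get "network.${WG_IF}.listen_port")"
WG_ADDRS="$(uci get "network.${WG_IF}.addresses")"
# `uci get` on a list returns a space-separated string: IPv4 first, IPv6 last.
WG_ADDR="${WG_ADDRS%% *}"
WG_ADDR6="${WG_ADDRS##* }"
echo "Fetch WAN IP address"
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
WG_SERV="${NET_ADDR}"
# Fetch FQDN from DDNS client: the lookup_host of the first enabled ddns
# section, if any; it replaces the (possibly dynamic) WAN address.
NET_FQDN="$(uci -q get "$(uci -q show ddns \
| sed -n -e "/\.enabled='1'$/s//.lookup_host/p" \
| sed -n -e "1p")")"
if [ -n "${NET_FQDN}" ]
then WG_SERV="${NET_FQDN}"
fi
# Neither a WAN address nor a DDNS host: profiles would carry an empty
# Endpoint host. Warn instead of aborting so the rest still completes.
if [ -z "${WG_SERV}" ]
then echo "warning: no WAN address or DDNS host found; fix Endpoint in the profiles" >&2
fi
echo "Generate client keys"
umask go=
# ${WG_IDS#* } strips the first word (the server); iterate over clients.
for WG_ID in ${WG_IDS#* }
do
if [ ! -e "${WG_PKI}/${WG_ID}.pub" ]
then wg genkey \
| tee "${WG_PKI}/${WG_ID}.key" \
| wg pubkey > "${WG_PKI}/${WG_ID}.pub" || exit 1
fi
if [ ! -e "${WG_PKI}/${WG_ID}.psk" ]
then wg genpsk > "${WG_PKI}/${WG_ID}.psk" || exit 1
fi
done
echo "Generate client profiles"
# Default DNS: the server's own tunnel addresses (prefix length stripped).
[ -z "${WG_DNS}" ] && WG_DNS="${WG_ADDR%/*}, ${WG_ADDR6%/*}"
# WG_SFX is the client's host index; the server is 1, clients start at 2.
WG_SFX="1"
for WG_ID in ${WG_IDS#* }
do
WG_SFX=$((WG_SFX + 1))
# ${WG_ADDR%.*} / ${WG_ADDR6%:*} drop the server's host part, so the
# client address is <prefix>.<index>; prefix lengths assume /24 and /64.
cat << EOF > "${WG_PKI}/${WG_ID}.conf"
[Interface]
Address = ${WG_ADDR%.*}.${WG_SFX}/24, ${WG_ADDR6%:*}:${WG_SFX}/64
PrivateKey = $(cat "${WG_PKI}/${WG_ID}.key")
DNS = ${WG_DNS}
[Peer]
PublicKey = $(cat "${WG_PKI}/${WG_SERVER}.pub")
PresharedKey = $(cat "${WG_PKI}/${WG_ID}.psk")
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${WG_SERV}:${WG_PORT}
EOF
done
ls "${WG_PKI}"/*.conf
# Back up client profiles across sysupgrade. Append the path only once:
# the original unconditional append grew a duplicate line on every run.
grep -qxF "${WG_PKI}" /etc/sysupgrade.conf 2>/dev/null \
|| printf '%s\n' "${WG_PKI}" >> /etc/sysupgrade.conf
echo "Add VPN peers"
WG_SFX="1"
for WG_ID in ${WG_IDS#* }
do
WG_SFX=$((WG_SFX + 1))
# One wireguard_<iface> peer section per client, recreated on each run.
uci -q delete "network.${WG_ID}"
uci set "network.${WG_ID}=wireguard_${WG_IF}"
uci set "network.${WG_ID}.public_key=$(cat "${WG_PKI}/${WG_ID}.pub")"
uci set "network.${WG_ID}.preshared_key=$(cat "${WG_PKI}/${WG_ID}.psk")"
uci set "network.${WG_ID}.description=${WG_ID}"
uci set "network.${WG_ID}.persistent_keepalive=25"
uci set "network.${WG_ID}.endpoint_host=${WG_SERV}"
uci set "network.${WG_ID}.endpoint_port=${WG_PORT}"
# Server side only routes the client's single tunnel address to it.
uci add_list "network.${WG_ID}.allowed_ips=${WG_ADDR%.*}.${WG_SFX}/32"
uci add_list "network.${WG_ID}.allowed_ips=${WG_ADDR6%:*}:${WG_SFX}/128"
done
uci commit network
echo "restart network"
/etc/init.d/firewall restart
/etc/init.d/network restart
ifdown "${WG_IF}"
ifup "${WG_IF}"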