Secure WireGuard server installer

#!/bin/bash
#
# Based On http://bit.ly/2tYrIml
#
# Secure WireGuard server installer is Only Works on Debian 9
#
# Changes
#   - Added IPv6
#   - Improvement Security
#   - BBR Enable
#   - Added Cleanbrowsing DNS
#   - Remove Yandex DNS
#
# Revised by
#   Mertcan GÖKGÖZ - 03.11.2019 20:00 (GMT +3)
#   https://mertcangokgoz.com/
#
# How to use
#   1. Start Terminal
#   2. Change the file permission "chmod +x Wg-Install.sh"
#   3. Choose the options
#   4. Wait For Install
#   5. Enjoy!
#

WG_CONFIG="/etc/wireguard/wg0.conf"

if [[ "$EUID" -ne 0 ]]; then
    echo "Sorry, you need to run this as root"
    exit
fi

if [[ ! -e /dev/net/tun ]]; then
    echo "The TUN device is not available. You need to enable TUN before running this script"
    exit
fi

if [ "$( lsb_release -is )" = "Debian" ]; then
  os_ver="$(sed 's/\..*//' /etc/debian_version 2>/dev/null)"
  if [ "$os_ver" != "9" ]; then
    echo "Only supports Debian 9 (Stretch)"
    exit 1
  fi
fi

if [ "$( systemd-detect-virt )" == "openvz" ]; then
    echo "OpenVZ virtualization is not supported"
    exit
fi

if [ ! -f "$WG_CONFIG" ]; then
    ### Install server and add default client
    INTERACTIVE=${INTERACTIVE:-yes}
    PRIVATE_SUBNET_V4=${PRIVATE_SUBNET_V4:-"10.8.0.0/24"}
    PRIVATE_SUBNET_MASK_V4=$( echo "$PRIVATE_SUBNET_V4" | cut -d "/" -f 2 )
    GATEWAY_ADDRESS_V4="${PRIVATE_SUBNET_V4::-4}1"
    PRIVATE_SUBNET_V6=${PRIVATE_SUBNET_V6:-"fc00:8:0::0/64"}
    PRIVATE_SUBNET_MASK_V6=$( echo "$PRIVATE_SUBNET_V6" | cut -d "/" -f 2 )
    GATEWAY_ADDRESS_V6="${PRIVATE_SUBNET_V6::-4}1"

    if [ "$SERVER_HOST" == "" ]; then
        SERVER_HOST="$(wget -O - -q https://checkip.amazonaws.com)"
        if [ "$INTERACTIVE" == "yes" ]; then
            read -r -p "Servers public IP address is $SERVER_HOST. Is that correct? [y/n]: " -e -i "y" CONFIRM
            if [ "$CONFIRM" == "n" ]; then
                echo "Aborted. Use environment variable SERVER_HOST to set the correct public IP address"
                exit
            fi
        fi
    fi

        echo "What port do you want WireGuard to listen to?"
    echo "   1) Default: 51820"
    echo "   2) Custom"
    echo "   3) Random [2000-65535]"
    until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
        read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
    done
    case $PORT_CHOICE in
        1)
            SERVER_PORT="51820"
        ;;
        2)
            until [[ "$SERVER_PORT" =~ ^[0-9]+$ ]] && [ "$SERVER_PORT" -ge 1 ] && [ "$SERVER_PORT" -le 65535 ]; do
                read -rp "Custom port [1-65535]: " -e -i 51820 SERVER_PORT
            done
        ;;
        3)
            # Generate random number within private ports range
            SERVER_PORT=$(shuf -i2000-65535 -n1)
            echo "Random Port: $SERVER_PORT"
        ;;
    esac

    if [ "$CLIENT_DNS" == "" ]; then
        echo "Which DNS do you want to use with the VPN?"
        echo "   1) Cloudflare"
        echo "   2) Google"
        echo "   3) OpenDNS"
        echo "   4) AdGuard(Only IPv4)"
        echo "   5) AdGuard Family Protection(Only IPv4)"
        echo "   6) Quad9(Only IPv4)"
        echo "   7) Quad9 Uncensored(Only IPv4)"
        echo "   8) FDN(Only IPv4)"
        echo "   9) DNS.WATCH(Only IPv4)"
        echo "   10) Cleanbrowsing Security Filter"
        read -r -p "DNS [1-10]: " -e -i 1 DNS_CHOICE

        case $DNS_CHOICE in
            1)
            CLIENT_DNS="1.1.1.1,2606:4700:4700::1111"
            ;;
            2)
            CLIENT_DNS="8.8.8.8,2001:4860:4860::8888"
            ;;
            3)
            CLIENT_DNS="208.67.222.222,2620:119:35::35"
            ;;
            4)
            CLIENT_DNS="176.103.130.130,176.103.130.131"
            ;;
            5)
            CLIENT_DNS="176.103.130.132,176.103.130.134"
            ;;
            6)
            CLIENT_DNS="9.9.9.9,149.112.112.112"
            ;;
            7)
            CLIENT_DNS="9.9.9.10,149.112.112.10"
            ;;
            8)
            CLIENT_DNS="80.67.169.40,80.67.169.12"
            ;;
            9)
            CLIENT_DNS="84.200.69.80,84.200.70.40"
            ;;
            10)
            CLIENT_DNS="185.228.168.9,2a0d:2a00:1::2"
            ;;
        esac

    fi

    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
    apt-get update
    apt-get upgrade -y
    apt-get dist-upgrade -y
    apt-get autoremove clean -y
    apt-get install build-essential dkms git haveged -y
    apt-get install linux-headers-"$(uname -r)" -y && modprobe wireguard
    apt-get install wireguard qrencode iptables-persistent -y

    # Generate Keys
    SERVER_PRIVKEY=$( wg genkey )
    SERVER_PUBKEY=$( echo "$SERVER_PRIVKEY" | wg pubkey )
    CLIENT_PRIVKEY=$( wg genkey )
    CLIENT_PUBKEY=$( echo "$CLIENT_PRIVKEY" | wg pubkey )
    PRESHARED_KEY=$( echo "$(wg genpsk)" )
    CLIENT_ADDRESS_V4="${PRIVATE_SUBNET_V4::-4}3"
    CLIENT_ADDRESS_V6="${PRIVATE_SUBNET_V6::-4}3"

    mkdir -p /etc/wireguard
    touch $WG_CONFIG && chmod 600 $WG_CONFIG

    echo "# $PRIVATE_SUBNET_V4 $PRIVATE_SUBNET_V6 $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY $CLIENT_DNS
[Interface]
Address = $GATEWAY_ADDRESS_V4/$PRIVATE_SUBNET_MASK_V4, $GATEWAY_ADDRESS_V6/$PRIVATE_SUBNET_MASK_V6
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIVKEY
PostUp = echo nameserver $CLIENT_DNS; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = false" > $WG_CONFIG

    echo "# client
[Peer]
PublicKey = $CLIENT_PUBKEY
PresharedKey = $PRESHARED_KEY
AllowedIPs = $CLIENT_ADDRESS_V4/32, $CLIENT_ADDRESS_V6/128" >> $WG_CONFIG

    echo "[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS_V4/$PRIVATE_SUBNET_MASK_V4, $CLIENT_ADDRESS_V6/$PRIVATE_SUBNET_MASK_V6
DNS = $CLIENT_DNS
MTU = 1420

[Peer]
PublicKey = $SERVER_PUBKEY
PresharedKey = $PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_HOST:$SERVER_PORT
PersistentKeepalive = 25" > "$HOME"/client-wg0.conf

    {
        echo "net.ipv4.ip_forward=1"
        echo "net.ipv4.conf.all.forwarding=1"
        echo "net.ipv6.conf.all.forwarding=1"
        echo "net.core.default_qdisc=fq"
        echo "net.ipv4.tcp_congestion_control=bbr"
    } >> /etc/sysctl.conf
    sysctl -p

    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate NEW -s "$PRIVATE_SUBNET_V4" -m policy --pol none --dir in -j ACCEPT
    ip6tables -A FORWARD -m conntrack --ctstate NEW -s "$PRIVATE_SUBNET_V6" -m policy --pol none --dir in -j ACCEPT
    iptables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET_V4" -m policy --pol none --dir out -j MASQUERADE
    ip6tables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET_V6" -m policy --pol none --dir out -j MASQUERADE
    iptables -A INPUT -p udp --dport "$SERVER_PORT" -j ACCEPT
    ip6tables -A INPUT -p udp --dport "$SERVER_PORT" -j ACCEPT
    iptables-save > /etc/iptables/rules.v4

    systemctl enable wg-quick@wg0.service
    systemctl start wg-quick@wg0.service

    git clone https://git.zx2c4.com/blind-operator-mode
    cd blind-operator-mode || exit
    make
    make install
    sysctl -w net.ipv4.ping_group_range="0 0"
    cd "$HOME" || exit

    qrencode -t ansiutf8 -l L < "$HOME"/client-wg0.conf
    echo "Client config --> $HOME/client-wg0.conf"
    echo "Now reboot the server and enjoy your fresh VPN installation! :^)"
else
    ### Server is installed, add a new client
    CLIENT_NAME="$1"
    if [ "$CLIENT_NAME" == "" ]; then
        echo "Tell me a name for the client config file. Use one word only, no special characters."
        read -r -p "Client name: " -e CLIENT_NAME
    fi
    CLIENT_PRIVKEY=$( wg genkey )
    CLIENT_PUBKEY=$( echo "$CLIENT_PRIVKEY" | wg pubkey )
    PRIVATE_SUBNET_V4=$( head -n1 $WG_CONFIG | awk '{print $2}')
    PRIVATE_SUBNET_MASK_V4=$( echo "$PRIVATE_SUBNET_V4" | cut -d "/" -f 2 )
    PRIVATE_SUBNET_V6=$( head -n1 $WG_CONFIG | awk '{print $3}')
    PRIVATE_SUBNET_MASK_V6=$( echo "$PRIVATE_SUBNET_V6" | cut -d "/" -f 2 )
    SERVER_ENDPOINT=$( head -n1 $WG_CONFIG | awk '{print $4}')
    SERVER_PUBKEY=$( head -n1 $WG_CONFIG | awk '{print $5}')
    CLIENT_DNS=$( head -n1 $WG_CONFIG | awk '{print $6}')
    LASTIP4=$( grep "/32" $WG_CONFIG | tail -n1 | awk '{print $3}' | cut -d "/" -f 1 | cut -d "." -f 4 )
    LASTIP6=$( grep "/64" $WG_CONFIG | tail -n1 | awk '{print $6}' | cut -d "/" -f 1 | cut -d "." -f 4 )
    CLIENT_ADDRESS_V4="${PRIVATE_SUBNET_V4::-4}$((LASTIP4+1))"
    CLIENT_ADDRESS_V6="${PRIVATE_SUBNET_V6::-4}$((LASTIP6+1))"
    echo "# $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = $CLIENT_ADDRESS_V4/32, $CLIENT_ADDRESS_V6/128" >> $WG_CONFIG

    echo "[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_ADDRESS_V4/$PRIVATE_SUBNET_MASK_V4, $CLIENT_ADDRESS_V6/$PRIVATE_SUBNET_MASK_V6
DNS = $CLIENT_DNS
BlockDNS = true
MTU = 1420

[Peer]
PublicKey = $SERVER_PUBKEY
PresharedKey = $PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_ENDPOINT
PersistentKeepalive = 25" > "$HOME"/"$CLIENT_NAME"-wg0.conf
qrencode -t ansiutf8 -l L < "$HOME"/"$CLIENT_NAME"-wg0.conf

    ip address | grep -q wg0 && wg set wg0 peer "$CLIENT_PUBKEY" allowed-ips "$CLIENT_ADDRESS_V4/32 , $CLIENT_ADDRESS_V6/64"
    echo "Client added, new configuration file --> $HOME/$CLIENT_NAME-wg0.conf"
fi