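#!/bin/bash
#
# Based On http://bit.ly/2tYrIml
#
# Secure WireGuard server installer. Only works on Debian 9 (Stretch).
#
# Changes
# - Added IPv6
# - Improvement Security
# - BBR Enable
# - Added Cleanbrowsing DNS
# - Remove Yandex DNS
#
# Revised by
# Mertcan GÖKGÖZ - 03.11.2019 20:00 (GMT +3)
# https://mertcangokgoz.com/
#
# How to use
# 1. Start Terminal
# 2. Change the file permission "chmod +x Wg-Install.sh"
# 3. Choose the options
# 4. Wait For Install
# 5. Enjoy!
#
# Usage
#   ./Wg-Install.sh          first run (no /etc/wireguard/wg0.conf yet):
#                            install the server and create a default client
#   ./Wg-Install.sh [NAME]   later runs: add a client called NAME
#                            (prompted for if omitted)
#
# Optional environment variables
#   INTERACTIVE         "yes" (default) asks to confirm the detected public IP
#   SERVER_HOST         public IP/hostname clients connect to (auto-detected)
#   PRIVATE_SUBNET_V4   tunnel IPv4 network, default 10.8.0.0/24
#   PRIVATE_SUBNET_V6   tunnel IPv6 network, default fc00:8:0::0/64
#   CLIENT_DNS          comma-separated resolvers pushed to clients (menu if unset)
#   PORT_CHOICE         1/2/3 to skip the port menu; SERVER_PORT for choice 2
#
set -euo pipefail

readonly WG_CONFIG="/etc/wireguard/wg0.conf"

# Scratch directory used while building the blind-operator-mode module;
# removed by the EXIT trap on every exit path.
BUILD_DIR=""

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# EXIT trap: drop the module build directory if one was created.
#######################################
cleanup() {
  if [[ -n "$BUILD_DIR" ]]; then
    rm -rf -- "$BUILD_DIR"
  fi
}
trap cleanup EXIT

#######################################
# Turn a network in CIDR form into the host address with the given suffix.
# Assumes the network address ends in a single "0" host part, which both
# defaults do: 10.8.0.0/24 -> 10.8.0.N and fc00:8:0::0/64 -> fc00:8:0::N.
# The same suffix is used for IPv4 and IPv6 so the two stay in lockstep;
# for IPv6 the decimal digits are simply read as hex, which is still unique
# per client.
# Arguments: $1 - network in CIDR form, $2 - host suffix
# Outputs:   the address on stdout
#######################################
host_in_subnet() {
  local network=${1%/*}
  printf '%s%s\n' "${network%0}" "$2"
}

#######################################
# Create (or truncate) a file and make it readable by root only BEFORE any
# key material is written into it.
# Arguments: $1 - path
#######################################
create_private_file() {
  : > "$1"
  chmod 600 "$1"
}

#######################################
# Abort unless we are root on a supported host.
#######################################
check_prerequisites() {
  [[ "$EUID" -eq 0 ]] || die "Sorry, you need to run this as root"
  [[ -e /dev/net/tun ]] || die "The TUN device is not available. You need to enable TUN before running this script"

  # /etc/os-release is always present on Debian, unlike lsb_release.
  # Non-Debian systems are not rejected here (as in the original script),
  # only a Debian release other than 9.
  local os_id os_ver
  os_id=$(. /etc/os-release 2>/dev/null && printf '%s' "${ID:-}") || os_id=""
  os_ver=$(. /etc/os-release 2>/dev/null && printf '%s' "${VERSION_ID:-}") || os_ver=""
  if [[ "$os_id" == "debian" && "$os_ver" != "9" ]]; then
    die "Only supports Debian 9 (Stretch)"
  fi

  if [[ "$(systemd-detect-virt 2>/dev/null || true)" == "openvz" ]]; then
    die "OpenVZ virtualization is not supported"
  fi
}

#######################################
# Ask for (or derive) the UDP port WireGuard listens on.
# Globals:  PORT_CHOICE (read/written), SERVER_PORT (written)
#######################################
choose_port() {
  echo "What port do you want WireGuard to listen to?"
  echo " 1) Default: 51820"
  echo " 2) Custom"
  echo " 3) Random [2000-65535]"
  until [[ "${PORT_CHOICE:-}" =~ ^[1-3]$ ]]; do
    read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
  done
  case "$PORT_CHOICE" in
    1)
      SERVER_PORT="51820"
      ;;
    2)
      # 10# forces decimal so a leading zero is not read as octal.
      until [[ "${SERVER_PORT:-}" =~ ^[0-9]+$ ]] \
        && (( 10#$SERVER_PORT >= 1 && 10#$SERVER_PORT <= 65535 )); do
        read -rp "Custom port [1-65535]: " -e -i 51820 SERVER_PORT
      done
      ;;
    3)
      # Generate random number within private ports range
      SERVER_PORT=$(shuf -i 2000-65535 -n 1)
      echo "Random Port: $SERVER_PORT"
      ;;
  esac
}

#######################################
# Pick the resolvers pushed to clients unless CLIENT_DNS is already set.
# Loops until a valid menu entry is given so the client config never ends
# up with an empty "DNS =" line.
# Globals:  CLIENT_DNS (read/written), DNS_CHOICE (written)
#######################################
choose_dns() {
  [[ -z "${CLIENT_DNS:-}" ]] || return 0
  echo "Which DNS do you want to use with the VPN?"
  echo " 1) Cloudflare"
  echo " 2) Google"
  echo " 3) OpenDNS"
  echo " 4) AdGuard(Only IPv4)"
  echo " 5) AdGuard Family Protection(Only IPv4)"
  echo " 6) Quad9(Only IPv4)"
  echo " 7) Quad9 Uncensored(Only IPv4)"
  echo " 8) FDN(Only IPv4)"
  echo " 9) DNS.WATCH(Only IPv4)"
  echo " 10) Cleanbrowsing Security Filter"
  until [[ "${DNS_CHOICE:-}" =~ ^([1-9]|10)$ ]]; do
    read -r -p "DNS [1-10]: " -e -i 1 DNS_CHOICE
  done
  case "$DNS_CHOICE" in
    1) CLIENT_DNS="1.1.1.1,2606:4700:4700::1111" ;;
    2) CLIENT_DNS="8.8.8.8,2001:4860:4860::8888" ;;
    3) CLIENT_DNS="208.67.222.222,2620:119:35::35" ;;
    4) CLIENT_DNS="176.103.130.130,176.103.130.131" ;;
    5) CLIENT_DNS="176.103.130.132,176.103.130.134" ;;
    6) CLIENT_DNS="9.9.9.9,149.112.112.112" ;;
    7) CLIENT_DNS="9.9.9.10,149.112.112.10" ;;
    8) CLIENT_DNS="80.67.169.40,80.67.169.12" ;;
    9) CLIENT_DNS="84.200.69.80,84.200.70.40" ;;
    10) CLIENT_DNS="185.228.168.9,2a0d:2a00:1::2" ;;
  esac
}

#######################################
# Install WireGuard and its helpers. Debian 9 has no wireguard package, so
# unstable is added at a low pin priority: only packages that are not
# installed at all (i.e. the ones requested here) are taken from it.
#######################################
install_packages() {
  echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
  printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
  apt-get update
  apt-get upgrade -y
  apt-get dist-upgrade -y
  # "autoremove clean" in one call asks apt to remove a package named
  # "clean"; they are two separate sub-commands.
  apt-get autoremove -y
  apt-get clean
  # haveged: entropy daemon, keeps key generation from stalling on VMs.
  apt-get install -y build-essential dkms git haveged
  apt-get install -y linux-headers-"$(uname -r)"
  # iptables-persistent asks via debconf whether to save the current rules;
  # the rules are saved explicitly later, so answer non-interactively.
  DEBIAN_FRONTEND=noninteractive apt-get install -y wireguard qrencode iptables-persistent
  # The dkms module only exists once the wireguard package is installed, so
  # the module is loaded after it rather than before.
  modprobe wireguard
}

#######################################
# Enable forwarding plus BBR, and install the NAT/forwarding firewall rules
# for both address families so they survive a reboot.
# Globals:  PRIVATE_SUBNET_V4, PRIVATE_SUBNET_V6, SERVER_PORT (read)
#######################################
configure_network() {
  {
    echo "net.ipv4.ip_forward=1"
    echo "net.ipv4.conf.all.forwarding=1"
    echo "net.ipv6.conf.all.forwarding=1"
    echo "net.core.default_qdisc=fq"
    echo "net.ipv4.tcp_congestion_control=bbr"
  } >> /etc/sysctl.conf
  sysctl -p
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate NEW -s "$PRIVATE_SUBNET_V4" -m policy --pol none --dir in -j ACCEPT
  ip6tables -A FORWARD -m conntrack --ctstate NEW -s "$PRIVATE_SUBNET_V6" -m policy --pol none --dir in -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET_V4" -m policy --pol none --dir out -j MASQUERADE
  ip6tables -t nat -A POSTROUTING -s "$PRIVATE_SUBNET_V6" -m policy --pol none --dir out -j MASQUERADE
  iptables -A INPUT -p udp --dport "$SERVER_PORT" -j ACCEPT
  ip6tables -A INPUT -p udp --dport "$SERVER_PORT" -j ACCEPT
  # The original saved only the IPv4 rules; the IPv6 set was lost on reboot.
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
}

#######################################
# Build and install the blind-operator-mode kernel module from upstream git.
# NOTE: this installs whatever upstream HEAD is at run time; pin a revision
# if reproducible installs matter. Built in a temp dir instead of whatever
# the current directory happens to be.
#######################################
install_blind_operator_mode() {
  BUILD_DIR=$(mktemp -d) || die "mktemp failed"
  git clone https://git.zx2c4.com/blind-operator-mode "$BUILD_DIR/blind-operator-mode"
  # Subshell so the build runs with the module directory as cwd, which
  # out-of-tree module Makefiles commonly depend on.
  (cd "$BUILD_DIR/blind-operator-mode" && make && make install)
  rm -rf -- "${BUILD_DIR:?}"
  BUILD_DIR=""
}

#######################################
# First run: install the server and write the default client config.
# Globals:  INTERACTIVE, SERVER_HOST, PRIVATE_SUBNET_V4/V6, CLIENT_DNS,
#           SERVER_PORT (read, defaulted as documented at the top)
#######################################
install_server() {
  INTERACTIVE=${INTERACTIVE:-yes}
  PRIVATE_SUBNET_V4=${PRIVATE_SUBNET_V4:-"10.8.0.0/24"}
  PRIVATE_SUBNET_MASK_V4=${PRIVATE_SUBNET_V4#*/}
  GATEWAY_ADDRESS_V4=$(host_in_subnet "$PRIVATE_SUBNET_V4" 1)
  PRIVATE_SUBNET_V6=${PRIVATE_SUBNET_V6:-"fc00:8:0::0/64"}
  PRIVATE_SUBNET_MASK_V6=${PRIVATE_SUBNET_V6#*/}
  GATEWAY_ADDRESS_V6=$(host_in_subnet "$PRIVATE_SUBNET_V6" 1)

  if [[ -z "${SERVER_HOST:-}" ]]; then
    SERVER_HOST=$(wget -qO- https://checkip.amazonaws.com | tr -d '[:space:]') || SERVER_HOST=""
    [[ -n "$SERVER_HOST" ]] || die "Could not detect the public IP address. Use environment variable SERVER_HOST to set it"
    if [[ "$INTERACTIVE" == "yes" ]]; then
      read -r -p "Servers public IP address is $SERVER_HOST. Is that correct? [y/n]: " -e -i "y" CONFIRM
      if [[ "$CONFIRM" == "n" ]]; then
        die "Aborted. Use environment variable SERVER_HOST to set the correct public IP address"
      fi
    fi
  fi

  choose_port
  choose_dns
  install_packages

  # Interface used for NAT in PostUp/PostDown. The original hard-coded eth0,
  # which many Debian 9 images do not use; fall back to it only if no
  # default route is found.
  local egress_if
  egress_if=$(ip -4 route show default | awk '{print $5; exit}') || egress_if=""
  egress_if=${egress_if:-eth0}

  # Generate Keys
  local server_privkey server_pubkey client_privkey client_pubkey preshared_key
  server_privkey=$(wg genkey)
  server_pubkey=$(wg pubkey <<<"$server_privkey")
  client_privkey=$(wg genkey)
  client_pubkey=$(wg pubkey <<<"$client_privkey")
  preshared_key=$(wg genpsk)
  local client_address_v4 client_address_v6
  client_address_v4=$(host_in_subnet "$PRIVATE_SUBNET_V4" 3)
  client_address_v6=$(host_in_subnet "$PRIVATE_SUBNET_V6" 3)

  mkdir -p /etc/wireguard
  chmod 700 /etc/wireguard
  create_private_file "$WG_CONFIG"
  # The first line is a state record that later "add client" runs parse by
  # whitespace-separated field: subnet4 subnet6 host:port server_pubkey dns.
  cat > "$WG_CONFIG" <<EOF
# $PRIVATE_SUBNET_V4 $PRIVATE_SUBNET_V6 $SERVER_HOST:$SERVER_PORT $server_pubkey $CLIENT_DNS
[Interface]
Address = $GATEWAY_ADDRESS_V4/$PRIVATE_SUBNET_MASK_V4, $GATEWAY_ADDRESS_V6/$PRIVATE_SUBNET_MASK_V6
ListenPort = $SERVER_PORT
PrivateKey = $server_privkey
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $egress_if -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o $egress_if -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $egress_if -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o $egress_if -j MASQUERADE
SaveConfig = false
# client
[Peer]
PublicKey = $client_pubkey
PresharedKey = $preshared_key
AllowedIPs = $client_address_v4/32, $client_address_v6/128
EOF

  # Client config holds the client's private key: root-only from creation.
  local client_conf="$HOME/client-wg0.conf"
  create_private_file "$client_conf"
  cat > "$client_conf" <<EOF
[Interface]
PrivateKey = $client_privkey
Address = $client_address_v4/$PRIVATE_SUBNET_MASK_V4, $client_address_v6/$PRIVATE_SUBNET_MASK_V6
DNS = $CLIENT_DNS
MTU = 1420
[Peer]
PublicKey = $server_pubkey
PresharedKey = $preshared_key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $SERVER_HOST:$SERVER_PORT
PersistentKeepalive = 25
EOF

  configure_network
  systemctl enable wg-quick@wg0.service
  systemctl start wg-quick@wg0.service
  install_blind_operator_mode
  # Only gid 0 may open unprivileged ICMP echo sockets.
  sysctl -w net.ipv4.ping_group_range="0 0"
  qrencode -t ansiutf8 -l L < "$client_conf"
  echo "Client config --> $client_conf"
  echo "Now reboot the server and enjoy your fresh VPN installation! :^)"
}

#######################################
# Later runs: add one more peer to the server config, write its client
# config and, when wg0 is up, apply the peer live.
# Arguments: $1 - client name (optional; prompted for if empty)
#######################################
add_client() {
  local client_name=${1:-}
  if [[ -z "$client_name" ]]; then
    echo "Tell me a name for the client config file. Use one word only, no special characters."
    read -r -p "Client name: " -e client_name
  fi
  # The name becomes part of a path written as root, so enforce the
  # "one word, no special characters" rule instead of only stating it.
  [[ "$client_name" =~ ^[A-Za-z0-9_-]+$ ]] \
    || die "Client name must be one word made of letters, digits, '-' or '_'"
  local client_conf="$HOME/$client_name-wg0.conf"
  [[ ! -e "$client_conf" ]] || die "$client_conf already exists, choose another client name"

  # Fields of the state line written by install_server (see there).
  local private_subnet_v4 private_subnet_v6 server_endpoint server_pubkey client_dns
  read -r _ private_subnet_v4 private_subnet_v6 server_endpoint server_pubkey client_dns \
    < <(head -n1 "$WG_CONFIG")
  [[ -n "$server_pubkey" && -n "$client_dns" ]] \
    || die "Cannot read the server settings from the first line of $WG_CONFIG"
  local private_subnet_mask_v4=${private_subnet_v4#*/}
  local private_subnet_mask_v6=${private_subnet_v6#*/}

  # Highest host number handed out so far = last octet of the last "/32"
  # peer entry. IPv6 addresses get the same suffix, so the IPv4 counter
  # drives both. (The original derived the IPv6 number from "/64" lines,
  # which only match the interface address and so always yielded ::1, the
  # gateway's own address.) With no peer yet the first client gets 3, as
  # install_server does.
  local last_ip4
  last_ip4=$({ grep '/32' "$WG_CONFIG" || true; } | tail -n1 | awk '{print $3}' | cut -d '/' -f 1 | cut -d '.' -f 4)
  last_ip4=${last_ip4:-2}
  [[ "$last_ip4" =~ ^[0-9]+$ ]] || die "Cannot parse the last client address in $WG_CONFIG"
  # Only the last octet is ever varied, so 254 is the ceiling for any mask.
  (( last_ip4 < 254 )) || die "No free client addresses left in $private_subnet_v4"
  local host_num=$((last_ip4 + 1))
  local client_address_v4 client_address_v6
  client_address_v4=$(host_in_subnet "$private_subnet_v4" "$host_num")
  client_address_v6=$(host_in_subnet "$private_subnet_v6" "$host_num")

  # One fresh preshared key per client; the original referenced a PSK
  # variable that is never set on this path, producing an empty
  # "PresharedKey =" line in the client config.
  local client_privkey client_pubkey preshared_key
  client_privkey=$(wg genkey)
  client_pubkey=$(wg pubkey <<<"$client_privkey")
  preshared_key=$(wg genpsk)

  cat >> "$WG_CONFIG" <<EOF
# $client_name
[Peer]
PublicKey = $client_pubkey
PresharedKey = $preshared_key
AllowedIPs = $client_address_v4/32, $client_address_v6/128
EOF

  # "BlockDNS" from the original is not a WireGuard config key and made
  # wg(8) reject the file; it is dropped here.
  create_private_file "$client_conf"
  cat > "$client_conf" <<EOF
[Interface]
PrivateKey = $client_privkey
Address = $client_address_v4/$private_subnet_mask_v4, $client_address_v6/$private_subnet_mask_v6
DNS = $client_dns
MTU = 1420
[Peer]
PublicKey = $server_pubkey
PresharedKey = $preshared_key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $server_endpoint
PersistentKeepalive = 25
EOF

  qrencode -t ansiutf8 -l L < "$client_conf"
  # Apply to the running interface without restarting it (which would drop
  # every other client). The PSK goes through a pipe, never onto argv, and
  # the IPv6 entry is a /128 host route like in the config file - the
  # original's /64 would have let this peer source any address in the
  # tunnel's IPv6 network.
  if ip link show wg0 >/dev/null 2>&1; then
    wg set wg0 peer "$client_pubkey" \
      preshared-key <(printf '%s\n' "$preshared_key") \
      allowed-ips "$client_address_v4/32,$client_address_v6/128"
  fi
  echo "Client added, new configuration file --> $client_conf"
}

#######################################
# Entry point: install on first run, add a client afterwards.
# Arguments: $1 - client name (add-client mode only)
#######################################
main() {
  check_prerequisites
  if [[ ! -f "$WG_CONFIG" ]]; then
    ### Install server and add default client
    install_server
  else
    ### Server is installed, add a new client
    add_client "${1:-}"
  fi
}

main "$@"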