Script to generate wireguard configs for clients to allow them to connect to the local wireguard server
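#!/bin/bash
#######
# Setup
#######
### Enable IPv4/6 forwarding:
# # In /etc/sysctl.d/30-ipforward.conf :
# net.ipv4.ip_forward=1
# net.ipv6.conf.default.forwarding=1
# net.ipv6.conf.all.forwarding=1
#
# Usage: <script> <client number> <client name>
#   Generates a keypair for a new client, appends a [Peer] entry for it to the
#   server config and prints (optionally QR-encodes) the matching client config.
#   Note: the client config, including its private key, is written only to
#   stdout, never to disk.
set -euo pipefail

# Params
client_number="${1:-}"
name="${2:-}"

# Modify these per-server
wg_iface="wg0"
config_file="/etc/wireguard/$wg_iface.conf"
server_ip="X.X.X.X"          # placeholder: public address clients connect to
server_port="51820"
ipv4_prefix="10.0.0."
ipv4_mask="32"
dns_servers="8.8.4.4"

# Help and basic argument checking (done before the root check so that
# --help / wrong usage does not require privileges)
usage() {
  echo "Usage:"
  echo "$(basename "$0") <client number> <client name>"
  exit 1
}
if [ "$#" -ne 2 ] || [ "$1" = "--help" ]; then
  usage
fi
# The client number becomes the last octet of the client address: 1..254,
# no leading zeros.
if ! [[ "$client_number" =~ ^[1-9][0-9]{0,2}$ ]] || [ "$client_number" -gt 254 ]; then
  echo "ERROR: client number must be an integer between 1 and 254" >&2
  exit 1
fi
# The name is written into the server config as a comment line; restrict it
# so a crafted value cannot inject extra config lines or corrupt the file.
if ! [[ "$name" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "ERROR: client name may only contain letters, digits, '.', '_' and '-'" >&2
  exit 1
fi

# Require root to change wg-related settings
if [ "$(id -u)" != "0" ]; then
  echo "ERROR: root is required to configure WireGuard clients" >&2
  exit 1
fi
if [ ! -r "$config_file" ]; then
  echo "ERROR: cannot read $config_file" >&2
  exit 1
fi

# Keys. The server private key is taken from the [Interface] section of the
# server config rather than being embedded in this script, so the script
# itself contains no secret.
server_privkey=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$config_file" | head -n 1)
if [ -z "$server_privkey" ]; then
  echo "ERROR: no PrivateKey found in $config_file" >&2
  exit 1
fi
server_pubkey=$(printf '%s' "$server_privkey" | wg pubkey)
client_privkey=$(wg genkey)
client_pubkey=$(printf '%s' "$client_privkey" | wg pubkey)

# Client IPv4 address derived from the client number
client_ipv4="$ipv4_prefix$client_number/$ipv4_mask"

# Can't add duplicate IPs. Fixed-string match (-F) so the dots are not regex
# wildcards; the "/mask" suffix keeps 10.0.0.1/32 from matching 10.0.0.10/32.
if grep -qF -- "$client_ipv4" "$config_file"; then
  echo "ERROR: This client number has already been used in the config file" >&2
  exit 1
fi

# Add peer to config file (the leading blank line is on purpose: it separates
# the new section from the previous one)
cat >> "$config_file" <<EOM

[Peer]
# $name
PublicKey = $client_pubkey
AllowedIPs = $client_ipv4
EOM

# Make client config
client_config=$(cat <<EOM
[Interface]
PrivateKey = $client_privkey
Address = $client_ipv4
DNS = $dns_servers
# set the same MTU size as the WireGuard VPN server
MTU = 1460

[Peer]
PublicKey = $server_pubkey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $server_ip:$server_port
PersistentKeepalive = 25
EOM
)

# Output client configuration
echo "########## START CONFIG ##########"
echo "$client_config"
echo "########### END CONFIG ###########"
if command -v qrencode > /dev/null; then
  echo "$client_config" | qrencode -t ansiutf8
else
  echo "Install 'qrencode' to also generate a QR code of the above config"
fi

# Restart service (quoted test so an empty answer is a "no", not a syntax error)
echo ""
read -r -p "Restart 'wg-quick@$wg_iface' ? [y]: " confirm
if [ "$confirm" = "y" ]; then
  systemctl restart "wg-quick@$wg_iface"
else
  echo "WARNING: 'wg-quick@$wg_iface' will need to be restarted before the new client can connect"
fi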