From 27cab7b65fd0fc5ad858a1c80c42e3c5aa6ebfbf Mon Sep 17 00:00:00 2001 From: afify Date: Sun, 9 Apr 2023 19:56:15 +0300 Subject: [PATCH] init --- README.md | 29 ++++++++++++++++++++++ wireguard_client.sh | 59 +++++++++++++++++++++++++++++++++++++++++++++ wireguard_server.sh | 47 ++++++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+) create mode 100644 README.md create mode 100644 wireguard_client.sh create mode 100644 wireguard_server.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..c0e0f71 --- /dev/null +++ b/README.md @@ -0,0 +1,29 @@ +# Wireguard config for OpenBSD + +## Server +```sh +pkg_add wireguard-tools +pkg_add qrencode #optional +sh wireguard_server.sh +``` +### For each client +```sh +sh wireguard_client.sh client_name +``` +- config file will be generated at /etc/wireguard/clients/client_name.conf +- qr code will be generated + + +## Client +```sh +wg-quick up client_name.conf +``` + +### IOS +https://apps.apple.com/us/app/wireguard/id1441195209 (App Store) +https://apps.apple.com/us/app/wireguard/id1451685025 (Mac App Store) + + +### Android +https://play.google.com/store/apps/details?id=com.wireguard.android +https://f-droid.org/en/packages/com.wireguard.android/ diff --git a/wireguard_client.sh b/wireguard_client.sh new file mode 100644 index 0000000..0a3eeea --- /dev/null +++ b/wireguard_client.sh @@ -0,0 +1,59 @@ +#!/bin/sh + +if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run as root" + exit 1 +fi + +if [ -z "$1" ]; then + echo "Usage: $0 " + exit 1 +fi + +client=$1 +server_ip=$(curl ipinfo.io/ip) +interface="wg0" +config_file="/etc/wireguard/${interface}.conf" +clients_dir="/etc/wireguard/clients" +server_port=$(grep "ListenPort" ${config_file} | awk '{print $3}') + +last_ip=$(tail -n 1 ${config_file} |\ + grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}") +new_ip=$(echo "$last_ip" | awk -F. '{print $1"."$2"."$3"."$4+1}') +client_ip="${new_ip}/32" + +mkdir -p ${clients_dir} +cd ${clients_dir} || exit +server_public=$(cat "../public.key") +umask 077 && wg genkey > "${client}_private.key" +wg pubkey < "${client}_private.key" > "${client}_public.key" + +client_private=$(cat "${client}_private.key") +client_public=$(cat "${client}_public.key") + +cat > "${client}.conf" << EOF +[Interface] +PrivateKey = ${client_private} +Address=${client_ip} +DNS = 9.9.9.9 + +# Server +[Peer] +PublicKey = ${server_public} +Endpoint = ${server_ip}:${server_port} +AllowedIPs = ::/0, 0.0.0.0/0 +PersistentKeepalive = 25 +EOF + +cat >> ${config_file} << EOF + +# client [${client}] +[Peer] +PublicKey = ${client_public} +AllowedIPs = ${client_ip} +EOF + +qrencode --read-from="${client}.conf" --type=UTF8 --level=M + +sh /etc/netstart ${interface} +cat "${clients_dir}/${client}.conf" diff --git a/wireguard_server.sh b/wireguard_server.sh new file mode 100644 index 0000000..c9cb2e8 --- /dev/null +++ b/wireguard_server.sh @@ -0,0 +1,47 @@ +#!/bin/sh + +if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run as root" + exit 1 +fi + +random_digits=$(LC_ALL=C tr -dc 0-9 > /etc/sysctl.conf +echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf +mkdir -p /etc/wireguard +chmod 700 /etc/wireguard +cd /etc/wireguard || exit +wg genkey > private.key +chmod 600 private.key +wg pubkey < private.key > public.key +server_private=$(cat "private.key") + +cat > ${config_file} << EOF +[Interface] +PrivateKey = ${server_private} +ListenPort = ${server_port} +EOF + +cat > /etc/hostname.${interface} << EOF +inet 10.0.0.1 255.255.255.0 NONE +up + +!/usr/local/bin/wg setconf ${interface} ${config_file} +EOF + +# pf +cat >> /etc/pf.conf << EOF +pass in on ${interface} +pass in inet proto udp from any to any port ${server_port} +pass out on egress inet from (${interface}:network) nat-to (vio0:0) +EOF + +sh /etc/netstart ${interface} +pfctl -f /etc/pf.conf