Wireguard: Difference between revisions

From Info-Theke
Zeile 8: Zeile 8:


== Zentrale einrichten ==
== Zentrale einrichten ==
=== Ablauf der Konfiguration ===
* Scripts erzeugen: Kapitel "Scripts erstellen"
* Server konfigurieren: Kapitel "Konfiguration Server"
* Beliebig viele Clients konfigurieren: "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)"
* Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen"
* Client löschen:
** db/<vpn-id>/clients/<client>.conf löschen
** Kapitel "Wireguard Konfiguration erzeugen"
* Client ändern (z.B. erlaubte Netze)
** db/<vpn-id>/clients/<client>.conf ändern
** Kapitel "Wireguard Konfiguration erzeugen"
* neuer Client:
** "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)"
** Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen"
=== Scripts erstellen ===
=== Scripts erstellen ===
==== Script für Initialisierung: Build ====
==== Script für Initialisierung: Build ====
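Review bot: the new "Ablauf der Konfiguration" list ends the delete, change and new-client paths at "Wireguard Konfiguration erzeugen", but that chapter only reruns Build, which rewrites $VPN_ID.conf and never touches the running interface; add the step that applies the new file (for example `wg syncconf $VPN_ID <(wg-quick strip $VPN_ID)` or a restart of wg-quick@$VPN_ID), otherwise a deleted client keeps its access until the next reload.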
Zeile 14: Zeile 30:
cat <<'ESCRIPT' >$FN_SCRIPT
cat <<'ESCRIPT' >$FN_SCRIPT
#! /bin/bash
#! /bin/bash
WG_ID=$1
VPN_ID=$1


function Server(){
function Server(){
   source db/$WG_ID/server.conf
   source db/$VPN_ID/server.conf
   cat <<EOS >$WG_ID.conf
   cat <<EOS >$VPN_ID.conf
[Interface]
[Interface]
Address = $IP_SERVER  
Address = $IP_SERVER  
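Review bot: the WG_ID to VPN_ID rename is applied consistently in Server(), but `cat <<EOS >$VPN_ID.conf` creates the file under the caller's default umask although the block it writes contains PrivateKey = $PRIVATE_KEY taken from server.conf; put `umask 077` at the top of the script or `chmod og= $VPN_ID.conf` right after the heredoc. The `Address = $IP_SERVER` line also carries trailing whitespace in both versions.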
Zeile 25: Zeile 41:


EOS
EOS
   echo "= created: $WG_ID.conf"
   echo "= created: $VPN_ID.conf"
}
}


Zeile 31: Zeile 47:
   local config=$1
   local config=$1
   source $config
   source $config
   local fn=$WG_ID.conf
   local fn=$VPN_ID.conf
   cat <<EOS >>$fn
   cat <<EOS >>$fn
[Peer]
[Peer]
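Review bot: Client() runs `source $config` once per client file, so CLIENT, PUB_KEY and ALLOWED_IPS survive from the previous file when a later one omits a key, and the peer block silently reuses the previous client's value; `unset CLIENT PUB_KEY ALLOWED_IPS` before the source (or a check of each value after it) makes such a file fail visibly instead.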
Zeile 45: Zeile 61:
   echo "+++ $*"
   echo "+++ $*"
}
}
if [ -z "$WG_ID" ]; then
if [ -z "$VPN_ID" ]; then
   Usage "missing VPN_ID"
   Usage "missing VPN_ID"
elif [ ! -d db/$WG_ID ]; then
elif [ ! -d db/$VPN_ID ]; then
   Usage "VPN_ID not defined: $WG_ID"
   Usage "VPN_ID not defined: $VPN_ID"
   echo "= available:"
   echo "= available:"
   for dir in db/*; do
   for dir in db/*; do
Zeile 55: Zeile 71:
else
else
   Server
   Server
   for client in db/$WG_ID/clients/*.conf; do
   for client in db/$VPN_ID/clients/*.conf; do
     Client $client
     Client $client
   done
   done
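Review bot: `for client in db/$VPN_ID/clients/*.conf` with an empty clients/ directory passes the literal pattern to Client, whose `source` then fails on a non-existent file after Server has already written $VPN_ID.conf; `shopt -s nullglob` before the loop, or `[ -e "$client" ] || continue` as its first statement, avoids that.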
Zeile 67: Zeile 83:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#! /bin/bash
#! /bin/bash
WG_ID=$1
VPN_ID=$1
IP_SERVER=$2
IP_SERVER=$2
IP_PUBLIC=$3
IP_PUBLIC=$3
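Review bot: the parameter assignments do not match the Usage line "BuildServer VPN_ID IP_VPN IP_PUBLIC [HOST [PORT [DNS_SERVER]]]" and its six-argument example: in the current version HOST=$3 shares its argument with IP_PUBLIC, and PORT and DNS_SERVER are read from $4 and $5 instead of $5 and $6, so a call with all six arguments puts the hostname into PORT. Either move HOST, PORT and DNS_SERVER to $4, $5 and $6 or drop HOST from Usage; HOST is otherwise unused in the script.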
Zeile 85: Zeile 101:


function Create(){
function Create(){
   mkdir -p db/$WG_ID/clients
   mkdir -p db/$VPN_ID/clients
   local fnPrivateKey=db/$WG_ID/private.key
   local fnPrivateKey=db/$VPN_ID/private.key
   if [ ! -e $fnPrivateKey ]; then
   if [ ! -e $fnPrivateKey ]; then
     wg genkey > $fnPrivateKey
     wg genkey > $fnPrivateKey
Zeile 92: Zeile 108:
     echo "= created: $fnPrivateKey"
     echo "= created: $fnPrivateKey"
   fi
   fi
   local fnPublicKey=db/$WG_ID/public.key
   local fnPublicKey=db/$VPN_ID/public.key
   if [ ! -e $fnPublicKey ]; then
   if [ ! -e $fnPublicKey ]; then
     wg <$fnPrivateKey pubkey >$fnPublicKey
     wg <$fnPrivateKey pubkey >$fnPublicKey
     echo "= created: $fnPublicKey"  
     echo "= created: $fnPublicKey"  
   fi
   fi
   local fnConfig=db/$WG_ID/server.conf
   local fnConfig=db/$VPN_ID/server.conf
   cat <<EOS >$fnConfig
   cat <<EOS >$fnConfig
WG_ID=$WG_ID
VPN_ID=$VPN_ID
IP_SERVER=$IP_SERVER
IP_SERVER=$IP_SERVER
PORT=$PORT
PORT=$PORT
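Review bot: `wg genkey > $fnPrivateKey` writes the private key before the `chmod go=` that follows it, and `cat <<EOS >$fnConfig` writes server.conf, which embeds PRIVATE_KEY=$(cat $fnPrivateKey), before its `chmod og=`; an `umask 077` at the top of the script closes both windows and also covers db/$VPN_ID/clients, which `mkdir -p` otherwise creates world-readable.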
Zeile 123: Zeile 139:
Zur Anwendung dieses Scripts ist der Public Key schon vorhanden.
Zur Anwendung dieses Scripts ist der Public Key schon vorhanden.
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
WG_ID=$1
VPN_ID=$1
CLIENT=$2
CLIENT=$2
PUBLIC_KEY=$3
PUBLIC_KEY=$3
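Review bot: ImportClient reads PUBLIC_KEY=$3 and IP_CLIENT=$4, but its Usage string ("VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IDS"), its example and the call in "Konfiguration existierender Client" all pass IP_CLIENT third and the key fourth, so the stored PUB_KEY would be the address. Swap the two assignments, and rename the Usage text from BuildClient to ImportClient while at it.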
Zeile 136: Zeile 152:


function Create(){
function Create(){
   mkdir -p db/$WG_ID/clients
   mkdir -p db/$VPN_ID/clients
   local fnConfig=db/$WG_ID/clients/$CLIENT.conf
   local fnConfig=db/$VPN_ID/clients/$CLIENT.conf
   cat <<EOS >$fnConfig
   cat <<EOS >$fnConfig
CLIENT=$CLIENT
CLIENT=$CLIENT
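Review bot: Create() never writes IP_CLIENT into db/$VPN_ID/clients/$CLIENT.conf, so the only address value Build can emit for the peer is `AllowedIPs = $ALLOWED_IPS`. On the server side AllowedIPs is the set of source addresses accepted from, and routes sent to, that peer; giving every client the same network list makes the entries overlap, and only the last peer in the file effectively owns those routes. Store IP_CLIENT here and let Build use the client's /32 (plus any networks that client really routes) as the peer's AllowedIPs.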
Zeile 148: Zeile 164:
if [ -z "$ALLOWED_IPS" ]; then
if [ -z "$ALLOWED_IPS" ]; then
   Usage "missing arguments"
   Usage "missing arguments"
elif [ ! -d db/$WG_ID ]; then
elif [ ! -d db/$VPN_ID ]; then
   Usage "unknown VPN_ID: $WG_ID"
   Usage "unknown VPN_ID: $VPN_ID"
else
else
   Create
   Create
Zeile 158: Zeile 174:
Erzeugt Konfiguration für neuen Client (inklusive Erzeugung der Schlüssel).
Erzeugt Konfiguration für neuen Client (inklusive Erzeugung der Schlüssel).
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
</syntaxhighlight>
=== Wireguard-Konfiguration erzeugen ===
<syntaxhighlight lang="bash">
cd /etc/wireguard
VPN_ID=wg0
./Build $VPN_ID
</syntaxhighlight>
</syntaxhighlight>
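Review bot: the "ExportClient" section gains only an empty syntaxhighlight block, yet the "Erzeugen Client (Keys werden erzeugt)" chapter calls ./CreateClient, so neither the script nor its name is settled; that call also passes ALLOWED_IPS without the `$` (`./CreateClient $WG_ID $CLIENT $IP_CLIENT ALLOWED_IPS`), which would store the literal string as the allowed network list.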



Revision as of 2 April 2023, 06:56

Links

Installation

apt install wireguard resolvconf

Setting up the central server

Configuration workflow

  • Create the scripts: chapter "Creating the scripts"
  • Configure the server: chapter "Server configuration"
  • Configure any number of clients: "Configuring an existing client (public key known)" or "Creating a client (keys are generated)"
  • Generate the WireGuard configuration: chapter "Generating the WireGuard configuration"
  • Delete a client:
    • delete db/<vpn-id>/clients/<client>.conf
    • chapter "Generating the WireGuard configuration"
  • Change a client (e.g. allowed networks):
    • edit db/<vpn-id>/clients/<client>.conf
    • chapter "Generating the WireGuard configuration"
  • New client:
    • "Configuring an existing client (public key known)" or "Creating a client (keys are generated)"
    • Generate the WireGuard configuration: chapter "Generating the WireGuard configuration"

Creating the scripts

Initialisation script: Build

FN_SCRIPT=/etc/wireguard/Build
cat <<'ESCRIPT' >$FN_SCRIPT
#! /bin/bash
# Build: assembles <VPN_ID>.conf from db/<VPN_ID>/server.conf and one [Peer]
# block per db/<VPN_ID>/clients/*.conf. Run it from /etc/wireguard.
VPN_ID=$1
umask 077          # the generated file contains the server's private key
shopt -s nullglob  # an empty clients/ directory must not yield a literal "*.conf"

function Server(){
  source db/$VPN_ID/server.conf
  cat <<EOS >$VPN_ID.conf
[Interface]
Address = $IP_SERVER
ListenPort = $PORT
PrivateKey = $PRIVATE_KEY

EOS
  echo "= created: $VPN_ID.conf"
}

function Client(){
  local config=$1
  unset CLIENT PUB_KEY ALLOWED_IPS   # do not carry values over from the previous client file
  source $config
  local fn=$VPN_ID.conf
  # On the server side AllowedIPs is the set of addresses accepted from and routed to this peer.
  cat <<EOS >>$fn
[Peer]
# client $CLIENT
PublicKey = $PUB_KEY
AllowedIPs = $ALLOWED_IPS

EOS
}

function Usage(){
  echo "Usage: Build VPN_ID"
  echo "Example: Build wg0"
  echo "+++ $*"
}

if [ -z "$VPN_ID" ]; then
  Usage "missing VPN_ID"
elif [ ! -d db/$VPN_ID ]; then
  Usage "VPN_ID not defined: $VPN_ID"
  echo "= available:"
  for dir in db/*; do
    test -d $dir/clients && echo $(basename $dir)
  done
else
  Server
  for client in db/$VPN_ID/clients/*.conf; do
    Client $client
  done
fi
ESCRIPT
echo "created: $FN_SCRIPT"
chmod +x $FN_SCRIPT

Server configuration script: BuildServer

#! /bin/bash
# BuildServer: creates db/<VPN_ID>/ with the server key pair and server.conf.
# Run it from /etc/wireguard. The parameters follow the Usage line below
# (the previous version read HOST from $3, the same argument as IP_PUBLIC).
VPN_ID=$1
IP_SERVER=$2
IP_PUBLIC=$3
HOST=$4
PORT=$5
DNS_SERVER=$6
umask 077   # key files and server.conf must not be readable by other users

test -z "$HOST" && HOST=$(hostname)
test -z "$PORT" && PORT=51820
test -z "$DNS_SERVER" && DNS_SERVER=9.9.9.9

function Usage(){
  echo "Usage BuildServer VPN_ID IP_VPN IP_PUBLIC [HOST [PORT [DNS_SERVER]]]"
  echo "Example: BuildServer wg0 10.10.100.1/24 207.180.255.91 dragon 51820 9.9.9.9"
  echo "+++ $*"
}

function Create(){
  mkdir -p db/$VPN_ID/clients
  local fnPrivateKey=db/$VPN_ID/private.key
  if [ ! -e $fnPrivateKey ]; then
    wg genkey > $fnPrivateKey
    chmod go= $fnPrivateKey
    echo "= created: $fnPrivateKey"
  fi
  local fnPublicKey=db/$VPN_ID/public.key
  if [ ! -e $fnPublicKey ]; then
    wg <$fnPrivateKey pubkey >$fnPublicKey
    echo "= created: $fnPublicKey"
  fi
  # server.conf is sourced by Build and carries the private key, hence the chmod below.
  local fnConfig=db/$VPN_ID/server.conf
  cat <<EOS >$fnConfig
VPN_ID=$VPN_ID
IP_SERVER=$IP_SERVER
PORT=$PORT
DNS_SERVER=$DNS_SERVER
IP_PUBLIC=$IP_PUBLIC
PRIVATE_KEY=$(cat $fnPrivateKey)
PUBLIC_KEY=$(cat $fnPublicKey)
EOS
  chmod og= $fnConfig
  echo "= created: $fnConfig"
}

if [ -z "$IP_PUBLIC" ]; then
  Usage "missing arguments"
elif [ "${IP_SERVER/\//}" = "$IP_SERVER" ]; then
  # the VPN address needs a prefix length, e.g. 10.10.100.1/24
  Usage "wrong IP_SERVER (no /prefix): $IP_SERVER"
else
  Create
fi

Client configuration script: ImportClient

To use this script, the client's public key must already be available.

#! /bin/bash
# ImportClient: registers a client whose public key already exists as db/<VPN_ID>/clients/<CLIENT>.conf.
# Run it from /etc/wireguard. The argument order follows the Usage line below
# (the previous version read PUBLIC_KEY from $3 and IP_CLIENT from $4).
VPN_ID=$1
CLIENT=$2
IP_CLIENT=$3
PUBLIC_KEY=$4
ALLOWED_IPS=$5

function Usage(){
  echo "Usage: ImportClient VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IPS"
  echo "Example: ImportClient wg0 joe 10.10.100.44/32 0fajdkafkdla02jiw902902= 10.10.100.0/24,10.10.101.0/24"
  echo "+++ $*"
}

function Create(){
  mkdir -p db/$VPN_ID/clients
  local fnConfig=db/$VPN_ID/clients/$CLIENT.conf
  cat <<EOS >$fnConfig
CLIENT=$CLIENT
IP_CLIENT=$IP_CLIENT
PUB_KEY=$PUBLIC_KEY
ALLOWED_IPS=$ALLOWED_IPS
EOS
  echo "= created: $fnConfig"
}

if [ -z "$ALLOWED_IPS" ]; then
  Usage "missing arguments"
elif [ ! -d db/$VPN_ID ]; then
  Usage "unknown VPN_ID: $VPN_ID"
else
  Create
fi

Client configuration script: ExportClient

Generates the configuration for a new client (including key generation).
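The script this section describes is not on the page. The following is an added example (not the wiki's own script) of a CreateClient that fits the files Build and Import read: it generates a key pair with wg genkey and wg pubkey, writes db/<VPN_ID>/clients/<CLIENT>.conf for Build, and writes the import file db/<VPN_ID>.<CLIENT>.conf for Import. The function names, the export file name (taken from the Import example) and the use of IP_PUBLIC as the export's IP_SERVER (Import uses that value as Endpoint) are assumptions.

```shell
#! /bin/bash
# Added example, not the wiki's script: CreateClient for the db/ layout used by Build and Import.
# Assumptions: keys come from "wg genkey" / "wg pubkey"; the client imports db/<VPN_ID>.<CLIENT>.conf;
# the export's IP_SERVER is the public address because Import uses it as Endpoint. Run from /etc/wireguard.
umask 077   # private keys and export files must not be world-readable

# A WireGuard key is 32 bytes in base64: 43 base64 characters followed by "=".
valid_wg_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# write_client VPN_ID CLIENT IP_CLIENT ALLOWED_IPS PRIV_KEY PUB_KEY
# Writes the server-side record read by Build and the import file read by Import.
write_client() {
  local vpn=$1 client=$2 ip=$3 allowed=$4 priv=$5 pub=$6
  local dbdir=db/$vpn
  [ -f "$dbdir/server.conf" ] || { echo "+++ unknown VPN_ID: $vpn" >&2; return 1; }
  valid_wg_key "$pub" || { echo "+++ not a WireGuard public key: $pub" >&2; return 1; }
  . "$dbdir/server.conf"   # IP_SERVER, PORT, DNS_SERVER, IP_PUBLIC, PUBLIC_KEY (and PRIVATE_KEY)
  mkdir -p "$dbdir/clients"
  cat <<EOS >"$dbdir/clients/$client.conf"
CLIENT=$client
IP_CLIENT=$ip
PUB_KEY=$pub
ALLOWED_IPS=$allowed
EOS
  # Every variable the page's Import script checks before it writes <VPN_ID>.conf on the client.
  cat <<EOS >"db/$vpn.$client.conf"
VPN_ID=$vpn
DNS_SERVER=$DNS_SERVER
IP_SERVER=$IP_PUBLIC
PORT_SERVER=$PORT
IP_CLIENT=$ip
ALLOWED_IPS=$allowed
PRIV_KEY=$priv
PUB_KEY=$pub
PUBKEY_SERVER=$PUBLIC_KEY
EOS
  echo "= created: $dbdir/clients/$client.conf and db/$vpn.$client.conf"
}

# create_client VPN_ID CLIENT IP_CLIENT ALLOWED_IPS: generate a fresh key pair, then write both files.
create_client() {
  local priv pub
  priv=$(wg genkey) || return 1
  pub=$(printf '%s\n' "$priv" | wg pubkey) || return 1
  write_client "$1" "$2" "$3" "$4" "$priv" "$pub"
}
if [ $# -ge 4 ]; then create_client "$@"; fi
```

Invoked as `./CreateClient wg0 joe 10.58.1.10/32 10.58.1.0/24` from /etc/wireguard; the export file carries the client's private key, so pass it to the client over a trusted channel and delete it from the server afterwards.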

Generating the WireGuard configuration

cd /etc/wireguard
VPN_ID=wg0
./Build $VPN_ID

Server configuration

cd /etc/wireguard
WG_ID=wg0
IP_SERVER=10.58.1.1/16
IP_PUBLIC=203.0.113.10   # placeholder: the server's public IP address or DNS name
HOST=$(hostname)
PORT=51820
./BuildServer $WG_ID $IP_SERVER $IP_PUBLIC $HOST $PORT

Configuring an existing client (public key known)

cd /etc/wireguard
WG_ID=wg0
CLIENT=joe
IP_CLIENT=10.58.1.10/32
PUB_KEY=0fajdkafkdla02jiw902902=
ALLOWED_IPS=10.58.1.0/24
./ImportClient $WG_ID $CLIENT $IP_CLIENT $PUB_KEY $ALLOWED_IPS

Creating a client (keys are generated)

cd /etc/wireguard
WG_ID=wg0
CLIENT=joe
IP_CLIENT=10.58.1.10/32
ALLOWED_IPS=10.58.1.0/24
./CreateClient $WG_ID $CLIENT $IP_CLIENT $ALLOWED_IPS

Setting up a Linux client

apt install wireguard-tools

Creating the script

FN_SCRIPT=/etc/wireguard/Import
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
# Import: turns the file exported by the central server into /etc/wireguard/<VPN_ID>.conf.
CONFIG=$1
umask 077   # the private key and the generated config must not be world-readable

function Usage(){
  echo "Usage: Import IMPORT_FILE"
  echo "Example: Import db/wg0.joe.conf"
  echo "+++ $*"
}

function Create(){
  local fn=$1
  # The import file is executed as shell code; only import files received from the VPN server.
  source $fn
  if [ -z "$VPN_ID" -o -z "$DNS_SERVER" -o -z "$IP_SERVER" -o -z "$IP_CLIENT" ]; then
    echo "+++ wrong import data in $fn: vpn: $VPN_ID dns: $DNS_SERVER ip: $IP_SERVER ipcl: $IP_CLIENT"
  elif [ -z "$PORT_SERVER" -o -z "$ALLOWED_IPS" ]; then
    echo "+++ wrong import data: port: $PORT_SERVER allowed: $ALLOWED_IPS"
  elif [ -z "$PRIV_KEY" -o -z "$PUB_KEY" -o -z "$PUBKEY_SERVER" ]; then
    echo "+++ wrong import data: pub: $PUB_KEY priv: $PRIV_KEY pub-sv: $PUBKEY_SERVER"
  else
    mkdir -p /etc/wireguard/db
    local fnPrivate=/etc/wireguard/db/$VPN_ID.private.key
    echo $PUB_KEY > /etc/wireguard/db/$VPN_ID.public.key
    echo $PRIV_KEY > $fnPrivate
    chmod og= $fnPrivate
    local config=/etc/wireguard/$VPN_ID.conf
    cat <<EOS >$config
[Interface]
Address = $IP_CLIENT
DNS = $DNS_SERVER
# Load the private key from its file instead of embedding it in this config
PostUp = wg set %i private-key $fnPrivate
# Also ping the VPN server to ensure the tunnel is initialized
PostUp = ping -c1 $IP_SERVER

[Peer]
PublicKey = $PUBKEY_SERVER
Endpoint = $IP_SERVER:$PORT_SERVER
AllowedIPs = $ALLOWED_IPS
PersistentKeepalive = 15
EOS
    echo "= created: $config"
  fi
}
if [ -z "$CONFIG" ]; then
  Usage "Missing parameter CONFIG_FILE"
elif [ ! -e $CONFIG ]; then
  Usage "Missing configuration file $CONFIG"
else
  Create $CONFIG
fi
SCRIPT
echo "created: $FN_SCRIPT"
chmod +x $FN_SCRIPT

Importing the data

mkdir -p /etc/wireguard
cd /etc/wireguard
CONFIG=/Downloads/wg0.joe.conf
./Import $CONFIG