Wireguard: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(35 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 8: | Zeile 8: | ||
== Zentrale einrichten == | == Zentrale einrichten == | ||
=== | === Ablauf der Konfiguration === | ||
* Scripts erzeugen: Kapitel "Scripts erstellen" | |||
* Server konfigurieren: Kapitel "Konfiguration Server" | |||
* Beliebig viele Clients konfigurieren: "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)" | |||
* Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen" | |||
* Client löschen: | |||
** db/<vpn-id>/clients/<client>.conf löschen | |||
** Kapitel "Wireguard Konfiguration erzeugen" | |||
* Client ändern (z.B. erlaubte Netze) | |||
** db/<vpn-id>/clients/<client>.conf ändern | |||
** Kapitel "Wireguard Konfiguration erzeugen" | |||
* neuer Client: | |||
** "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)" | |||
** Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen" | |||
=== Scripts erstellen === | === Scripts erstellen === | ||
==== Script für Initialisierung: Build ==== | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
FN_SCRIPT=/etc/wireguard/Build | FN_SCRIPT=/etc/wireguard/Build | ||
cat <<'ESCRIPT' >$FN_SCRIPT | cat <<'ESCRIPT' >$FN_SCRIPT | ||
#! /bin/bash | #! /bin/bash | ||
VPN_ID=$1 | |||
function Server(){ | function Server(){ | ||
source db/$ | source db/$VPN_ID/server.conf | ||
cat <<EOS >$ | cat <<EOS >$VPN_ID.conf | ||
[Interface] | [Interface] | ||
Address = $IP_SERVER | Address = $IP_SERVER | ||
Zeile 40: | Zeile 41: | ||
EOS | EOS | ||
echo "= created: $ | echo "= created: $VPN_ID.conf" | ||
} | } | ||
Zeile 46: | Zeile 47: | ||
local config=$1 | local config=$1 | ||
source $config | source $config | ||
local fn=$ | local fn=$VPN_ID.conf | ||
cat <<EOS >>$fn | cat <<EOS >>$fn | ||
[Peer] | [Peer] | ||
Zeile 60: | Zeile 61: | ||
echo "+++ $*" | echo "+++ $*" | ||
} | } | ||
if [ -z "$ | if [ -z "$VPN_ID" ]; then | ||
Usage "missing VPN_ID" | Usage "missing VPN_ID" | ||
elif [ ! -d db/$ | elif [ ! -d db/$VPN_ID ]; then | ||
Usage "VPN_ID not defined: $ | Usage "VPN_ID not defined: $VPN_ID" | ||
echo "= available:" | echo "= available:" | ||
for dir in db/*; do | for dir in db/*; do | ||
Zeile 70: | Zeile 71: | ||
else | else | ||
Server | Server | ||
for client in db/$ | for client in db/$VPN_ID/clients/*.conf; do | ||
Client $client | Client $client | ||
done | done | ||
Zeile 77: | Zeile 78: | ||
echo "created: $FN_SCRIPT" | echo "created: $FN_SCRIPT" | ||
chmod +x $FN_SCRIPT | chmod +x $FN_SCRIPT | ||
</syntaxhighlight> | |||
==== Script zum Server konfigurieren ==== | |||
<syntaxhighlight lang="bash"> | |||
FN_SCRIPT=/etc/wireguard/BuildServer | FN_SCRIPT=/etc/wireguard/BuildServer | ||
cat <<'SCRIPT' >$FN_SCRIPT | cat <<'SCRIPT' >$FN_SCRIPT | ||
#! /bin/bash | #! /bin/bash | ||
VPN_ID=$1 | |||
IP_SERVER=$2 | IP_SERVER=$2 | ||
HOST=$ | IP_PUBLIC=$3 | ||
PORT=$ | HOST=$4 | ||
PORT=$5 | |||
DNS_SERVER=$6 | |||
test -z "$HOST" && HOST=$(hostname) | test -z "$HOST" && HOST=$(hostname) | ||
test -z "$PORT" && PORT=51820 | test -z "$PORT" && PORT=51820 | ||
test -z "$DNS_SERVER" && DNS_SERVER=9.9.9.9 | |||
function Usage(){ | function Usage(){ | ||
echo "Usage BuildServer VPN_ID | echo "Usage BuildServer VPN_ID IP_VPN IP_PUBLIC [HOST [PORT [DNS_SERVER]]]" | ||
echo "Example: BuildServer wg0 10.10.100.1/24 dragon 51820" | echo "Example: BuildServer wg0 10.10.100.1/24 207.180.255.91 dragon 51820 9.9.9.9" | ||
echo "+++ $*" | |||
} | } | ||
function Create(){ | function Create(){ | ||
mkdir -p db/$ | mkdir -p db/$VPN_ID/clients | ||
local fnPrivateKey=db/$ | local fnPrivateKey=db/$VPN_ID/private.key | ||
if [ ! -e $fnPrivateKey ]; then | if [ ! -e $fnPrivateKey ]; then | ||
wg genkey > $fnPrivateKey | wg genkey > $fnPrivateKey | ||
Zeile 101: | Zeile 110: | ||
echo "= created: $fnPrivateKey" | echo "= created: $fnPrivateKey" | ||
fi | fi | ||
local fnPublicKey=db/$ | local fnPublicKey=db/$VPN_ID/public.key | ||
if [ ! -e $fnPublicKey ]; then | if [ ! -e $fnPublicKey ]; then | ||
wg <$fnPrivateKey pubkey >$fnPublicKey | wg <$fnPrivateKey pubkey >$fnPublicKey | ||
echo "= created: $fnPublicKey" | echo "= created: $fnPublicKey" | ||
fi | fi | ||
local fnConfig=db/$ | local fnConfig=db/$VPN_ID/server.conf | ||
cat <<EOS >$fnConfig | cat <<EOS >$fnConfig | ||
VPN_ID=$VPN_ID | |||
IP_SERVER=$IP_SERVER | IP_SERVER=$IP_SERVER | ||
PORT=$PORT | PORT=$PORT | ||
DNS_SERVER=$DNS_SERVER | |||
IP_PUBLIC=$IP_PUBLIC | |||
PRIVATE_KEY=$(cat $fnPrivateKey) | PRIVATE_KEY=$(cat $fnPrivateKey) | ||
PUBLIC_KEY=$(cat $fnPublicKey) | |||
EOS | EOS | ||
chmod og= $fnConfig | |||
echo "= created: $fnConfig" | echo "= created: $fnConfig" | ||
} | } | ||
Zeile 126: | Zeile 139: | ||
chmod +x $FN_SCRIPT | chmod +x $FN_SCRIPT | ||
echo "= created: $FN_SCRIPT" | echo "= created: $FN_SCRIPT" | ||
</syntaxhighlight> | |||
FN_SCRIPT=/etc/wireguard/ | |||
==== Script zur Clientkonfiguration: ImportClient ==== | |||
Zur Anwendung dieses Scripts ist der Public Key schon vorhanden. | |||
<syntaxhighlight lang="bash"> | |||
FN_SCRIPT=/etc/wireguard/ImportClient | |||
#! /bin/bash | |||
cat <<'SCRIPT' >$FN_SCRIPT | cat <<'SCRIPT' >$FN_SCRIPT | ||
VPN_ID=$1 | |||
CLIENT=$2 | CLIENT=$2 | ||
PUBLIC_KEY=$3 | PUBLIC_KEY=$3 | ||
Zeile 137: | Zeile 154: | ||
function Usage(){ | function Usage(){ | ||
echo "Usage: | echo "Usage: ImportClient VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IDS" | ||
echo "Example: | echo "Example: ImportClient wg0 joe 10.10.100.44/32 0fajdkafkdla02jiw902902= 10.10.100.0/24,10.10.101.0/24" | ||
echo "+++ $*" | echo "+++ $*" | ||
} | } | ||
function Create(){ | function Create(){ | ||
mkdir -p db/$ | mkdir -p db/$VPN_ID/clients | ||
local fnConfig=db/$ | local fnConfig=db/$VPN_ID/clients/$CLIENT.conf | ||
cat <<EOS >$fnConfig | cat <<EOS >$fnConfig | ||
CLIENT=$CLIENT | CLIENT=$CLIENT | ||
Zeile 155: | Zeile 172: | ||
if [ -z "$ALLOWED_IPS" ]; then | if [ -z "$ALLOWED_IPS" ]; then | ||
Usage "missing arguments" | Usage "missing arguments" | ||
elif [ ! -d db/$ | elif [ ! -d db/$VPN_ID ]; then | ||
Usage "unknown VPN_ID: $ | Usage "unknown VPN_ID: $VPN_ID" | ||
else | else | ||
Create | Create | ||
fi | fi | ||
SCRIPT | SCRIPT | ||
chmod +x $FN_SCRIPT | chmod +x $FN_SCRIPT | ||
echo "= created: $FN_SCRIPT" | |||
</syntaxhighlight> | |||
==== Script zur Clientkonfiguration: ExportClient ==== | |||
Erzeugt Konfiguration für neuen Client (inklusive Erzeugung der Schlüssel). | |||
<syntaxhighlight lang="bash"> | |||
FN_SCRIPT=/etc/wireguard/ExportClient | |||
cat <<'SCRIPT' >$FN_SCRIPT | |||
#! /bin/bash | |||
VPN_ID=$1 | |||
CLIENT=$2 | |||
IP_CLIENT=$3 | |||
ALLOWED_IPS=$4 | |||
function Usage(){ | |||
echo "Usage: ExportClient VPN_ID CLIENT_NAME IP_CLIENT ALLOWED_IDS" | |||
echo "Example: ExportClient wg0 joe 10.10.100.44/32 10.10.100.0/24,10.10.101.0/24" | |||
echo "+++ $*" | |||
} | |||
function CreateIntern(){ | |||
mkdir -p db/$VPN_ID/clients | |||
local fnConfig=db/$VPN_ID/clients/$CLIENT.conf | |||
cat <<EOS >$fnConfig | |||
CLIENT=$CLIENT | |||
PUB_KEY=$PUBLIC_KEY_CLIENT | |||
ALLOWED_IPS=$ALLOWED_IPS | |||
EOS | |||
echo "= created: $fnConfig" | |||
fnConfig=exported/$VPN_ID.$CLIENT.conf | |||
mkdir -p $(dirname $fnConfig) | |||
cat <<EOS >$fnConfig | |||
EOS | |||
} | |||
function CreateExport(){ | |||
local fnConfig=export/$VPN_ID.$CLIENT.conf | |||
mkdir -p $(dirname $fnConfig) | |||
source db/$VPN_ID/server.conf | |||
local privateKey=$(wg genkey) | |||
PUBLIC_KEY_CLIENT=$(echo $privateKey | wg pubkey) | |||
cat <<EOS >$fnConfig | |||
VPN_ID=$VPN_ID | |||
DNS_SERVER=$DNS_SERVER | |||
IP_SERVER=$IP_PUBLIC | |||
IP_CLIENT=$IP_CLIENT | |||
PORT_SERVER=$PORT | |||
ALLOWED_IPS=$ALLOWED_IPS | |||
PRIV_KEY=$privateKey | |||
PUB_KEY=$PUBLIC_KEY_CLIENT | |||
PUBKEY_SERVER=$(cat /etc/wireguard/db/$VPN_ID/public.key) | |||
EOS | |||
echo "= created: $fnConfig" | |||
} | |||
fnConfig=exported/$VPN_ID.$CLIENT.conf | |||
if [ -z "$ALLOWED_IPS" ]; then | |||
Usage "missing arguments" | |||
elif [ ! -d db/$VPN_ID ]; then | |||
Usage "unknown VPN_ID: $VPN_ID" | |||
else | |||
CreateExport | |||
CreateIntern | |||
fi | |||
SCRIPT | |||
chmod +x $FN_SCRIPT | |||
echo "= created: $FN_SCRIPT" | |||
</syntaxhighlight> | |||
=== Wireguard-Konfiguration erzeugen === | |||
<syntaxhighlight lang="bash"> | |||
cd /etc/wireguard | |||
VPN_ID=wg0 | |||
./Build $VPN_ID | |||
</syntaxhighlight> | |||
* VPN neu starten | |||
<syntaxhighlight lang="bash"> | |||
# Falls VPN läuft: | |||
wg-quick down wg0 | |||
wg-quick up wg0 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Konfiguration Server === | === Konfiguration Server === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cd /etc/wireguard | |||
IP_SERVER=10. | VPN_ID=wg0 | ||
IP_SERVER=10.10.100.1/16 | |||
IP_PUBLIC=139.44.33.91 | |||
DNS_SERVER=9.9.9.9 | |||
HOST=$(hostname) | HOST=$(hostname) | ||
PORT=51820 | PORT=51820 | ||
./BuildServer $ | ./BuildServer $VPN_ID $IP_SERVER $IP_PUBLIC $HOST $PORT $DNS_SERVER | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Konfiguration Client === | === Konfiguration existierender Client (Public Key bekannt) === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
VPN_ID=wg0 | |||
CLIENT=joe | CLIENT=joe | ||
IP_CLIENT=10. | IP_CLIENT=10.10.100.10/32 | ||
PUB_KEY=0fajdkafkdla02jiw902902= | PUB_KEY=0fajdkafkdla02jiw902902= | ||
ALLOWED_IPS=10. | ALLOWED_IPS=10.100.10.0/24 | ||
./ | ./ImportClient $VPN_ID $CLIENT $IP_CLIENT $PUB_KEY $ALLOWED_IPS | ||
</syntaxhighlight> | |||
=== Erzeugen Client (Keys werden erzeugt) === | |||
<syntaxhighlight lang="bash"> | |||
cd /etc/wireguard | |||
VPN_ID=wg0 | |||
CLIENT=joe | |||
IP_CLIENT=10.10.100.112/32 | |||
ALLOWED_IPS=10.10.100.0/24 | |||
./ExportClient $VPN_ID $CLIENT $IP_CLIENT $ALLOWED_IPS | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== Linux Client einrichten == | == Linux Client einrichten == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
apt install wireguard-tools | apt install wireguard-tools resolvconf | ||
</syntaxhighlight> | |||
=== Script erzeugen === | |||
<syntaxhighlight lang="bash"> | |||
FN_SCRIPT=/etc/wireguard/Import | |||
cat <<'SCRIPT' >$FN_SCRIPT | |||
#! /bin/bash | |||
CONFIG=$1 | |||
function Usage(){ | |||
echo "Usage: Import IMPORT_FILE" | |||
echo "Example: Import db/wg0.joe.conf" | |||
echo "+++ $*" | |||
} | |||
function Create(){ | |||
local fn=$1 | |||
chmod | source $fn | ||
if [ -z "$VPN_ID" -o -z "$DNS_SERVER" -o -z "$IP_SERVER" -o -z "$IP_CLIENT" ]; then | |||
cat <<EOS >$ | echo "+++ wrong import data in $fn: vpn: $VPN_ID dns: $DNS_SERVER ip: $IP_SERVER ipcl: $IP_CLIENT" | ||
elif [ -z "$PORT_SERVER" -o -z "$ALLOWED_IPS" ]; then | |||
echo "+++ wrong import data: port: $PORT_SERVER allowed: $ALLOWED_IPS" | |||
elif [ -z "$PRIV_KEY" -o -z "$PUB_KEY" -o -z "$PUBKEY_SERVER" ]; then | |||
echo "+++ wrong import data: pub: $PUB_KEY priv: $PRIV_KEY pub-sv: $PUBKEY_SERVER" | |||
else | |||
local fnPrivate=/etc/wireguard/db/$VPN_ID.private.key | |||
mkdir -p $(dirname $fnPrivate) | |||
echo $PUB_KEY > db/$VPN_ID.public.key | |||
echo $PRIV_KEY > $fnPrivate | |||
chmod og= $fnPrivate | |||
local config=/etc/wireguard/$VPN_ID.conf | |||
cat <<EOS >$config | |||
[Interface] | [Interface] | ||
Address = $IP_CLIENT | |||
Address = $ | |||
DNS = $DNS_SERVER | DNS = $DNS_SERVER | ||
# Load your privatekey from file | # Load your privatekey from file | ||
PostUp = wg set %i private-key $ | PostUp = wg set %i private-key $fnPrivate | ||
# Also ping the vpn server to ensure the tunnel is initialized | # Also ping the vpn server to ensure the tunnel is initialized | ||
PostUp = ping -c1 $ | PostUp = ping -c1 $IP_SERVER | ||
[Peer] | [Peer] | ||
PublicKey = $PUBKEY_SERVER | PublicKey = $PUBKEY_SERVER | ||
Endpoint = $IP_SERVER:$PORT_SERVER | Endpoint = $IP_SERVER:$PORT_SERVER | ||
AllowedIPs = $ALLOWED_IPS | AllowedIPs = $ALLOWED_IPS | ||
PersistentKeepalive = 15 | |||
EOS | EOS | ||
echo "= created: $config" | |||
fi | |||
} | |||
if [ -z "$CONFIG" ]; then | |||
Usage "Missing parameter CONFIG_FILE" | |||
elif [ ! -e $CONFIG ]; then | |||
Usage "Missing configuration file $CONFIG" | |||
else | |||
Create $CONFIG | |||
fi | |||
SCRIPT | |||
chmod +x $FN_SCRIPT | |||
echo "= created: $FN_SCRIPT" | |||
</syntaxhighlight> | |||
=== Importieren der Daten === | |||
<syntaxhighlight lang="bash"> | |||
mkdir -p /etc/wireguard | |||
cd /etc/wireguard | |||
CONFIG=/Downloads/wg0.joe.conf | |||
./Import $CONFIG | |||
</syntaxhighlight> | |||
=== VPN neu starten === | |||
<syntaxhighlight lang="bash"> | |||
# Falls VPN läuft: | |||
wg-quick down wg0 | |||
wg-quick up wg0 | |||
</syntaxhighlight> | </syntaxhighlight> |
Aktuelle Version vom 2. April 2023, 13:07 Uhr
Links[Bearbeiten]
Installation[Bearbeiten]
apt install wireguard resolvconf
Zentrale einrichten[Bearbeiten]
Ablauf der Konfiguration[Bearbeiten]
- Scripts erzeugen: Kapitel "Scripts erstellen"
- Server konfigurieren: Kapitel "Konfiguration Server"
- Beliebig viele Clients konfigurieren: "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)"
- Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen"
- Client löschen:
- db/<vpn-id>/clients/<client>.conf löschen
- Kapitel "Wireguard Konfiguration erzeugen"
- Client ändern (z.B. erlaubte Netze)
- db/<vpn-id>/clients/<client>.conf ändern
- Kapitel "Wireguard Konfiguration erzeugen"
- neuer Client:
- "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)"
- Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen"
Scripts erstellen[Bearbeiten]
Script für Initialisierung: Build[Bearbeiten]
FN_SCRIPT=/etc/wireguard/Build
cat <<'ESCRIPT' >$FN_SCRIPT
#! /bin/bash
VPN_ID=$1
function Server(){
source db/$VPN_ID/server.conf
cat <<EOS >$VPN_ID.conf
[Interface]
Address = $IP_SERVER
ListenPort = $PORT
PrivateKey = $PRIVATE_KEY
EOS
echo "= created: $VPN_ID.conf"
}
function Client(){
local config=$1
source $config
local fn=$VPN_ID.conf
cat <<EOS >>$fn
[Peer]
# client $CLIENT
PublicKey = $PUB_KEY
AllowedIPs = $ALLOWED_IPS
EOS
}
function Usage(){
echo "Usage: Build VPN_ID"
echo "Example: Build wg0"
echo "+++ $*"
}
if [ -z "$VPN_ID" ]; then
Usage "missing VPN_ID"
elif [ ! -d db/$VPN_ID ]; then
Usage "VPN_ID not defined: $VPN_ID"
echo "= available:"
for dir in db/*; do
test -d $dir/clients && echo $(basename $dir)
done
else
Server
for client in db/$VPN_ID/clients/*.conf; do
Client $client
done
fi
ESCRIPT
echo "created: $FN_SCRIPT"
chmod +x $FN_SCRIPT
Script zum Server konfigurieren[Bearbeiten]
FN_SCRIPT=/etc/wireguard/BuildServer
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
VPN_ID=$1
IP_SERVER=$2
IP_PUBLIC=$3
HOST=$4
PORT=$5
DNS_SERVER=$6
test -z "$HOST" && HOST=$(hostname)
test -z "$PORT" && PORT=51820
test -z "$DNS_SERVER" && DNS_SERVER=9.9.9.9
function Usage(){
echo "Usage BuildServer VPN_ID IP_VPN IP_PUBLIC [HOST [PORT [DNS_SERVER]]]"
echo "Example: BuildServer wg0 10.10.100.1/24 207.180.255.91 dragon 51820 9.9.9.9"
echo "+++ $*"
}
function Create(){
mkdir -p db/$VPN_ID/clients
local fnPrivateKey=db/$VPN_ID/private.key
if [ ! -e $fnPrivateKey ]; then
wg genkey > $fnPrivateKey
chmod go= $fnPrivateKey
echo "= created: $fnPrivateKey"
fi
local fnPublicKey=db/$VPN_ID/public.key
if [ ! -e $fnPublicKey ]; then
wg <$fnPrivateKey pubkey >$fnPublicKey
echo "= created: $fnPublicKey"
fi
local fnConfig=db/$VPN_ID/server.conf
cat <<EOS >$fnConfig
VPN_ID=$VPN_ID
IP_SERVER=$IP_SERVER
PORT=$PORT
DNS_SERVER=$DNS_SERVER
IP_PUBLIC=$IP_PUBLIC
PRIVATE_KEY=$(cat $fnPrivateKey)
PUBLIC_KEY=$(cat $fnPublicKey)
EOS
chmod og= $fnConfig
echo "= created: $fnConfig"
}
if [ -z "$IP_SERVER" ]; then
Usage "missing IP_SERVER"
elif [ ${1/\//} != $1 ]; then
Usage "wrong IP_SERVER: $IP_SERVER"
else
Create
fi
SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
Script zur Clientkonfiguration: ImportClient[Bearbeiten]
Zur Anwendung dieses Scripts ist der Public Key schon vorhanden.
FN_SCRIPT=/etc/wireguard/ImportClient
#! /bin/bash
cat <<'SCRIPT' >$FN_SCRIPT
VPN_ID=$1
CLIENT=$2
PUBLIC_KEY=$3
IP_CLIENT=$4
ALLOWED_IPS=$5
function Usage(){
echo "Usage: ImportClient VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IDS"
echo "Example: ImportClient wg0 joe 10.10.100.44/32 0fajdkafkdla02jiw902902= 10.10.100.0/24,10.10.101.0/24"
echo "+++ $*"
}
function Create(){
mkdir -p db/$VPN_ID/clients
local fnConfig=db/$VPN_ID/clients/$CLIENT.conf
cat <<EOS >$fnConfig
CLIENT=$CLIENT
PUB_KEY=$PUBLIC_KEY
ALLOWED_IPS=$ALLOWED_IPS
EOS
echo "= created: $fnConfig"
}
if [ -z "$ALLOWED_IPS" ]; then
Usage "missing arguments"
elif [ ! -d db/$VPN_ID ]; then
Usage "unknown VPN_ID: $VPN_ID"
else
Create
fi
SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
Script zur Clientkonfiguration: ExportClient[Bearbeiten]
Erzeugt Konfiguration für neuen Client (inklusive Erzeugung der Schlüssel).
FN_SCRIPT=/etc/wireguard/ExportClient
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
VPN_ID=$1
CLIENT=$2
IP_CLIENT=$3
ALLOWED_IPS=$4
function Usage(){
echo "Usage: ExportClient VPN_ID CLIENT_NAME IP_CLIENT ALLOWED_IDS"
echo "Example: ExportClient wg0 joe 10.10.100.44/32 10.10.100.0/24,10.10.101.0/24"
echo "+++ $*"
}
function CreateIntern(){
mkdir -p db/$VPN_ID/clients
local fnConfig=db/$VPN_ID/clients/$CLIENT.conf
cat <<EOS >$fnConfig
CLIENT=$CLIENT
PUB_KEY=$PUBLIC_KEY_CLIENT
ALLOWED_IPS=$ALLOWED_IPS
EOS
echo "= created: $fnConfig"
fnConfig=exported/$VPN_ID.$CLIENT.conf
mkdir -p $(dirname $fnConfig)
cat <<EOS >$fnConfig
EOS
}
function CreateExport(){
local fnConfig=export/$VPN_ID.$CLIENT.conf
mkdir -p $(dirname $fnConfig)
source db/$VPN_ID/server.conf
local privateKey=$(wg genkey)
PUBLIC_KEY_CLIENT=$(echo $privateKey | wg pubkey)
cat <<EOS >$fnConfig
VPN_ID=$VPN_ID
DNS_SERVER=$DNS_SERVER
IP_SERVER=$IP_PUBLIC
IP_CLIENT=$IP_CLIENT
PORT_SERVER=$PORT
ALLOWED_IPS=$ALLOWED_IPS
PRIV_KEY=$privateKey
PUB_KEY=$PUBLIC_KEY_CLIENT
PUBKEY_SERVER=$(cat /etc/wireguard/db/$VPN_ID/public.key)
EOS
echo "= created: $fnConfig"
}
fnConfig=exported/$VPN_ID.$CLIENT.conf
if [ -z "$ALLOWED_IPS" ]; then
Usage "missing arguments"
elif [ ! -d db/$VPN_ID ]; then
Usage "unknown VPN_ID: $VPN_ID"
else
CreateExport
CreateIntern
fi
SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
Wireguard-Konfiguration erzeugen[Bearbeiten]
cd /etc/wireguard
VPN_ID=wg0
./Build $VPN_ID
- VPN neu starten
# Falls VPN läuft:
wg-quick down wg0
wg-quick up wg0
Konfiguration Server[Bearbeiten]
cd /etc/wireguard
VPN_ID=wg0
IP_SERVER=10.10.100.1/16
IP_PUBLIC=139.44.33.91
DNS_SERVER=9.9.9.9
HOST=$(hostname)
PORT=51820
./BuildServer $VPN_ID $IP_SERVER $IP_PUBLIC $HOST $PORT $DNS_SERVER
Konfiguration existierender Client (Public Key bekannt)[Bearbeiten]
VPN_ID=wg0
CLIENT=joe
IP_CLIENT=10.10.100.10/32
PUB_KEY=0fajdkafkdla02jiw902902=
ALLOWED_IPS=10.100.10.0/24
./ImportClient $VPN_ID $CLIENT $IP_CLIENT $PUB_KEY $ALLOWED_IPS
Erzeugen Client (Keys werden erzeugt)[Bearbeiten]
cd /etc/wireguard
VPN_ID=wg0
CLIENT=joe
IP_CLIENT=10.10.100.112/32
ALLOWED_IPS=10.10.100.0/24
./ExportClient $VPN_ID $CLIENT $IP_CLIENT $ALLOWED_IPS
Linux Client einrichten[Bearbeiten]
apt install wireguard-tools resolvconf
Script erzeugen[Bearbeiten]
FN_SCRIPT=/etc/wireguard/Import
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
CONFIG=$1
function Usage(){
echo "Usage: Import IMPORT_FILE"
echo "Example: Import db/wg0.joe.conf"
echo "+++ $*"
}
function Create(){
local fn=$1
source $fn
if [ -z "$VPN_ID" -o -z "$DNS_SERVER" -o -z "$IP_SERVER" -o -z "$IP_CLIENT" ]; then
echo "+++ wrong import data in $fn: vpn: $VPN_ID dns: $DNS_SERVER ip: $IP_SERVER ipcl: $IP_CLIENT"
elif [ -z "$PORT_SERVER" -o -z "$ALLOWED_IPS" ]; then
echo "+++ wrong import data: port: $PORT_SERVER allowed: $ALLOWED_IPS"
elif [ -z "$PRIV_KEY" -o -z "$PUB_KEY" -o -z "$PUBKEY_SERVER" ]; then
echo "+++ wrong import data: pub: $PUB_KEY priv: $PRIV_KEY pub-sv: $PUBKEY_SERVER"
else
local fnPrivate=/etc/wireguard/db/$VPN_ID.private.key
mkdir -p $(dirname $fnPrivate)
echo $PUB_KEY > db/$VPN_ID.public.key
echo $PRIV_KEY > $fnPrivate
chmod og= $fnPrivate
local config=/etc/wireguard/$VPN_ID.conf
cat <<EOS >$config
[Interface]
Address = $IP_CLIENT
DNS = $DNS_SERVER
# Load your privatekey from file
PostUp = wg set %i private-key $fnPrivate
# Also ping the vpn server to ensure the tunnel is initialized
PostUp = ping -c1 $IP_SERVER
[Peer]
PublicKey = $PUBKEY_SERVER
Endpoint = $IP_SERVER:$PORT_SERVER
AllowedIPs = $ALLOWED_IPS
PersistentKeepalive = 15
EOS
echo "= created: $config"
fi
}
if [ -z "$CONFIG" ]; then
Usage "Missing parameter CONFIG_FILE"
elif [ ! -e $CONFIG ]; then
Usage "Missing configuration file $CONFIG"
else
Create $CONFIG
fi
SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
Importieren der Daten[Bearbeiten]
mkdir -p /etc/wireguard
cd /etc/wireguard
CONFIG=/Downloads/wg0.joe.conf
./Import $CONFIG
VPN neu starten[Bearbeiten]
# Falls VPN läuft:
wg-quick down wg0
wg-quick up wg0