
Wireguard

Wireguard HA GPLv3 license

KeepAlived

# Pull in keepalived (VRRP/VIP), psmisc and rsync, then make sure the config
# file exists before it is edited.
apt install --yes keepalived psmisc rsync
touch -- /etc/keepalived/keepalived.conf

#cat /etc/keepalived/keepalived.conf
# MASTER node. With weight 2, a node's effective priority is its priority plus 2
# while chk_wg succeeds, so the master holds the VIP as long as its wg0 exists.
# NOTE(review): nothing restricts who may speak VRRP for router id 51 on ens18;
# any host on that segment can advertise a higher priority and take the VIP.
# Keepalived's `authentication` block is deprecated, so restrict IP protocol 112
# to the two nodes with a firewall (or use unicast_peer) — confirm for this LAN.
vrrp_script chk_wg {
    script "/usr/bin/wg show wg0"   # exit status of `wg show wg0`: fails when the wg0 interface does not exist
    interval 2                    # check every 2 seconds
    weight 2                      # add 2 points of prio if OK
}

vrrp_instance VI_1 {
    interface ens18                # interface to monitor
    state MASTER
    virtual_router_id 51          # Assign one ID for this route
    priority 101                  # 101 on master, 100 on backup
    virtual_ipaddress {
        192.168.0.22              # the virtual IP
    }
    track_script {
        chk_wg
    }
}
# Apply the config and show the resulting state.
for action in restart status; do
  service keepalived "$action"
done

#cat /etc/keepalived/keepalived.conf
# BACKUP node. Same router id and VIP as the master, priority one lower (100):
# it only wins the election when the master's chk_wg fails (101) while its own
# passes (100 + 2). wg0 must therefore be up on this node permanently.
# NOTE(review): no peer restriction or authentication for VRRP here either;
# limit IP protocol 112 on ens18 to the two nodes (firewall or unicast_peer).
vrrp_script chk_wg {
    script "/usr/bin/wg show wg0"   # exit status of `wg show wg0`: fails when the wg0 interface does not exist
    interval 2                    # check every 2 seconds
    weight 2                      # add 2 points of prio if OK
}

vrrp_instance VI_1 {
    interface ens18                # interface to monitor
    state BACKUP
    virtual_router_id 51          # Assign one ID for this route
    priority 100                  # 101 on master, 100 on backup
    virtual_ipaddress {
        192.168.0.22              # the virtual IP
    }
    track_script {
        chk_wg
    }
}
# Apply the config and show the resulting state.
for action in restart status; do
  service keepalived "$action"
done

Wireguard

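#!/usr/bin/env bash
# Wireguard manage tool
# Installs WireGuard (-i), writes the server config (-s), mints client configs
# (-c) and wipes everything (-d). Must run as root; see the checks below.

# Client key material only ever lives in mktemp files: remove them on every
# exit path (normal, error, Ctrl-C). -f instead of -rf: these are plain files,
# so no recursive delete is ever needed here.
trap 'rm -f -- "${PRIVKEYCLIENT}" "${PUBKEYCLIENT}" "${TMPFILE}"' EXIT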

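kernelupdate()
{
# Tell the operator how to get a >= 5.x kernel on Debian 10 (buster). The
# kernel package itself has to come from buster-backports: the previous text
# only upgraded iptables, which does not change the running kernel at all.
cat << "EOF" >&2

[!] We need kernel 5.x for run wireguard :(

[+] Use follow commands to upgrade your kernel on debian10 :
$ echo "deb http://deb.debian.org/debian buster-backports main" | tee -a /etc/apt/sources.list
$ apt update
$ apt -y -t buster-backports install linux-image-amd64   # pick the image for your architecture
$ apt -y -t buster-backports install iptables
$ reboot

EOF
}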

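# The distro check below was disabled upstream (its Spanish message said
# "only works on Debian"); the apt/dkms/backports steps still assume Debian.
#grep -qw debian /etc/os-release 2>&1 || { echo -e >&2 "[\e[1;31m!\e[0m] \e[1;32m$0\e[0m Solo funciona en Debian :("; exit 1; 
# Root is required: this tool writes under /etc, runs apt/sysctl and wg-quick.
# Diagnostics go to stderr and the exit status is 1 (the previous -1 wraps to 255).
if [ "$EUID" -ne 0 ]; then printf '%s\n' "[!] Please, run $0 as root" >&2; exit 1; fi
# Major kernel version must be at least 5; kernelupdate prints the upgrade path.
if [ "$(uname -r | cut -d'.' -f1)" -lt 5 ]; then kernelupdate; exit 1; fi
# dig resolves the public IP for Endpoint=; qrencode renders the client config.
command -v dig >/dev/null 2>&1 || { printf '[\e[1;31m!\e[0m] You need \e[1;32mdnsutils\e[0m package, please install it.\n' >&2; exit 1; }
command -v qrencode >/dev/null 2>&1 || { printf '[\e[1;31m!\e[0m] You need \e[1;32mqrencode\e[0m package, please install it.\n' >&2; exit 1; }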

usage()
{
# Print the banner and the four accepted options to stdout. The heredoc
# delimiter is quoted so the banner's backslashes and backtick stay literal.
cat << 'EOF'

__        ___          ____            _
\ \      / (_)_ __ ___| __ )  __ _ ___| |__
\ \ /\ / /| | '__/ _ \  _ \ / _` / __| '_ \
  \ V  V / | | | |  __/ |_) | (_| \__ \ | | |
  \_/\_/  |_|_|  \___|____/ \__,_|___/_| |_|


[+] USAGE:
EOF
printf '%s\n' \
  "$0 -i                   # Install Wireguard" \
  "$0 -s                   # Create server config file" \
  "$0 -c                   # Create client config file" \
  "$0 -d                   # Delete ALL config files (client_* & /etc/wireguard/*)"
}

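# Exactly one argument (the option) is accepted; the old "-ne 1 || -gt 1" was
# the same test written twice. Exit 1 rather than -1 (which wraps to 255).
if [ "$#" -ne 1 ]; then
  usage
  exit 1
fi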

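PRIVKEYSERVER="/etc/wireguard/privatekey"
PUBKEYSERVER="/etc/wireguard/publickey"
# Client key material goes to mktemp files (created 0600) removed by the EXIT trap.
PRIVKEYCLIENT=$(mktemp)
PUBKEYCLIENT=$(mktemp)
# Public address written as Endpoint= into every client config. This is a
# plaintext, unauthenticated DNS query to a third party (it also tells that
# resolver which host is being set up), so accept an override from the
# environment and warn instead of silently producing an empty Endpoint=.
SERVERIP=${SERVERIP:-$(dig +short myip.opendns.com @resolver1.opendns.com)}
if [ -z "$SERVERIP" ]; then
  printf '%s\n' "[!] Warning: could not determine the public IP via dig; export SERVERIP=<ip-or-host> before creating clients" >&2
fi
WGPORT=51821
# Interface that masquerades tunnel traffic; baked into wg0.conf PostUp/PostDown
# by server(). Prefer the default-route interface (the first non-loopback link
# may be a bridge or container interface); fall back to the old heuristic.
INTERFACE=$(ip -o route show default 2>/dev/null | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
[ -n "$INTERFACE" ] || INTERFACE=$(ip -o link | awk '$2 != "lo:" {print $2}' | cut -d':' -f1 | head -n1)
SRVCONFIGFILE="/etc/wireguard/wg0.conf"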



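install(){
  # Enable IPv4 forwarding (persistently and right now), install WireGuard
  # (kernel module via dkms, userspace tools) plus resolvconf, which wg-quick
  # needs for the DNS= lines written by server()/client(), and enable wg0 at boot.
  sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
  # The sed only helps when the stock commented-out line exists; otherwise
  # persist the setting through a sysctl.d drop-in.
  if ! grep -qs '^net.ipv4.ip_forward=1' /etc/sysctl.conf; then
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-wireguard.conf
  fi
  sysctl -p
  sysctl -w net.ipv4.ip_forward=1
  # Do not report success when the packages did not install.
  if ! { apt update && apt install -y wireguard-dkms wireguard-tools resolvconf; }; then
    printf '%s\n' "[!] Package installation failed" >&2
    exit 1
  fi
  systemctl enable wg-quick@wg0
  printf '%s\n' "[+] Install Accomplished"
}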

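server(){
  # Create the server identity and /etc/wireguard/wg0.conf. Refuses to run
  # twice: every client config pins the server public key, so overwriting the
  # key would silently break all existing peers.
  if [ -f "$PRIVKEYSERVER" ]; then
    printf '%s\n' "Ouch! $PRIVKEYSERVER already exist :(" >&2
    exit 1
  fi
  # Subshell so the restrictive umask does not leak into the caller. The
  # private key and wg0.conf (which embeds it) must be 0600 from creation; the
  # previous code created them under the caller's umask, typically 0644.
  (
    umask 077
    mkdir -p -- "$(dirname -- "$PRIVKEYSERVER")"
    wg genkey | tee "$PRIVKEYSERVER" | wg pubkey > "$PUBKEYSERVER"
    if [ ! -s "$PRIVKEYSERVER" ] || [ ! -s "$PUBKEYSERVER" ]; then
      printf '%s\n' "[!] wg genkey/pubkey failed, no key written" >&2
      exit 1
    fi
    # %i is expanded by wg-quick to the interface name (wg0). $INTERFACE is
    # resolved once, here, and stays hard-coded in the file.
    # NOTE: DNS= on the server side makes wg-quick rewrite this host's own
    # resolver configuration (via resolvconf) while wg0 is up; drop the line if
    # that is not wanted.
    cat << EOF > "$SRVCONFIGFILE"
[Interface]
PrivateKey = $(cat "$PRIVKEYSERVER")
ListenPort = $WGPORT
Address = 10.9.0.$(shuf -i 1-5 -n 1)/24
DNS = 8.8.8.8, 8.8.4.4

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $INTERFACE -j MASQUERADE
EOF
  ) || exit 1
  printf '%s\n' "[+] Server Config File : $SRVCONFIGFILE"
}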

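client(){
  # Mint one client: pick a free 10.9.0.x, generate the client key pair,
  # register the peer in wg0.conf, write client_<rand>.conf (0600) into the
  # cwd, reload wg0 and print the config as a QR code.
  if [ ! -f "$SRVCONFIGFILE" ]; then
    printf '%s\n' "[!] Ouch! $SRVCONFIGFILE not exist, create it" >&2
    exit 1
  fi
  # Endpoint= is interpolated verbatim into the client file, and SERVERIP comes
  # from an unauthenticated DNS answer: refuse anything that is not one token.
  if [ -z "$SERVERIP" ] || [[ "$SERVERIP" =~ [[:space:]] ]]; then
    printf '%s\n' "[!] SERVERIP is empty or malformed ('$SERVERIP'), refusing to write a client config" >&2
    exit 1
  fi

  # Last octets already allocated to peers, one per line (from "10.9.0.N/32").
  # Reads the same file the peer is appended to below (was a hard-coded path).
  TMPFILE=$(mktemp)
  grep -w AllowedIPs "$SRVCONFIGFILE" | awk '{print $3}' | awk -F'[./]' '{print $4}' > "$TMPFILE"

  # Free host address in .11-.254 (.1-.5 is the server's range, see server()).
  # Bounded retry instead of the previous unbounded mutual recursion, so a
  # full subnet fails loudly rather than spinning forever.
  local IP="" attempt
  for ((attempt = 0; attempt < 2000; attempt++)); do
    IP=$(shuf -i 11-254 -n 1)
    if ! grep -qx -- "$IP" "$TMPFILE"; then
      break
    fi
    IP=""
  done
  if [ -z "$IP" ]; then
    printf '%s\n' "[!] No free address left in 10.9.0.0/24" >&2
    exit 1
  fi

  # 4-char random suffix for the file name (was stored in a local named RANDOM,
  # shadowing bash's builtin variable).
  local suffix clientfile
  suffix=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 4 | head -n 1)
  clientfile="$(pwd)/client_$suffix.conf"
  # Client keys only ever touch the mktemp files removed by the EXIT trap.
  wg genkey | tee "$PRIVKEYCLIENT" | wg pubkey > "$PUBKEYCLIENT"
  if [ ! -s "$PUBKEYCLIENT" ]; then
    printf '%s\n' "[!] wg genkey/pubkey failed, no peer added" >&2
    exit 1
  fi

  cat << EOF >> "$SRVCONFIGFILE"

[Peer]
PublicKey = $(cat "$PUBKEYCLIENT")
AllowedIPs = 10.9.0.$IP/32
EOF

  # The client file embeds the client's private key: create it 0600 (umask in
  # a subshell so the caller's umask is untouched) instead of inheriting the
  # caller's umask, which previously left it world-readable in the cwd.
  (
    umask 077
    cat << EOF > "$clientfile"

[Interface]
PrivateKey = $(cat "$PRIVKEYCLIENT")
Address = 10.9.0.$IP/24
DNS = 10.1.1.233, 8.8.4.4

[Peer]
PublicKey = $(cat "$PUBKEYSERVER")
AllowedIPs = 10.9.0.0/24, 10.1.1.0/24
#AllowedIPs = 0.0.0.0/0
Endpoint = $SERVERIP:$WGPORT
PersistentKeepalive = 25
EOF
  ) || exit 1

  # Keep exactly one "Table = off" right after ListenPort: wg-quick then does
  # not install routes for the peers' AllowedIPs on the server.
  sed -i '/Table = off/d' "$SRVCONFIGFILE"
  sed -i '/^ListenPort[[:blank:]]/a\Table = off' "$SRVCONFIGFILE"
  # Full down/up: every active tunnel drops for a moment. `wg syncconf wg0
  # <(wg-quick strip wg0)` would add the peer without the outage but does not
  # apply wg-quick-only keys such as Table; kept as upstream had it.
  wg-quick down wg0
  wg-quick up wg0

  qrencode -t ansiutf8 < "$clientfile"
  printf '%s\n' "[+] Client File : $clientfile"
}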

delete(){
  # Wipe everything this tool created: client_*.conf files in the cwd and the
  # whole contents of /etc/wireguard (server key pair and wg0.conf included).
  # No confirmation prompt; a running wg0 interface is left as it is.
  local victim
  for victim in client_* /etc/wireguard/*; do
    rm -rf -- "$victim"
  done
}

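# Dispatch on the single option. Each action exits by itself. Unknown options
# and a non-option argument now fall through to usage with status 1 instead
# of silently doing nothing and returning 0.
while getopts ":iscd" Option; do
  case "$Option" in
    i)
        install
        exit 0
        ;;
    s)
        server
        exit 0
        ;;
    c)
        client
        exit 0
        ;;
    d)
        delete
        exit 0
        ;;
    \?)
        printf '%s\n' "[!] Unknown option: -$OPTARG" >&2
        usage
        exit 1
        ;;
  esac
done
shift $((OPTIND - 1))
# Only reached when the argument was not an option at all (e.g. "foo").
usage
exit 1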

SyncScript

1. Generate a new SSH key pair for root on the master node and add its public key to /root/.ssh/authorized_keys on the backup node. The private key is what the script below passes with `ssh -i`; the ".cert" file name used there is just a name, it is not a certificate.
2. Create the script as /usr/local/bin/wgsync.sh (the path the crontab entry below uses) and make it executable and root-only (chmod 700).
3. Add the script to /etc/crontab
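#!/bin/bash
# KeyPairGenerator: creates an RSA SSH key pair for one user, protects it with
# a random passphrase, converts it for PuTTY and bundles everything into
# <user>.tgz in the current directory.

command -v puttygen >/dev/null 2>&1 || { printf '[\e[1;31m!\e[0m] You need \e[1;32mputty-tools package\e[0m app, please install it.\n' >&2; exit 1; }

# Exactly one argument (the old "-ne 1 || -gt 1" was the same test twice).
if [ "$#" -ne 1 ]; then
  printf '%s\n' "[+] Use: $0 username"
  printf '%s\n' "[+] Example : $0 agarcia"
  exit 1
fi
# The username becomes a file name (ssh-keygen -f, tar, rm): reject anything
# empty, containing a slash or whitespace, hidden, or that looks like an option.
case $1 in
  ''|*/*|-*|.*|*[[:space:]]*)
    printf '%s\n' "[!] Invalid username: '$1'" >&2
    exit 1
    ;;
esac
trap 'rm -f -- "$TMPFILE"' EXIT

# Random 11-character passphrase from letters, digits and punctuation.
# NOTE: generate() later passes it on the ssh-keygen command line (visible in
# `ps` for that moment) and howto() writes it in clear text into the README
# that ships inside the tarball next to the key.
PASSWORD=$(tr -dc 'a-zA-Z0-9~!@#$%^&*_()+}{?></";.,[]=-' < /dev/urandom | fold -w 11 | head -n 1)
USER=$1          # deliberately shadows the login-name variable; only this script reads it
TMPFILE=$(mktemp)   # 0600; carries the passphrase to puttygen instead of argv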

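howto(){
  # Write the README that ships inside the tarball, from $USER and $PASSWORD.
  # `>` instead of `>>`: a README left behind by an earlier, interrupted run
  # would otherwise carry a previous user's passphrase into this archive.
  cat << EOF > README
- $USER file is your private key
- $USER.pub file is your public key
- $USER.ppk file is your private key for use with putty's software
- Your password is: $PASSWORD

¡¡¡ PLEASE STORE YOUR PASSWORD AND DELETE THIS FILE FOR SECURITY PURPOSES !!!
EOF
}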

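generate(){
  # Passphrase goes to puttygen through the 0600 temp file rather than argv.
  # printf + quotes: the previous unquoted `echo $PASSWORD` was subject to
  # pathname expansion, so a passphrase containing * ? or [..] could be
  # rewritten to a matching file name and the .ppk would then be protected by
  # a different string than the OpenSSH key.
  printf '%s\n' "$PASSWORD" > "$TMPFILE"
  # RSA-2048 kept as upstream chose it; consider -t ed25519 (puttygen converts
  # it as well) — confirm with the PuTTY versions in use.
  ssh-keygen -t rsa -b 2048 -C "$USER" -f "$USER" -q -N "" || { printf '%s\n' "[!] ssh-keygen failed" >&2; exit 1; }
  puttygen "$USER" -O private -o "$USER.ppk" -P --new-passphrase "$TMPFILE"
  # ssh-keygen has no file/stdin option for a new passphrase, so it is on argv
  # here (briefly visible to other local users via ps).
  ssh-keygen -p -f "$USER" -N "$PASSWORD" 1>/dev/null
  howto
  # Explicit member list: `$USER*` would also sweep in unrelated files whose
  # names merely start with the username (and an older $USER.tgz).
  tar czf "$USER.tgz" "$USER" "$USER.pub" "$USER.ppk" README
  rm -f -- "$USER" "$USER.pub" "$USER.ppk" README
  printf '%s\n' "·····················································"
  printf '[\e[1;32m+\e[0m] Username : \e[1;34m%s\e[0m\n' "$USER"
  printf '[\e[1;32m+\e[0m] Password : \e[1;32m%s\e[0m\n' "$PASSWORD"
  printf '%s\n' "·····················································"
}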

generate   # entry point: all checks and variables above must have run first
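#!/usr/bin/env bash
# wgsync.sh: copy this node's WireGuard configuration (server key pair and
# wg0.conf with every peer) to the backup node and reload WireGuard there, so
# the backup can take over the VIP with the same identity. Run from root's
# crontab; stops at the first failing step instead of restarting the backup
# with a half-copied config.
set -euo pipefail

readonly PEER="wireguard01.lan"
readonly KEY="/root/.ssh/wireguard01.cert"   # ssh private key; the name notwithstanding, not a certificate

# Upstream restarts the local wg0 first — presumably to apply a wg0.conf edited
# since the last reload (TODO confirm); it drops all local tunnels briefly.
/usr/bin/systemctl restart wg-quick@wg0.service
# -a keeps the 0600 mode of privatekey/wg0.conf on the backup (a bare rsync
# recreated them under the remote umask). StrictHostKeyChecking=yes makes an
# unknown or changed host key abort the copy rather than hand the server's
# private key to an impostor: pin the backup's key in /root/.ssh/known_hosts.
rsync -a -e "ssh -i $KEY -o StrictHostKeyChecking=yes" /etc/wireguard/ "root@$PEER:/etc/wireguard/"
ssh -i "$KEY" -o StrictHostKeyChecking=yes "root@$PEER" '/usr/bin/systemctl restart wg-quick@wg0.service'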
#/etc/crontab
# Runs monthly (00:00 on the 1st). Peers added by the client tool between runs
# are not on the backup until the next run, and each run restarts wg0 on both
# nodes; run wgsync.sh after every new client (or schedule it more often) if
# that gap matters. The path must match where the script was installed.
0 0 1 * *   root    /bin/bash /usr/local/bin/wgsync.sh