wbk/wireguard-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Small style changes

Browse source
This commit is contained in:
Nyr 2020-05-21 19:18:29 +02:00
parent a6426a138e
commit 962862c332
1 changed files with 59 additions and 63 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

76
wireguard-install.sh
View file

@ -6,7 +6,7 @@
# Discard stdin. Needed when running from an one-liner which includes a newline # Discard stdin. Needed when running from an one-liner which includes a newline
read -N 999999999 -t 0.001 read -N 999999 -t 0.001
# Detect Debian users running the script with "sh" instead of bash # Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then if readlink /proc/$$/exe | grep -q "dash"; then
@ -14,11 +14,6 @@ if readlink /proc/$$/exe | grep -q "dash"; then
exit exit
fi fi
if [[ "$EUID" -ne 0 ]]; then
echo "This installer needs to be run with superuser privileges."
exit
fi
# Detect OpenVZ 6 # Detect OpenVZ 6
if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then
echo "The system is running an old kernel, which is incompatible with this installer." echo "The system is running an old kernel, which is incompatible with this installer."
@ -30,19 +25,15 @@ fi
if grep -qs "ubuntu" /etc/os-release; then if grep -qs "ubuntu" /etc/os-release; then
os="ubuntu" os="ubuntu"
os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.') os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.')
group_name="nogroup"
elif [[ -e /etc/debian_version ]]; then elif [[ -e /etc/debian_version ]]; then
os="debian" os="debian"
os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1) os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
group_name="nogroup"
elif [[ -e /etc/centos-release ]]; then elif [[ -e /etc/centos-release ]]; then
os="centos" os="centos"
os_version=$(grep -oE '[0-9]+' /etc/centos-release | head -1) os_version=$(grep -oE '[0-9]+' /etc/centos-release | head -1)
group_name="nobody"
elif [[ -e /etc/fedora-release ]]; then elif [[ -e /etc/fedora-release ]]; then
os="fedora" os="fedora"
os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1) os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)
group_name="nobody"
else else
echo "This installer seems to be running on an unsupported distribution. echo "This installer seems to be running on an unsupported distribution.
Supported distributions are Ubuntu, Debian, CentOS, and Fedora." Supported distributions are Ubuntu, Debian, CentOS, and Fedora."
@ -68,7 +59,7 @@ This version of CentOS is too old and unsupported."
fi fi
# Detect environments where $PATH does not include the sbin directories # Detect environments where $PATH does not include the sbin directories
if ! grep -q sbin <<< $PATH; then if ! grep -q sbin <<< "$PATH"; then
echo '$PATH does not include sbin. Try using "su -" instead of "su".' echo '$PATH does not include sbin. Try using "su -" instead of "su".'
exit exit
fi fi
@ -82,6 +73,11 @@ Upgrade the kernel using "dnf upgrade kernel" and restart.'
exit exit
fi fi
if [[ "$EUID" -ne 0 ]]; then
echo "This installer needs to be run with superuser privileges."
exit
fi
if [[ "$is_container" -eq 0 ]]; then if [[ "$is_container" -eq 0 ]]; then
if [ "$(uname -m)" != "x86_64" ]; then if [ "$(uname -m)" != "x86_64" ]; then
echo "In containerized systems, this installer supports only the x86_64 architecture. echo "In containerized systems, this installer supports only the x86_64 architecture.
@ -206,7 +202,7 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then
get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")")
read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
# If the checkip service is unavailable and user didn't provide input, ask again # If the checkip service is unavailable and user didn't provide input, ask again
until [[ -n "$get_public_ip" || -n $public_ip ]]; do until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do
echo "Invalid input." echo "Invalid input."
read -p "Public IPv4 address / hostname: " public_ip read -p "Public IPv4 address / hostname: " public_ip
done done
@ -238,6 +234,14 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then
read -p "Port [51820]: " port read -p "Port [51820]: " port
done done
[[ -z "$port" ]] && port="51820" [[ -z "$port" ]] && port="51820"
echo
echo "Enter a name for the first client:"
read -p "Name [client]: " unsanitized_client
# Allow a limited set of characters to avoid conflicts
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
[[ -z "$client" ]] && client="client"
echo
new_client_dns
# Set up automatic updates for BoringTun if the user is fine with that # Set up automatic updates for BoringTun if the user is fine with that
if [[ "$is_container" -eq 0 ]]; then if [[ "$is_container" -eq 0 ]]; then
echo echo
@ -256,15 +260,7 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then
fi fi
fi fi
echo echo
echo "Enter a name for the first client:" echo "WireGuard installation is ready to begin."
read -p "Name [client]: " unsanitized_client
# Allow a limited set of characters to avoid conflicts
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
[[ -z "$client" ]] && client="client"
echo
new_client_dns
echo
echo "WireGuard installation is ready to begin now."
# Install a firewall in the rare case where one is not already available # Install a firewall in the rare case where one is not already available
if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
if [[ "$os" == "centos" || "$os" == "fedora" ]]; then if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
@ -312,7 +308,7 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
if [[ "$os" == "ubuntu" && "$os_version" -ge 2004 ]]; then if [[ "$os" == "ubuntu" && "$os_version" -ge 2004 ]]; then
# Ubuntu 20.04 or higer # Ubuntu 20.04 or higer
apt-get update apt-get update
apt-get install -y wireguard qrencode $firewall apt-get install -y wireguard qrencode "$firewall"
elif [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then elif [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then
# Ubuntu 18.04 # Ubuntu 18.04
# Repo is added manually so we don't depend on add-apt-repository. # Repo is added manually so we don't depend on add-apt-repository.
@ -326,12 +322,12 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
apt-get update apt-get update
# Try to install kernel headers for the running kernel and avoid a reboot. This # Try to install kernel headers for the running kernel and avoid a reboot. This
# can fail, so it's important to run separately from the other apt-get command. # can fail, so it's important to run separately from the other apt-get command.
apt-get install -y linux-headers-$(uname -r) apt-get install -y linux-headers-"$(uname -r)"
# linux-headers-generic points to the latest headers. We install it because if # linux-headers-generic points to the latest headers. We install it because if
# the system has an outdated kernel, there is no guarantee that old headers were # the system has an outdated kernel, there is no guarantee that old headers were
# still downloadable and to provide suitable headers for future kernel updates. # still downloadable and to provide suitable headers for future kernel updates.
apt-get install -y linux-headers-generic apt-get install -y linux-headers-generic
apt-get install -y wireguard qrencode $firewall apt-get install -y wireguard qrencode "$firewall"
elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then
# Debian 10 # Debian 10
if ! grep -qs '^deb .* buster-backports main' /etc/apt/sources.list /etc/apt/sources.list.d/*.list; then if ! grep -qs '^deb .* buster-backports main' /etc/apt/sources.list /etc/apt/sources.list.d/*.list; then
@ -340,7 +336,7 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
apt-get update apt-get update
# Try to install kernel headers for the running kernel and avoid a reboot. This # Try to install kernel headers for the running kernel and avoid a reboot. This
# can fail, so it's important to run separately from the other apt-get command. # can fail, so it's important to run separately from the other apt-get command.
apt-get install -y linux-headers-$(uname -r) apt-get install -y linux-headers-"$(uname -r)"
# There are cleaner ways to find out the $architecture, but we require an # There are cleaner ways to find out the $architecture, but we require an
# specific format for the package name and this approach provides what we need. # specific format for the package name and this approach provides what we need.
architecture=$(dpkg --get-selections 'linux-image-*-*' | cut -f 1 | grep -oE '[^-]*$' -m 1) architecture=$(dpkg --get-selections 'linux-image-*-*' | cut -f 1 | grep -oE '[^-]*$' -m 1)
@ -349,21 +345,21 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
# headers were still downloadable and to provide suitable headers for future # headers were still downloadable and to provide suitable headers for future
# kernel updates. # kernel updates.
apt-get install -y linux-headers-"$architecture" apt-get install -y linux-headers-"$architecture"
apt-get install -y wireguard qrencode $firewall apt-get install -y wireguard qrencode "$firewall"
elif [[ "$os" == "centos" && "$os_version" -eq 8 ]]; then elif [[ "$os" == "centos" && "$os_version" -eq 8 ]]; then
# CentOS 8 # CentOS 8
dnf install -y epel-release elrepo-release dnf install -y epel-release elrepo-release
dnf install -y kmod-wireguard wireguard-tools qrencode $firewall dnf install -y kmod-wireguard wireguard-tools qrencode "$firewall"
mkdir -p /etc/wireguard/ mkdir -p /etc/wireguard/
elif [[ "$os" == "centos" && "$os_version" -eq 7 ]]; then elif [[ "$os" == "centos" && "$os_version" -eq 7 ]]; then
# CentOS 7 # CentOS 7
yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y yum-plugin-elrepo yum install -y yum-plugin-elrepo
yum install -y kmod-wireguard wireguard-tools qrencode $firewall yum install -y kmod-wireguard wireguard-tools qrencode "$firewall"
mkdir -p /etc/wireguard/ mkdir -p /etc/wireguard/
elif [[ "$os" == "fedora" ]]; then elif [[ "$os" == "fedora" ]]; then
# Fedora # Fedora
dnf install -y wireguard-tools qrencode $firewall dnf install -y wireguard-tools qrencode "$firewall"
mkdir -p /etc/wireguard/ mkdir -p /etc/wireguard/
fi fi
# Else, we are inside a container and BoringTun needs to be used # Else, we are inside a container and BoringTun needs to be used
@ -372,7 +368,7 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
if [[ "$os" == "ubuntu" && "$os_version" -ge 2004 ]]; then if [[ "$os" == "ubuntu" && "$os_version" -ge 2004 ]]; then
# Ubuntu 20.04 or higer # Ubuntu 20.04 or higer
apt-get update apt-get update
apt-get install -y wireguard-tools qrencode ca-certificates $cron $firewall apt-get install -y wireguard-tools qrencode ca-certificates "$cron" "$firewall"
elif [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then elif [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then
# Ubuntu 18.04 # Ubuntu 18.04
# Repo is added manually so we don't depend on add-apt-repository. # Repo is added manually so we don't depend on add-apt-repository.
@ -384,7 +380,7 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
apt-key add - <<< "$ppa_key" apt-key add - <<< "$ppa_key"
echo "deb http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" > /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list echo "deb http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" > /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list
apt-get update apt-get update
apt-get install -y qrencode ca-certificates $cron $firewall apt-get install -y qrencode ca-certificates "$cron" "$firewall"
apt-get install -y wireguard-tools --no-install-recommends apt-get install -y wireguard-tools --no-install-recommends
elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then
# Debian 10 # Debian 10
@ -392,21 +388,21 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ==
echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list
fi fi
apt-get update apt-get update
apt-get install -y qrencode ca-certificates $cron $firewall apt-get install -y qrencode ca-certificates "$cron" "$firewall"
apt-get install -y wireguard-tools --no-install-recommends apt-get install -y wireguard-tools --no-install-recommends
elif [[ "$os" == "centos" && "$os_version" -eq 8 ]]; then elif [[ "$os" == "centos" && "$os_version" -eq 8 ]]; then
# CentOS 8 # CentOS 8
dnf install -y epel-release dnf install -y epel-release
dnf install -y wireguard-tools qrencode ca-certificates tar $cron $firewall dnf install -y wireguard-tools qrencode ca-certificates tar "$cron" "$firewall"
mkdir -p /etc/wireguard/ mkdir -p /etc/wireguard/
elif [[ "$os" == "centos" && "$os_version" -eq 7 ]]; then elif [[ "$os" == "centos" && "$os_version" -eq 7 ]]; then
# CentOS 7 # CentOS 7
yum install -y epel-release yum install -y epel-release
yum install -y wireguard-tools qrencode ca-certificates tar $cron $firewall yum install -y wireguard-tools qrencode ca-certificates tar "$cron" "$firewall"
mkdir -p /etc/wireguard/ mkdir -p /etc/wireguard/
elif [[ "$os" == "fedora" ]]; then elif [[ "$os" == "fedora" ]]; then
# Fedora # Fedora
dnf install -y wireguard-tools qrencode ca-certificates tar $cron $firewall dnf install -y wireguard-tools qrencode ca-certificates tar "$cron" "$firewall"
mkdir -p /etc/wireguard/ mkdir -p /etc/wireguard/
fi fi
# Grab the BoringTun binary using wget or curl and extract into the right place. # Grab the BoringTun binary using wget or curl and extract into the right place.
@ -470,7 +466,7 @@ EOF
ip6tables_path=$(command -v ip6tables) ip6tables_path=$(command -v ip6tables)
# nf_tables is not available as standard in OVZ kernels. So use iptables-legacy # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy
# if we are in OVZ, with a nf_tables backend and iptables-legacy is available. # if we are in OVZ, with a nf_tables backend and iptables-legacy is available.
if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f $(command -v iptables) | grep -q "nft" && hash iptables-legacy 2>/dev/null; then if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f "$(command -v iptables)" | grep -q "nft" && hash iptables-legacy 2>/dev/null; then
iptables_path=$(command -v iptables-legacy) iptables_path=$(command -v iptables-legacy)
ip6tables_path=$(command -v ip6tables-legacy) ip6tables_path=$(command -v ip6tables-legacy)
fi fi
@ -564,8 +560,8 @@ else
echo "WireGuard is already installed." echo "WireGuard is already installed."
echo echo
echo "Select an option:" echo "Select an option:"
echo " 1) Add a new user" echo " 1) Add a new client"
echo " 2) Remove an existing user" echo " 2) Remove an existing client"
echo " 3) Remove WireGuard" echo " 3) Remove WireGuard"
echo " 4) Exit" echo " 4) Exit"
read -p "Option: " option read -p "Option: " option
@ -580,7 +576,7 @@ else
read -p "Name: " unsanitized_client read -p "Name: " unsanitized_client
# Allow a limited set of characters to avoid conflicts # Allow a limited set of characters to avoid conflicts
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
while [[ -z "$client" || -n $(grep "^# BEGIN_PEER $client$" /etc/wireguard/wg0.conf) ]]; do while [[ -z "$client" ]] || grep -q "^# BEGIN_PEER $client$" /etc/wireguard/wg0.conf; do
echo "$client: invalid name." echo "$client: invalid name."
read -p "Name: " unsanitized_client read -p "Name: " unsanitized_client
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
@ -624,7 +620,7 @@ else
if [[ "$remove" =~ ^[yY]$ ]]; then if [[ "$remove" =~ ^[yY]$ ]]; then
# The following is the right way to avoid disrupting other active connections: # The following is the right way to avoid disrupting other active connections:
# Remove from the live interface # Remove from the live interface
wg set wg0 peer $(sed -n "/^# BEGIN_PEER $client$/,\$p" /etc/wireguard/wg0.conf | grep -m 1 PublicKey | cut -d " " -f 3) remove wg set wg0 peer "$(sed -n "/^# BEGIN_PEER $client$/,\$p" /etc/wireguard/wg0.conf | grep -m 1 PublicKey | cut -d " " -f 3)" remove
# Remove from the configuration file # Remove from the configuration file
sed -i "/^# BEGIN_PEER $client/,/^# END_PEER $client/d" /etc/wireguard/wg0.conf sed -i "/^# BEGIN_PEER $client/,/^# END_PEER $client/d" /etc/wireguard/wg0.conf
echo echo