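#!/bin/bash
#
# Bootstrap a single-peer WireGuard server on a Debian/Ubuntu host.
#
# Installs WireGuard plus a few basic tools, generates the server keypair,
# enables IP forwarding, writes /etc/wireguard/wg0.conf, creates one mobile
# peer ("mobile_1") and prints that peer's config as a QR code.
#
# Must run as root.  Tunables (override through the environment):
#   SERVER_PORT  UDP port WireGuard listens on (default 51820)
#   PUBLIC_IP    server's public IPv4 (default: looked up via ifconfig.me)
#
# Re-running is safe: existing keys and peer entries are reused, not
# regenerated, so the public key embedded in wg0.conf / mobile.conf keeps
# matching the private key actually in use.

set -euo pipefail

readonly WG_DIR="/etc/wireguard"
readonly WG_CONF="$WG_DIR/wg0.conf"
readonly SELF_DIR="$WG_DIR/self"
readonly MOBILE_DIR="$WG_DIR/mobile_1"
readonly MOBILE_CONF="$MOBILE_DIR/mobile.conf"
SERVER_PORT="${SERVER_PORT:-51820}"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Remove unattended-upgrades, update/upgrade the system and install the
# basic tools plus WireGuard.
#######################################
install_packages() {
  # Non-interactive so tzdata (and friends) cannot block on a prompt.
  export DEBIAN_FRONTEND=noninteractive
  # NOTE: this turns off automatic security patching for the host; make sure
  # another update mechanism is in place.
  apt remove --purge -y unattended-upgrades
  # Two statements rather than `a && b` so that set -e aborts when `update`
  # fails instead of silently skipping the upgrade.
  apt update
  apt upgrade -y
  apt install -y git curl wget tmux nano net-tools unzip zip gnupg tzdata qrencode wireguard
}

#######################################
# Create DIR/private and DIR/public unless they already exist.
# Arguments: $1 - directory that holds the keypair
# Existing keys are kept so a rerun does not orphan a key that is already
# referenced from wg0.conf or a peer config.  Files inherit the caller's
# umask, which main() sets to 077 before calling this.
#######################################
ensure_keypair() {
  local dir=$1
  mkdir -p -- "$dir"
  if [[ ! -s "$dir/private" ]]; then
    wg genkey > "$dir/private"
  fi
  if [[ ! -s "$dir/public" ]]; then
    wg pubkey < "$dir/private" > "$dir/public"
  fi
}

#######################################
# Append a key=value line to /etc/sysctl.conf unless it is already there.
# Arguments: $1 - sysctl setting in key=value form
#######################################
ensure_sysctl() {
  local setting=$1
  grep -qxF -- "$setting" /etc/sysctl.conf 2>/dev/null \
    || printf '%s\n' "$setting" >> /etc/sysctl.conf
}

#######################################
# Name of the interface used to reach the internet (e.g. eth0, ens3).
# Outputs: interface name on stdout
# Returns: non-zero (via die) if no interface could be determined
#######################################
detect_interface() {
  local iface
  iface=$(ip route get 8.8.8.8 | awk '{print $5; exit}')
  [[ -n "$iface" ]] || die "could not detect the default network interface"
  printf '%s\n' "$iface"
}

#######################################
# Look up the server's public IPv4 address.
# Outputs: dotted-quad address on stdout
# Returns: non-zero (via die) if the lookup fails or returns something that
#          is not an IPv4 address (the value ends up in a client config).
#######################################
detect_public_ip() {
  local ip
  # -f: an HTTP error page must not be mistaken for an address.
  ip=$(curl -4 -fsS https://ifconfig.me) || die "public IP lookup failed (set PUBLIC_IP to override)"
  [[ "$ip" =~ ^[0-9]+(\.[0-9]+){3}$ ]] \
    || die "unexpected public IP lookup result: '$ip' (set PUBLIC_IP to override)"
  printf '%s\n' "$ip"
}

#######################################
# Write the server-side wg0.conf, unless one already exists.
# Globals: WG_CONF, SELF_DIR, SERVER_PORT (read)
#######################################
write_server_conf() {
  local server_private_key server_interface
  if [[ -f "$WG_CONF" ]]; then
    return 0
  fi
  server_private_key=$(<"$SELF_DIR/private")
  server_interface=$(detect_interface)
  cat > "$WG_CONF" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = $SERVER_PORT
PrivateKey = $server_private_key
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $server_interface -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $server_interface -j MASQUERADE
EOF
}

#######################################
# Write the mobile peer's client config and register the peer in wg0.conf.
# Globals: MOBILE_DIR, MOBILE_CONF, SELF_DIR, WG_CONF, SERVER_PORT (read)
# Arguments: $1 - server public IP used for the Endpoint line
# The [Peer] block is appended only once; reruns do not accumulate copies.
#######################################
write_mobile_peer() {
  local public_ip=$1
  local mobile_private_key mobile_public_key server_public_key
  mobile_private_key=$(<"$MOBILE_DIR/private")
  mobile_public_key=$(<"$MOBILE_DIR/public")
  server_public_key=$(<"$SELF_DIR/public")

  # Client config; rewritten every run so an updated PUBLIC_IP is picked up.
  cat > "$MOBILE_CONF" <<EOF
[Interface]
PrivateKey = $mobile_private_key
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = $server_public_key
Endpoint = $public_ip:$SERVER_PORT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF

  if ! grep -qF -- "PublicKey = $mobile_public_key" "$WG_CONF"; then
    cat >> "$WG_CONF" <<EOF

[Peer]
PublicKey = $mobile_public_key
AllowedIPs = 10.0.0.2/32
EOF
  fi
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must be run as root"

  install_packages

  # Everything written below contains private keys: create it owner-only.
  umask 077
  mkdir -p -- "$WG_DIR"

  ensure_keypair "$SELF_DIR"

  ensure_sysctl "net.ipv4.ip_forward=1"
  ensure_sysctl "net.ipv6.conf.all.forwarding=1"
  sysctl -p

  write_server_conf

  systemctl enable wg-quick@wg0
  systemctl start wg-quick@wg0

  if [[ -z "${PUBLIC_IP:-}" ]]; then
    PUBLIC_IP=$(detect_public_ip)
  fi

  ensure_keypair "$MOBILE_DIR"
  write_mobile_peer "$PUBLIC_IP"

  # Restart so the newly registered peer is loaded.
  systemctl restart wg-quick@wg0

  qrencode -t ansiutf8 < "$MOBILE_CONF"

  echo
  echo "✅ WireGuard server setup complete!"
  echo "📱 Scan the above QR code from your mobile WireGuard app!"
  echo
  echo "If needed, your mobile config is saved here: $MOBILE_CONF"
}

main "$@"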