
How to install and set up WireGuard on OpenWrt (interactive server/client helper script)

Code

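#!/bin/sh
# WireGuard server / client helper for OpenWrt.
#
# Runs as root on the router under busybox ash, so the syntax stays POSIX-sh
# (the only non-POSIX bits are the `read -p/-n/-s` options the original relied on).
#
# Menu:
#   1. Setup Server  installs the packages, generates the server key pair, creates the
#                    wg0 interface (10.0.10.1/24) plus a 'wg' firewall zone, opens the
#                    listen port on wan and marks /etc/wireguard for sysupgrade.
#                    Re-running it RESETS the server: every key in /etc/wireguard is
#                    deleted and network/firewall are restored from the .bak copies taken
#                    on the first run, so all existing client configs stop working.
#   2. Setup Client  generates a client key pair + preshared key, adds the peer to wg0,
#                    writes /etc/wireguard/<name>.conf (mode 0600, holds the client's
#                    private key) and prints it as a QR code.
#   3. Restart       reboots the device (needed once after kmod-wireguard is installed).
#   4. Quit
#
# The only external data are the interactive answers; they are validated before they
# reach uci, the filesystem or the generated config.

WG_DIR="/etc/wireguard"
WG_SERVER="server"
WG_NET="10.0.10"             # tunnel /24: server is .1, clients count down from .250
WG_SERVER_ADDR="${WG_NET}.1/24"
WG_FIRST_CLIENT=250

# Print a diagnostic to stderr.
warn() {
  printf '%s\n' "$*" >&2
}

# Accept only a port number 1..65535 (digits only; value is passed to uci/firewall).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Client names become file names under $WG_DIR and uci values: allow letters, digits,
# '_', '-' and '.', but no leading '-' or '.' (no option-looking names, no dotfiles,
# no path components).
valid_name() {
  case "$1" in
    ''|-*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Wait for a single key press (busybox ash supports -p/-n/-s).
pause() {
  read -r -p "Press any key to continue... " -n1 -s _key
  echo
}

# First run: save /etc/config/$1 as $1.bak.  Later runs: restore from that copy, so the
# WireGuard sections are not duplicated (any other change made to the file since the
# first run is discarded as well).
restore_or_backup() {
  if [ -e "/etc/config/$1.bak" ]; then
    cp "/etc/config/$1.bak" "/etc/config/$1"
  else
    cp "/etc/config/$1" "/etc/config/$1.bak"
  fi
}

clear
echo WireGuard Server / Client script
echo
quit=n
while [ "$quit" = "n" ]
do
  echo
  echo "1. Setup Server (If you run this step the first time, the device has to restart and manually run the script again!)"
  echo "2. Setup Client"
  echo "3. Restart"
  echo "4. Quit"
  echo
  echo "Enter choice"
  read -r choice
  case "$choice" in
    1)
      echo
      echo Enter the port:
      read -r port
      echo
      if ! valid_port "$port"; then
        warn "Invalid port '$port' (expected 1-65535)."
        continue
      fi

      # Destructive step: an existing server key means clients have been issued.
      if [ -e "${WG_DIR}/${WG_SERVER}-private.key" ]; then
        warn "WARNING: ${WG_DIR} already holds keys. Continuing deletes ALL of them and invalidates every client config."
        printf 'Type yes to continue: '
        read -r answer
        if [ "$answer" != "yes" ]; then
          echo "Aborted."
          continue
        fi
      fi

      opkg update
      opkg install kmod-wireguard luci-app-wireguard qrencode ipset luci-proto-wireguard wireguard wireguard-tools
      # The package list is not checked for success on purpose (package names differ
      # between releases); what matters is that the tool is there.
      if ! command -v wg >/dev/null 2>&1; then
        warn "wg not found after installation; check the opkg output above."
        continue
      fi

      ### Key generation ###
      mkdir -p "$WG_DIR"
      chmod 700 "$WG_DIR"
      rm -f -- "${WG_DIR:?}"/*
      if ! cd "$WG_DIR"; then
        warn "Cannot enter $WG_DIR."
        continue
      fi
      umask 077    # key files and configs written below are created 0600
      wg genkey | tee "${WG_SERVER}-private.key" | wg pubkey > "${WG_SERVER}-public.key"
      if [ ! -s "${WG_SERVER}-private.key" ] || [ ! -s "${WG_SERVER}-public.key" ]; then
        warn "Server key generation failed."
        continue
      fi

      ### Creating the local WireGuard 'server' interface ###
      restore_or_backup network
      # uci batch reads from stdin so the private key never appears on a command line
      # (visible in `ps`).  .1 is a host address; the original .0 is the network address.
      uci batch <<EOF
set network.wg0='interface'
set network.wg0.proto='wireguard'
set network.wg0.private_key='$(cat "${WG_DIR}/${WG_SERVER}-private.key")'
set network.wg0.listen_port='${port}'
add_list network.wg0.addresses='${WG_SERVER_ADDR}'
commit network
EOF
      # The file now holds the server private key (and later the peer PSKs).
      chmod 600 /etc/config/network
      /etc/init.d/network reload

      ### Configuring your firewall ###
      restore_or_backup firewall
      # input=ACCEPT lets VPN clients reach services on the router itself (DNS, LuCI, SSH);
      # tighten to REJECT plus explicit rules if that is not wanted.
      uci add firewall zone
      uci set firewall.@zone[-1].name='wg'
      uci set firewall.@zone[-1].input='ACCEPT'
      uci set firewall.@zone[-1].forward='ACCEPT'
      uci set firewall.@zone[-1].output='ACCEPT'
      uci set firewall.@zone[-1].network='wg0'
      uci add firewall forwarding
      uci set firewall.@forwarding[-1].src='wg'
      uci set firewall.@forwarding[-1].dest='lan'
      uci add firewall forwarding
      uci set firewall.@forwarding[-1].src='lan'
      uci set firewall.@forwarding[-1].dest='wg'
      # Clients get AllowedIPs = 0.0.0.0/0 (full tunnel), so their Internet traffic has
      # to be forwarded to wan as well; the default wan zone masquerades it.
      uci add firewall forwarding
      uci set firewall.@forwarding[-1].src='wg'
      uci set firewall.@forwarding[-1].dest='wan'
      # Only the wan side needs the listen port opened; src='*' (any zone) was broader
      # than necessary.
      uci add firewall rule
      uci set firewall.@rule[-1].name="Allow-Wireguard-Inbound"
      uci set firewall.@rule[-1].src="wan"
      uci set firewall.@rule[-1].proto="udp"
      uci set firewall.@rule[-1].dest_port="${port}"
      uci set firewall.@rule[-1].target="ACCEPT"
      uci commit firewall
      sleep 1
      /etc/init.d/firewall restart

      ### Keeping your keys between OpenWrt upgrades ###
      # Preserve the whole directory once (covers client keys added later, no duplicates).
      grep -qxF "$WG_DIR" /etc/sysupgrade.conf 2>/dev/null || echo "$WG_DIR" >> /etc/sysupgrade.conf
      ;;
    2)
      clear
      # CLIENT
      if [ ! -s "${WG_DIR}/${WG_SERVER}-public.key" ]; then
        warn "No server key in ${WG_DIR}; run option 1 first."
        continue
      fi
      echo ATTENTION: on Ubuntu / Debian install openresolv for DNS!
      pause

      echo Enter the Client name:
      read -r client
      echo
      if ! valid_name "$client"; then
        warn "Invalid client name '$client' (use letters, digits, '_', '-', '.')."
        continue
      fi
      # Same name twice would overwrite the old key files and reuse the same address.
      if [ -e "${WG_DIR}/${client}-private.key" ]; then
        warn "Client '$client' already exists; choose another name."
        continue
      fi

      echo Enter the dyndns or ip of your network:
      read -r dyndns
      echo
      case "$dyndns" in
        ''|*[[:space:]]*)
          warn "Endpoint host must be a non-empty name or address without spaces."
          continue
          ;;
      esac

      # Default to the port the server interface actually listens on.
      default_port="$(uci -q get network.wg0.listen_port)"
      echo "Enter the port${default_port:+ [default: $default_port]}:"
      read -r port
      echo
      port="${port:-$default_port}"
      if ! valid_port "$port"; then
        warn "Invalid port '$port' (expected 1-65535)."
        continue
      fi

      echo Enter the DNS:
      read -r dns
      echo

      #### Address assignment ####
      # One private key file per peer (server included); the address is derived from
      # the count, so do not delete key files by hand or addresses will be reused.
      all_keys="$(find "$WG_DIR" -name '*private.key' | wc -l)"
      client_count=$((all_keys - 1))
      host=$((WG_FIRST_CLIENT - client_count))
      if [ "$host" -lt 2 ]; then
        warn "No free address left in ${WG_NET}.0/24."
        continue
      fi
      client_ip="${WG_NET}.${host}/32"

      #### Add new client ####
      if ! cd "$WG_DIR"; then
        warn "Cannot enter $WG_DIR."
        continue
      fi
      umask 077
      wg genkey | tee "${client}-private.key" | wg pubkey > "${client}-public.key"
      wg genpsk > "${client}-preshared.key"
      if [ ! -s "${client}-private.key" ] || [ ! -s "${client}-public.key" ] || [ ! -s "${client}-preshared.key" ]; then
        warn "Client key generation failed."
        rm -f -- "${client}-private.key" "${client}-public.key" "${client}-preshared.key"
        continue
      fi
      # Values are passed straight to uci (quoted), which removes the placeholder + sed
      # rewrite of /etc/config/network and the injection it allowed via the client name.
      uci batch <<EOF
add network wireguard_wg0
set network.@wireguard_wg0[-1].description='${client}'
set network.@wireguard_wg0[-1].public_key='$(cat "${client}-public.key")'
set network.@wireguard_wg0[-1].preshared_key='$(cat "${client}-preshared.key")'
add_list network.@wireguard_wg0[-1].allowed_ips='${client_ip}'
set network.@wireguard_wg0[-1].route_allowed_ips='1'
set network.@wireguard_wg0[-1].persistent_keepalive='25'
commit network
EOF
      chmod 600 /etc/config/network
      /etc/init.d/network reload

      ifdown wg0
      ifup wg0
      sleep 1
      # `wg show` hides private and preshared keys; `wg showconf` would dump them
      # into the terminal scrollback, so it is not used here.
      wg show

      # Client config; DNS line only when one was given.  Key name is the canonical
      # spelling from wg(8) — not every importer is case-insensitive.
      {
        echo "[Interface]"
        echo "Address = ${client_ip}"
        echo "PrivateKey = $(cat "${client}-private.key")"
        if [ -n "$dns" ]; then
          echo "DNS = ${dns}"
        fi
        echo
        echo "[Peer]"
        echo "PublicKey = $(cat "${WG_SERVER}-public.key")"
        echo "PresharedKey = $(cat "${client}-preshared.key")"
        echo "AllowedIPs = 0.0.0.0/0"
        echo "Endpoint = ${dyndns}:${port}"
        echo "PersistentKeepalive = 25"
      } > "${client}.conf"

      qrencode -t ansiutf8 < "${client}.conf"
      echo "Config written to ${WG_DIR}/${client}.conf (mode 0600, contains the client's private key; remove it once the client has imported it)."
      pause
      ;;
    3)
      clear
      # REBOOT
      echo The device will now reboot!
      sleep 1
      reboot
      ;;
    4)
      quit=y
      ;;
    *)
      echo "Try Again"
      sleep 1
      ;;
  esac
done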