angristan / wireguard-install


WireGuard VPN installer for Linux servers

Home Page: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/

License: MIT License

Shell 100.00%
wireguard vpn linux nat privacy

wireguard-install's Introduction

WireGuard installer


This project is a bash script that aims to set up a WireGuard VPN on a Linux server, as easily as possible!

WireGuard is a point-to-point VPN that can be used in different ways. Here, we mean a VPN as in: the client will forward all its traffic through an encrypted tunnel to the server. The server will apply NAT to the client's traffic so it will appear as if the client is browsing the web with the server's IP.

The script supports both IPv4 and IPv6. Please check the issues for ongoing development, bugs and planned features! You might also want to check the discussions for help.

WireGuard does not fit your environment? Check out openvpn-install.

Requirements

Supported distributions:

  • AlmaLinux >= 8
  • Arch Linux
  • CentOS Stream >= 8
  • Debian >= 10
  • Fedora >= 32
  • Oracle Linux
  • Rocky Linux >= 8
  • Ubuntu >= 18.04

Usage

Download and execute the script. Answer the questions asked by the script and it will take care of the rest.

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

It will install WireGuard (kernel module and tools) on the server, configure it, create a systemd service and a client configuration file.

Run the script again to add or remove clients!

Providers

I recommend these cheap cloud providers for your VPN server:

  • Vultr: Worldwide locations, IPv6 support, starting at $5/month
  • Hetzner: Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month
  • Digital Ocean: Worldwide locations, IPv6 support, starting at $4/month

Contributing

Discuss changes

Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one.

Code formatting

We use shellcheck and shfmt to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration here.

Say thanks

You can say thanks if you want!

Credits & Licence

This project is under the MIT Licence

wireguard-install's People

Contributors

afxres, alfs, andreipampukha, angristan, d351d3r, dependabot[bot], dotxyzcf, elieobeid7, enolp, fmelosilva, followmedown, gwolf3, hasan-aga, iandk, inphraz, jellemdekker, juliangaal, leopere, lucawen, m0nhawk, navilg, p-mng, randshell, ravinou, robiiinos, serpentiel, shagon94, shihaamabr, shyamjos, xlv

wireguard-install's Issues

Fedora: firewalld default settings block WireGuard

I have used the script on a clean Fedora installation in Vultr, but no clients (macOS, mobile, Windows, multiple ISPs) are able to connect, with the following client log:

2020-03-04 10:24:17.135947: [NET] peer(ZJdh…yJW4) - Sending handshake initiation
2020-03-04 10:24:22.445891: [NET] peer(ZJdh…yJW4) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-03-04 10:24:22.446094: [NET] peer(ZJdh…yJW4) - Sending handshake initiation
Server config
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 1194
PrivateKey = EPfU...MA0E=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[Peer]
PublicKey = asYF...fpWc=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
PresharedKey = wCTA...ajQI=
Client config
[Interface]
PrivateKey = oAUc...jUlA=
Address = 10.66.66.2/24,fd42:42:42::2/64
DNS = 176.103.130.130,176.103.130.131
[Peer]
PublicKey = ZJdh…yJW4=
Endpoint = <vultr>:1194
AllowedIPs = 0.0.0.0/0,::/0
PresharedKey = wCTA...ajQI=
sysctl -p
[root@vultr ~]# sysctl -p
...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Server does receive requests, but somehow it's being dropped (as seen from tcpdumps).

tcpdump -n -i ens3 "port 1194"
[root@vultr ~]# tcpdump -n -i ens3 "port 1194"
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
17:27:04.203131 IP 128.135.98.221.62114 > 80.240.22.24.openvpn: UDP, length 148
17:27:09.478064 IP 128.135.98.221.62114 > 80.240.22.24.openvpn: UDP, length 148
17:27:14.643509 IP 128.135.98.221.62114 > 80.240.22.24.openvpn: UDP, length 148
tcpdump -n -i wg0
[root@vultr ~]# tcpdump -n -i wg0
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes

I tried to do it manually based on the article and this manual, but without success.

Include QR code generation after successful setup

Taking inspiration from here, it would be much more user-friendly to have a QR code popup at the end of the setup process, allowing mobile users to simply scan the code and have the mobile setup done instantly.

More and more mobile users are interested in WG, this would really help.

Thanks

Can this support LXD containers across multiple servers/clouds?

Stanislas

I am part of a team project where we use LXD Ubuntu 18.04 containers with Ubuntu 18.04 Host/Servers and recently started looking for a Mesh VPN solution to interconnect servers Hosting LXD containers on multiple Clouds.

Normally LXD on a Host uses dnsmasq and provides all created containers on that Host with a private 10.x.x.x IP address.

I'd like to be able to interconnect multiple Host LXD containers (multiple clouds) to the same L2 or L3 network so they can inter-communicate.

Could your script do this somehow for LXD containers? I see in your install.sh file a mention of LXC, and I am assuming for LXD you would be referring to creating the LXD container with:

$ lxc launch ubuntu:18.04 cn_name -c linux.kernel_modules=wireguard
then

$ lxc exec cn_name bash
then

# apt install --no-install-recommends wireguard-tools

Thanks for any information or advice.
Brian

wg-quick: `wg0-client-qjL8odh7' does not exist

Server on AWS EC2 (security group for SSH plus all TCP and all UDP ports listening for my public IP). When the script asked, I put in the IPv4 public IP that Amazon gave me; everything else was left at the default.
I am using Arch Linux to connect to the server. wireguard-tools is installed.
wg0-client-qj...conf was copied to /etc/wireguard.
I had openvpn and networkmanager-openvpn installed, which I removed after installing WireGuard.
The following config file did not help either:
/etc/NetworkManager/conf.d/unmanaged.conf
[keyfile]
unmanaged-devices=interface-name:wg*

sudo wg-quick up produces the above result

OSX Client failing internet connectivity.

OSX Client Version: 1.0.3 https://i.imgur.com/GcPE4qn.jpg
Install date as of today on a Digital Ocean VPS for the sake of trialing this installer.
Ubuntu 18.04.x (latest)
Wireguard Client Logs

2019-06-05 09:32:01.362556: [APP] App version: 0.0.20190423 (8); Go backend version: 0.0.20190409
2019-06-05 09:54:55.590383: [APP] startActivation: Entering (tunnel: wg0-client)
2019-06-05 09:54:55.591303: [APP] startActivation: Starting tunnel
2019-06-05 09:54:55.591749: [APP] startActivation: Success
2019-06-05 09:54:55.601951: [APP] Tunnel 'wg0-client' connection status changed to 'connecting'
2019-06-05 09:54:56.285975: [NET] App version: 0.0.20190423 (8); Go backend version: 0.0.20190409
2019-06-05 09:54:56.286331: [NET] Starting tunnel from the app
2019-06-05 09:54:56.374920: [NET] Tunnel interface is utun3
2019-06-05 09:54:56.375816: [NET] Attaching to interface
2019-06-05 09:54:56.376882: [NET] Routine: decryption worker - started
2019-06-05 09:54:56.376962: [NET] Routine: encryption worker - started
2019-06-05 09:54:56.377167: [NET] Routine: encryption worker - started
2019-06-05 09:54:56.377223: [NET] Routine: handshake worker - started
2019-06-05 09:54:56.377384: [NET] Routine: handshake worker - started
2019-06-05 09:54:56.377429: [NET] Routine: decryption worker - started
2019-06-05 09:54:56.377470: [NET] Routine: handshake worker - started
2019-06-05 09:54:56.377512: [NET] Routine: encryption worker - started
2019-06-05 09:54:56.377555: [NET] Routine: decryption worker - started
2019-06-05 09:54:56.377595: [NET] Routine: encryption worker - started
2019-06-05 09:54:56.377636: [NET] Routine: handshake worker - started
2019-06-05 09:54:56.377677: [NET] Routine: TUN reader - started
2019-06-05 09:54:56.377757: [NET] Routine: event worker - started
2019-06-05 09:54:56.377828: [NET] Routine: decryption worker - started
2019-06-05 09:54:56.378158: [NET] UAPI: Updating private key
2019-06-05 09:54:56.378386: [NET] UAPI: Removing all peers
2019-06-05 09:54:56.378435: [NET] UAPI: Transition to peer configuration
2019-06-05 09:54:56.380053: [NET] peer(lu1I…S+l0) - UAPI: Created
2019-06-05 09:54:56.380127: [NET] peer(lu1I…S+l0) - UAPI: Updating endpoint
2019-06-05 09:54:56.380585: [NET] peer(lu1I…S+l0) - UAPI: Updating persistent keepalive interval
2019-06-05 09:54:56.380677: [NET] peer(lu1I…S+l0) - UAPI: Removing all allowedips
2019-06-05 09:54:56.380802: [NET] peer(lu1I…S+l0) - UAPI: Adding allowedip
2019-06-05 09:54:56.380851: [NET] peer(lu1I…S+l0) - UAPI: Adding allowedip
2019-06-05 09:54:56.381531: [NET] Routine: receive incoming IPv4 - started
2019-06-05 09:54:56.381602: [NET] Routine: receive incoming IPv6 - started
2019-06-05 09:54:56.381779: [NET] UDP bind has been updated
2019-06-05 09:54:56.381831: [NET] peer(lu1I…S+l0) - Starting...
2019-06-05 09:54:56.382068: [NET] peer(lu1I…S+l0) - Routine: sequential receiver - started
2019-06-05 09:54:56.382111: [NET] peer(lu1I…S+l0) - Routine: nonce worker - started
2019-06-05 09:54:56.382285: [NET] peer(lu1I…S+l0) - Routine: sequential sender - started
2019-06-05 09:54:56.382372: [NET] Device started
2019-06-05 09:54:56.391967: [APP] Tunnel 'wg0-client' connection status changed to 'connected'
2019-06-05 09:54:56.680364: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:54:56.682426: [NET] peer(lu1I…S+l0) - Awaiting keypair
2019-06-05 09:55:00.592687: [APP] Status update notification timeout for tunnel 'wg0-client'. Tunnel status is now 'connected'.
2019-06-05 09:55:01.703553: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:06.739444: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:12.023507: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:55:12.023727: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:17.202525: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:55:17.202676: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:22.408772: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:27.702031: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:32.709286: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:37.820464: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:42.966108: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:55:42.966302: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:48.109453: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:55:48.109610: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:53.404832: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:55:53.405108: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:55:58.673482: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:55:58.673737: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:03.712979: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:08.827537: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:56:08.827818: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:13.901260: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:56:13.901443: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:18.997159: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:56:18.997467: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:24.013706: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 3)
2019-06-05 09:56:24.013868: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:29.067451: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:34.150905: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:56:34.151134: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:39.456818: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:56:39.456943: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:44.685982: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:56:44.686204: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:56:47.871354: [APP] startDeactivation: Tunnel: wg0-client
2019-06-05 09:56:47.879508: [APP] Tunnel 'wg0-client' connection status changed to 'disconnecting'
2019-06-05 09:56:48.303094: [NET] Stopping tunnel
2019-06-05 09:56:48.303271: [NET] Device closing
2019-06-05 09:56:48.303435: [NET] Routine: TUN reader - stopped
2019-06-05 09:56:48.303731: [NET] Routine: event worker - stopped
2019-06-05 09:56:48.303872: [NET] Routine: receive incoming IPv4 - stopped
2019-06-05 09:56:48.303948: [NET] Routine: receive incoming IPv6 - stopped
2019-06-05 09:56:48.304016: [NET] Routine: handshake worker - stopped
2019-06-05 09:56:48.304084: [NET] Routine: handshake worker - stopped
2019-06-05 09:56:48.304285: [NET] peer(lu1I…S+l0) - Stopping...
2019-06-05 09:56:48.304412: [NET] peer(lu1I…S+l0) - Routine: nonce worker - stopped
2019-06-05 09:56:48.304492: [NET] peer(lu1I…S+l0) - Routine: sequential receiver - stopped
2019-06-05 09:56:48.304532: [NET] Routine: decryption worker - stopped
2019-06-05 09:56:48.304566: [NET] Routine: encryption worker - stopped
2019-06-05 09:56:48.304613: [NET] Routine: decryption worker - stopped
2019-06-05 09:56:48.304648: [NET] Routine: encryption worker - stopped
2019-06-05 09:56:48.304693: [NET] Routine: decryption worker - stopped
2019-06-05 09:56:48.304772: [NET] Routine: encryption worker - stopped
2019-06-05 09:56:48.304816: [NET] Routine: handshake worker - stopped
2019-06-05 09:56:48.304985: [NET] Routine: handshake worker - stopped
2019-06-05 09:56:48.305018: [NET] Routine: encryption worker - stopped
2019-06-05 09:56:48.305117: [NET] peer(lu1I…S+l0) - Routine: sequential sender - stopped
2019-06-05 09:56:48.305206: [NET] Routine: decryption worker - stopped
2019-06-05 09:56:48.305500: [NET] Interface closed
2019-06-05 09:56:48.318421: [APP] Tunnel 'wg0-client' connection status changed to 'disconnected'
2019-06-05 09:57:26.394554: [APP] startActivation: Entering (tunnel: wg0-client)
2019-06-05 09:57:26.395252: [APP] startActivation: Starting tunnel
2019-06-05 09:57:26.395424: [APP] startActivation: Success
2019-06-05 09:57:26.405384: [APP] Tunnel 'wg0-client' connection status changed to 'connecting'
2019-06-05 09:57:26.559612: [NET] App version: 0.0.20190423 (8); Go backend version: 0.0.20190409
2019-06-05 09:57:26.559856: [NET] Starting tunnel from the app
2019-06-05 09:57:26.644019: [NET] Tunnel interface is utun3
2019-06-05 09:57:26.644733: [NET] Attaching to interface
2019-06-05 09:57:26.645470: [NET] Routine: decryption worker - started
2019-06-05 09:57:26.645556: [NET] Routine: handshake worker - started
2019-06-05 09:57:26.645729: [NET] Routine: event worker - started
2019-06-05 09:57:26.645775: [NET] Routine: handshake worker - started
2019-06-05 09:57:26.645947: [NET] Routine: encryption worker - started
2019-06-05 09:57:26.645987: [NET] Routine: decryption worker - started
2019-06-05 09:57:26.646161: [NET] Routine: encryption worker - started
2019-06-05 09:57:26.646316: [NET] Routine: handshake worker - started
2019-06-05 09:57:26.646370: [NET] Routine: encryption worker - started
2019-06-05 09:57:26.646421: [NET] Routine: encryption worker - started
2019-06-05 09:57:26.646455: [NET] Routine: handshake worker - started
2019-06-05 09:57:26.646633: [NET] Routine: decryption worker - started
2019-06-05 09:57:26.646712: [NET] Routine: TUN reader - started
2019-06-05 09:57:26.646899: [NET] Routine: decryption worker - started
2019-06-05 09:57:26.646986: [NET] UAPI: Updating private key
2019-06-05 09:57:26.647315: [NET] UAPI: Removing all peers
2019-06-05 09:57:26.647359: [NET] UAPI: Transition to peer configuration
2019-06-05 09:57:26.647685: [NET] peer(lu1I…S+l0) - UAPI: Created
2019-06-05 09:57:26.647729: [NET] peer(lu1I…S+l0) - UAPI: Updating endpoint
2019-06-05 09:57:26.647946: [NET] peer(lu1I…S+l0) - UAPI: Updating persistent keepalive interval
2019-06-05 09:57:26.648097: [NET] peer(lu1I…S+l0) - UAPI: Removing all allowedips
2019-06-05 09:57:26.648241: [NET] peer(lu1I…S+l0) - UAPI: Adding allowedip
2019-06-05 09:57:26.648372: [NET] peer(lu1I…S+l0) - UAPI: Adding allowedip
2019-06-05 09:57:26.648665: [NET] Routine: receive incoming IPv6 - started
2019-06-05 09:57:26.648736: [NET] Routine: receive incoming IPv4 - started
2019-06-05 09:57:26.648974: [NET] UDP bind has been updated
2019-06-05 09:57:26.649020: [NET] peer(lu1I…S+l0) - Starting...
2019-06-05 09:57:26.649289: [NET] peer(lu1I…S+l0) - Routine: nonce worker - started
2019-06-05 09:57:26.649340: [NET] peer(lu1I…S+l0) - Routine: sequential receiver - started
2019-06-05 09:57:26.649535: [NET] peer(lu1I…S+l0) - Routine: sequential sender - started
2019-06-05 09:57:26.649708: [NET] Device started
2019-06-05 09:57:26.650775: [APP] Tunnel 'wg0-client' connection status changed to 'connected'
2019-06-05 09:57:27.062277: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:57:27.063382: [NET] peer(lu1I…S+l0) - Awaiting keypair
2019-06-05 09:57:31.396512: [APP] Status update notification timeout for tunnel 'wg0-client'. Tunnel status is now 'connected'.
2019-06-05 09:57:32.095268: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:57:37.259232: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:57:37.259484: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:57:42.545890: [NET] peer(lu1I…S+l0) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-06-05 09:57:42.546200: [NET] peer(lu1I…S+l0) - Sending handshake initiation
2019-06-05 09:57:47.636457: [NET] peer(lu1I…S+l0) - Sending handshake initiation

CLIENT_IPV4

This variable holds no meaning; right now it's useless and causes the installation not to complete, since at the end of the script run we're left with:

~ $ cat wg0-client.conf
   1 [Interface]
   3 Address = /24,/64

Something like this, an empty address field.
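The server/client pair posted in the Fedora issue above and the empty `Address = /24,/64` described in this issue are both things a small validator can catch before `wg-quick up` is ever run. The following is an added example written for this page, not code from wireguard-install: it parses wg-quick's INI-style format and cross-checks a server/client pair for an empty Address, an Endpoint port that differs from the server's ListenPort, a client address that no server [Peer] will accept, and a PresharedKey that is not identical on both sides. The sample configs are constructed from the redacted ones posted above; the truncated keys and the `<vultr>` endpoint are placeholders, not real values.

```python
"""Consistency checks for a wg-quick server/client config pair.

Added example for this page; it is not part of wireguard-install.
"""
import ipaddress

# Constructed sample configs, modelled on the redacted ones posted in the
# Fedora/firewalld issue above (keys are the page's truncated placeholders).
SERVER_CONF = """\
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 1194
PrivateKey = EPfU...MA0E=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
[Peer]
PublicKey = asYF...fpWc=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
PresharedKey = wCTA...ajQI=
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = oAUc...jUlA=
Address = 10.66.66.2/24,fd42:42:42::2/64
DNS = 176.103.130.130,176.103.130.131
[Peer]
PublicKey = ZJdh...yJW4=
Endpoint = <vultr>:1194
AllowedIPs = 0.0.0.0/0,::/0
PresharedKey = wCTA...ajQI=
"""

# The client file the CLIENT_IPV4 issue describes: prefix lengths, no host address.
BROKEN_CLIENT_CONF = """\
[Interface]
PrivateKey = oAUc...jUlA=
Address = /24,/64
[Peer]
PublicKey = ZJdh...yJW4=
Endpoint = <vultr>:1194
AllowedIPs = 0.0.0.0/0,::/0
PresharedKey = wCTA...ajQI=
"""


def parse_wg_conf(text):
    """Parse a wg-quick config into (interface_dict, [peer_dict, ...]).

    Keys may repeat (several AllowedIPs lines are legal), so every value is a list.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def _csv(values):
    """Flatten repeated keys and comma-separated values into one list of items."""
    return [item.strip() for value in values for item in value.split(",") if item.strip()]


def _addresses(section):
    """Split a section's Address entries into (valid ip_interface objects, invalid raw strings)."""
    good, bad = [], []
    for addr in _csv(section.get("Address", [])):
        try:
            good.append(ipaddress.ip_interface(addr))
        except ValueError:
            bad.append(addr)
    return good, bad


def _peer_for(client_addrs, server_peers):
    """Find the server [Peer] whose AllowedIPs cover every client tunnel address."""
    for peer in server_peers:
        nets = [ipaddress.ip_network(n) for n in _csv(peer.get("AllowedIPs", []))]
        if client_addrs and all(any(a.ip in n for n in nets) for a in client_addrs):
            return peer
    return None


def validate_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    s_if, s_peers = parse_wg_conf(server_text)
    c_if, c_peers = parse_wg_conf(client_text)

    # 1. Every Address must carry a host address, not just a prefix length.
    for name, section in (("server", s_if), ("client", c_if)):
        for bad in _addresses(section)[1]:
            problems.append(f"{name}: invalid Address entry {bad!r}")

    # 2. The client's Endpoint port must match the server's ListenPort.
    listen_port = s_if.get("ListenPort", [None])[0]
    for peer in c_peers:
        for endpoint in peer.get("Endpoint", []):
            port = endpoint.rsplit(":", 1)[-1]
            if port != listen_port:
                problems.append(f"client: Endpoint port {port} != server ListenPort {listen_port}")

    # 3. Some server [Peer] must accept the client's tunnel addresses, and the
    #    PresharedKey (if any) must be identical on both sides of that pairing.
    client_addrs, _ = _addresses(c_if)
    server_peer = _peer_for(client_addrs, s_peers)
    if server_peer is None:
        problems.append("no server [Peer] whose AllowedIPs cover the client's Address")
    else:
        server_psk = server_peer.get("PresharedKey", [None])[0]
        client_psk = c_peers[0].get("PresharedKey", [None])[0] if c_peers else None
        if server_psk != client_psk:
            problems.append("PresharedKey differs between the server [Peer] and the client")
    return problems


if __name__ == "__main__":
    for label, client in (("good pair", CLIENT_CONF), ("empty Address", BROKEN_CLIENT_CONF)):
        print(label, validate_pair(SERVER_CONF, client) or "OK")
```

The validator only sees the files, not the host. A pair that passes every check yet still shows `Sending handshake initiation` on the client with nothing arriving on `wg0` (the Fedora report above) points at the host firewall dropping the UDP listen port rather than at the configuration.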

Not working on aws ec2 instance

I tried the same example on an AWS EC2 Ubuntu instance. I am able to connect to the VPN, but after connecting, I am not able to access the internet.

Accept environment variables as answers.

Would it be unreasonable to imagine a world where your Q&A system could be automated with the addition of bash environment variables? I think this would be incredibly useful if you already know the answers you want to give.

Otherwise, you could even have an option like $WIREGUARD-INSTALL-RECOMMENDS=True and it would just pick whatever you recommend by default and skip all other questions.

service start error?

* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/wg.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.conf ...
Job for wg-quick@wg0.service failed. See 'systemctl status wg-quick@wg0.service' and 'journalctl -xn' for details.
Created symlink from /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service to /lib/systemd/system/wg-quick@.service.
root@localhost:~# journalctl -xn
-- Logs begin at Fri 2019-08-30 21:51:39 EDT, end at Sat 2019-08-31 12:26:44 EDT. --
Aug 31 12:22:26 localhost wg-quick[13075]: Unable to access interface: Protocol not supported
Aug 31 12:22:26 localhost wg-quick[13075]: [#] ip link delete dev wg0
Aug 31 12:22:26 localhost wg-quick[13075]: Cannot find device "wg0"
Aug 31 12:24:01 localhost CRON[13711]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 31 12:24:01 localhost CRON[13712]: (root) CMD (/etc/cron.hourly/gcc.sh)
Aug 31 12:24:01 localhost CRON[13711]: pam_unix(cron:session): session closed for user root
Aug 31 12:26:07 localhost dhclient[390]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
Aug 31 12:26:12 localhost dhclient[390]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11
Aug 31 12:26:23 localhost dhclient[390]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21
Aug 31 12:26:44 localhost dhclient[390]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 14
root@localhost:~# 

root@localhost:~# systemctl status wg-quick@wg0.service
wg-quick@wg0.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

root@localhost:~# cat /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

[Install]
WantedBy=multi-user.target
root@localhost:~# 

root@localhost:~# wg-quick up      wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"


Debian 10 x64: Errors when installing | KVM VPS and baremetal

./wireguard-install.sh
IPv4 or IPv6 public address: CENSORED
Public interface: ens3
WireGuard interface name: wg0
Server's WireGuard IPv4: 10.66.66.1
Server's WireGuard IPv6: fd42:42:42::1
Server's WireGuard port: 63584
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian buster-updates InRelease
Hit:3 http://security.debian.org/debian-security buster/updates InRelease
Hit:4 http://deb.debian.org/debian unstable InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-headers-4.19.0-8-amd64 is already the newest version (4.19.98-1).
The following packages were automatically installed and are no longer required:
  dkms linux-headers-amd64 wireguard-tools
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
iptables is already the newest version (1.8.2-4).
qrencode is already the newest version (4.0.2-1).
resolvconf is already the newest version (1.79).
The following additional packages will be installed:
  wireguard-dkms
The following NEW packages will be installed:
  wireguard wireguard-dkms
0 upgraded, 2 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B/259 kB of archives.
After this operation, 1776 kB of additional disk space will be used.
Selecting previously unselected package wireguard-dkms.
(Reading database ... 55611 files and directories currently installed.)
Preparing to unpack .../wireguard-dkms_1.0.20200413-2_all.deb ...
Unpacking wireguard-dkms (1.0.20200413-2) ...
Selecting previously unselected package wireguard.
Preparing to unpack .../wireguard_1.0.20200319-1_all.deb ...
Unpacking wireguard (1.0.20200319-1) ...
Setting up wireguard-dkms (1.0.20200413-2) ...
Loading new wireguard-1.0.20200413 DKMS files...
Building for 4.19.0-8-amd64
Building initial module for 4.19.0-8-amd64
! Bad return status for module build on kernel: 4.19.0-8-amd64 (x86_64)
Consult /var/lib/dkms/wireguard/1.0.20200413/build/make.log for more information.
dpkg: error processing package wireguard-dkms (--configure):
 installed wireguard-dkms package post-installation script subprocess returned error exit status 10
dpkg: dependency problems prevent configuration of wireguard:
 wireguard depends on wireguard-dkms (>= 0.0.20200121-2) | wireguard-modules (>= 0.0.20191219); however:
  Package wireguard-dkms is not configured yet.
  Package wireguard-modules is not installed.

dpkg: error processing package wireguard (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 wireguard-dkms
 wireguard
E: Sub-process /usr/bin/dpkg returned an error code (1)
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/protect-links.conf ...
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/wg.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.conf ...
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
IPv4 Detected
Client's WireGuard IPv4 10.66.66.2
Client's WireGuard IPv6 fd42:42:42::2
First DNS resolver to use for the client: 176.103.130.130
Second DNS resolver to use for the client: 176.103.130.131
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.

# journalctl -xe
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit wg-quick@wg0.service has finished with a failure.
--
-- The job identifier is 321 and the job result is failed.
Apr 21 23:27:10 host systemd[1]: Reloading.
Apr 21 23:27:10 host systemd[1]: wg-quick@wg0.service: Current command vanished from the unit file
Apr 21 23:27:32 host systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
-- Subject: A start job for unit wg-quick@wg0.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit wg-quick@wg0.service has begun execution.
--
-- The job identifier is 409.
Apr 21 23:27:32 host wg-quick[2155]: [#] ip link add wg0 type wireguard
Apr 21 23:27:32 host wg-quick[2155]: RTNETLINK answers: Operation not supported
Apr 21 23:27:32 host wg-quick[2155]: Unable to access interface: Protocol not supported
Apr 21 23:27:32 host wg-quick[2155]: [#] ip link delete dev wg0
Apr 21 23:27:32 host wg-quick[2155]: Cannot find device "wg0"
Apr 21 23:27:32 host systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit wg-quick@wg0.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
Apr 21 23:27:32 host systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit wg-quick@wg0.service has entered the 'failed' state with result 'exit-code'.
Apr 21 23:27:32 host systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
-- Subject: A start job for unit wg-quick@wg0.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit wg-quick@wg0.service has finished with a failure.
--
-- The job identifier is 409 and the job result is failed.

Consider changing the default port to something else

I had a small issue when installing your script: I had previously set up OpenVPN with your install script on the same server. As a consequence, I used the same ports for the two services, and it took me some time to realize this.

What do you think about changing the default port for the script?

Add the possibility to choose IPv4/IPv6/dual-stack

I'm talking about the WireGuard network. You can already connect using IPv4 or IPv6.

Currently each peer has an IPv4 and IPv6 address. 3 options should be available during install:

  • IPv4 only
  • IPv6 only
  • Dual stack

Thinking about #3... Should this be an option asked only during the first run? Otherwise it's going to be a mess when adding more clients.

Getting error after inserting client name

After entering a name, I'm getting this error, with no further output and no file generated:

Client name: karl
./wireguard-install.sh: line 183: -4: substring expression < 0

Deep Packet Inspection

Good day!
Hello Angristan and Contributors,
Is WireGuard capable of bypassing deep packet inspection by scrambling metadata to prevent DPI, VPN blocking and throttling?

I'm a newbie at WireGuard.

Thanks for the script. Appreciated.

debian 10...wireguard: module verification failed: signature and/or required key missing - tainting kernel

Mar 13 15:13:52 crush kernel: [ 16.260799] wireguard: loading out-of-tree module taints kernel.
Mar 13 15:13:52 crush kernel: [ 16.260950] wireguard: module verification failed: signature and/or required key missing - tainting kernel
Mar 13 15:13:52 crush kernel: [ 16.264175] wireguard: WireGuard 0.0.20200215 loaded. See www.wireguard.com for information.
Mar 13 15:13:52 crush kernel: [ 16.264180] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld [email protected]. All Rights Reserved.
root@crush /var/log # uname -a
Linux crush 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

Netflix Support

Hi,

It would be great to add Netflix support to the installer.
I'm not sure how to make that.
If you have an idea, you can add this to my PR.

Best Regards

OVZ7

Are there any chances of support for OVZ7?

resolvconf screws up raspberry pi

I had downloaded a previous version of this script, but the latest one installs resolvconf, which breaks DNS on Raspbian. You will need to edit /etc/network/interfaces manually and put the DNS nameservers in by hand or you won't be able to resolve hostnames.

IMO the script needs to detect Raspbian separately from Debian/Ubuntu, even if it means repeating some code. Right now it doesn't work anyway unless you manually force OS=debian.

Error on Line#111

Getting these errors when running the script after IPv4 detection. Please help me out. I have already shared where I am facing trouble.

Want to use a pre-shared symmetric key? [Y/n]: y
IPv4 Detected
./wireguard-install.sh: line 111: wg: command not found
./wireguard-install.sh: line 112: wg: command not found
./wireguard-install.sh: line 115: wg: command not found
./wireguard-install.sh: line 116: wg: command not found
./wireguard-install.sh: line 146: wg: command not found

  • Applying /etc/sysctl.d/98-rpi.conf ...
    kernel.printk = 3 4 1 3
    vm.min_free_kbytes = 16384
  • Applying /etc/sysctl.d/99-sysctl.conf ...
  • Applying /etc/sysctl.d/protect-links.conf ...
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
  • Applying /etc/sysctl.d/wg.conf ...
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
  • Applying /etc/sysctl.conf ...
    Failed to start wg-quick@wg0.service: Unit wg-quick@wg0.service not found.
    Failed to enable unit: Unit file wg-quick@wg0.service does not exist.

Thank you

IPv6 endpoint missing "[]"

If I try to connect to my VM via IPv6 it won't connect, please help me...

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.8.0.3/24,fd42:42:42::3/64
DNS = 176.103.130.130,176.103.130.131,2a00:5a60::ad1:0ff,2a00:5a60::ad2:0ff
MTU = 1420
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 2604:a880:400:d1::7d0:6001:51820
PersistentKeepalive = 0

It says "unable to parse endpoint" as the error.

IPV6 > IPV6
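The config above cannot be parsed because `wg` splits an endpoint on its last colon and an IPv6 literal has several; WireGuard expects the form `[address]:port`. The following is an added example, not wireguard-install's own code, showing the formatting rule an installer should apply when it writes the `Endpoint` line, plus a repair function for an already-generated client config (the file handling is an assumption about how such a config is stored).

```shell
#!/bin/sh
# Added example (not wireguard-install's own code): WireGuard requires an
# IPv6 endpoint to be written as [address]:port.  A bare
# "2604:a880:400:d1::7d0:6001:51820" cannot be split into host and port,
# hence "unable to parse endpoint".

# format_endpoint HOST PORT
# Prints HOST:PORT, bracketing HOST when it is an IPv6 literal (contains a
# colon) and leaving IPv4 addresses and hostnames untouched.
format_endpoint() {
    host="$1"
    port="$2"
    case "$host" in
        \[*\]) printf '%s:%s\n' "$host" "$port" ;;   # already bracketed
        *:*)   printf '[%s]:%s\n' "$host" "$port" ;;
        *)     printf '%s:%s\n' "$host" "$port" ;;
    esac
}

# fix_endpoint_line LINE
# Repairs one "Endpoint = ..." line from a client config: everything before
# the last colon is the host, what follows is the port, and format_endpoint
# decides whether brackets are needed.  Any other line passes through.
fix_endpoint_line() {
    line="$1"
    case "$line" in
        Endpoint*=*) ;;
        *) printf '%s\n' "$line"; return 0 ;;
    esac
    value="${line#*=}"
    value="${value# }"
    case "$value" in
        \[*) printf '%s\n' "$line"; return 0 ;;       # already correct
    esac
    host="${value%:*}"
    port="${value##*:}"
    printf 'Endpoint = %s\n' "$(format_endpoint "$host" "$port")"
}

# fix_client_config FILE
# Rewrites FILE in place, touching only its Endpoint line(s).
fix_client_config() {
    tmp="$1.tmp.$$"
    while IFS= read -r l || [ -n "$l" ]; do
        fix_endpoint_line "$l"
    done < "$1" > "$tmp" && mv "$tmp" "$1"
}
```

The same rule applies wherever the script prints or stores the server's public address: pick the bracketed form based on the address family it detected, rather than concatenating `ADDRESS:PORT` unconditionally.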

IPv6 not working with Hetzner Cloud

Hi,

first of all, thanks for this script, it's very helpful when setting up a Wireguard server.
I tried running this script on a Hetzner VPS using Debian 10 and Ubuntu 18.04.
Hetzner assigns you an IPv4 address and a public IPv6 /64 prefix.
Running this script, I am able to connect with a client and ping the server's private v4 and v6.
My public v4 traffic from the client also gets successfully routed through the server.
My public v6 traffic from the client gets routed to the server, but then vanishes.
To debug this I pinged a public v6 address from the server (ipv6.google.com),
which was unsuccessful. So I tried turning off WireGuard, which made the pings go through again. When disabling the server's private IPv6 address by removing it, and then enabling WireGuard, I have successful public IPv6 access (both on the server, and the client routed through the server). However it would be better to have private v6 access too.
I'm not quite sure how to debug this as I'm not very experienced with Linux networking.

I tried this on DigitalOcean, where you have a single IPv6 address, and there the script works as expected, so my guess is that it is the IPv6 address prefix.

Thanks!

WG Firewall Rules

Please check your firewall rules settings in your script. Something's wrong, but I don't know what. I did re-configure the firewall rules (ports) again manually. Have a nice day.

Kernel module doesn't load on Fedora/CentOS

[root@fedora-2gb-nbg1-1 ~]# systemctl status wg-quick@wg0.service
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-08-08 22:30:55 CEST; 31s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
  Process: 1056 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
 Main PID: 1056 (code=exited, status=1/FAILURE)

Aug 08 22:30:55 fedora-2gb-nbg1-1 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Aug 08 22:30:55 fedora-2gb-nbg1-1 wg-quick[1056]: [#] ip link add wg0 type wireguard
Aug 08 22:30:55 fedora-2gb-nbg1-1 wg-quick[1056]: Error: Unknown device type.
Aug 08 22:30:55 fedora-2gb-nbg1-1 wg-quick[1056]: Unable to access interface: Protocol not supported
Aug 08 22:30:55 fedora-2gb-nbg1-1 wg-quick[1056]: [#] ip link delete dev wg0
Aug 08 22:30:55 fedora-2gb-nbg1-1 wg-quick[1056]: Cannot find device "wg0"
Aug 08 22:30:55 fedora-2gb-nbg1-1 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Aug 08 22:30:55 fedora-2gb-nbg1-1 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Aug 08 22:30:55 fedora-2gb-nbg1-1 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
[root@fedora-2gb-nbg1-1 ~]#
[root@fedora-2gb-nbg1-1 ~]# lsmod | grep wireguard
[root@fedora-2gb-nbg1-1 ~]#
[root@centos-2gb-nbg1-1 ~]# systemctl status wg-quick@wg0.service
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-08-08 22:32:32 CEST; 13s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
 Main PID: 22401 (code=exited, status=1/FAILURE)

Aug 08 22:32:32 centos-2gb-nbg1-1 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Aug 08 22:32:32 centos-2gb-nbg1-1 wg-quick[22401]: [#] ip link add wg0 type wireguard
Aug 08 22:32:32 centos-2gb-nbg1-1 wg-quick[22401]: RTNETLINK answers: Operation not supported
Aug 08 22:32:32 centos-2gb-nbg1-1 wg-quick[22401]: Unable to access interface: Protocol not supported
Aug 08 22:32:32 centos-2gb-nbg1-1 wg-quick[22401]: [#] ip link delete dev wg0
Aug 08 22:32:32 centos-2gb-nbg1-1 wg-quick[22401]: Cannot find device "wg0"
Aug 08 22:32:32 centos-2gb-nbg1-1 systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
Aug 08 22:32:32 centos-2gb-nbg1-1 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
Aug 08 22:32:32 centos-2gb-nbg1-1 systemd[1]: Unit wg-quick@wg0.service entered failed state.
Aug 08 22:32:32 centos-2gb-nbg1-1 systemd[1]: wg-quick@wg0.service failed.
[root@centos-2gb-nbg1-1 ~]# 
[root@centos-2gb-nbg1-1 ~]# lsmod | grep wireguard
[root@centos-2gb-nbg1-1 ~]# 
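Three of the reports above are the same class of failure surfacing at different points: `wg: command not found` (the tools never got installed, yet the script kept going), `Unknown device type` / `Protocol not supported` from `ip link add wg0 type wireguard` with an empty `lsmod | grep wireguard` (no kernel module available), and `module verification failed ... tainting kernel` on Debian 10 (an unsigned out-of-tree module that works but must be rebuilt for every kernel update). The following is an added pre-flight check, not part of wireguard-install, that an installer would run before writing any configuration; the only assumption beyond the visible logs is that WireGuard has been in the mainline kernel since Linux 5.6, which is why the version test uses that threshold.

```shell
#!/bin/sh
# Added example, not part of wireguard-install: a pre-flight check for the
# failure modes seen in these issues, run before anything is configured:
#   - `wg: command not found`               (wireguard-tools missing),
#   - "Unknown device type" / "Protocol not supported" from
#     `ip link add wg0 type wireguard`      (no loadable kernel module),
#   - "module verification failed ... tainting kernel"
#                                           (unsigned out-of-tree module).
# WireGuard is in the mainline kernel since Linux 5.6 (assumed threshold).

# kernel_has_intree_wireguard VERSION
# Succeeds if VERSION (as printed by `uname -r`, e.g. 4.19.0-8-amd64) is
# 5.6 or newer, i.e. the mainline kernel ships the wireguard module.
kernel_has_intree_wireguard() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%[!0-9]*}"
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# wg_preflight: run the live checks on this host.  Returns 0 only if the
# tools are present and the module can actually be loaded; prints what
# is missing otherwise, so an installer can stop instead of continuing
# into `wg genkey` and `systemctl start` failures.
wg_preflight() {
    ok=0
    if ! command -v wg >/dev/null 2>&1; then
        echo "wg(8) not found: install wireguard-tools before continuing"
        ok=1
    fi
    if modprobe wireguard 2>/dev/null && lsmod | grep -q '^wireguard'; then
        if [ "$(modinfo -F intree wireguard 2>/dev/null)" = "Y" ]; then
            echo "wireguard module loaded (in-tree)"
        else
            echo "wireguard module loaded (out-of-tree build: kernel is tainted and the module must be rebuilt after kernel updates)"
        fi
    else
        echo "cannot load the wireguard module on kernel $(uname -r)"
        if kernel_has_intree_wireguard "$(uname -r)"; then
            echo "  kernel is >= 5.6, so the module should exist; check for a stripped or custom kernel"
        else
            echo "  kernel is < 5.6: a backport/DKMS module package or a newer kernel is needed"
        fi
        ok=1
    fi
    return "$ok"
}
```

`wg_preflight` is what to run on the Fedora and CentOS hosts above: the empty `lsmod` output means `modprobe wireguard` fails, and the check says so before `wg-quick` ever tries to create the interface. On container platforms such as OpenVZ the guest cannot load kernel modules at all, so the check fails by design unless the host kernel already provides WireGuard.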

error: handshake did not complete after 5 seconds

When I disconnect on the client (iOS, Mac and Windows) and after some time connect WireGuard again, the status on the client side is success, but the client log always shows "handshake did not complete after 5 seconds, retrying (try 2)".

At this point I can only restart WireGuard on the VPS; is there any other better solution for it?
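The client-side "connected" status only means the tunnel interface is up; whether the server actually talks to the peer is visible in the server's handshake timestamps, which `wg show` exposes. The following is an added example, not part of wireguard-install, that flags stale peers from the machine-readable `wg show <iface> dump` output; the sample dump is constructed (placeholder keys, documentation addresses) so it runs offline.

```shell
#!/bin/sh
# Added example, not part of wireguard-install: find peers whose last
# handshake is stale.  WireGuard re-handshakes about every 2 minutes while
# traffic flows, so a peer that looks "connected" on the client but has no
# recent handshake on the server is exactly the situation in this issue.
# Input is the tab-separated `wg show <iface> dump` format: line 1 is the
# interface (private-key, public-key, listen-port, fwmark); each further
# line is public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx-bytes, tx-bytes,
# persistent-keepalive.

# stale_peers NOW MAX_AGE
# Reads a dump on stdin and prints "<public-key> <age-in-seconds|never>"
# for each peer whose latest handshake is older than MAX_AGE or absent.
stale_peers() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }                  # interface line has no handshake
        $5 == 0 { print $1, "never"; next }
        now - $5 > max { print $1, now - $5 }'
}

# sample_dump: constructed dump with placeholder keys (not real keys).
# Relative to NOW=1700000030, peer A handshook 30 s ago, peer B 900 s ago,
# peer C never; B has PersistentKeepalive off, A has it at 25 s.
sample_dump() {
    printf 'SERVER_PRIV\tSERVER_PUB\t51820\toff\n'
    printf 'PEER_A_PUB\t(none)\t198.51.100.7:41641\t10.8.0.2/32,fd42:42:42::2/128\t1700000000\t4096\t8192\t25\n'
    printf 'PEER_B_PUB\t(none)\t203.0.113.9:55001\t10.8.0.3/32,fd42:42:42::3/128\t1699999130\t512\t1024\t0\n'
    printf 'PEER_C_PUB\t(none)\t(none)\t10.8.0.4/32,fd42:42:42::4/128\t0\t0\t0\t0\n'
}

# sample_stale MAX_AGE: run the detector against the sample at NOW=1700000030.
sample_stale() {
    sample_dump | stale_peers 1700000030 "$1"
}

# On a live server:  wg show wg0 dump | stale_peers "$(date +%s)" 180
```

Run against the live interface, a peer listed as stale while the client believes it is connected tells you the client's packets are not reaching the server (or the replies are not getting back). Note that the client config quoted earlier on this page has `PersistentKeepalive = 0`, which disables keepalives; clients behind NAT normally use 25 so the NAT mapping does not expire between handshakes.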
