gq97a6/wireguard_install
Wireguard installation script

Bash automation script that helps you install and manage a self-hosted Wireguard server.

Note

Before running the script you should have basic knowledge of Wireguard and networking.

Note

You should never run scripts you do not fully understand.

Warning

This script assumes that both the INPUT and FORWARD chains of the iptables filter table have a DROP policy.

Important

First edit this part of the script before running it:

```bash
# DNS for client configuration (e.g. 8.8.8.8)
CLIENT_DNS=""

# Default endpoint for client configuration (e.g. your public IP address)
DEFAULT_ENDPOINT=""
```

Script functions

  • Installing and removing wireguard
  • Adding and removing clients
  • Generating QR codes from client configurations
  • Adding and removing wireguard interfaces
  • Managing Wireguard interfaces (iptables rules)

How to add new interfaces - 21) Add interface

For easier configuration this script uses the wireguard-tools package.
This package requires that each interface is named following the pattern wg<interface index>.
Your Wireguard server can have multiple interfaces, for example wg0 and wg1.
The configuration for each interface is stored in /etc/wireguard in the corresponding file, for example wg2.conf.

1. The first step in adding a new interface is to specify its index:

New interface index: 

2. The next step is to specify the port on which the new interface should listen for incoming packets.
Make sure it is not already in use by another interface or application.

New interface port [1-65535]:

3. In this step set the address for your Wireguard interface.
Make sure it is not already in use by another interface.

New interface address [e.g. 10.0.0.1/24]:

In the next section we will set up iptables rules to grant specific functionalities to our interface.

How to modify interfaces configuration - 22) Modify interface

This part of the script adds the necessary iptables rules to our interface configuration.

Warning

At the start of this function all previously set rules are removed.

Rules come in pairs: the rule to add when you enable your interface (PostUp) and the matching rule to remove when you disable it (PostDown). For example:

```ini
# Open port for this network
PostUp = iptables -A WIREGUARD_INPUT -i eth0 -p udp --dport 1000 -j ACCEPT
PostDown = iptables -D WIREGUARD_INPUT -i eth0 -p udp --dport 1000 -j ACCEPT
```

1. This step configures iptables rules that route client internet traffic through the eth0 interface.

Do you wish to allow INTERNET access for clients in <interface>? [y/n]:

2. This step configures iptables rules specific to input traffic on that interface.
Input traffic is traffic destined for a local interface on this machine,
for example when a client tries to ping one of the Wireguard interfaces.
With this option you can let clients access every other interface or just specific ones.

Specify policy regarding INPUT traffic on the <interface> interface:
   1) Rely on input chain policy
   2) Accept only to <interface> address
   3) Accept to specific addresses
   4) Accept all regardless of the target

About this policy:
- Affects traffic that IS destined for local interfaces on this machine
- Affects the ability of clients to reach local interfaces on this machine
- Affects the ability of clients to ping the <interface> interface or another local interface
- Affects the ability of clients to access services listening on the <interface> interface or another local interface
- Does NOT affect traffic forwarding

3. This step configures iptables rules specific to output traffic from that interface.

Specify policy regarding OUTPUT traffic from the <interface> interface:
   1) Rely on output chain policy
   2) Accept to specific addresses
   3) Accept all regardless of the target

About this policy:
- Affects traffic generated by the <interface> interface to external destinations

4. This step configures iptables rules specific to traffic forwarded from that interface.
Traffic forwarding occurs when the interface receives a packet that is not destined for a local interface,
for example when a Wireguard client pings another client, even if both are connected to the same Wireguard interface.
With this option you can grant clients the ability to reach other clients or devices.

Specify policy regarding FORWARDING traffic from the <interface> interface:
   1) Rely on forward chain policy
   2) Accept only to <interface>
   3) Accept to specific interfaces
   4) Accept all regardless of the target

About this policy:
- Affects traffic that is NOT destined for local interfaces on this machine
- Affects the ability of clients in <interface> to reach other clients/devices
- Does NOT affect the ability of clients to ping the <interface> interface or other local interfaces
- Does NOT affect the ability of clients to access services listening on the <interface> interface or other local interfaces
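The following is an added example, not the gq97a6/wireguard_install script itself. It reproduces the logic behind the "Modify interface" menu: each answer to the INPUT, FORWARD and internet-access questions becomes a PostUp/PostDown pair, so that bringing the interface down removes exactly the rules that bringing it up added. It appends to the built-in INPUT and FORWARD chains rather than the custom WIREGUARD_INPUT chain shown in the README's own rule, and the demo values (wg0, eth0, port 1000, 10.0.0.1/24) are taken from the README's examples.

```shell
#!/bin/sh
# Added example, not the gq97a6/wireguard_install script itself. It reproduces
# the logic behind "22) Modify interface": every firewall rule is emitted as a
# PostUp (-A) / PostDown (-D) pair, so bringing wg<index> down removes exactly
# what bringing it up added. Rules are appended to the built-in INPUT and
# FORWARD chains (the README's script uses its own WIREGUARD_INPUT chain); with
# the DROP policy the README assumes on both, nothing beyond these rules passes.
set -e

# rule_pair <table flags or ""> <chain and match>: a PostUp line and its PostDown twin.
rule_pair() {
  printf 'PostUp = iptables %s-A %s\nPostDown = iptables %s-D %s\n' "$1" "$2" "$1" "$2"
}

# input_rules <wg iface> <iface address without prefix> <policy 1-4> [addresses...]
# INPUT policy: what clients may reach on this host itself (pinging wg<index>,
# services bound to it). Forwarded traffic is not affected by these rules.
input_rules() {
  local ifname="$1" iface_ip="$2" policy="$3" a; shift 3
  case $policy in
    1) ;;   # rely on the INPUT chain policy (DROP)
    2) rule_pair "" "INPUT -i $ifname -d $iface_ip -j ACCEPT" ;;
    3) for a in "$@"; do rule_pair "" "INPUT -i $ifname -d $a -j ACCEPT"; done ;;
    4) rule_pair "" "INPUT -i $ifname -j ACCEPT" ;;
    *) echo "unknown INPUT policy: $policy" >&2; return 1 ;;
  esac
}

# forward_rules <wg iface> <policy 1-4> [output interfaces...]
# FORWARD policy: client-to-client and client-to-other-network traffic, i.e.
# packets that are not addressed to this host. Policy 2 is what FAQ 2 asks for.
forward_rules() {
  local ifname="$1" policy="$2" o; shift 2
  case $policy in
    1) ;;   # rely on the FORWARD chain policy (DROP)
    2) rule_pair "" "FORWARD -i $ifname -o $ifname -j ACCEPT" ;;
    3) for o in "$@"; do rule_pair "" "FORWARD -i $ifname -o $o -j ACCEPT"; done ;;
    4) rule_pair "" "FORWARD -i $ifname -j ACCEPT" ;;
    *) echo "unknown FORWARD policy: $policy" >&2; return 1 ;;
  esac
}

# internet_rules <wg iface> <wan iface>: let client traffic leave through the WAN
# interface and NAT it. Replies only get back in if FORWARD also accepts
# RELATED,ESTABLISHED (FAQ 4) and net.ipv4.ip_forward=1 is set (FAQ 1).
internet_rules() {
  rule_pair "" "FORWARD -i $1 -o $2 -j ACCEPT"
  rule_pair "-t nat " "POSTROUTING -o $2 -j MASQUERADE"
}

# wg_iface_conf <index> <port> <address/prefix> <wan iface> <input policy> <input targets>
#               <forward policy> <forward targets> <internet y|n>
# Prints the /etc/wireguard/wg<index>.conf that steps 21) and 22) would produce
# for those answers; targets are comma-separated and only used by policy 3.
wg_iface_conf() {
  local idx="$1" port="$2" addr="$3" wan="$4" inpol="$5" intargets="$6" fwdpol="$7" fwdtargets="$8" inet="$9"
  local ifname iface_ip old_ifs
  case $idx in ''|*[!0-9]*) echo "interface index must be a number" >&2; return 1 ;; esac
  case $port in ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port must be in 1-65535" >&2; return 1; }
  ifname="wg$idx"; iface_ip="${addr%%/*}"
  printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = <server private key, from: wg genkey>\n' "$addr" "$port"
  # Open the listen port on the WAN interface (the README's own example rule).
  rule_pair "" "INPUT -i $wan -p udp --dport $port -j ACCEPT"
  old_ifs=$IFS; IFS=,; set -- $intargets; IFS=$old_ifs
  input_rules "$ifname" "$iface_ip" "$inpol" "$@"
  IFS=,; set -- $fwdtargets; IFS=$old_ifs
  forward_rules "$ifname" "$fwdpol" "$@"
  if [ "$inet" = y ]; then internet_rules "$ifname" "$wan"; fi
}

# Demo with the README's sample values: wg0 on eth0, port 1000, 10.0.0.1/24;
# clients may reach wg0's own address and each other, and get internet access.
wg_iface_conf 0 1000 10.0.0.1/24 eth0 2 "" 2 "" y
```

Because every ACCEPT is scoped by `-i wg<index>` (and `-d`/`-o` where the policy asks for a target), a DROP default on the chains means the menu choices are the complete allow-list for that interface; the masquerade rule deliberately lives in its own pair so that disabling the interface also removes the NAT.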

How to add new clients - 11) Add new client

First specify the interface to which you want to add the new client.

Interface index to add client to:

The script outputs the interface configuration.

You are adding client for <interface>
Interface address: 10.0.0.1/24
Interface port: 1000
Client Eve allowed IPs: 10.0.0.2/32
Client Adam allowed IPs: 10.0.0.3/32

1. Specify a name for the new client. Make sure it is not already taken. The name is used only for removing clients and generating QR codes.

Set client name:

2. Specify the client address. Make sure it is in the same subnet as the server interface.
With the example network 10.0.0.0/24
and server interface address 10.0.0.1/24,
example client addresses would be 10.0.0.2/24, 10.0.0.3/24 or 10.0.0.4/24.

Set client address.
Address = 

3. Specify the networks to which client traffic should be routed.
For example, set it to the network of the server interface to route only traffic related to this interface,
or set it to 0.0.0.0/0 to route all traffic including internet traffic. Note that the latter requires an interface configured with internet access.

Set to which networks client traffic should be routed.
AllowedIPs =

4. Specify which IP addresses the client is allowed to have.
This line belongs to the server configuration.
If you have set the client address to, for example, 10.0.0.2/24, you should set this to 10.0.0.2/32 to allow only that one address.

Set which IP addresses client is allowed to have.
AllowedIPs =

The client configuration will be saved to /etc/wireguard.
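The following is an added example, not code from the gq97a6/wireguard_install script. It carries out the checks the four steps above ask the user to do by hand (name not taken, address inside the server's subnet and not already assigned) and prints the two pieces of configuration the step produces: the client's own file, and the [Peer] block for the server's interface file whose AllowedIPs is narrowed to <client ip>/32. CLIENT_DNS and DEFAULT_ENDPOINT are the README's variables; their values, the endpoint name and the new client "Bob" are constructed for the demo, while the interface (10.0.0.1/24, port 1000) and the existing clients Eve and Adam are the README's own sample.

```shell
#!/bin/sh
# Added example, not part of the gq97a6/wireguard_install script. Performs the
# checks "11) Add new client" asks for and prints both config fragments.
# CLIENT_DNS / DEFAULT_ENDPOINT are the README's variables; values are constructed.
set -e

CLIENT_DNS="8.8.8.8"
DEFAULT_ENDPOINT="vpn.example.com"   # placeholder endpoint for the demo

# ip2int <dotted quad>: the address as a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip <integer>: back to a dotted quad.
int2ip() {
  printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# network_of <ip/prefix>: the network address, e.g. 10.0.0.2/24 -> 10.0.0.0
network_of() {
  local ip="${1%%/*}" prefix="${1##*/}" mask
  mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  int2ip $(( $(ip2int "$ip") & mask ))
}

# same_subnet <a/prefix> <b/prefix>: true when both CIDRs name the same network.
same_subnet() {
  [ "${1##*/}" = "${2##*/}" ] && [ "$(network_of "$1")" = "$(network_of "$2")" ]
}

# add_client <server addr/prefix> <port> <name> <client addr/prefix> <client AllowedIPs> [name:allowed ...]
# The trailing arguments are the interface's existing clients as the script
# lists them ("Client Eve allowed IPs: 10.0.0.2/32" becomes Eve:10.0.0.2/32).
# Returns 1 with a reason on stderr when a step-1/step-2 check fails.
add_client() {
  local srv="$1" port="$2" name="$3" addr="$4" routes="$5"; shift 5
  local ip="${addr%%/*}" e
  same_subnet "$srv" "$addr" || { echo "$addr is not in the subnet of $srv" >&2; return 1; }
  [ "$ip" != "${srv%%/*}" ] || { echo "$ip is the server's own address" >&2; return 1; }
  for e in "$@"; do
    [ "${e%%:*}" != "$name" ] || { echo "client name $name is already taken" >&2; return 1; }
    [ "${e##*:}" != "$ip/32" ] || { echo "$ip is already assigned to ${e%%:*}" >&2; return 1; }
  done
  cat <<EOF
# --- client configuration for $name (the script saves it under /etc/wireguard) ---
[Interface]
Address = $addr
PrivateKey = <client private key, from: wg genkey>
DNS = $CLIENT_DNS

[Peer]
PublicKey = <server public key>
Endpoint = $DEFAULT_ENDPOINT:$port
AllowedIPs = $routes

# --- [Peer] block to append to the server's interface file (step 4: one address only) ---
[Peer]
# $name
PublicKey = <client public key>
AllowedIPs = $ip/32
EOF
}

# Demo with the README's sample interface (10.0.0.1/24, port 1000) and its
# existing clients Eve and Adam; the new client routes only the VPN subnet.
add_client 10.0.0.1/24 1000 Bob 10.0.0.4/24 10.0.0.0/24 Eve:10.0.0.2/32 Adam:10.0.0.3/32
```

The two AllowedIPs lines are deliberately different objects: the one in the client file is a routing decision (which destinations go into the tunnel), while the /32 in the server's [Peer] block is an authorization decision (which source addresses the server will accept from that key), which is why step 4 narrows it to a single address even though the client's own Address carries the /24.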

FAQ

1. Clients don't have access to the internet.

  1. Try changing the DNS server in the client configuration: DNS = <DNS_SERVER>.
  2. Make sure you have:
  • configured your interface to allow internet access.
  • set net.ipv4.ip_forward=1 in /etc/sysctl.conf and applied the change with sudo sysctl -p.

2. Clients connected to the same VPN network cannot reach each other.
Make sure you have configured your interface to allow traffic forwarding to this interface: pick 2) Accept only to <interface>, or, in the case of 3) Accept to specific interfaces, remember to add the interface itself to the list.

3. A client in a home network gets disconnected after a while.
Check for "Handshake for peer did not complete after 5 seconds" in the Wireguard logs. This might be an issue with the ISP blocking Wireguard or the UDP protocol, a misconfigured NAT or just CGNAT. There is no easy fix for that.

4. How do I set up an isolated one-way network?
With a DROP policy on both the INPUT and FORWARD iptables filter chains and no other new rules introduced while configuring your interface, you can set up an isolated network. Clients connected to this interface have no access to any interface or client. They can still be reached by other clients over UDP. For TCP we have to allow packets that are part of established connections or related to them. There is a high chance you already have these rules in your iptables configuration:

```
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```
