From cc4887be9ce4b1b0474bf8414a3c700666fca420 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sun, 7 Nov 2021 12:07:38 +0100 Subject: [PATCH 1/2] Add script for automated Wireguard client generation Signed-off-by: DL6ER --- docs/guides/vpn/wireguard/client.md | 69 ++++++++++++++++++++--------- 1 file changed, 48 insertions(+), 21 deletions(-) diff --git a/docs/guides/vpn/wireguard/client.md b/docs/guides/vpn/wireguard/client.md index 4864426..e4af0d0 100644 --- a/docs/guides/vpn/wireguard/client.md +++ b/docs/guides/vpn/wireguard/client.md @@ -5,35 +5,62 @@ Adding clients is really simple and easy. The process for setting up a client is For each new client, the following steps must be taken. For the sake of simplicity, we will create the config file on the server itself. This, however, means that you need to transfer the config file *securely* to your server as it contains the private key of your client. An alternative way of doing this is to generate the configuration locally on your client and add the necessary lines to your server's configuration. -??? info "All commands described below at once" +??? info "Script to generate clients automatically" + Script content: + + ```bash + #!/bin/bash + ipv4="$1$4" + ipv6="$2$4" + target="$3" + name="$5" + + wg genkey | tee "${name}.key" | wg pubkey > "${name}.pub" + wg genpsk > "${name}.psk" + + echo "# $name" >> /etc/wireguard/wg0.conf + echo "[Peer]" >> /etc/wireguard/wg0.conf + echo "PublicKey = $(cat "${name}.pub")" >> /etc/wireguard/wg0.conf + echo "PresharedKey = $(cat "${name}.psk")" >> /etc/wireguard/wg0.conf + echo "AllowedIPs = $ipv4/32, $ipv6/128" >> /etc/wireguard/wg0.conf + echo "" >> /etc/wireguard/wg0.conf + + echo "[Interface]" > "${name}.conf" + echo "Address = $ipv4/32, $ipv6/128" >> "${name}.conf" + echo "PrivateKey = $(cat "${name}.key")" >> "${name}.conf" + echo "" >> "${name}.conf" + echo "[Peer]" >> "${name}.conf" + echo "PublicKey = $(cat server.pub)" >> "${name}.conf" + echo "PresharedKey = $(cat "${name}.psk")" >> "${name}.conf" + echo "Endpoint = $target" >> "${name}.conf" + echo "AllowedIPs = ${1}0/24, ${3}/64" >> "${name}.conf" + echo "PersistentKeepalive = 25" >> "${name}.conf" + + # Print QR code scanable by the Wireguard mobile app on screen + qrencode -t ansiutf8 < "${name}.conf" + + systemctl restart wg-quick@wg0 + ``` + + Run the script like + ```bash sudo -i cd /etc/wireguard umask 077 - name="client_name" - - wg genkey | tee "${name}.key" | wg pubkey > "${name}.pub" - wg genpsk > "${name}.psk" - - echo "[Peer]" >> /etc/wireguard/wg0.conf - echo "PublicKey = $(cat "${name}.pub")" >> /etc/wireguard/wg0.conf - echo "PresharedKey = $(cat "${name}.psk")" >> /etc/wireguard/wg0.conf - echo "AllowedIPs = 10.100.0.2/32, fd08:4711::2/128" >> /etc/wireguard/wg0.conf - - systemctl restart wg-quick@wg0 - - echo "[Interface]" > "${name}.conf" - echo "Address = 10.100.0.2/32, fd08:4711::2/128" >> "${name}.conf" # May need editing - echo "DNS = 10.100.0.1" >> "${name}.conf" # Your Pi-hole's IP - echo "PrivateKey = $(cat "${name}.key")" >> "${name}.conf" - echo "PublicKey = $(cat server.pub)" >> "${name}.conf" - echo "PresharedKey = $(cat "${name}.psk")" >> "${name}.conf" - - qrencode -t ansiutf8 -r "${name}.conf" + bash "10.100.0." "fd08:4711::" "my_server_domain:47111" 2 "annas-android" + bash "10.100.0." "fd08:4711::" "my_server_domain:47111" 3 "peters-laptop" exit ``` + + to generate two clients: + + - `annas-android` with addresses `10.100.0.2` and `fd08:4711::2` + - `peters-laptop` with addresses `10.100.0.3` and `fd08:4711::3` + + connecting to the server running at `my_server_domain:47111` ## Key generation From aca6b164e67f9fa7318ab1d640a1332efb179fd6 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 13 Nov 2021 11:51:11 +0100 Subject: [PATCH 2/2] Default should be that clients cannot see each other Signed-off-by: DL6ER --- docs/guides/vpn/wireguard/client.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/guides/vpn/wireguard/client.md b/docs/guides/vpn/wireguard/client.md index e4af0d0..ac040e8 100644 --- a/docs/guides/vpn/wireguard/client.md +++ b/docs/guides/vpn/wireguard/client.md @@ -12,6 +12,8 @@ For each new client, the following steps must be taken. For the sake of simplici #!/bin/bash ipv4="$1$4" ipv6="$2$4" + serv4="${1}1" + serv6="${2}1" target="$3" name="$5" @@ -33,7 +35,8 @@ For each new client, the following steps must be taken. For the sake of simplici echo "PublicKey = $(cat server.pub)" >> "${name}.conf" echo "PresharedKey = $(cat "${name}.psk")" >> "${name}.conf" echo "Endpoint = $target" >> "${name}.conf" - echo "AllowedIPs = ${1}0/24, ${3}/64" >> "${name}.conf" + echo "AllowedIPs = ${serv4}/32, ${serv6}/128" >> "${name}.conf" # clients isolated from one another + # echo "AllowedIPs = ${1}0/24, ${2}/64" >> "${name}.conf" # clients can see each other echo "PersistentKeepalive = 25" >> "${name}.conf" # Print QR code scanable by the Wireguard mobile app on screen @@ -160,7 +163,7 @@ Next, add your server as peer for this client: ```plain [Peer] -AllowedIPs = 10.100.0.0/24, fd08::/64 +AllowedIPs = 10.100.0.1/32, fd08::1/128 Endpoint = [your public IP or domain]:47111 PersistentKeepalive = 25 ```