@lildeadprince
Last active November 27, 2024 17:08
WireGuard VPN server
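# WireGuard hub bootstrap on a Debian VM with easy-wg-quick, plus the matching
# cloud firewall rule. Runs as a sudo-capable user; the gcloud step at the end
# needs an authenticated gcloud (on the VM or a workstation) for the project below.
# Remove the `set` line if pasting these commands into an interactive shell.
set -euo pipefail

# assuming it's some Debian, install the dependencies
# NOTE(review): wireguard-dkms is only needed on kernels without the in-tree
# module; on current Debian kernels the `wireguard` package is sufficient.
sudo apt install -y wget wireguard-dkms wireguard-tools "linux-headers-$(uname -r)" mawk grep iproute2 qrencode

# download easy-wg-quick script
# NOTE(review): this fetches an unpinned script from the master branch and runs it
# with access to the hub's private keys; pin a specific commit/tag and read the
# script before executing it.
wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick
chmod +x easy-wg-quick

# define params for easy-wg-quick script (each one is read from a file in the cwd)
## Static (preferably static) External IP of the server deployment VM
## -- replace the placeholder with the VM's real public address before running
echo "***.***.***.***" > extnetip.txt
## UDP port to use in WG; kept in a variable so the firewall rule below opens the same port
WG_PORT=1312
echo "$WG_PORT" > portno.txt
## in Europe Google DNS is better than Cloudflare's 1.1.1.1 (which is default in easy-wg-script)
echo "8.8.8.8" > intnetdns.txt

# Add named Peers for my devices, follow output
./easy-wg-quick peer-1-peka
./easy-wg-quick peer-2-lopata
./easy-wg-quick peer-3-pixel

# Export peer configs
# These files hold each peer's private key and preshared key: move them to the
# client over a trusted channel and remove them from the hub once imported.
cat wgclient_peer-1-peka.conf
cat wgclient_peer-2-lopata.conf
cat wgclient_peer-3-pixel.conf

# Import configs into end client application
# Windows https://download.wireguard.com/windows-client/wireguard-installer.exe
# Android https://play.google.com/store/apps/details?id=com.wireguard.android
# MacOS https://itunes.apple.com/us/app/wireguard/id1451685025
# iOS https://itunes.apple.com/us/app/wireguard/id1441195209
# Debian `sudo apt install wireguard`
# Fedora `sudo dnf install wireguard-tools`
# CentOS `sudo yum install elrepo-release epel-release
# sudo yum install kmod-wireguard wireguard-tools`
# For mobile clients the QR-code renderings of the same configs can be shown instead:
# cat wgclient_peer-1-peka.qrcode.txt
# cat wgclient_peer-2-lopata.qrcode.txt
# cat wgclient_peer-3-pixel.qrcode.txt

# Launch the WireGuard server (config generated by easy-wg-quick in the cwd)
sudo wg-quick up ./wghub.conf

# Create GCP Firewall rule to allow WireGuard traffic (UDP) to the tagged VM
# Bash assignments must not have spaces around `=`, and the variable names must
# match the ones expanded in the gcloud call below.
GCP_PROJECT_ID="project-id"
# Arbitrary rule name
GCP_FIREWALL_RULE_ALLOW_WG_NAME="wg0"
# Port used in WG Server config: same value as portno.txt (and ListenPort in wghub.conf)
GCP_FIREWALL_RULE_ALLOW_WG_PORT="$WG_PORT"
# Tag to assign to VMs that should follow this rule
GCP_FIREWALL_RULE_ALLOW_WG_TAG="wg"
# 0.0.0.0/0 is intentional for roaming VPN clients: WireGuard stays silent to
# unauthenticated packets, so only the single UDP port is exposed.
gcloud compute --project="$GCP_PROJECT_ID" \
  firewall-rules \
  create "$GCP_FIREWALL_RULE_ALLOW_WG_NAME" \
  --description="Allow WireGuard VPN traffic" \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules="udp:$GCP_FIREWALL_RULE_ALLOW_WG_PORT" \
  --source-ranges=0.0.0.0/0 \
  --target-tags="$GCP_FIREWALL_RULE_ALLOW_WG_TAG"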
# Hub configuration created on cybervillain-1 on Fri 11 Feb 2022 08:55:19 PM UTC
# wghub.conf — hub (server) side of the tunnel, generated by easy-wg-quick.
# Loaded with `wg-quick up ./wghub.conf` above. Keys are redacted here; the real
# file contains the hub's private key and every peer's preshared key, so it must
# stay root-only readable and never be published.
[Interface]
# Hub's own tunnel addresses; each peer below gets one /32 + /128 out of these ranges.
Address = 10.14.196.1/24, fd36:5196:9212:8192::1/64
# UDP port the hub listens on. The cloud firewall must open exactly this port.
# NOTE(review): this differs from the 1312 written to portno.txt earlier in the
# gist and the port in the firewall step — keep the three in sync.
ListenPort = 22828
PrivateKey = REDACTED
# Per wg-quick(8), false means the interface state is not written back to this
# file on shutdown (peers added at runtime via `wg` are not persisted).
SaveConfig = false
# Presumably chosen as the conservative IPv6 minimum so encapsulated packets fit
# the outer path without fragmentation — confirm against the uplink MTU.
MTU = 1280
# Clamp TCP MSS on traffic leaving the uplink (enp1s0) so forwarded peer flows
# match the reduced tunnel MTU. enp1s0 is hard-coded in every rule below; adjust
# it if the VM's NIC name differs.
PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o enp1s0 -j TCPMSS --clamp-mss-to-pmtu
PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o enp1s0 -j TCPMSS --clamp-mss-to-pmtu
# Source-NAT peer traffic out through the uplink.
PostUp = iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
# Allow forwarding of packets arriving on the tunnel interface (%i = this interface).
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
# PostDown mirrors the PostUp rules above with -D so nothing is left behind
# when the tunnel goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o enp1s0 -j TCPMSS --clamp-mss-to-pmtu
PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o enp1s0 -j TCPMSS --clamp-mss-to-pmtu
# IPv6 counterpart of the IPv4 MASQUERADE rule (added/removed as a pair).
PostUp = ip6tables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
# Enable kernel forwarding while the tunnel is up and switch it back off on down.
# NOTE(review): PostDown resets forwarding to 0 unconditionally — if anything else
# on this host relies on forwarding, it is disabled too when the tunnel stops.
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
# One [Peer] per client. On the hub, AllowedIPs is both the route to the peer and
# the set of source addresses accepted from it (WireGuard's cryptokey routing),
# so each peer is pinned to exactly one v4 and one v6 address. PresharedKey adds a
# per-peer symmetric secret on top of the public-key handshake.
# NOTE(review): the peer names here (peka, lopata, pihel) do not match the
# peer-N-* names used in the script above; this looks like a separate run.
# 10: peka > wgclient_peka.conf
[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 10.14.196.10/32, fd36:5196:9212:8192::10/128
# 11: lopata > wgclient_lopata.conf
[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 10.14.196.11/32, fd36:5196:9212:8192::11/128
# 12: pihel > wgclient_pihel.conf
[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 10.14.196.12/32, fd36:5196:9212:8192::12/128
# wg-quick@.service — systemd template unit that ships with wireguard-tools.
# The instance name (%i) selects the config, e.g. `systemctl enable --now wg-quick@wghub`;
# per the wg-quick(8) page linked below a bare name is looked up under /etc/wireguard/.
# NOTE(review): the script above brings the hub up from ./wghub.conf in the cwd;
# for this unit to manage it across reboots the file has to be installed as
# /etc/wireguard/wghub.conf instead.
[Unit]
# %I is the unescaped instance name, used only for the human-readable description.
Description=WireGuard via wg-quick(8) for %I
# Order after networking and name resolution so Endpoint hostnames can be resolved.
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
# Stopping or restarting wg-quick.target propagates to every instance.
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
# wg-quick up/down are one-shot commands; RemainAfterExit keeps the unit reported
# as active after `up` returns so that `stop` runs the matching `down`.
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
# Reload applies config edits without tearing the interface down: `wg-quick strip`
# drops the wg-quick-only keys and `wg syncconf` pushes the rest to the kernel.
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
# Keep retrying Endpoint DNS resolution rather than failing when DNS is not yet
# reachable at boot (relevant for clients; the hub config has no Endpoint).
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target