From a1a53c254085f9911dda1dff6807b728721ff6af Mon Sep 17 00:00:00 2001
From: Mario Alegre
Date: Wed, 23 Dec 2020 17:01:34 -0500
Subject: [PATCH] added reconfig, renamed wg-peer

---
 bin/wg-peer                      | 73 +++++++++++++++++++++++---------
 docs/linux/wireguard/add-peer.md |  8 ++--
 docs/linux/wireguard/install.md  | 27 ++++++------
 docs/linux/wireguard/reconfig.md | 26 ++++++++++++
 4 files changed, 99 insertions(+), 35 deletions(-)
 create mode 100644 docs/linux/wireguard/reconfig.md

diff --git a/bin/wg-peer b/bin/wg-peer
index 09b4f22..163f65b 100755
--- a/bin/wg-peer
+++ b/bin/wg-peer
@@ -5,17 +5,60 @@ set -euo pipefail
 wg_domain="wg.alemor.org"
 wg_dev="wg0"
 
-# check for arguments
-if [[ $# -lt 1 || $# -gt 1 ]]; then
-  echo "Usage: $(basename $0) ssh_destination"
-  exit 1
+# functions
+help() {
+  case $1 in
+    main) echo "Usage: $(basename $0) [COMMAND] [DESTINATION]"
+      echo "Automatically configure WireGuard peer connection to a given destination that you are able to SSH to and are a sudoer on."
+      echo "Commands:"
+      echo -e "\tadd"
+      ;;
+    add) echo "Usage: $(basename $0) add [DESTINATION]"
+      echo "Add a peer connection."
+      ;;
+  esac
+  exit 1
+}
+
+
+cmd_add() {
+  # add peer on host
+  sudo wg set $wg_dev peer "${dest_key}" endpoint $dest_fqdn:$dest_port allowed-ips $dest_wgip/32
+  line="$dest_wgip\t$dest_name.$wg_domain"
+  regex="^[0-9.]+\s+$dest_name.$wg_domain\$"
+  sed -E -e "/$regex/{s/.*/$line/;:a;n;ba;q}" -e "\$a $line" /etc/hosts | sudo tee /etc/hosts >/dev/null
+
+  # add peer on dest
+  sshp sudo wg set $wg_dev peer "'${host_key}'" endpoint $host_fqdn:$host_port allowed-ips $host_wgip/32
+  line="$host_wgip\t$host_name.$wg_domain"
+  regex="^[0-9.]+\s+$host_name.$wg_domain"
+  sshp "sed -E -e '/$regex/{s/.*/$line/;:a;n;ba;q}' -e '\$a $line' /etc/hosts | sudo tee /etc/hosts >/dev/null"
+}
+
+# Main
+
+# Check args
+if [[ $# -lt 1 ]]; then
+  help main
 fi
-dest="$1"
+case $1 in
+  add)
+    if [[ $# -lt 2 ]]; then
+      help add
+    fi
+    cmd=add
+    dest=$2
+    ;;
+  *)
+    help main
+    ;;
+esac
 
-# script expects ssh-persist to be either in the same directory, or in the path
+# ask for local sudo password
 sudo -p '[sudo] password for %u@%h: ' true
-cd $(dirname $0)
-. ssh-persist.sh $dest
+# connect to remote
+# script expects ssh-persist to be either in the same directory as script itself, or in the path
+. ssh-persist.sh "$dest" || . $(dirname $0)/ssh-persist.sh "$dest"
 
 # gather host info
 host_name=$(hostname)
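Review bot: In cmd_add the pipeline `sed ... /etc/hosts | sudo tee /etc/hosts` (and the same command sent through sshp for the remote side) has tee open /etc/hosts for writing while sed is still reading it, so a slow or failing sed can leave the file truncated, and with `set -o pipefail` the script then aborts with nothing to restore it from. Both `$line` and `$regex` also splice `$dest_name` into that sed script, which runs under sudo; `dest_name` is set outside this hunk and presumably comes from the remote like `dest_wgip` in the next hunk, so a remote returning a crafted hostname effectively controls what gets written into the local /etc/hosts. The unescaped `.` in `$dest_name.$wg_domain` and the missing `\$` anchor on the second regex are smaller symptoms of the same string-building. I would reject hostnames outside a safe character set before they reach sed and rewrite the file through a temp file plus `install`, as below for the host side; the remote-side block mirrors it. `help`, the argument parsing and the ssh-persist sourcing further down the hunk are untouched by this.

```shell
cmd_add() {
  # Refuse names that could carry sed/regex metacharacters into the /etc/hosts rewrite below.
  [[ $dest_name =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || { echo "unsafe remote hostname: $dest_name" >&2; exit 1; }
  [[ $host_name =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || { echo "unsafe local hostname: $host_name" >&2; exit 1; }

  # add peer on host
  sudo wg set "$wg_dev" peer "${dest_key}" endpoint "$dest_fqdn:$dest_port" allowed-ips "$dest_wgip/32"
  line="$dest_wgip\t$dest_name.$wg_domain"
  regex="^[0-9.]+\s+$dest_name\.$wg_domain\$"
  # Never pipe sed's output straight back into /etc/hosts: tee truncates it before sed has finished reading.
  tmp=$(mktemp) || exit 1
  sed -E -e "/$regex/{s/.*/$line/;:a;n;ba;q}" -e "\$a $line" /etc/hosts > "$tmp"
  sudo install -m 0644 -o root -g root -- "$tmp" /etc/hosts
  rm -f -- "$tmp"

  # … unchanged: add peer on dest (apply the same temp-file rewrite in the sshp command) …
}
```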
@@ -31,14 +74,6 @@ dest_wgip="$(sshp ip -4 addr show $wg_dev | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
 dest_port=$(sshp sudo wg show $wg_dev listen-port)
 dest_key=$(sshp sudo wg show $wg_dev public-key)
 
-# add peer on host
-sudo wg set $wg_dev peer "${dest_key}" endpoint $dest_fqdn:$dest_port allowed-ips $dest_wgip/32
-line="$dest_wgip\t$dest_name.$wg_domain"
-regex="^[0-9.]+\s+$dest_name.$wg_domain\$"
-sed -E -e "/$regex/{s/.*/$line/;:a;n;ba;q}" -e "\$a $line" /etc/hosts | sudo tee /etc/hosts >/dev/null
-
-# add peer on dest
-sshp sudo wg set $wg_dev peer "'${host_key}'" endpoint $host_fqdn:$host_port allowed-ips $host_wgip/32
-line="$host_wgip\t$host_name.$wg_domain"
-regex="^[0-9.]+\s+$host_name.$wg_domain"
-sshp "sed -E -e '/$regex/{s/.*/$line/;:a;n;ba;q}' -e '\$a $line' /etc/hosts | sudo tee /etc/hosts >/dev/null"
+case $cmd in
+  add) cmd_add;;
+esac
diff --git a/docs/linux/wireguard/add-peer.md b/docs/linux/wireguard/add-peer.md
index 08e4a8c..d28058f 100644
--- a/docs/linux/wireguard/add-peer.md
+++ b/docs/linux/wireguard/add-peer.md
@@ -1,8 +1,8 @@
-# add a peer
+# Add a Peer
 
 Say we want to connect two computers via wireguard. We will call them **one** and **two**.
 
-## manual
+## Manual
 
 On one, run the following command to add a new host:
 ```
@@ -15,6 +15,6 @@ echo -e "${two_wg_ip:?}\t${two_hostname}.wg.alemor.org" >> /etc/hosts
 
 On two, run the same commands but with one and two switched.
 
-## automatic
+## Automatic
 
-If you can ssh into an account that has sudo access on the host, simply run the `wg-addpeer` command included in the `bin` section of this repo.
+If you can ssh into an account that has sudo access on the host, simply run the `wg-peer` command included in the `bin` section of this repo.
diff --git a/docs/linux/wireguard/install.md b/docs/linux/wireguard/install.md
index 0891c4d..3f2cd59 100644
--- a/docs/linux/wireguard/install.md
+++ b/docs/linux/wireguard/install.md
@@ -1,16 +1,23 @@
-# install & configure wireguard
+# Install & Configure WireGuard
 
-## install via apt
+## Install
+to install via apt:
 ```
-sudo apt install wireguard
+sudo apt update
+sudo apt install wireguard -y
+```
+wireguard is a kernel module, so if you are running an outdated version of the kernel you may need to upgrade it and reboot as well:
+```
+sudo apt upgrade
+sudo shutdown -r now
 ```
 
-## config
+## Generate Config
 create config file with private key for our bridge:
 ```
 cd /etc/wireguard/
 (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee wg0.conf > /dev/null)
-wg genkey | sudo tee -a wg0.conf | wg pubkey | sudo tee wg0.pubkey
+wg genkey | sudo tee -a wg0.conf | wg pubkey | sudo tee wg0.pubkey > /dev/null
 ```
 open `wg0.conf` in a text editor and add the following lines:
 ```
@@ -18,12 +25,12 @@ ListenPort = ${wireguard_port:?}
 SaveConfig = true
 Address = ${wireguard_ip:?}/24
 ```
-where `wireguard_ip` is the IP that computer should have in the WireGuard network.
+where '`wireguard_port`' is the port that wireguard should listen on, and `wireguard_ip` is the IP that computer should have in the WireGuard network.
 
-## firewall
+## Configure Firewall
 if the computer is using a firewall, don't forget to allow whatever port you chose through the firewall. If you are using `nftables` as your firewall, you will want to edit `/etc/nftables.conf`.
 
-## start
+## Start Service
 to start wireguard, run the command:
 ```
 sudo systemctl start wg-quick@wg0
@@ -32,7 +39,3 @@ to enable wireguard to automatically start this interface on boot, run the comma
 ```
 sudo systemctl enable wg-quick@wg0
 ```
-to see WireGuard's status and configuration, run:
-```
-wg
-```
diff --git a/docs/linux/wireguard/reconfig.md b/docs/linux/wireguard/reconfig.md
new file mode 100644
index 0000000..680ae78
--- /dev/null
+++ b/docs/linux/wireguard/reconfig.md
@@ -0,0 +1,26 @@
+# Reconfigure WireGuard
+
+The `SaveConfig = true` directive causes the `wg-quick` service to overwrite the config file, so modifications to the config should either be made using the `wg` or `ip` commands directly, or by shutting down the `wg-quick` service before making any edits to the config file.
+
+## See Current Config
+to see WireGuard's status and configuration, run:
+```
+sudo wg show
+```
+to see what ip the `wg0` interface is configured with, run:
+```
+ip addr show wg0
+```
+
+## Change Port
+to change what port WireGuard listens on for interface `wg0`, run:
+```
+sudo wg set wg0 listen-port ${new_port:?}
+```
+
+## Change IP
+to change what IP the interface `wg0` has, run:
+```
+ip addr del ${old_ip:?}/24 dev wg0
+ip addr add ${new_ip:?}/24 dev wg0
+```