
added reconfig, renamed wg-peer

master
Mario Alegre 5 years ago
parent
commit
a1a53c2540
  1. 73
      bin/wg-peer
  2. 8
      docs/linux/wireguard/add-peer.md
  3. 27
      docs/linux/wireguard/install.md
  4. 26
      docs/linux/wireguard/reconfig.md

73
bin/wg-peer

@ -5,17 +5,60 @@ set -euo pipefail
wg_domain="wg.alemor.org" wg_domain="wg.alemor.org"
wg_dev="wg0" wg_dev="wg0"
# check for arguments # functions
if [[ $# -lt 1 || $# -gt 1 ]]; then help() {
echo "Usage: $(basename $0) ssh_destination" case $1 in
exit 1 main) echo "Usage: $(basename $0) [COMMAND] [DESTINATION]"
echo "Automatically configure WireGuard peer connection to a given destination that you are able to SSH to and are a sudoer on."
echo "Commands:"
echo -e "\tadd"
;;
add) echo "Usage: $(basename $0) add [DESTINATION]"
echo "Add a peer connection."
;;
esac
exit 1
}
cmd_add() {
# add peer on host
sudo wg set $wg_dev peer "${dest_key}" endpoint $dest_fqdn:$dest_port allowed-ips $dest_wgip/32
line="$dest_wgip\t$dest_name.$wg_domain"
regex="^[0-9.]+\s+$dest_name.$wg_domain\$"
sed -E -e "/$regex/{s/.*/$line/;:a;n;ba;q}" -e "\$a $line" /etc/hosts | sudo tee /etc/hosts >/dev/null
# add peer on dest
sshp sudo wg set $wg_dev peer "'${host_key}'" endpoint $host_fqdn:$host_port allowed-ips $host_wgip/32
line="$host_wgip\t$host_name.$wg_domain"
regex="^[0-9.]+\s+$host_name.$wg_domain"
sshp "sed -E -e '/$regex/{s/.*/$line/;:a;n;ba;q}' -e '\$a $line' /etc/hosts | sudo tee /etc/hosts >/dev/null"
}
# Main
# Check args
if [[ $# -lt 1 ]]; then
help main
fi fi
dest="$1" case $1 in
add)
if [[ $# -lt 2 ]]; then
help add
fi
cmd=add
dest=$2
;;
*)
help main
;;
esac
# script expects ssh-persist to be either in the same directory, or in the path # ask for local sudo password
sudo -p '[sudo] password for %u@%h: ' true sudo -p '[sudo] password for %u@%h: ' true
cd $(dirname $0) # connect to remote
. ssh-persist.sh $dest # script expects ssh-persist to be either in the same directory as script itself, or in the path
. ssh-persist.sh "$dest" || . $(dirname $0)/ssh-persist.sh "$dest"
# gather host info # gather host info
host_name=$(hostname) host_name=$(hostname)
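Review bot: the fallback `. ssh-persist.sh "$dest" || . $(dirname $0)/ssh-persist.sh "$dest"` conflates "helper not found in PATH" with "helper ran and failed", so an SSH failure inside the first invocation re-runs the whole helper from the script's directory and prompts a second time; test for the file explicitly (`[[ -f "$(dirname "$0")/ssh-persist.sh" ]]`) and quote `"$(dirname "$0")"` so paths with spaces survive. In `cmd_add`, `sed ... /etc/hosts | sudo tee /etc/hosts` rewrites the file in place, which lets `tee` truncate `/etc/hosts` before `sed` has finished reading it; write to a temporary file and move it over instead. The two `regex=` lines are also inconsistent: the local one ends in `\$`, the remote one has no end anchor, and the `.` between `$dest_name` and `$wg_domain` is unescaped in both.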
@ -31,14 +74,6 @@ dest_wgip="$(sshp ip -4 addr show $wg_dev | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
dest_port=$(sshp sudo wg show $wg_dev listen-port) dest_port=$(sshp sudo wg show $wg_dev listen-port)
dest_key=$(sshp sudo wg show $wg_dev public-key) dest_key=$(sshp sudo wg show $wg_dev public-key)
# add peer on host case $cmd in
sudo wg set $wg_dev peer "${dest_key}" endpoint $dest_fqdn:$dest_port allowed-ips $dest_wgip/32 add) cmd_add;;
line="$dest_wgip\t$dest_name.$wg_domain" esac
regex="^[0-9.]+\s+$dest_name.$wg_domain\$"
sed -E -e "/$regex/{s/.*/$line/;:a;n;ba;q}" -e "\$a $line" /etc/hosts | sudo tee /etc/hosts >/dev/null
# add peer on dest
sshp sudo wg set $wg_dev peer "'${host_key}'" endpoint $host_fqdn:$host_port allowed-ips $host_wgip/32
line="$host_wgip\t$host_name.$wg_domain"
regex="^[0-9.]+\s+$host_name.$wg_domain"
sshp "sed -E -e '/$regex/{s/.*/$line/;:a;n;ba;q}' -e '\$a $line' /etc/hosts | sudo tee /etc/hosts >/dev/null"
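Review bot: `cmd_add` is defined above the `dest_*` and `host_*` assignments it reads, so it only works because the `case $cmd in add) cmd_add;; esac` dispatch runs after those lines; a comment on the function (or passing the values as arguments) would make that ordering dependency explicit, and with `set -u` any future command that is dispatched before the gather block aborts on an unset variable.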

8
docs/linux/wireguard/add-peer.md

@ -1,8 +1,8 @@
# add a peer # Add a Peer
Say we want to connect two computers via wireguard. We will call them **one** and **two**. Say we want to connect two computers via wireguard. We will call them **one** and **two**.
## manual ## Manual
On one, run the following command to add a new host: On one, run the following command to add a new host:
``` ```
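Review bot: the body still spells the project name `wireguard` in lowercase while the heading rename in install.md in this same commit switches to `WireGuard`; pick one spelling across the docs.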
@ -15,6 +15,6 @@ echo -e "${two_wg_ip:?}\t${two_hostname}.wg.alemor.org" >> /etc/hosts
On two, run the same commands but with one and two switched. On two, run the same commands but with one and two switched.
## automatic ## Automatic
If you can ssh into an account that has sudo access on the host, simply run the `wg-addpeer` command included in the `bin` section of this repo. If you can ssh into an account that has sudo access on the host, simply run the `wg-peer` command included in the `bin` section of this repo.
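Review bot: the renamed tool now takes a subcommand (`wg-peer add [DESTINATION]` per the new `help` text in `bin/wg-peer`), so this sentence should show the full invocation rather than only the command name.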

27
docs/linux/wireguard/install.md

@ -1,16 +1,23 @@
# install & configure wireguard # Install & Configure WireGuard
## install via apt ## Install
to install via apt:
``` ```
sudo apt install wireguard sudo apt update
sudo apt install wireguard -y
```
wireguard is a kernel module, so if you are running an outdated version of the kernel you may need to upgrade it and reboot as well:
```
sudo apt upgrade
sudo shutdown -r now
``` ```
## config ## Generate Config
create config file with private key for our bridge: create config file with private key for our bridge:
``` ```
cd /etc/wireguard/ cd /etc/wireguard/
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee wg0.conf > /dev/null) (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee wg0.conf > /dev/null)
wg genkey | sudo tee -a wg0.conf | wg pubkey | sudo tee wg0.pubkey wg genkey | sudo tee -a wg0.conf | wg pubkey | sudo tee wg0.pubkey > /dev/null
``` ```
open `wg0.conf` in a text editor and add the following lines: open `wg0.conf` in a text editor and add the following lines:
``` ```
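Review bot: the new kernel note tells readers to run `sudo apt upgrade` and reboot unconditionally; `apt upgrade` upgrades every package, not just the kernel, and a reboot is only needed when the kernel was actually replaced, so state the condition (for example, check whether the module is available with `modinfo wireguard` first). Minor: `apt install` gets `-y` but `apt upgrade` does not, and `sudo shutdown -r now` could simply be `sudo reboot`.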
@ -18,12 +25,12 @@ ListenPort = ${wireguard_port:?}
SaveConfig = true SaveConfig = true
Address = ${wireguard_ip:?}/24 Address = ${wireguard_ip:?}/24
``` ```
where `wireguard_ip` is the IP that computer should have in the WireGuard network. where '`wireguard_port`' is the port that wireguard should listen on, and `wireguard_ip` is the IP that computer should have in the WireGuard network.
## firewall ## Configure Firewall
if the computer is using a firewall, don't forget to allow whatever port you chose through the firewall. If you are using `nftables` as your firewall, you will want to edit `/etc/nftables.conf`. if the computer is using a firewall, don't forget to allow whatever port you chose through the firewall. If you are using `nftables` as your firewall, you will want to edit `/etc/nftables.conf`.
## start ## Start Service
to start wireguard, run the command: to start wireguard, run the command:
``` ```
sudo systemctl start wg-quick@wg0 sudo systemctl start wg-quick@wg0
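Review bot: the new explanation wraps `wireguard_port` in both single quotes and backticks while `wireguard_ip` next to it gets backticks only; drop the stray quotes. The firewall section still says only "allow whatever port you chose"; now that the port variable is named, give the nftables rule for the UDP listen port (e.g. `udp dport ${wireguard_port} accept` in the input chain) so readers do not have to guess the protocol.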
@ -32,7 +39,3 @@ to enable wireguard to automatically start this interface on boot, run the comma
``` ```
sudo systemctl enable wg-quick@wg0 sudo systemctl enable wg-quick@wg0
``` ```
to see WireGuard's status and configuration, run:
```
wg
```
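Review bot: the status section is removed here but install.md does not say where it went; add a pointer to the new `reconfig.md` (which now documents `sudo wg show`) at the end of this page so the install guide still leads readers to the verification step.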

26
docs/linux/wireguard/reconfig.md

@ -0,0 +1,26 @@
# Reconfigure WireGuard
The `SaveConfig = true` directive causes the `wg-quick` service to overwrite the config file, so modifications to the config should either be made using the `wg` or `ip` commands directly, or by shutting down the `wg-quick` service before making any edits to the config file.
## See Current Config
to see WireGuard's status and configuration, run:
```
sudo wg show
```
to see what ip the `wg0` interface is configured with, run:
```
ip addr show wg0
```
## Change Port
to change what port WireGuard listens on for interface `wg0`, run:
```
sudo wg set wg0 listen-port ${new_port:?}
```
## Change IP
to change what IP the interface `wg0` has, run:
```
ip addr del ${old_ip:?}/24 dev wg0
ip addr add ${new_ip:?}/24 dev wg0
```
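Review bot: the Change IP commands `ip addr del` / `ip addr add` lack `sudo`, unlike `sudo wg set wg0 listen-port` in the section above, so as written they fail for a non-root user; add `sudo` to both. The Change Port section should also remind readers to update the firewall rule from install.md, since otherwise the old port stays open and the new one is blocked. The intro's statement that `SaveConfig = true` makes `wg-quick` overwrite the file would be clearer with the timing: the service writes the running configuration back when it stops, so manual edits made to the file while it is running are lost.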