Wireguard to go

2025-09-24 13:29:25 +02:00
parent c49ffa1769
commit 12681bd7e2
11 changed files with 94 additions and 40 deletions
--- a/services/wireguard/add_client.sh
+++ b/services/wireguard/add_client.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+if [ -z "$1" ]; then
+  echo "Usage: $0 <client-name>"
+  exit 1
+fi
+
+mkdir -p /etc/wireguard/clients/keys
+
+# Count existing clients to assign next IP, starting from 10.0.0.2
+CLIENT_COUNT=$(ls /etc/wireguard/clients | wc -l)
+NEXT_IP="10.0.0.$((CLIENT_COUNT + 1))"
+CLIENT_NAME=$1
+SERVER_ADDRESS="goofjes.nl"
+
+# Generate public and private keys for the client
+wg genkey | tee /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key | wg pubkey > /etc/wireguard/clients/keys/$CLIENT_NAME.pub.key
+
+# Generate PSK for the client
+wg genpsk | tee /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key
+
+cat <<EOF >> /etc/wireguard/wg0.conf
+
+[Peer]
+PublicKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.pub.key)
+PresharedKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key)
+AllowedIPs = $NEXT_IP/32
+EOF
+
+cat <<EOF > /etc/wireguard/clients/$CLIENT_NAME.conf
+[Interface]
+Address = $NEXT_IP/24
+PrivateKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.priv.key)
+
+# $CLIENT_NAME configuration
+[Peer]
+PublicKey = $(cat /etc/wireguard/server_pub.key)
+PresharedKey = $(cat /etc/wireguard/clients/keys/$CLIENT_NAME.psk.key)
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = $SERVER_ADDRESS:51820
+EOF
+
+rc-service wg-quick.wg0 restart
--- a/services/wireguard/install.sh
+++ b/services/wireguard/install.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+echo "Setting up Wireguard ..."
+apk add wireguard-tools
+
+# Generate server private and public keys
+mkdir -p /etc/wireguard
+wg genkey | tee /etc/wireguard/server_priv.key | wg pubkey > /etc/wireguard/server_pub.key
+
+# Generate configuration
+cat <<EOF > /etc/wireguard/wg0.conf
+[Interface]
+PrivateKey = $(cat /etc/wireguard/server_priv.key)
+Address = 10.0.0.1/24 # Server has IP in the wg network
+ListenPort = 51820
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+EOF
+
+# Enable IP forwarding, persistent
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+sysctl -p /etc/sysctl.d/ip_forward.conf
+
+# Auto-start Wireguard on boot
+apk add wireguard-tools-openrc
+ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
+rc-update add wg-quick.wg0
+rc-service wg-quick.wg0 start
--- a/services/wireguard/wireguard.policy.json
+++ b/services/wireguard/wireguard.policy.json
@@ -0,0 +1,14 @@
+{
+    "description": "Allow Wireguard server access from the internet",
+    "service": {
+        "wireguard": { "port": 51820, "proto": "udp" }
+    },
+    "filter": [
+        {
+            "in": "WAN",
+            "out": "_fw",
+            "service": "wireguard",
+            "action": "accept"
+        }
+    ]
+}