#!/bin/bash # Football System - WireGuard VPN Configuration # Creates secure WireGuard VPN setup with key management set -e echo "Configuring WireGuard VPN..." # Configuration variables VPN_PORT=51820 VPN_INTERFACE=wg0 VPN_IP="10.8.0.1/24" VPN_KEY_DIR="/etc/wireguard/keys" VPN_CONFIG_DIR="/etc/wireguard" VPN_LOG_DIR="/var/log/wireguard" # Create directories mkdir -p "$VPN_KEY_DIR" mkdir -p "$VPN_CONFIG_DIR" mkdir -p "$VPN_LOG_DIR" # Set secure permissions chmod 700 "$VPN_KEY_DIR" chmod 755 "$VPN_CONFIG_DIR" chmod 755 "$VPN_LOG_DIR" # Generate server private and public keys SERVER_PRIVATE_KEY="$VPN_KEY_DIR/server_private.key" SERVER_PUBLIC_KEY="$VPN_KEY_DIR/server_public.key" if [ ! -f "$SERVER_PRIVATE_KEY" ]; then echo "Generating WireGuard server keys..." # Generate private key wg genkey > "$SERVER_PRIVATE_KEY" # Generate public key from private key wg pubkey < "$SERVER_PRIVATE_KEY" > "$SERVER_PUBLIC_KEY" # Set secure permissions chmod 600 "$SERVER_PRIVATE_KEY" chmod 644 "$SERVER_PUBLIC_KEY" chown root:root "$SERVER_PRIVATE_KEY" "$SERVER_PUBLIC_KEY" echo "✅ WireGuard server keys generated" else echo "✅ WireGuard server keys already exist" fi # Read server public key for client configuration SERVER_PUBKEY=$(cat "$SERVER_PUBLIC_KEY") # Create main WireGuard server configuration cat > "$VPN_CONFIG_DIR/wg0.conf" << EOF # Football System - WireGuard Server Configuration # Secure VPN for remote access [Interface] # Server interface configuration Address = $VPN_IP ListenPort = $VPN_PORT PrivateKey = $(cat "$SERVER_PRIVATE_KEY") # DNS for VPN clients (can use internal DNS or public) DNS = 1.1.1.1, 8.8.8.8 # MTU (optimized for WireGuard) MTU = 1420 # Enable connection tracking Table = off PostUp = iptables -A FORWARD -i $VPN_INTERFACE -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i $VPN_INTERFACE -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Client peers will be added here using wg-add-client.sh script EOF # Set secure permissions on server configuration chmod 600 "$VPN_CONFIG_DIR/wg0.conf" chown root:root "$VPN_CONFIG_DIR/wg0.conf" # Create client management script cat > /usr/local/bin/wg-add-client.sh << 'EOF' #!/bin/bash # Football System - WireGuard Client Management # Adds new WireGuard client with secure key management set -e # Configuration VPN_INTERFACE="wg0" VPN_NETWORK="10.8.0.0/24" VPN_KEY_DIR="/etc/wireguard/keys" VPN_CLIENT_CONFIG_DIR="/etc/wireguard/clients" VPN_BASE_IP="10.8.0" # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' # No Color # Function to print colored output print_info() { echo -e "${GREEN}[INFO]${NC} $1" } print_warning() { echo -e "${YELLOW}[WARNING]${NC} $1" } print_error() { echo -e "${RED}[ERROR]${NC} $1" } # Check if running as root if [ "$EUID" -ne 0 ]; then print_error "This script must be run as root" exit 1 fi # Usage function usage() { echo "Usage: $0 [client_ip_suffix]" echo "Example: $0 charles 10" echo "Example: $0 laptop" echo "" echo "client_name: Name/identifier for the client" echo "client_ip_suffix: (optional) Last octet of client IP (e.g., 10 for 10.8.0.10)" echo " If not provided, next available IP will be assigned" exit 1 } # Check arguments if [ $# -lt 1 ] || [ $# -gt 2 ]; then usage fi CLIENT_NAME="$1" CLIENT_IP_SUFFIX="$2" # Validate client name if [[ ! "$CLIENT_NAME" =~ ^[a-zA-Z0-9_-]+$ ]]; then print_error "Client name must contain only alphanumeric characters, hyphens, and underscores" exit 1 fi if [ ${#CLIENT_NAME} -gt 50 ]; then print_error "Client name must be 50 characters or less" exit 1 fi # Create client configuration directory mkdir -p "$VPN_CLIENT_CONFIG_DIR" # Generate client keys print_info "Generating keys for client: $CLIENT_NAME" CLIENT_PRIVATE_KEY="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_private.key" CLIENT_PUBLIC_KEY="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_public.key" # Check if client already exists if [ -f "$CLIENT_PRIVATE_KEY" ]; then print_warning "Client '$CLIENT_NAME' already exists" read -p "Do you want to regenerate keys? (y/N): " -n 1 -r echo if [[ ! $REPLY =~ ^[Yy]$ ]]; then print_info "Using existing keys for client '$CLIENT_NAME'" else print_info "Regenerating keys for client '$CLIENT_NAME'" wg genkey > "$CLIENT_PRIVATE_KEY" wg pubkey < "$CLIENT_PRIVATE_KEY" > "$CLIENT_PUBLIC_KEY" fi else wg genkey > "$CLIENT_PRIVATE_KEY" wg pubkey < "$CLIENT_PRIVATE_KEY" > "$CLIENT_PUBLIC_KEY" fi # Set permissions chmod 600 "$CLIENT_PRIVATE_KEY" chmod 644 "$CLIENT_PUBLIC_KEY" chown root:root "$CLIENT_PRIVATE_KEY" "$CLIENT_PUBLIC_KEY" # Determine client IP if [ -n "$CLIENT_IP_SUFFIX" ]; then # Validate provided IP suffix if [[ ! "$CLIENT_IP_SUFFIX" =~ ^[0-9]+$ ]] || [ "$CLIENT_IP_SUFFIX" -lt 2 ] || [ "$CLIENT_IP_SUFFIX" -gt 254 ]; then print_error "Client IP suffix must be a number between 2 and 254" exit 1 fi CLIENT_IP="${VPN_BASE_IP}.${CLIENT_IP_SUFFIX}" # Check if IP is already in use if wg show | grep -q "$CLIENT_IP"; then print_error "IP $CLIENT_IP is already in use" exit 1 fi else # Find next available IP for suffix in {2..254}; do test_ip="${VPN_BASE_IP}.${suffix}" if ! wg show | grep -q "$test_ip" && ! grep -r "Address.*$test_ip" "$VPN_CLIENT_CONFIG_DIR/" >/dev/null 2>&1; then CLIENT_IP="$test_ip" break fi done if [ -z "$CLIENT_IP" ]; then print_error "No available IP addresses in the $VPN_BASE_IP.0/24 network" exit 1 fi fi # Get server public key SERVER_PUBLIC_KEY="$VPN_KEY_DIR/server_public.key" if [ ! -f "$SERVER_PUBLIC_KEY" ]; then print_error "Server public key not found. Please run wireguard-config.sh first." exit 1 fi SERVER_PUBKEY=$(cat "$SERVER_PUBLIC_KEY") # Add peer to server configuration print_info "Adding client '$CLIENT_NAME' to server configuration" cat >> "/etc/wireguard/wg0.conf" << EOF # Client: $CLIENT_NAME [Peer] PublicKey = $(cat "$CLIENT_PUBLIC_KEY") AllowedIPs = $CLIENT_IP/32 PersistentKeepalive = 25 EOF # Create client configuration CLIENT_CONFIG_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.conf" cat > "$CLIENT_CONFIG_FILE" << EOF # Football System - WireGuard Client Configuration # Client: $CLIENT_NAME # Generated on: $(date) [Interface] PrivateKey = $(cat "$CLIENT_PRIVATE_KEY") Address = $CLIENT_IP/24 DNS = 1.1.1.1, 8.8.8.8 MTU = 1420 [Peer] PublicKey = $SERVER_PUBKEY Endpoint = $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25 EOF # Create QR code for mobile clients if command -v qrencode >/dev/null 2>&1; then QR_CODE_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.png" qrencode -t PNG -o "$QR_CODE_FILE" < "$CLIENT_CONFIG_FILE" print_info "QR code generated: $QR_CODE_FILE" else print_warning "qrencode not installed. Cannot generate QR code for mobile clients." fi # Set permissions on client files chmod 600 "$CLIENT_CONFIG_FILE" chmod 644 "$CLIENT_PUBLIC_KEY" "$QR_CODE_FILE" 2>/dev/null || true chown root:root "$CLIENT_CONFIG_FILE" "$CLIENT_PUBLIC_KEY" "$QR_CODE_FILE" 2>/dev/null || true # Reload WireGuard configuration print_info "Reloading WireGuard configuration..." if wg-quick down "$VPN_INTERFACE" >/dev/null 2>&1; then : fi wg-quick up "$VPN_INTERFACE" # Update firewall rules if needed systemctl restart firewall-persistence.service >/dev/null 2>&1 || true # Display summary print_info "Client '$CLIENT_NAME' configured successfully!" echo "" echo "Client Configuration:" echo "- Name: $CLIENT_NAME" echo "- IP Address: $CLIENT_IP" echo "- Config File: $CLIENT_CONFIG_FILE" echo "- Private Key: $CLIENT_PRIVATE_KEY" echo "- Public Key: $CLIENT_PUBLIC_KEY" if [ -f "$QR_CODE_FILE" ]; then echo "- QR Code: $QR_CODE_FILE" fi echo "" echo "To connect from the client:" echo "1. Copy the configuration file to the client device" echo "2. Import it into WireGuard client" echo "3. Or scan the QR code with mobile WireGuard app" echo "" echo "Server Endpoint: $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820" # Create installation package PACKAGE_DIR="/tmp/wireguard_client_${CLIENT_NAME}" mkdir -p "$PACKAGE_DIR" cp "$CLIENT_CONFIG_FILE" "$PACKAGE_DIR/" cp "$QR_CODE_FILE" "$PACKAGE_DIR/" 2>/dev/null || true # Create installation instructions cat > "$PACKAGE_DIR/README.txt" << EEOF Football System - WireGuard Client Installation ============================================== Client Name: $CLIENT_NAME Generated: $(date) Files in this package: - ${CLIENT_NAME}.conf - WireGuard configuration file - ${CLIENT_NAME}.png - QR code for mobile clients (if generated) Installation Instructions: Desktop/Linux: 1. Copy ${CLIENT_NAME}.conf to /etc/wireguard/ 2. Run: wg-quick up ${CLIENT_NAME} 3. To auto-start: systemctl enable wg-quick@${CLIENT_NAME} Mobile: 1. Install WireGuard app from app store 2. Scan the QR code (or import the configuration file) 3. Toggle the connection to connect Windows: 1. Install WireGuard for Windows 2. Click "Import tunnel(s) from file" 3. Select ${CLIENT_NAME}.conf 4. Click "Activate" Verification: - After connecting, you should be able to access: 10.8.0.1 - Run: ping 10.8.0.1 - For system verification: ssh user@10.8.0.1 Security Notes: - Keep your private key secure - Do not share the configuration file publicly - Report any lost devices immediately Support: - If you lose the configuration, contact your system administrator - Server endpoint: $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820 EEOF tar -czf "/tmp/wireguard_client_${CLIENT_NAME}.tar.gz" -C "/tmp" "wireguard_client_${CLIENT_NAME}" rm -rf "$PACKAGE_DIR" print_info "Client package created: /tmp/wireguard_client_${CLIENT_NAME}.tar.gz" echo "" print_info "=== Client Configuration Summary ===" echo "Server Public Key: $SERVER_PUBKEY" echo "Client Private Key: $(cat "$CLIENT_PRIVATE_KEY")" echo "Client Public Key: $(cat "$CLIENT_PUBLIC_KEY")" echo "Client IP: $CLIENT_IP/24" echo "Server Endpoint: $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820" echo "" print_info "Client configuration completed successfully!" EOF chmod 750 /usr/local/bin/wg-add-client.sh chown root:root /usr/local/bin/wg-add-client.sh # Create client removal script cat > /usr/local/bin/wg-remove-client.sh << 'EOF' #!/bin/bash # Football System - WireGuard Client Removal # Securely removes WireGuard client and cleans up files set -e # Configuration VPN_INTERFACE="wg0" VPN_CLIENT_CONFIG_DIR="/etc/wireguard/clients" # Colors RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' print_info() { echo -e "${GREEN}[INFO]${NC} $1" } print_warning() { echo -e "${YELLOW}[WARNING]${NC} $1" } print_error() { echo -e "${RED}[ERROR]${NC} $1" } # Check if running as root if [ "$EUID" -ne 0 ]; then print_error "This script must be run as root" exit 1 fi # Usage usage() { echo "Usage: $0 " echo "Example: $0 charles" exit 1 } # Check arguments if [ $# -ne 1 ]; then usage fi CLIENT_NAME="$1" # Check if client exists CLIENT_CONFIG_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.conf" if [ ! -f "$CLIENT_CONFIG_FILE" ]; then print_error "Client '$CLIENT_NAME' not found" exit 1 fi # Get client public key CLIENT_PUBLIC_KEY_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_public.key" if [ ! -f "$CLIENT_PUBLIC_KEY_FILE" ]; then print_error "Client public key file not found for '$CLIENT_NAME'" exit 1 fi CLIENT_PUBKEY=$(cat "$CLIENT_PUBLIC_KEY_FILE") print_info "Removing client '$CLIENT_NAME' from WireGuard configuration" # Remove peer from server configuration # Create backup first cp "/etc/wireguard/wg0.conf" "/etc/wireguard/wg0.conf.backup.$(date +%Y%m%d_%H%M%S)" # Remove client peer section from server config sed -i "/# Client: $CLIENT_NAME/,/PersistentKeepalive = 25$/d" "/etc/wireguard/wg0.conf" # Remove client from active configuration (if connected) if wg show "$VPN_INTERFACE" | grep -q "$CLIENT_PUBKEY"; then print_info "Removing client from active configuration" wg set "$VPN_INTERFACE" peer "$CLIENT_PUBKEY" remove fi # Remove client files print_info "Removing client configuration files" rm -f "$CLIENT_CONFIG_FILE" rm -f "$CLIENT_PUBLIC_KEY_FILE" rm -f "$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_private.key" rm -f "$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.png" # Reload WireGuard configuration print_info "Reloading WireGuard configuration..." wg-quick down "$VPN_INTERFACE" >/dev/null 2>&1 || true wg-quick up "$VPN_INTERFACE" print_info "Client '$CLIENT_NAME' removed successfully" EOF chmod 750 /usr/local/bin/wg-remove-client.sh chown root:root /usr/local/bin/wg-remove-client.sh # Create WireGuard status and management script cat > /usr/local/bin/wg-manage.sh << 'EOF' #!/bin/bash # Football System - WireGuard Management Script # Comprehensive WireGuard VPN status and management # Configuration VPN_INTERFACE="wg0" VPN_CLIENT_CONFIG_DIR="/etc/wireguard/clients" # Colors RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' print_header() { echo -e "${BLUE}$1${NC}" echo "==================================" } print_info() { echo -e "${GREEN}✅ $1${NC}" } print_warning() { echo -e "${YELLOW}⚠️ $1${NC}" } print_error() { echo -e "${RED}❌ $1${NC}" } # Main menu show_menu() { clear print_header "Football System - WireGuard VPN Management" echo "" echo "1. Show VPN Status" echo "2. List All Clients" echo "3. Add New Client" echo "4. Remove Client" echo "5. Show Client Details" echo "6. Restart VPN Service" echo "7. View VPN Logs" echo "8. Backup Configuration" echo "9. Exit" echo "" read -p "Select an option [1-9]: " choice } # VPN status show_vpn_status() { print_header "WireGuard VPN Status" echo "" if systemctl is-active --quiet wg-quick@$VPN_INTERFACE; then print_info "VPN Service: Active" else print_error "VPN Service: Inactive" fi if systemctl is-enabled --quiet wg-quick@$VPN_INTERFACE; then print_info "VPN Auto-start: Enabled" else print_warning "VPN Auto-start: Disabled" fi echo "" echo "Interface Information:" if ip link show "$VPN_INTERFACE" >/dev/null 2>&1; then ip addr show "$VPN_INTERFACE" else print_warning "Interface $VPN_INTERFACE not found" fi echo "" echo "Active Connections:" if wg show "$VPN_INTERFACE" >/dev/null 2>&1; then wg show "$VPN_INTERFACE" echo "" local connected_peers=$(wg show "$VPN_INTERFACE" | grep -c "peer:") echo "Total connected peers: $connected_peers" else print_warning "No active WireGuard interface" fi echo "" read -p "Press Enter to continue..." } # List clients list_clients() { print_header "WireGuard Client List" echo "" if [ ! -d "$VPN_CLIENT_CONFIG_DIR" ]; then print_error "Client configuration directory not found" read -p "Press Enter to continue..." return fi local client_count=0 for client_config in "$VPN_CLIENT_CONFIG_DIR"/*.conf; do if [ -f "$client_config" ]; then ((client_count++)) local client_name=$(basename "$client_config" .conf) local client_ip=$(grep -A 5 "\[Interface\]" "$client_config" | grep "Address" | cut -d'=' -f2 | xargs) local client_pubkey_file="$VPN_CLIENT_CONFIG_DIR/${client_name}_public.key" if [ -f "$client_pubkey_file" ]; then local client_pubkey=$(cat "$client_pubkey_file") # Check if client is connected if wg show "$VPN_INTERFACE" 2>/dev/null | grep -q "$client_pubkey"; then local status="🟢 Connected" else local status="🔴 Disconnected" fi else local status="⚠️ Keys Missing" fi echo "Client: $client_name" echo " IP: $client_ip" echo " Status: $status" echo " Config: $client_config" echo "" fi done if [ "$client_count" -eq 0 ]; then print_warning "No clients configured" else echo "Total clients: $client_count" fi read -p "Press Enter to continue..." } # Add client add_client() { print_header "Add New WireGuard Client" echo "" read -p "Enter client name: " client_name if [ -z "$client_name" ]; then print_error "Client name cannot be empty" read -p "Press Enter to continue..." return fi read -p "Enter client IP suffix (optional, press Enter for auto-assign): " ip_suffix # Call the client addition script if wg-add-client.sh "$client_name" "$ip_suffix"; then print_info "Client added successfully" else print_error "Failed to add client" fi read -p "Press Enter to continue..." } # Remove client remove_client() { print_header "Remove WireGuard Client" echo "" if [ ! -d "$VPN_CLIENT_CONFIG_DIR" ]; then print_error "No clients directory found" read -p "Press Enter to continue..." return fi # List available clients local clients=() local index=1 for client_config in "$VPN_CLIENT_CONFIG_DIR"/*.conf; do if [ -f "$client_config" ]; then local client_name=$(basename "$client_config" .conf) clients+=("$client_name") echo "$index. $client_name" ((index++)) fi done if [ ${#clients[@]} -eq 0 ]; then print_warning "No clients found" read -p "Press Enter to continue..." return fi echo "" read -p "Select client to remove [1-${#clients[@]}]: " choice if [[ "$choice" =~ ^[0-9]+$ ]] && [ "$choice" -ge 1 ] && [ "$choice" -le ${#clients[@]} ]; then local selected_client="${clients[$((choice-1))]}" echo "" echo "Selected client: $selected_client" read -p "Are you sure you want to remove this client? (y/N): " -n 1 -r echo if [[ $REPLY =~ ^[Yy]$ ]]; then if wg-remove-client.sh "$selected_client"; then print_info "Client '$selected_client' removed successfully" else print_error "Failed to remove client '$selected_client'" fi else print_info "Client removal cancelled" fi else print_error "Invalid selection" fi read -p "Press Enter to continue..." } # Show client details show_client_details() { print_header "Client Details" echo "" read -p "Enter client name: " client_name if [ -z "$client_name" ]; then print_error "Client name cannot be empty" read -p "Press Enter to continue..." return fi local client_config="$VPN_CLIENT_CONFIG_DIR/${client_name}.conf" if [ ! -f "$client_config" ]; then print_error "Client '$client_name' not found" read -p "Press Enter to continue..." return fi echo "Client Configuration for: $client_name" echo "======================================" cat "$client_config" echo "" echo "Files:" echo "- Config: $client_config" echo "- Private Key: $VPN_CLIENT_CONFIG_DIR/${client_name}_private.key" echo "- Public Key: $VPN_CLIENT_CONFIG_DIR/${client_name}_public.key" echo "- QR Code: $VPN_CLIENT_CONFIG_DIR/${client_name}.png" read -p "Press Enter to continue..." } # Restart VPN service restart_vpn() { print_header "Restart VPN Service" echo "" print_info "Stopping VPN service..." systemctl stop wg-quick@$VPN_INTERFACE sleep 2 print_info "Starting VPN service..." systemctl start wg-quick@$VPN_INTERFACE sleep 2 if systemctl is-active --quiet wg-quick@$VPN_INTERFACE; then print_info "VPN service restarted successfully" else print_error "VPN service failed to restart" fi read -p "Press Enter to continue..." } # View logs view_logs() { print_header "WireGuard Logs" echo "" echo "Recent systemd logs:" journalctl -u wg-quick@$VPN_INTERFACE --since "1 hour ago" -n 20 --no-pager echo "" echo "System log entries (last 10):" grep -i wireguard /var/log/syslog | tail -10 echo "" read -p "Press Enter to continue..." } # Backup configuration backup_config() { print_header "Backup WireGuard Configuration" echo "" local backup_dir="/var/backups/wireguard" local backup_file="wireguard_backup_$(date +%Y%m%d_%H%M%S).tar.gz" mkdir -p "$backup_dir" print_info "Creating backup..." tar -czf "$backup_dir/$backup_file" -C /etc/wireguard . if [ -f "$backup_dir/$backup_file" ]; then print_info "Backup created successfully: $backup_dir/$backup_file" local backup_size=$(du -h "$backup_dir/$backup_file" | cut -f1) echo "Backup size: $backup_size" # Show backup contents echo "" echo "Backup contents:" tar -tzf "$backup_dir/$backup_file" else print_error "Failed to create backup" fi read -p "Press Enter to continue..." } # Main loop main() { while true; do show_menu case $choice in 1) show_vpn_status ;; 2) list_clients ;; 3) add_client ;; 4) remove_client ;; 5) show_client_details ;; 6) restart_vpn ;; 7) view_logs ;; 8) backup_config ;; 9) print_info "Exiting WireGuard Management"; exit 0 ;; *) print_error "Invalid option. Please select 1-9."; sleep 2 ;; esac done } # Check if running as root if [ "$EUID" -ne 0 ]; then echo "This script must be run as root" exit 1 fi # Start the management interface main EOF chmod 750 /usr/local/bin/wg-manage.sh chown root:root /usr/local/bin/wg-manage.sh # Create systemd service for WireGuard cat > /etc/systemd/system/wireguard-manager.service << 'EOF' [Unit] Description=WireGuard VPN Management Service Documentation=man:wg(8) After=network-online.target Wants=network-online.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/wg-quick up wg0 ExecStop=/usr/bin/wg-quick down wg0 ExecReload=/usr/bin/wg-quick down wg0 && /usr/bin/wg-quick up wg0 # Security settings NoNewPrivileges=yes ProtectSystem=strict ProtectHome=yes ReadWritePaths=/etc/wireguard /var/log/wireguard /run PrivateTmp=yes [Install] WantedBy=multi-user.target EOF # Enable and start WireGuard systemctl daemon-reload systemctl enable wireguard-manager.service systemctl start wireguard-manager.service # Create log rotation for WireGuard cat > /etc/logrotate.d/wireguard << 'EOF' # Football System - WireGuard Log Rotation /var/log/wireguard/*.log { daily rotate 30 compress delaycompress missingok notifempty create 0640 root adm sharedscripts postrotate systemctl reload rsyslog >/dev/null 2>&1 || true endscript } EOF chmod 644 /etc/logrotate.d/wireguard chown root:root /etc/logrotate.d/wireguard # Start WireGuard interface print_info "Starting WireGuard VPN interface..." if wg-quick up wg0; then print_info "WireGuard VPN started successfully" else print_warning "WireGuard VPN started with warnings (common on first boot)" fi # Display summary echo "" print_info "=== WireGuard VPN Configuration Summary ===" echo "✅ WireGuard server configured" echo "✅ Interface: wg0" echo "✅ VPN Network: 10.8.0.0/24" echo "✅ Server IP: 10.8.0.1" echo "✅ Listen Port: 51820" echo "" echo "Management Tools:" echo "- Add client: wg-add-client.sh " echo "- Remove client: wg-remove-client.sh " echo "- Interactive management: wg-manage.sh" echo "" echo "Server Public Key:" echo "$(cat "$SERVER_PUBLIC_KEY")" echo "" echo "Server Endpoint:" echo "$(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820" echo "" echo "Files created:" echo "- Server config: /etc/wireguard/wg0.conf" echo "- Client configs: /etc/wireguard/clients/" echo "- Keys: /etc/wireguard/keys/" echo "- Logs: /var/log/wireguard/" echo "" print_info "WireGuard VPN configuration completed successfully!"