KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b98a20cae82d8b4af567ffbbb61be9199f195985
football/config/wireguard-config.sh
Charles N Wyble 1339705f9d progress snapshot
2026-01-21 08:33:09 -05:00

919 lines
24 KiB
Bash
Raw Blame History

#!/bin/bash
# Football System - WireGuard VPN Configuration
# Creates secure WireGuard VPN setup with key management
set -e
echo "Configuring WireGuard VPN..."
# Configuration variables
VPN_PORT=51820
VPN_INTERFACE=wg0
VPN_IP="10.8.0.1/24"
VPN_KEY_DIR="/etc/wireguard/keys"
VPN_CONFIG_DIR="/etc/wireguard"
VPN_LOG_DIR="/var/log/wireguard"
# Create directories
mkdir -p "$VPN_KEY_DIR"
mkdir -p "$VPN_CONFIG_DIR"
mkdir -p "$VPN_LOG_DIR"
# Set secure permissions
chmod 700 "$VPN_KEY_DIR"
chmod 755 "$VPN_CONFIG_DIR"
chmod 755 "$VPN_LOG_DIR"
# Generate server private and public keys
SERVER_PRIVATE_KEY="$VPN_KEY_DIR/server_private.key"
SERVER_PUBLIC_KEY="$VPN_KEY_DIR/server_public.key"
if [ ! -f "$SERVER_PRIVATE_KEY" ]; then
echo "Generating WireGuard server keys..."
# Generate private key
wg genkey > "$SERVER_PRIVATE_KEY"
# Generate public key from private key
wg pubkey < "$SERVER_PRIVATE_KEY" > "$SERVER_PUBLIC_KEY"
# Set secure permissions
chmod 600 "$SERVER_PRIVATE_KEY"
chmod 644 "$SERVER_PUBLIC_KEY"
chown root:root "$SERVER_PRIVATE_KEY" "$SERVER_PUBLIC_KEY"
echo "✅ WireGuard server keys generated"
else
echo "✅ WireGuard server keys already exist"
fi
# Read server public key for client configuration
SERVER_PUBKEY=$(cat "$SERVER_PUBLIC_KEY")
# Create main WireGuard server configuration
cat > "$VPN_CONFIG_DIR/wg0.conf" << EOF
# Football System - WireGuard Server Configuration
# Secure VPN for remote access
[Interface]
# Server interface configuration
Address = $VPN_IP
ListenPort = $VPN_PORT
PrivateKey = $(cat "$SERVER_PRIVATE_KEY")
# DNS for VPN clients (can use internal DNS or public)
DNS = 1.1.1.1, 8.8.8.8
# MTU (optimized for WireGuard)
MTU = 1420
# Enable connection tracking
Table = off
PostUp = iptables -A FORWARD -i $VPN_INTERFACE -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i $VPN_INTERFACE -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Client peers will be added here using wg-add-client.sh script
EOF
# Set secure permissions on server configuration
chmod 600 "$VPN_CONFIG_DIR/wg0.conf"
chown root:root "$VPN_CONFIG_DIR/wg0.conf"
# Create client management script
cat > /usr/local/bin/wg-add-client.sh << 'EOF'
#!/bin/bash
# Football System - WireGuard Client Management
# Adds new WireGuard client with secure key management
set -e
# Configuration
VPN_INTERFACE="wg0"
VPN_NETWORK="10.8.0.0/24"
VPN_KEY_DIR="/etc/wireguard/keys"
VPN_CLIENT_CONFIG_DIR="/etc/wireguard/clients"
VPN_BASE_IP="10.8.0"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Function to print colored output
print_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Check if running as root
if [ "$EUID" -ne 0 ]; then
print_error "This script must be run as root"
exit 1
fi
# Usage function
usage() {
echo "Usage: $0 <client_name> [client_ip_suffix]"
echo "Example: $0 charles 10"
echo "Example: $0 laptop"
echo ""
echo "client_name: Name/identifier for the client"
echo "client_ip_suffix: (optional) Last octet of client IP (e.g., 10 for 10.8.0.10)"
echo " If not provided, next available IP will be assigned"
exit 1
}
# Check arguments
if [ $# -lt 1 ] || [ $# -gt 2 ]; then
usage
fi
CLIENT_NAME="$1"
CLIENT_IP_SUFFIX="$2"
# Validate client name
if [[ ! "$CLIENT_NAME" =~ ^[a-zA-Z0-9_-]+$ ]]; then
print_error "Client name must contain only alphanumeric characters, hyphens, and underscores"
exit 1
fi
if [ ${#CLIENT_NAME} -gt 50 ]; then
print_error "Client name must be 50 characters or less"
exit 1
fi
# Create client configuration directory
mkdir -p "$VPN_CLIENT_CONFIG_DIR"
# Generate client keys
print_info "Generating keys for client: $CLIENT_NAME"
CLIENT_PRIVATE_KEY="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_private.key"
CLIENT_PUBLIC_KEY="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_public.key"
# Check if client already exists
if [ -f "$CLIENT_PRIVATE_KEY" ]; then
print_warning "Client '$CLIENT_NAME' already exists"
read -p "Do you want to regenerate keys? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
print_info "Using existing keys for client '$CLIENT_NAME'"
else
print_info "Regenerating keys for client '$CLIENT_NAME'"
wg genkey > "$CLIENT_PRIVATE_KEY"
wg pubkey < "$CLIENT_PRIVATE_KEY" > "$CLIENT_PUBLIC_KEY"
fi
else
wg genkey > "$CLIENT_PRIVATE_KEY"
wg pubkey < "$CLIENT_PRIVATE_KEY" > "$CLIENT_PUBLIC_KEY"
fi
# Set permissions
chmod 600 "$CLIENT_PRIVATE_KEY"
chmod 644 "$CLIENT_PUBLIC_KEY"
chown root:root "$CLIENT_PRIVATE_KEY" "$CLIENT_PUBLIC_KEY"
# Determine client IP
if [ -n "$CLIENT_IP_SUFFIX" ]; then
# Validate provided IP suffix
if [[ ! "$CLIENT_IP_SUFFIX" =~ ^[0-9]+$ ]] || [ "$CLIENT_IP_SUFFIX" -lt 2 ] || [ "$CLIENT_IP_SUFFIX" -gt 254 ]; then
print_error "Client IP suffix must be a number between 2 and 254"
exit 1
fi
CLIENT_IP="${VPN_BASE_IP}.${CLIENT_IP_SUFFIX}"
# Check if IP is already in use
if wg show | grep -q "$CLIENT_IP"; then
print_error "IP $CLIENT_IP is already in use"
exit 1
fi
else
# Find next available IP
for suffix in {2..254}; do
test_ip="${VPN_BASE_IP}.${suffix}"
if ! wg show | grep -q "$test_ip" && ! grep -r "Address.*$test_ip" "$VPN_CLIENT_CONFIG_DIR/" >/dev/null 2>&1; then
CLIENT_IP="$test_ip"
break
fi
done
if [ -z "$CLIENT_IP" ]; then
print_error "No available IP addresses in the $VPN_BASE_IP.0/24 network"
exit 1
fi
fi
# Get server public key
SERVER_PUBLIC_KEY="$VPN_KEY_DIR/server_public.key"
if [ ! -f "$SERVER_PUBLIC_KEY" ]; then
print_error "Server public key not found. Please run wireguard-config.sh first."
exit 1
fi
SERVER_PUBKEY=$(cat "$SERVER_PUBLIC_KEY")
# Add peer to server configuration
print_info "Adding client '$CLIENT_NAME' to server configuration"
cat >> "/etc/wireguard/wg0.conf" << EOF
# Client: $CLIENT_NAME
[Peer]
PublicKey = $(cat "$CLIENT_PUBLIC_KEY")
AllowedIPs = $CLIENT_IP/32
PersistentKeepalive = 25
EOF
# Create client configuration
CLIENT_CONFIG_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.conf"
cat > "$CLIENT_CONFIG_FILE" << EOF
# Football System - WireGuard Client Configuration
# Client: $CLIENT_NAME
# Generated on: $(date)
[Interface]
PrivateKey = $(cat "$CLIENT_PRIVATE_KEY")
Address = $CLIENT_IP/24
DNS = 1.1.1.1, 8.8.8.8
MTU = 1420
[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
# Create QR code for mobile clients
if command -v qrencode >/dev/null 2>&1; then
QR_CODE_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.png"
qrencode -t PNG -o "$QR_CODE_FILE" < "$CLIENT_CONFIG_FILE"
print_info "QR code generated: $QR_CODE_FILE"
else
print_warning "qrencode not installed. Cannot generate QR code for mobile clients."
fi
# Set permissions on client files
chmod 600 "$CLIENT_CONFIG_FILE"
chmod 644 "$CLIENT_PUBLIC_KEY" "$QR_CODE_FILE" 2>/dev/null || true
chown root:root "$CLIENT_CONFIG_FILE" "$CLIENT_PUBLIC_KEY" "$QR_CODE_FILE" 2>/dev/null || true
# Reload WireGuard configuration
print_info "Reloading WireGuard configuration..."
if wg-quick down "$VPN_INTERFACE" >/dev/null 2>&1; then
:
fi
wg-quick up "$VPN_INTERFACE"
# Update firewall rules if needed
systemctl restart firewall-persistence.service >/dev/null 2>&1 || true
# Display summary
print_info "Client '$CLIENT_NAME' configured successfully!"
echo ""
echo "Client Configuration:"
echo "- Name: $CLIENT_NAME"
echo "- IP Address: $CLIENT_IP"
echo "- Config File: $CLIENT_CONFIG_FILE"
echo "- Private Key: $CLIENT_PRIVATE_KEY"
echo "- Public Key: $CLIENT_PUBLIC_KEY"
if [ -f "$QR_CODE_FILE" ]; then
echo "- QR Code: $QR_CODE_FILE"
fi
echo ""
echo "To connect from the client:"
echo "1. Copy the configuration file to the client device"
echo "2. Import it into WireGuard client"
echo "3. Or scan the QR code with mobile WireGuard app"
echo ""
echo "Server Endpoint: $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820"
# Create installation package
PACKAGE_DIR="/tmp/wireguard_client_${CLIENT_NAME}"
mkdir -p "$PACKAGE_DIR"
cp "$CLIENT_CONFIG_FILE" "$PACKAGE_DIR/"
cp "$QR_CODE_FILE" "$PACKAGE_DIR/" 2>/dev/null || true
# Create installation instructions
cat > "$PACKAGE_DIR/README.txt" << EEOF
Football System - WireGuard Client Installation
==============================================
Client Name: $CLIENT_NAME
Generated: $(date)
Files in this package:
- ${CLIENT_NAME}.conf - WireGuard configuration file
- ${CLIENT_NAME}.png - QR code for mobile clients (if generated)
Installation Instructions:
Desktop/Linux:
1. Copy ${CLIENT_NAME}.conf to /etc/wireguard/
2. Run: wg-quick up ${CLIENT_NAME}
3. To auto-start: systemctl enable wg-quick@${CLIENT_NAME}
Mobile:
1. Install WireGuard app from app store
2. Scan the QR code (or import the configuration file)
3. Toggle the connection to connect
Windows:
1. Install WireGuard for Windows
2. Click "Import tunnel(s) from file"
3. Select ${CLIENT_NAME}.conf
4. Click "Activate"
Verification:
- After connecting, you should be able to access: 10.8.0.1
- Run: ping 10.8.0.1
- For system verification: ssh user@10.8.0.1
Security Notes:
- Keep your private key secure
- Do not share the configuration file publicly
- Report any lost devices immediately
Support:
- If you lose the configuration, contact your system administrator
- Server endpoint: $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820
EEOF
tar -czf "/tmp/wireguard_client_${CLIENT_NAME}.tar.gz" -C "/tmp" "wireguard_client_${CLIENT_NAME}"
rm -rf "$PACKAGE_DIR"
print_info "Client package created: /tmp/wireguard_client_${CLIENT_NAME}.tar.gz"
echo ""
print_info "=== Client Configuration Summary ==="
echo "Server Public Key: $SERVER_PUBKEY"
echo "Client Private Key: $(cat "$CLIENT_PRIVATE_KEY")"
echo "Client Public Key: $(cat "$CLIENT_PUBLIC_KEY")"
echo "Client IP: $CLIENT_IP/24"
echo "Server Endpoint: $(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820"
echo ""
print_info "Client configuration completed successfully!"
EOF
chmod 750 /usr/local/bin/wg-add-client.sh
chown root:root /usr/local/bin/wg-add-client.sh
# Create client removal script
cat > /usr/local/bin/wg-remove-client.sh << 'EOF'
#!/bin/bash
# Football System - WireGuard Client Removal
# Securely removes WireGuard client and cleans up files
set -e
# Configuration
VPN_INTERFACE="wg0"
VPN_CLIENT_CONFIG_DIR="/etc/wireguard/clients"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
print_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Check if running as root
if [ "$EUID" -ne 0 ]; then
print_error "This script must be run as root"
exit 1
fi
# Usage
usage() {
echo "Usage: $0 <client_name>"
echo "Example: $0 charles"
exit 1
}
# Check arguments
if [ $# -ne 1 ]; then
usage
fi
CLIENT_NAME="$1"
# Check if client exists
CLIENT_CONFIG_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.conf"
if [ ! -f "$CLIENT_CONFIG_FILE" ]; then
print_error "Client '$CLIENT_NAME' not found"
exit 1
fi
# Get client public key
CLIENT_PUBLIC_KEY_FILE="$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_public.key"
if [ ! -f "$CLIENT_PUBLIC_KEY_FILE" ]; then
print_error "Client public key file not found for '$CLIENT_NAME'"
exit 1
fi
CLIENT_PUBKEY=$(cat "$CLIENT_PUBLIC_KEY_FILE")
print_info "Removing client '$CLIENT_NAME' from WireGuard configuration"
# Remove peer from server configuration
# Create backup first
cp "/etc/wireguard/wg0.conf" "/etc/wireguard/wg0.conf.backup.$(date +%Y%m%d_%H%M%S)"
# Remove client peer section from server config
sed -i "/# Client: $CLIENT_NAME/,/PersistentKeepalive = 25$/d" "/etc/wireguard/wg0.conf"
# Remove client from active configuration (if connected)
if wg show "$VPN_INTERFACE" | grep -q "$CLIENT_PUBKEY"; then
print_info "Removing client from active configuration"
wg set "$VPN_INTERFACE" peer "$CLIENT_PUBKEY" remove
fi
# Remove client files
print_info "Removing client configuration files"
rm -f "$CLIENT_CONFIG_FILE"
rm -f "$CLIENT_PUBLIC_KEY_FILE"
rm -f "$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}_private.key"
rm -f "$VPN_CLIENT_CONFIG_DIR/${CLIENT_NAME}.png"
# Reload WireGuard configuration
print_info "Reloading WireGuard configuration..."
wg-quick down "$VPN_INTERFACE" >/dev/null 2>&1 || true
wg-quick up "$VPN_INTERFACE"
print_info "Client '$CLIENT_NAME' removed successfully"
EOF
chmod 750 /usr/local/bin/wg-remove-client.sh
chown root:root /usr/local/bin/wg-remove-client.sh
# Create WireGuard status and management script
cat > /usr/local/bin/wg-manage.sh << 'EOF'
#!/bin/bash
# Football System - WireGuard Management Script
# Comprehensive WireGuard VPN status and management
# Configuration
VPN_INTERFACE="wg0"
VPN_CLIENT_CONFIG_DIR="/etc/wireguard/clients"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
print_header() {
echo -e "${BLUE}$1${NC}"
echo "=================================="
}
print_info() {
echo -e "${GREEN}✅ $1${NC}"
}
print_warning() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
print_error() {
echo -e "${RED}❌ $1${NC}"
}
# Main menu
show_menu() {
clear
print_header "Football System - WireGuard VPN Management"
echo ""
echo "1. Show VPN Status"
echo "2. List All Clients"
echo "3. Add New Client"
echo "4. Remove Client"
echo "5. Show Client Details"
echo "6. Restart VPN Service"
echo "7. View VPN Logs"
echo "8. Backup Configuration"
echo "9. Exit"
echo ""
read -p "Select an option [1-9]: " choice
}
# VPN status
show_vpn_status() {
print_header "WireGuard VPN Status"
echo ""
if systemctl is-active --quiet wg-quick@$VPN_INTERFACE; then
print_info "VPN Service: Active"
else
print_error "VPN Service: Inactive"
fi
if systemctl is-enabled --quiet wg-quick@$VPN_INTERFACE; then
print_info "VPN Auto-start: Enabled"
else
print_warning "VPN Auto-start: Disabled"
fi
echo ""
echo "Interface Information:"
if ip link show "$VPN_INTERFACE" >/dev/null 2>&1; then
ip addr show "$VPN_INTERFACE"
else
print_warning "Interface $VPN_INTERFACE not found"
fi
echo ""
echo "Active Connections:"
if wg show "$VPN_INTERFACE" >/dev/null 2>&1; then
wg show "$VPN_INTERFACE"
echo ""
local connected_peers=$(wg show "$VPN_INTERFACE" | grep -c "peer:")
echo "Total connected peers: $connected_peers"
else
print_warning "No active WireGuard interface"
fi
echo ""
read -p "Press Enter to continue..."
}
# List clients
list_clients() {
print_header "WireGuard Client List"
echo ""
if [ ! -d "$VPN_CLIENT_CONFIG_DIR" ]; then
print_error "Client configuration directory not found"
read -p "Press Enter to continue..."
return
fi
local client_count=0
for client_config in "$VPN_CLIENT_CONFIG_DIR"/*.conf; do
if [ -f "$client_config" ]; then
((client_count++))
local client_name=$(basename "$client_config" .conf)
local client_ip=$(grep -A 5 "\[Interface\]" "$client_config" | grep "Address" | cut -d'=' -f2 | xargs)
local client_pubkey_file="$VPN_CLIENT_CONFIG_DIR/${client_name}_public.key"
if [ -f "$client_pubkey_file" ]; then
local client_pubkey=$(cat "$client_pubkey_file")
# Check if client is connected
if wg show "$VPN_INTERFACE" 2>/dev/null | grep -q "$client_pubkey"; then
local status="🟢 Connected"
else
local status="🔴 Disconnected"
fi
else
local status="⚠️ Keys Missing"
fi
echo "Client: $client_name"
echo " IP: $client_ip"
echo " Status: $status"
echo " Config: $client_config"
echo ""
fi
done
if [ "$client_count" -eq 0 ]; then
print_warning "No clients configured"
else
echo "Total clients: $client_count"
fi
read -p "Press Enter to continue..."
}
# Add client
add_client() {
print_header "Add New WireGuard Client"
echo ""
read -p "Enter client name: " client_name
if [ -z "$client_name" ]; then
print_error "Client name cannot be empty"
read -p "Press Enter to continue..."
return
fi
read -p "Enter client IP suffix (optional, press Enter for auto-assign): " ip_suffix
# Call the client addition script
if wg-add-client.sh "$client_name" "$ip_suffix"; then
print_info "Client added successfully"
else
print_error "Failed to add client"
fi
read -p "Press Enter to continue..."
}
# Remove client
remove_client() {
print_header "Remove WireGuard Client"
echo ""
if [ ! -d "$VPN_CLIENT_CONFIG_DIR" ]; then
print_error "No clients directory found"
read -p "Press Enter to continue..."
return
fi
# List available clients
local clients=()
local index=1
for client_config in "$VPN_CLIENT_CONFIG_DIR"/*.conf; do
if [ -f "$client_config" ]; then
local client_name=$(basename "$client_config" .conf)
clients+=("$client_name")
echo "$index. $client_name"
((index++))
fi
done
if [ ${#clients[@]} -eq 0 ]; then
print_warning "No clients found"
read -p "Press Enter to continue..."
return
fi
echo ""
read -p "Select client to remove [1-${#clients[@]}]: " choice
if [[ "$choice" =~ ^[0-9]+$ ]] && [ "$choice" -ge 1 ] && [ "$choice" -le ${#clients[@]} ]; then
local selected_client="${clients[$((choice-1))]}"
echo ""
echo "Selected client: $selected_client"
read -p "Are you sure you want to remove this client? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
if wg-remove-client.sh "$selected_client"; then
print_info "Client '$selected_client' removed successfully"
else
print_error "Failed to remove client '$selected_client'"
fi
else
print_info "Client removal cancelled"
fi
else
print_error "Invalid selection"
fi
read -p "Press Enter to continue..."
}
# Show client details
show_client_details() {
print_header "Client Details"
echo ""
read -p "Enter client name: " client_name
if [ -z "$client_name" ]; then
print_error "Client name cannot be empty"
read -p "Press Enter to continue..."
return
fi
local client_config="$VPN_CLIENT_CONFIG_DIR/${client_name}.conf"
if [ ! -f "$client_config" ]; then
print_error "Client '$client_name' not found"
read -p "Press Enter to continue..."
return
fi
echo "Client Configuration for: $client_name"
echo "======================================"
cat "$client_config"
echo ""
echo "Files:"
echo "- Config: $client_config"
echo "- Private Key: $VPN_CLIENT_CONFIG_DIR/${client_name}_private.key"
echo "- Public Key: $VPN_CLIENT_CONFIG_DIR/${client_name}_public.key"
echo "- QR Code: $VPN_CLIENT_CONFIG_DIR/${client_name}.png"
read -p "Press Enter to continue..."
}
# Restart VPN service
restart_vpn() {
print_header "Restart VPN Service"
echo ""
print_info "Stopping VPN service..."
systemctl stop wg-quick@$VPN_INTERFACE
sleep 2
print_info "Starting VPN service..."
systemctl start wg-quick@$VPN_INTERFACE
sleep 2
if systemctl is-active --quiet wg-quick@$VPN_INTERFACE; then
print_info "VPN service restarted successfully"
else
print_error "VPN service failed to restart"
fi
read -p "Press Enter to continue..."
}
# View logs
view_logs() {
print_header "WireGuard Logs"
echo ""
echo "Recent systemd logs:"
journalctl -u wg-quick@$VPN_INTERFACE --since "1 hour ago" -n 20 --no-pager
echo ""
echo "System log entries (last 10):"
grep -i wireguard /var/log/syslog | tail -10
echo ""
read -p "Press Enter to continue..."
}
# Backup configuration
backup_config() {
print_header "Backup WireGuard Configuration"
echo ""
local backup_dir="/var/backups/wireguard"
local backup_file="wireguard_backup_$(date +%Y%m%d_%H%M%S).tar.gz"
mkdir -p "$backup_dir"
print_info "Creating backup..."
tar -czf "$backup_dir/$backup_file" -C /etc/wireguard .
if [ -f "$backup_dir/$backup_file" ]; then
print_info "Backup created successfully: $backup_dir/$backup_file"
local backup_size=$(du -h "$backup_dir/$backup_file" | cut -f1)
echo "Backup size: $backup_size"
# Show backup contents
echo ""
echo "Backup contents:"
tar -tzf "$backup_dir/$backup_file"
else
print_error "Failed to create backup"
fi
read -p "Press Enter to continue..."
}
# Main loop
main() {
while true; do
show_menu
case $choice in
1) show_vpn_status ;;
2) list_clients ;;
3) add_client ;;
4) remove_client ;;
5) show_client_details ;;
6) restart_vpn ;;
7) view_logs ;;
8) backup_config ;;
9) print_info "Exiting WireGuard Management"; exit 0 ;;
*) print_error "Invalid option. Please select 1-9."; sleep 2 ;;
esac
done
}
# Check if running as root
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
# Start the management interface
main
EOF
chmod 750 /usr/local/bin/wg-manage.sh
chown root:root /usr/local/bin/wg-manage.sh
# Create systemd service for WireGuard
cat > /etc/systemd/system/wireguard-manager.service << 'EOF'
[Unit]
Description=WireGuard VPN Management Service
Documentation=man:wg(8)
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up wg0
ExecStop=/usr/bin/wg-quick down wg0
ExecReload=/usr/bin/wg-quick down wg0 && /usr/bin/wg-quick up wg0
# Security settings
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/etc/wireguard /var/log/wireguard /run
PrivateTmp=yes
[Install]
WantedBy=multi-user.target
EOF
# Enable and start WireGuard
systemctl daemon-reload
systemctl enable wireguard-manager.service
systemctl start wireguard-manager.service
# Create log rotation for WireGuard
cat > /etc/logrotate.d/wireguard << 'EOF'
# Football System - WireGuard Log Rotation
/var/log/wireguard/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload rsyslog >/dev/null 2>&1 || true
endscript
}
EOF
chmod 644 /etc/logrotate.d/wireguard
chown root:root /etc/logrotate.d/wireguard
# Start WireGuard interface
print_info "Starting WireGuard VPN interface..."
if wg-quick up wg0; then
print_info "WireGuard VPN started successfully"
else
print_warning "WireGuard VPN started with warnings (common on first boot)"
fi
# Display summary
echo ""
print_info "=== WireGuard VPN Configuration Summary ==="
echo "✅ WireGuard server configured"
echo "✅ Interface: wg0"
echo "✅ VPN Network: 10.8.0.0/24"
echo "✅ Server IP: 10.8.0.1"
echo "✅ Listen Port: 51820"
echo ""
echo "Management Tools:"
echo "- Add client: wg-add-client.sh <client_name>"
echo "- Remove client: wg-remove-client.sh <client_name>"
echo "- Interactive management: wg-manage.sh"
echo ""
echo "Server Public Key:"
echo "$(cat "$SERVER_PUBLIC_KEY")"
echo ""
echo "Server Endpoint:"
echo "$(curl -s ifconfig.me || echo "YOUR_SERVER_IP"):51820"
echo ""
echo "Files created:"
echo "- Server config: /etc/wireguard/wg0.conf"
echo "- Client configs: /etc/wireguard/clients/"
echo "- Keys: /etc/wireguard/keys/"
echo "- Logs: /var/log/wireguard/"
echo ""
print_info "WireGuard VPN configuration completed successfully!"
Reference in New Issue View Git Blame Copy Permalink