[
  {
    "path": ".github/FUNDING.yml",
    "content": "# These are supported funding model platforms\n\ngithub: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]\npatreon: # Replace with a single Patreon username\nopen_collective: # Replace with a single Open Collective username\nko_fi: # Replace with a single Ko-fi username\ntidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel\ncommunity_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry\nliberapay: # Replace with a single Liberapay username\nissuehunt: # Replace with a single IssueHunt username\notechie: # Replace with a single Otechie username\nlfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry\ncustom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']\ncustom: https://www.paypal.me/KristBegaj\n"
  },
  {
    "path": ".github/dependabot.yml",
    "content": "# To get started with Dependabot version updates, you'll need to specify which\n# package ecosystems to update and where the package manifests are located.\n# Please see the documentation for all configuration options:\n# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file\n\nversion: 2\nupdates:\n  - package-ecosystem: \"\" # See documentation for possible values\n    directory: \"/\" # Location of package manifests\n    schedule:\n      interval: \"weekly\"\n\n"
  },
  {
    "path": ".github/workflows/codacy.yml",
    "content": "# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\n\n# This workflow checks out code, performs a Codacy security scan\n# and integrates the results with the\n# GitHub Advanced Security code scanning feature.  For more information on\n# the Codacy security scan action usage and parameters, see\n# https://github.com/codacy/codacy-analysis-cli-action.\n# For more information on Codacy Analysis CLI in general, see\n# https://github.com/codacy/codacy-analysis-cli.\n\nname: Codacy Security Scan\n\non:\n  push:\n    branches: [ master ]\n  pull_request:\n    # The branches below must be a subset of the branches above\n    branches: [ master ]\n  schedule:\n    - cron: '32 10 * * 0'\n\npermissions:\n  contents: read\n\njobs:\n  codacy-security-scan:\n    permissions:\n      contents: read # for actions/checkout to fetch code\n      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results\n    name: Codacy Security Scan\n    runs-on: ubuntu-latest\n    steps:\n      # Checkout the repository to the GitHub Actions runner\n      - name: Checkout code\n        uses: actions/checkout@v3\n\n      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis\n      - name: Run Codacy Analysis CLI\n        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b\n        with:\n          # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository\n          # You can also omit the token and run the tools that support default configurations\n          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}\n          verbose: true\n          output: results.sarif\n          format: sarif\n          # Adjust severity of non-security issues\n          
gh-code-scanning-compat: true\n          # Force 0 exit code to allow SARIF file generation\n          # This will handover control about PR rejection to the GitHub side\n          max-allowed-issues: 2147483647\n\n      # Upload the SARIF file generated in the previous step\n      - name: Upload SARIF results file\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: results.sarif\n"
  },
  {
    "path": ".github/workflows/semgrep.yml",
    "content": "on:\n  pull_request: {}\n  push:\n    branches:\n    - master\n    paths:\n    - .github/workflows/semgrep.yml\n  schedule:\n  - cron: '0 0 * * 0'\nname: Semgrep\njobs:\n  semgrep:\n    name: Scan\n    runs-on: ubuntu-20.04\n    env:\n      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}\n    container:\n      image: returntocorp/semgrep\n    steps:\n    - uses: actions/checkout@v3\n    - run: semgrep ci\n"
  },
  {
    "path": "CONTRIBUTING.md",
    "content": "# Contributors of the project!\n[0x08](https://github.com/its0x08)\n\n\n### Make sure to add yourself to this list before committing\n"
  },
  {
    "path": "README.md",
    "content": "\n# wg-install v0.1.01\nWireGuard autoinstaller written in Bash\n\n[WireGuard](https://www.wireguard.com) [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, CentOS and Fedora!\n\nThis script will automatically install the WireGuard server and generate client configuration files for a secure connection.\n\n![Visitors](https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Fits0x08%2Fwg-install&countColor=%232ccce4&style=flat-square)\n[![Semgrep](https://github.com/its0x08/wg-install/actions/workflows/semgrep.yml/badge.svg)](https://github.com/its0x08/wg-install/actions/workflows/semgrep.yml)\n[![Codacy Security Scan](https://github.com/its0x08/wg-install/actions/workflows/codacy.yml/badge.svg)](https://github.com/its0x08/wg-install/actions/workflows/codacy.yml)\n\n\n## Usage command\n\n### Oneliners:\n```bash\nwget http://git.io/Jff1k -qO wg.sh && bash wg.sh\n```\n```bash\ncurl http://git.io/Jff1k -sSLo wg.sh && bash wg.sh\n```\n```bash\n/bin/bash -c \"$(curl -fsSL http://git.io/Jff1k)\"\n```\n\n### Steps to download and run the scripts:\n```bash\ngit clone https://github.com/its0x08/wg-install.git\ncd wg-install\nbash wg-install.sh\n```\n\n## Add new client or remove and uninstall WireGuard\nYou can run it again to generate more users after the first run, or remove WireGuard. 
Reboot your server to apply all settings.\n\n## To start/activate the WireGuard client:\n```bash\nwg-quick up config_name\n```\n\n## Options:\n\nThe script can be configured by setting the following environment variables:\n\n* INTERACTIVE - if set to \"no\", the script will not prompt for user input\n* PRIVATE_SUBNET - private subnet configuration (default: `10.9.0.0/24`)\n* SERVER_HOST - public IP address, detected by default\n* SERVER_PORT - listening port, picked randomly by default\n* CLIENT_DNS - comma-separated DNS servers for the client to use\n* ADD_REMOVE - set to `1` to remove WireGuard or `2` to add new users\n* WG_CONFIG - set config location (default: `/etc/wireguard/wg0.conf`)\n\n\nCopy the file `/root/client-wg0.conf` from the remote server to your local PC\nat path `/etc/wireguard/wg0.conf` and run `sudo systemctl start wg-quick@wg0.service`, or\nuse the QR code generated by this script to auto-add mobile clients.\n\n## Server/Client status:\nTo check VPN status, run `wg`.\n\n# Pull Requests are appreciated\n\n## Enjoy it!\n\n#### Note: don't forget to report bugs please!\n"
  },
  {
    "path": "wg-install.sh",
    "content": "#!/bin/bash\n# wg-install v0.1.01\n\n\nfunction generate_port {\n\tlocal random_int\n\trandom_int=\"$(shuf -i 2000-65535 -n 1)\"\n\tss -lau | grep \"$random_int\" > /dev/null\n\tif [[ \"$?\" == 1 ]]; then\n\t\techo \"$random_int\"\n\telse\n\t\tgenerate_port\n\tfi\n}\n\nif [[ \"$EUID\" != 0 ]]; then\n\techo \"[-] Sorry, you need to run this as root\"\n\texit 13\nfi\n\nif [[ ! -e /dev/net/tun ]]; then\n\techo \"[-] The TUN device is not available. You need to enable TUN before running this script\"\n\texit 2\nfi\n\nif [ -e /etc/centos-release ]; then\n\tDISTRO=\"CentOS\"\n\techo \"[i] OS: $DISTRO\"\nelif [ -e /etc/debian_version ]; then\n\tDISTRO=\"$(lsb_release -is)\"\n\techo \"[i] OS: $DISTRO\"\nelse\n\techo -e \"[-] Your distribution is not supported (yet)\\n[i] Please open an issue or pull request to address you problem.\"\n\texit 95\nfi\n\nif [ \"$WG_CONFIG\" == \"\" ]; then\n\tWG_CONFIG=\"/etc/wireguard/wg0.conf\"\nfi\n\n\nif [ ! -f \"$WG_CONFIG\" ]; then\n\tWG_CONFIG_NAME=${WG_CONFIG:15:-5}\n\t# Install server and add default client\n\tINTERACTIVE=${INTERACTIVE:-yes}\n\tPRIVATE_SUBNET=${PRIVATE_SUBNET:-\"10.9.0.0/24\"}\n\tPRIVATE_SUBNET_MASK=${PRIVATE_SUBNET##*/}\n\tGATEWAY_ADDRESS=\"${PRIVATE_SUBNET::-4}1\"\n\n\tif [ \"$SERVER_HOST\" == \"\" ]; then\n\t\tSERVER_HOST=\"$(curl -fsSL ifconfig.me 2>/dev/null || hostname -i)\"\n\t\tif [ \"$INTERACTIVE\" == \"yes\" ]; then\n\t\t\tread -rp \"[i] Servers public IP address is $SERVER_HOST  Is that correct? [y/n]: \" -e -i \"y\" CONFIRM\n\t\t\tif [ \"$CONFIRM\" == \"n\" ]; then\n\t\t\t\techo \"[-] Aborted. 
Use environment variable SERVER_HOST to set the correct public IP address\"\n\t\t\t\texit 125\n\t\t\tfi\n\t\tfi\n\tfi\n\n\tif [ \"$SERVER_PORT\" == \"\" ]; then\n\t\tSERVER_PORT=\"$(generate_port)\"\n\tfi\n\n\tif [ \"$CLIENT_DNS\" == \"\" ]; then\n\t\techo \"Which DNS do you want to use with the VPN?\"\n\t\techo \"   1) Cloudflare (fastest DNS)\"\n\t\techo \"   2) Google\"\n\t\techo \"   3) OpenDNS (has phishing protection and other security filters)\"\n\t\techo \"   4) Quad9 (Malware protection)\"\n\t\techo \"   5) AdGuard DNS (automatically blocks ads)\"\n\t\tread -rp \"[?] DNS (1-5)[1]: \" -e -i 1 DNS_CHOICE\n\n\t\tcase $DNS_CHOICE in\n\t\t1)\n\t\t\tCLIENT_DNS=\"1.1.1.1,1.0.0.1\"\n\t\t\t;;\n\t\t2)\n\t\t\tCLIENT_DNS=\"8.8.8.8,8.8.4.4\"\n\t\t\t;;\n\t\t3)\n\t\t\tCLIENT_DNS=\"208.67.222.222,208.67.220.220\"\n\t\t\t;;\n\t\t4)\n\t\t\tCLIENT_DNS=\"9.9.9.9\"\n\t\t\t;;\n\t\t5)\n\t\t\tCLIENT_DNS=\"176.103.130.130,176.103.130.131\"\n\t\t\t;;\n\t\tesac\n\tfi\n\n\tif [ \"$DISTRO\" == \"Ubuntu\" ]; then\n\t\tapt update\n\t\tapt install linux-headers-\"$(uname -r)\" wireguard qrencode iptables-persistent -y\n\telif [ \"$DISTRO\" == \"Debian\" ]; then\n\t\techo \"deb http://deb.debian.org/debian buster-backports main\" >> /etc/apt/sources.list\n\t\tapt update\n\t\tapt install linux-headers-\"$(uname -r)\" wireguard qrencode iptables-persistent -y\n\telif [ \"$DISTRO\" == \"CentOS\" ]; then\n\t\tcurl -sLo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo\n\t\tyum install epel-release -y\n\t\tyum install kernel-headers wireguard-dkms qrencode wireguard-tools -y\n\tfi\n\n\tSERVER_PRIVKEY=\"$(wg genkey)\"\n\tSERVER_PUBKEY=\"$(echo \"$SERVER_PRIVKEY\" | wg pubkey)\"\n\tCLIENT_PRIVKEY=\"$(wg genkey)\"\n\tCLIENT_PUBKEY=\"$(echo \"$CLIENT_PRIVKEY\" | wg pubkey)\"\n\tCLIENT_ADDRESS=\"${PRIVATE_SUBNET::-4}3\"\n\n\tmkdir -p /etc/wireguard\n\ttouch $WG_CONFIG && chmod 600 $WG_CONFIG\n\n\t{\n\t\techo \"# 
$PRIVATE_SUBNET $SERVER_HOST:$SERVER_PORT $SERVER_PUBKEY $CLIENT_DNS\n[Interface]\nAddress = $GATEWAY_ADDRESS/$PRIVATE_SUBNET_MASK\nListenPort = $SERVER_PORT\nPrivateKey = $SERVER_PRIVKEY\nSaveConfig = false\"; \n\n\techo \"# client\n[Peer]\nPublicKey = $CLIENT_PUBKEY\nAllowedIPs = $CLIENT_ADDRESS/32\";\n\t} >> $WG_CONFIG\n\n\techo \"[Interface]\nPrivateKey = $CLIENT_PRIVKEY\nAddress = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK\nDNS = $CLIENT_DNS\n[Peer]\nPublicKey = $SERVER_PUBKEY\nAllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = $SERVER_HOST:$SERVER_PORT\nPersistentKeepalive = 25\" > \"$HOME/client-$WG_CONFIG_NAME.conf\"\n\tqrencode -t ansiutf8 -l L < \"$HOME/client-$WG_CONFIG_NAME.conf\"\n\n\t{ \n\t\techo \"net.ipv4.ip_forward=1\";\n\t\techo \"net.ipv4.conf.all.forwarding=1\";\n\t\techo \"net.ipv6.conf.all.forwarding=1\";\n\t}  >> /etc/sysctl.conf\n\tsysctl -p\n\n\tif [ \"$DISTRO\" == \"CentOS\" ]; then\n\t\tfirewall-cmd --zone=public --add-port=\"$SERVER_PORT/udp\"\n\t\tfirewall-cmd --zone=trusted --add-source=\"$PRIVATE_SUBNET\"\n\t\tfirewall-cmd --permanent --zone=public --add-port=\"$SERVER_PORT/udp\"\n\t\tfirewall-cmd --permanent --zone=trusted --add-source=\"$PRIVATE_SUBNET\"\n\t\tfirewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s \"$PRIVATE_SUBNET\" ! -d \"$PRIVATE_SUBNET\" -j SNAT --to \"$SERVER_HOST\"\n\t\tfirewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s \"$PRIVATE_SUBNET\" ! 
-d \"$PRIVATE_SUBNET\" -j SNAT --to \"$SERVER_HOST\"\n\telse\n\t\tiptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n\t\tiptables -A FORWARD -m conntrack --ctstate NEW -s \"$PRIVATE_SUBNET\" -m policy --pol none --dir in -j ACCEPT\n\t\tiptables -t nat -A POSTROUTING -s \"$PRIVATE_SUBNET\" -m policy --pol none --dir out -j MASQUERADE\n\t\tiptables -A INPUT -p udp --dport \"$SERVER_PORT\" -j ACCEPT\n\t\tiptables-save > /etc/iptables/rules.v4\n\tfi\n\n\tsystemctl enable wg-quick@$WG_CONFIG_NAME.service\n\tsystemctl start wg-quick@$WG_CONFIG_NAME.service\n\n\t# TODO: unattended updates, apt install dnsmasq ntp\n\techo \"[+] Client config --> $HOME/client-$WG_CONFIG_NAME.conf\"\n\techo \"[+] Now reboot the server and enjoy your fresh VPN installation! :^)\"\nelse\n\t# Server is installed, add a new client or remove server\n\techo \"[1] Remove WireGuard.\"\n\techo \"[2] Add client.\"\n\tread -rp \"[+] Choose from above options [1/2]: \" -e ADD_REMOVE\n\tif [ \"$ADD_REMOVE\" == \"1\" ]; then\n\t\techo \"[*] Removing WireGuard from the server...\"\n\t\trm -rf \"$WG_CONFIG\";\n\t\tif [ \"$DISTRO\" == \"Ubuntu\" ]; then\n\t\t\tapt remove wireguard* -y && apt autoremove -y && apt autoclean -y\n\t\telif [ \"$DISTRO\" == \"Debian\" ]; then\n\t\t\tapt remove wireguard* -y && apt autoremove -y && apt autoclean -y\n\t\telif [ \"$DISTRO\" == \"CentOS\" ]; then\n\t\t\tyum remove wireguard-dkms -y\n\t\tfi\n\n\t\techo \"[i] WireGuard removed from the server!\"\n\t\texit 0\n\tfi\n\tCLIENT_NAME=\"$1\"\n\tif [ \"$CLIENT_NAME\" == \"\" ]; then\n\t\techo \"[?] 
Tell me a name for the client config file [no special characters].\"\n\t\tread -rp \"[+] Client name: \" -e CLIENT_NAME\n\tfi\n\tCLIENT_PRIVKEY=\"$(wg genkey)\"\n\tCLIENT_PUBKEY=\"$(echo \"$CLIENT_PRIVKEY\" | wg pubkey)\"\n\tPRIVATE_SUBNET=\"$(head -n1 \"$WG_CONFIG\" | awk '{print $2}')\"\n\tPRIVATE_SUBNET_MASK=\"$(echo \"$PRIVATE_SUBNET\" | cut -d \"/\" -f 2)\"\n\tSERVER_ENDPOINT=\"$(head -n1 \"$WG_CONFIG\" | awk '{print $3}')\"\n\tSERVER_PUBKEY=\"$(head -n1 \"$WG_CONFIG\" | awk '{print $4}')\"\n\tCLIENT_DNS=\"$(head -n1 \"$WG_CONFIG\" | awk '{print $5}')\"\n\tLASTIP=\"$(grep \"/32\" \"$WG_CONFIG\" | tail -n1 | awk '{print $3}' | cut -d \"/\" -f 1 | cut -d \".\" -f 4)\"\n\tCLIENT_ADDRESS=\"${PRIVATE_SUBNET::-4}$((LASTIP + 1))\"\n\techo \"# $CLIENT_NAME\n[Peer]\nPublicKey = $CLIENT_PUBKEY\nAllowedIPs = $CLIENT_ADDRESS/32\" >> $WG_CONFIG\n\n\techo \"[Interface]\nPrivateKey = $CLIENT_PRIVKEY\nAddress = $CLIENT_ADDRESS/$PRIVATE_SUBNET_MASK\nDNS = $CLIENT_DNS\n[Peer]\nPublicKey = $SERVER_PUBKEY\nAllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = $SERVER_ENDPOINT\nPersistentKeepalive = 25\" > \"$HOME/$CLIENT_NAME-$WG_CONFIG_NAME.conf\"\n\tqrencode -t ansiutf8 -l L < \"$HOME/$CLIENT_NAME-$WG_CONFIG_NAME.conf\"\n\n\tip address | grep -q $WG_CONFIG_NAME && wg set $WG_CONFIG_NAME peer \"$CLIENT_PUBKEY\" allowed-ips \"$CLIENT_ADDRESS/32\"\n\techo \"[+] Client added, new configuration file --> $HOME/$CLIENT_NAME-$WG_CONFIG_NAME.conf\"\nfi\n"
  }
]