diff --git a/README.md b/README.md
index 17cc346..a301e96 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,34 @@
-# wireguard一键脚本
-#### 适用于CentOS7
-#### wireguard_install.sh 单用户版,如需增加用户需要手动增加
+# wireguard一键配置脚本 (含服务器端与客户端)
+
+## 初次安装
+wget --no-check-certificate https://raw.githubusercontent.com/ysy/wireguard/master/wg.sh && chmod +x wg.sh && ./wg.sh
+
+选择 1.重新安装配置Wireguard
+配置完成后,会以红字显示第一个客户端配置文件的内容,拷贝到客户端或生成二维码即可使用。
+
+
+## 增加用户
+选择 2.增加用户
+输入用户名,即会生成客户端配置文件
+
+## 删除用户
+选择 4.删除用户
+输入用户名,即可删除
+
+## 配置透明代理软路由
+目前透明代理软路由只在Ubuntu系统上测试过
+### 客户端配置
+wget --no-check-certificate https://raw.githubusercontent.com/ysy/wireguard/master/install_tproxy.sh && chmod +x install_tproxy.sh && ./install_tproxy.sh
+
+### 服务器端配置
+选择 3. 增加用户(udp2raw配置)
+输入用户名,再输入软路由下设的局域网地址段 (如: 192.168.0.0)
+完成后,重启下wg0接口(wg-quick down wg0 && wg-quick up wg0)
+脚本会自动生成客户端的wg配置文件,将其文件拷贝至软路由(Ubuntu系统)的 /etc/wireguard/wg0.conf
+在软路由上运行 wg-quick up wg0
+需要将终端机的网关和DNS设为软路由的地址(如: 192.168.0.1 或 192.168.0.2 等)
+这个配置会根据域名是否在GfwList中来做分流,所以必须将终端机的DNS为软路由的地址。
+另外,在软路由的wg0口上没有做NAT,整个局域网的地址段跟服务器是相通的,可以在服务器上PING通局域网上的主机。如果配置多个客户端时,注意局域网地址段不能一样,否则无法路由。如果有多个局域网接入,这些局域网也是相通的,如果认为有安全风险,请自行增加iptables规则。
diff --git a/install_tproxy.sh b/install_tproxy.sh
new file mode 100755
index 0000000..eae6d9f
--- /dev/null
+++ b/install_tproxy.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+# 配置透明代理路由器
+
+# 需要与Wireguard一键脚本所生成的UDP2RAW客户端配置文件相配合
+# 适合Debian/Ubuntu 桌面/服务器系统,用于做软路由透明代理
+# 需要使用root权限运行
+GFWLIST_IPSET=gfwlist
+GFWLIST_TIMEOUT=3600
+
+install_udp2raw()
+{
+ [ -e /usr/local/bin/udp2raw ] && return ;
+
+ rm -rf udp2raw-tunnel
+ git clone https://github.com/wangyu-/udp2raw-tunnel.git
+ cd udp2raw-tunnel
+ make
+ cp udp2raw /usr/local/bin
+ cd -
+}
+
+install_packages()
+{
+ if grep -q Debian /etc/issue || grep -q Ubuntu /etc/issue ; then
+ apt purge -y dnsmasq
+ rm -rf /etc/dnsmasq.conf
+ rm -rf /etc/dnsmasq.d
+ apt install -y dnsmasq dnsutils resolvconf wget curl ipset sed
+ apt install -y gettext build-essential unzip gzip openssl libssl-dev \
+ autoconf automake libtool gcc g++ make zlib1g-dev \
+ libev-dev libc-ares-dev git
+
+ if ! wg > /dev/null ; then
+ echo "Install Wireguard"
+ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
+ apt update
+ apt install -y dkms linux-headers-`uname -r`
+ apt install -y wireguard
+ fi
+ fi
+
+ if [ -f /etc/centos-release ] ; then
+ curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
+ yum install -y epel-release
+ yum install -y wireguard-dkms wireguard-tools
+ yum install -y bind-utils
+ yum install -y unzip gzip openssl openssl-devel gcc libtool libevent \
+ autoconf automake make curl curl-devel zlib-devel cpio gettext-devel \
+ libev-devel c-ares-devel git
+ fi
+
+ if ! [ -e /usr/local/bin/gfwlist2dnsmasq.sh ]; then
+ wget https://raw.githubusercontent.com/cokebar/gfwlist2dnsmasq/master/gfwlist2dnsmasq.sh
+ chmod +x gfwlist2dnsmasq.sh
+ mv gfwlist2dnsmasq.sh /usr/local/bin/
+ fi
+
+ install_udp2raw
+}
+
+
+config_dnsmasq()
+{
+ if (cat /etc/issue | grep -q 'Ubuntu' | grep -q '18.' ) ; then
+ if !(grep -q "DNSStubListener=no" /etc/systemd/resolved.conf) ; then
+ echo "disable systemd-resolved server"
+ sudo echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+ service systemd-resolved restart
+ fi
+ fi
+
+ grep -q "server=223.5.5.5" /etc/dnsmasq.conf || echo "server=223.5.5.5" >> /etc/dnsmasq.conf
+
+ ipset destroy $GFWLIST_IPSET
+ ipset create $GFWLIST_IPSET hash:ip family inet timeout $GFWLIST_TIMEOUT
+ /usr/local/bin/gfwlist2dnsmasq.sh -d 8.8.8.8 -p 53 -s $GFWLIST_IPSET -o /etc/dnsmasq.d/gfwlist.conf
+
+ echo "0 0 * * 0 cd /tmp && /usr/local/bin/gfwlist2dnsmasq.sh -d 8.8.8.8 -p 53 -s $GFWLIST_IPSET -o /etc/dnsmasq.d/gfwlist.conf && /etc/init.d/dnsmasq restart> /dev/null" > /tmp/crontab.root
+
+ crontab /tmp/crontab.root
+ service dnsmasq restart
+
+}
+
+
+main()
+{
+ install_packages
+ config_dnsmasq
+}
+
+main
diff --git a/wg.sh b/wg.sh
new file mode 100755
index 0000000..fcb862b
--- /dev/null
+++ b/wg.sh
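Review bot: The Ubuntu 18 test in config_dnsmasq, `if (cat /etc/issue | grep -q 'Ubuntu' | grep -q '18.' ) ; then`, can never be true: `grep -q` prints nothing, so the second grep always reads empty input and the DNSStubListener change is never applied; use `if grep -q 'Ubuntu' /etc/issue && grep -q '18\.' /etc/issue; then`. Further down, `crontab /tmp/crontab.root` silently replaces root's entire crontab with the single gfwlist line and goes through a fixed, predictable path in world-writable /tmp; `{ crontab -l 2>/dev/null; printf '%s\n' "0 0 * * 0 cd /tmp && …"; } | crontab -` keeps existing entries and needs no temp file. In install_packages, gfwlist2dnsmasq.sh is downloaded from the master branch and udp2raw is cloned and built from HEAD, then both run as root (gfwlist2dnsmasq.sh weekly from cron) with no pinned revision or checksum, so any change upstream flows straight into this host; pinning a commit and verifying a hash before the `mv` would bound that. `sudo echo "DNSStubListener=no" >> /etc/systemd/resolved.conf` also adds nothing: the redirect is performed by the calling shell, and the script already requires root.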
@@ -0,0 +1,355 @@
+#!/bin/sh
+
+
+
+SUBNET=192.168.100
+
+###############
+
+umask 077
+
+rand(){
+ min=$1
+ max=$(($2-$min+1))
+ num=$(cat /dev/urandom | head -n 10 | cksum | awk -F ' ' '{print $1}')
+ echo $(($num%$max+$min))
+}
+
+
+get_public_ip()
+{
+ dig -4 +short myip.opendns.com @resolver1.opendns.com
+}
+
+
+install_wireguard()
+{
+ if grep Debian /etc/issue ; then
+ apt install -y dkms linux-headers-`uname -r`
+ apt install -y dnsutils resolvconf
+ wg && return;
+
+ echo "Install Wireguard"
+ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
+ apt update
+ apt install linux-headers-`uname -r`
+ apt install -y wireguard resolvconf dnsutils psmisc gcc make g++
+ apt install -y gettext build-essential unzip gzip openssl libssl-dev \
+ autoconf automake libtool gcc g++ make zlib1g-dev \
+ libev-dev libc-ares-dev git
+ fi
+
+ if grep Ubuntu /etc/issue ; then
+ echo "Install Wireguard"
+ add-apt-repository ppa:wireguard/wireguard
+ apt update
+ apt install linux-headers-`uname -r`
+ apt install -y wireguard resolvconf dnsutils psmisc gcc make g++
+ apt install -y gettext build-essential unzip gzip openssl libssl-dev \
+ autoconf automake libtool gcc g++ make zlib1g-dev \
+ libev-dev libc-ares-dev git
+
+ fi
+
+
+ if [ -f /etc/centos-release ] ; then
+ curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
+ yum install -y epel-release
+ yum install -y wireguard-dkms wireguard-tools
+ yum install -y bind-utils
+ yum install -y unzip gzip openssl openssl-devel gcc libtool libevent \
+ autoconf automake make curl curl-devel zlib-devel cpio gettext-devel \
+ libev-devel c-ares-devel git
+ fi
+}
+
+build_udp2raw()
+{
+ rm -rf udp2raw-tunnel
+ git clone https://github.com/wangyu-/udp2raw-tunnel.git
+ cd udp2raw-tunnel
+ make
+ cp udp2raw /usr/local/bin
+ cd -
+}
+
+
+show_client_conf()
+{
+ echo ""
+ echo "\033[32m"
+ echo "*********************************************************"
+ echo "复制以下红色内容,在谷歌浏览器安装Offline QRcode Generator"
+ echo "插件生成二维码, 在WireGuard客户端扫描导入生成的二维码"
+ echo "*********************************************************"
+ echo "\033[0m"
+ echo "====================================================="
+ echo "====================================================="
+ echo "\033[31m"
+ cat client.conf
+ echo "\033[0m"
+ echo "====================================================="
+ echo "====================================================="
+}
+
+
+configure_wireguard()
+{
+ install_wireguard
+ build_udp2raw
+
+ wg-quick down wg0 2>/dev/null
+ rm -rf /etc/wireguard/*
+ echo "正在获取服务器公网IP地址"
+ SERVER_PUBLIC_IP=$(get_public_ip)
+ wg genkey | tee server_priv | wg pubkey > server_pub
+ wg genkey | tee client_priv | wg pubkey > client_pub
+
+ echo $SUBNET > /etc/wireguard/subnet
+
+ SERVER_PUB=$(cat server_pub)
+ SERVER_PRIV=$(cat server_priv)
+ CLIENT_PUB=$(cat client_pub)
+ CLIENT_PRIV=$(cat client_priv)
+
+ DEF_IFACE=`route | grep default | awk '{ print $8}'`
+ echo $SERVER_PUB > /etc/wireguard/server_pubkey
+
+ PORT=$(rand 20000 60000)
+ UDP2RAW_PORT=$(rand 10000 20000)
+ UDP2RAW_PASSWORD=$(cat /dev/urandom | head -n 10 | md5sum | head -c 12)
+
+ echo $UDP2RAW_PORT > /etc/wireguard/udp2raw_port
+ echo $UDP2RAW_PASSWORD > /etc/wireguard/udp2raw_password
+
+ mv /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak 2> /dev/null
+
+ ip=$SUBNET.2
+ cat > /etc/wireguard/wg0.conf <<-EOF
+ [Interface]
+ PrivateKey = $SERVER_PRIV
+ Address = $SUBNET.1/24
+ PreUp = udp2raw -s -l0.0.0.0:$UDP2RAW_PORT -r127.0.0.1:$PORT -k $UDP2RAW_PASSWORD --raw-mode faketcp --cipher-mode xor -a > /var/log/udp2raw.log &
+ PostUp = sysctl net.ipv4.ip_forward=1
+ PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ${DEF_IFACE} -j MASQUERADE
+ PostDown = sysctl net.ipv4.ip_forward=0 ;
+ PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ${DEF_IFACE} -j MASQUERADE
+ PostDown = killall udp2raw
+ ListenPort = $PORT
+ #DNS = 8.8.8.8
+ MTU = 1200
+
+ [Peer]
+ PublicKey = $CLIENT_PUB
+ AllowedIPs = $SUBNET.2/32
+ EOF
+
+ cat > client.conf <<-EOF
+ [Interface]
+ PrivateKey = $CLIENT_PRIV
+ Address = $ip/32
+ MTU = 1200
+ DNS = 8.8.8.8
+
+
+ [Peer]
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = $SERVER_PUBLIC_IP:$PORT
+ PublicKey = $SERVER_PUB
+
+ EOF
+
+ rm -rf server_* client_*
+
+ systemctl enable wg-quick@wg0
+ wg-quick up wg0
+
+ mkdir -p /etc/wireguard/clients/default/
+ cp client.conf /etc/wireguard/clients/default/
+ echo $ip > /etc/wireguard/lastip
+ show_client_conf
+
+ rm client.conf
+}
+
+add_peer_udp2raw()
+{
+ read -p "请输入要增加的用户名(英文+数字): " peer_name
+
+ if [ -d /etc/wireguard/clients/$peer_name ]; then
+ echo "用户已经存在"
+ return;
+ fi
+
+ read -p "请输入局域网网段(例如192.168.0.0): " lan_ip
+
+
+ SERVER_PUBLIC_IP=$(get_public_ip)
+ subnet=$(cat /etc/wireguard/subnet)
+
+ ip=$subnet.$(expr $(cat /etc/wireguard/lastip | tr "." " " | awk '{print $4}') + 1)
+
+
+ wg genkey | tee client_priv | wg pubkey > client_pub
+
+ cat > client.conf <<-EOF
+ [Interface]
+ PrivateKey = $(cat client_priv)
+ Address = $ip/32
+ MTU = 1200
+ #DNS = 8.8.8.8
+
+ PreUp = udp2raw -c -l0.0.0.0:$(cat /etc/wireguard/udp2raw_port) -r$SERVER_PUBLIC_IP:$(cat /etc/wireguard/udp2raw_port) -k $(cat /etc/wireguard/udp2raw_password) --raw-mode faketcp --cipher-mode xor -a > /dev/null &
+ PreUp = ipset create gfwlist hash:ip family inet timeout 3600 || echo "gfwlist create" > /dev/null
+ PostUp = iptables -A POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o %i -j TCPMSS --clamp-mss-to-pmtu
+ PostUp = iptables -t mangle -A OUTPUT -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostUp = iptables -t mangle -A PREROUTING -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostUp = ip rule add fwmark 51820 lookup main
+ PostUp = ip rule add fwmark 2222 lookup 51820
+ PostUp = ip rule add to 8.8.8.8 lookup 51820
+ PostUp = ip rule add to $SERVER_PUBLIC_IP table main
+ PostUp = ip rule add to $SUBNET.0/24 lookup 51820
+ PostUp = ip rule del not fwmark 51820 lookup 51820
+ PostUp = sysctl net.ipv4.ip_forward=1
+ #PostUp = systemctl restart dnsmasq
+ PostDown = killall udp2raw || echo "no udp2raw"
+ PostDown = iptables -D POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o %i -j TCPMSS --clamp-mss-to-pmtu
+ PostDown = iptables -t mangle -D OUTPUT -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostDown = iptables -t mangle -D PREROUTING -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostDown = sysctl net.ipv4.ip_forward=0
+
+ [Peer]
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = 127.0.0.1:$(cat /etc/wireguard/udp2raw_port)
+ PublicKey = $(wg | grep 'public key:' | awk '{print $3}')
+
+ EOF
+
+ wg set wg0 peer $(cat client_pub) allowed-ips $ip/32,$lan_ip/24
+
+ echo "$peer_name $(cat client_priv) $ip" >> /etc/wireguard/peers
+ echo $ip > /etc/wireguard/lastip
+
+ wg-quick save wg0
+
+ mkdir -p /etc/wireguard/clients/$peer_name/
+ cp client.conf /etc/wireguard/clients/$peer_name/
+
+ show_client_conf
+ rm client.conf
+ rm client_*
+ wg-quick down wg0
+ wg-quick up wg0
+}
+
+
+add_peer()
+{
+ read -p "请输入要增加的用户名(英文+数字): " peer_name
+
+ if [ -d /etc/wireguard/clients/$peer_name ]; then
+ echo "用户已经存在"
+ return;
+ fi
+
+ subnet=$(cat /etc/wireguard/subnet)
+
+ ip=$subnet.$(expr $(cat /etc/wireguard/lastip | tr "." " " | awk '{print $4}') + 1)
+
+ wg genkey | tee client_priv | wg pubkey > client_pub
+
+ cat > client.conf <<-EOF
+ [Interface]
+ PrivateKey = $(cat client_priv)
+ Address = $ip/32
+ MTU = 1200
+ DNS = 8.8.8.8
+
+ [Peer]
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = $(get_public_ip):$(cat /etc/wireguard/wg0.conf | grep ListenPort | awk '{ print $3}')
+ PublicKey = $(wg | grep 'public key:' | awk '{print $3}')
+
+ EOF
+
+ wg set wg0 peer $(cat client_pub) allowed-ips $ip/32
+
+ echo "$peer_name $(cat client_priv) $ip" >> /etc/wireguard/peers
+ echo $ip > /etc/wireguard/lastip
+
+ wg-quick save wg0
+
+ mkdir -p /etc/wireguard/clients/$peer_name/
+ cp client.conf /etc/wireguard/clients/$peer_name/
+
+ show_client_conf
+ rm client.conf
+ rm client_*
+}
+
+
+delete_peer()
+{
+ read -p "请输入要删除的用户名: " peer_name
+
+ [ -d /etc/wireguard/clients/$peer_name ] || ( echo "用户不存在" ; return ;)
+
+ cat /etc/wireguard/clients/$peer_name/client.conf | grep "PrivateKey" | awk '{print $3}' > client_priv
+
+ wg set wg0 peer $(cat /etc/wireguard/clients/$peer_name/client.conf | grep "PrivateKey" | awk '{print $3}' | wg pubkey) remove
+ wg-quick save wg0
+
+ rm -rf /etc/wireguard/clients/$peer_name
+ echo "用户删除成功"
+}
+
+list_peer()
+{
+ cd /etc/wireguard/clients >/dev/null 2>/dev/null && ls && cd - 2>/dev/null 1>/dev/null
+}
+
+start_menu(){
+ echo "========================="
+ echo " 作者:基于atrandys版本修改"
+ echo "========================="
+ echo "1. 重新安装配置Wireguard"
+ echo "2. 增加用户"
+ echo "3. 增加用户(udp2raw配置)"
+ echo "4. 删除用户"
+
+ echo "5. 用户列表"
+
+ echo "6. 退出脚本"
+ read -p "请输入数字:" num
+ case "$num" in
+ 1)
+ configure_wireguard
+ ;;
+ 2)
+ add_peer
+ ;;
+
+ 3)
+ add_peer_udp2raw
+ ;;
+
+ 4)
+ delete_peer
+ ;;
+ 5)
+ list_peer
+ ;;
+ 6)
+ exit 1
+ ;;
+ *)
+ clear
+ echo "请输入正确数字"
+ sleep 2s
+ start_menu
+ ;;
+ esac
+}
+
+start_menu
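Review bot: In delete_peer the guard `[ -d /etc/wireguard/clients/$peer_name ] || ( echo "用户不存在" ; return ;)` does not stop the function, because `return` inside `( … )` only leaves the subshell: with an unknown name it falls through to `wg set … remove` with an empty key, and with an empty name the `-d` test on `/etc/wireguard/clients/` succeeds and `rm -rf /etc/wireguard/clients/$peer_name` deletes every stored client configuration. Replace the subshell with a group, `[ -d "/etc/wireguard/clients/$peer_name" ] || { echo "用户不存在"; return; }`, and reject unsafe names right after the `read` in delete_peer, add_peer and add_peer_udp2raw, e.g. `case "$peer_name" in ''|*/*|*..*|*[!A-Za-z0-9_-]*) echo "无效用户名"; return;; esac`, since the same unquoted `$peer_name` also forms the `mkdir -p`, `cp` and `cat` paths there. The file is declared `#!/bin/sh` but depends on `read -p` and on `echo` expanding `\033`; under dash `read -p` is rejected, and under bash the colour codes print literally, so `#!/bin/bash` together with `printf '\033[31m'` would behave the same on both. `DEF_IFACE` is taken from `route`, which is not installed by default on current Debian/Ubuntu releases; `ip -4 route show default | awk '{print $5}'` comes from iproute2, which the rest of the script already relies on.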