diff --git a/README.md b/README.md
index 17cc346..a301e96 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,34 @@
-# wireguard一键脚本
-#### 适用于CentOS7
-#### wireguard_install.sh 单用户版,如需增加用户需要手动增加
+# wireguard一键配置脚本 (含服务器端与客户端)
+
+## 初次安装
+wget --no-check-certificate https://raw.githubusercontent.com/ysy/wireguard/master/wg.sh && chmod +x wg.sh && ./wg.sh
+
+选择 1.重新安装配置Wireguard
+配置完成后,会以红字显示第一个客户端配置文件的内容,拷贝到客户端或生成二维码即可使用。
+
+
+## 增加用户
+选择 2.增加用户
+输入用户名,即会生成客户端配置文件
+
+## 删除用户
+选择 4.删除用户
+输入用户名,即可删除
+
+## 配置透明代理软路由
+目前透明代理软路由只在Ubuntu系统上测试过
+### 客户端配置
+wget --no-check-certificate https://raw.githubusercontent.com/ysy/wireguard/master/install_tproxy.sh && chmod +x install_tproxy.sh && ./install_tproxy.sh
+
+### 服务器端配置
+选择 3. 增加用户(udp2raw配置)
+输入用户名,再输入软路由下设的局域网地址段 (如: 192.168.0.0)
+完成后,重启下wg0接口(wg-quick down wg0 && wg-quick up wg0)
+脚本会自动生成客户端的wg配置文件,将其文件拷贝至软路由(Ubuntu系统)的 /etc/wireguard/wg0.conf
+在软路由上运行 wg-quick up wg0
+需要将终端机的网关和DNS设为软路由的地址(如: 192.168.0.1 或 192.168.0.2 等)
+这个配置会根据域名是否在GfwList中来做分流,所以必须将终端机的DNS为软路由的地址。
+另外,在软路由的wg0口上没有做NAT,整个局域网的地址段跟服务器是相通的,可以在服务器上PING通局域网上的主机。如果配置多个客户端时,注意局域网地址段不能一样,否则无法路由。如果有多个局域网接入,这些局域网也是相通的,如果认为有安全风险,请自行增加iptables规则。
diff --git a/install_tproxy.sh b/install_tproxy.sh
new file mode 100755
index 0000000..eae6d9f
--- /dev/null
+++ b/install_tproxy.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+# 配置透明代理路由器
+
+# 需要与Wireguard一键脚本所生成的UDP2RAW客户端配置文件相配合
+# 适合Debian/Ubuntu 桌面/服务器系统,用于做软路由透明代理
+# 需要使用root权限运行
+GFWLIST_IPSET=gfwlist
+GFWLIST_TIMEOUT=3600
+
+install_udp2raw()
+{
+ [ -e /usr/local/bin/udp2raw ] && return ;
+
+ rm -rf udp2raw-tunnel
+ git clone https://github.com/wangyu-/udp2raw-tunnel.git
+ cd udp2raw-tunnel
+ make
+ cp udp2raw /usr/local/bin
+ cd -
+}
+
+install_packages()
+{
+ if grep -q Debian /etc/issue || grep -q Ubuntu /etc/issue ; then
+ apt purge -y dnsmasq
+ rm -rf /etc/dnsmasq.conf
+ rm -rf /etc/dnsmasq.d
+ apt install -y dnsmasq dnsutils resolvconf wget curl ipset sed
+ apt install -y gettext build-essential unzip gzip openssl libssl-dev \
+ autoconf automake libtool gcc g++ make zlib1g-dev \
+ libev-dev libc-ares-dev git
+
+ if ! wg > /dev/null ; then
+ echo "Install Wireguard"
+ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
+ apt update
+ apt install -y dkms linux-headers-`uname -r`
+ apt install -y wireguard
+ fi
+ fi
+
+ if [ -f /etc/centos-release ] ; then
+ curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
+ yum install -y epel-release
+ yum install -y wireguard-dkms wireguard-tools
+ yum install -y bind-utils
+ yum install -y unzip gzip openssl openssl-devel gcc libtool libevent \
+ autoconf automake make curl curl-devel zlib-devel cpio gettext-devel \
+ libev-devel c-ares-devel git
+ fi
+
+ if ! [ -e /usr/local/bin/gfwlist2dnsmasq.sh ]; then
+ wget https://raw.githubusercontent.com/cokebar/gfwlist2dnsmasq/master/gfwlist2dnsmasq.sh
+ chmod +x gfwlist2dnsmasq.sh
+ mv gfwlist2dnsmasq.sh /usr/local/bin/
+ fi
+
+ install_udp2raw
+}
+
+
+config_dnsmasq()
+{
+ if (cat /etc/issue | grep -q 'Ubuntu' | grep -q '18.' ) ; then
+ if !(grep -q "DNSStubListener=no" /etc/systemd/resolved.conf) ; then
+ echo "disable systemd-resolved server"
+ sudo echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
+ service systemd-resolved restart
+ fi
+ fi
+
+ grep -q "server=223.5.5.5" /etc/dnsmasq.conf || echo "server=223.5.5.5" >> /etc/dnsmasq.conf
+
+ ipset destroy $GFWLIST_IPSET
+ ipset create $GFWLIST_IPSET hash:ip family inet timeout $GFWLIST_TIMEOUT
+ /usr/local/bin/gfwlist2dnsmasq.sh -d 8.8.8.8 -p 53 -s $GFWLIST_IPSET -o /etc/dnsmasq.d/gfwlist.conf
+
+ echo "0 0 * * 0 cd /tmp && /usr/local/bin/gfwlist2dnsmasq.sh -d 8.8.8.8 -p 53 -s $GFWLIST_IPSET -o /etc/dnsmasq.d/gfwlist.conf && /etc/init.d/dnsmasq restart> /dev/null" > /tmp/crontab.root
+
+ crontab /tmp/crontab.root
+ service dnsmasq restart
+
+}
+
+
+main()
+{
+ install_packages
+ config_dnsmasq
+}
+
+main
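Review bot: In config_dnsmasq the cron entry is staged in the fixed path `/tmp/crontab.root` and then loaded with `crontab /tmp/crontab.root`, which is unsafe in a script that runs as root. A predictable name in world-writable /tmp can be pre-created or symlinked by another local user, and `crontab FILE` replaces root's entire crontab, so any jobs already installed are silently dropped. I would drop the temp file and merge instead: `( crontab -l 2>/dev/null | grep -v gfwlist2dnsmasq.sh; echo "0 0 * * 0 …same entry…" ) | crontab -`. Separately, the Ubuntu 18 check at the top of the same function pipes `grep -q` into a second `grep -q`, so it can never succeed and the systemd-resolved stub listener is never disabled; `grep -q 'Ubuntu 18\.' /etc/issue` is likely what was meant.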
diff --git a/wg.sh b/wg.sh
new file mode 100755
index 0000000..fcb862b
--- /dev/null
+++ b/wg.sh
@@ -0,0 +1,355 @@
+#!/bin/sh
+
+
+
+SUBNET=192.168.100
+
+###############
+
+umask 077
+
+rand(){
+ min=$1
+ max=$(($2-$min+1))
+ num=$(cat /dev/urandom | head -n 10 | cksum | awk -F ' ' '{print $1}')
+ echo $(($num%$max+$min))
+}
+
+
+get_public_ip()
+{
+ dig -4 +short myip.opendns.com @resolver1.opendns.com
+}
+
+
+install_wireguard()
+{
+ if grep Debian /etc/issue ; then
+ apt install -y dkms linux-headers-`uname -r`
+ apt install -y dnsutils resolvconf
+ wg && return;
+
+ echo "Install Wireguard"
+ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
+ apt update
+ apt install linux-headers-`uname -r`
+ apt install -y wireguard resolvconf dnsutils psmisc gcc make g++
+ apt install -y gettext build-essential unzip gzip openssl libssl-dev \
+ autoconf automake libtool gcc g++ make zlib1g-dev \
+ libev-dev libc-ares-dev git
+ fi
+
+ if grep Ubuntu /etc/issue ; then
+ echo "Install Wireguard"
+ add-apt-repository ppa:wireguard/wireguard
+ apt update
+ apt install linux-headers-`uname -r`
+ apt install -y wireguard resolvconf dnsutils psmisc gcc make g++
+ apt install -y gettext build-essential unzip gzip openssl libssl-dev \
+ autoconf automake libtool gcc g++ make zlib1g-dev \
+ libev-dev libc-ares-dev git
+
+ fi
+
+
+ if [ -f /etc/centos-release ] ; then
+ curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
+ yum install -y epel-release
+ yum install -y wireguard-dkms wireguard-tools
+ yum install -y bind-utils
+ yum install -y unzip gzip openssl openssl-devel gcc libtool libevent \
+ autoconf automake make curl curl-devel zlib-devel cpio gettext-devel \
+ libev-devel c-ares-devel git
+ fi
+}
+
+build_udp2raw()
+{
+ rm -rf udp2raw-tunnel
+ git clone https://github.com/wangyu-/udp2raw-tunnel.git
+ cd udp2raw-tunnel
+ make
+ cp udp2raw /usr/local/bin
+ cd -
+}
+
+
+show_client_conf()
+{
+ echo ""
+ echo "\033[32m"
+ echo "*********************************************************"
+ echo "复制以下红色内容,在谷歌浏览器安装Offline QRcode Generator"
+ echo "插件生成二维码, 在WireGuard客户端扫描导入生成的二维码"
+ echo "*********************************************************"
+ echo "\033[0m"
+ echo "====================================================="
+ echo "====================================================="
+ echo "\033[31m"
+ cat client.conf
+ echo "\033[0m"
+ echo "====================================================="
+ echo "====================================================="
+}
+
+
+configure_wireguard()
+{
+ install_wireguard
+ build_udp2raw
+
+ wg-quick down wg0 2>/dev/null
+ rm -rf /etc/wireguard/*
+ echo "正在获取服务器公网IP地址"
+ SERVER_PUBLIC_IP=$(get_public_ip)
+ wg genkey | tee server_priv | wg pubkey > server_pub
+ wg genkey | tee client_priv | wg pubkey > client_pub
+
+ echo $SUBNET > /etc/wireguard/subnet
+
+ SERVER_PUB=$(cat server_pub)
+ SERVER_PRIV=$(cat server_priv)
+ CLIENT_PUB=$(cat client_pub)
+ CLIENT_PRIV=$(cat client_priv)
+
+ DEF_IFACE=`route | grep default | awk '{ print $8}'`
+ echo $SERVER_PUB > /etc/wireguard/server_pubkey
+
+ PORT=$(rand 20000 60000)
+ UDP2RAW_PORT=$(rand 10000 20000)
+ UDP2RAW_PASSWORD=$(cat /dev/urandom | head -n 10 | md5sum | head -c 12)
+
+ echo $UDP2RAW_PORT > /etc/wireguard/udp2raw_port
+ echo $UDP2RAW_PASSWORD > /etc/wireguard/udp2raw_password
+
+ mv /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak 2> /dev/null
+
+ ip=$SUBNET.2
+ cat > /etc/wireguard/wg0.conf <<-EOF
+ [Interface]
+ PrivateKey = $SERVER_PRIV
+ Address = $SUBNET.1/24
+ PreUp = udp2raw -s -l0.0.0.0:$UDP2RAW_PORT -r127.0.0.1:$PORT -k $UDP2RAW_PASSWORD --raw-mode faketcp --cipher-mode xor -a > /var/log/udp2raw.log &
+ PostUp = sysctl net.ipv4.ip_forward=1
+ PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ${DEF_IFACE} -j MASQUERADE
+ PostDown = sysctl net.ipv4.ip_forward=0 ;
+ PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ${DEF_IFACE} -j MASQUERADE
+ PostDown = killall udp2raw
+ ListenPort = $PORT
+ #DNS = 8.8.8.8
+ MTU = 1200
+
+ [Peer]
+ PublicKey = $CLIENT_PUB
+ AllowedIPs = $SUBNET.2/32
+ EOF
+
+ cat > client.conf <<-EOF
+ [Interface]
+ PrivateKey = $CLIENT_PRIV
+ Address = $ip/32
+ MTU = 1200
+ DNS = 8.8.8.8
+
+
+ [Peer]
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = $SERVER_PUBLIC_IP:$PORT
+ PublicKey = $SERVER_PUB
+
+ EOF
+
+ rm -rf server_* client_*
+
+ systemctl enable wg-quick@wg0
+ wg-quick up wg0
+
+ mkdir -p /etc/wireguard/clients/default/
+ cp client.conf /etc/wireguard/clients/default/
+ echo $ip > /etc/wireguard/lastip
+ show_client_conf
+
+ rm client.conf
+}
+
+add_peer_udp2raw()
+{
+ read -p "请输入要增加的用户名(英文+数字): " peer_name
+
+ if [ -d /etc/wireguard/clients/$peer_name ]; then
+ echo "用户已经存在"
+ return;
+ fi
+
+ read -p "请输入局域网网段(例如192.168.0.0): " lan_ip
+
+
+ SERVER_PUBLIC_IP=$(get_public_ip)
+ subnet=$(cat /etc/wireguard/subnet)
+
+ ip=$subnet.$(expr $(cat /etc/wireguard/lastip | tr "." " " | awk '{print $4}') + 1)
+
+
+ wg genkey | tee client_priv | wg pubkey > client_pub
+
+ cat > client.conf <<-EOF
+ [Interface]
+ PrivateKey = $(cat client_priv)
+ Address = $ip/32
+ MTU = 1200
+ #DNS = 8.8.8.8
+
+ PreUp = udp2raw -c -l0.0.0.0:$(cat /etc/wireguard/udp2raw_port) -r$SERVER_PUBLIC_IP:$(cat /etc/wireguard/udp2raw_port) -k $(cat /etc/wireguard/udp2raw_password) --raw-mode faketcp --cipher-mode xor -a > /dev/null &
+ PreUp = ipset create gfwlist hash:ip family inet timeout 3600 || echo "gfwlist create" > /dev/null
+ PostUp = iptables -A POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o %i -j TCPMSS --clamp-mss-to-pmtu
+ PostUp = iptables -t mangle -A OUTPUT -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostUp = iptables -t mangle -A PREROUTING -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostUp = ip rule add fwmark 51820 lookup main
+ PostUp = ip rule add fwmark 2222 lookup 51820
+ PostUp = ip rule add to 8.8.8.8 lookup 51820
+ PostUp = ip rule add to $SERVER_PUBLIC_IP table main
+ PostUp = ip rule add to $SUBNET.0/24 lookup 51820
+ PostUp = ip rule del not fwmark 51820 lookup 51820
+ PostUp = sysctl net.ipv4.ip_forward=1
+ #PostUp = systemctl restart dnsmasq
+ PostDown = killall udp2raw || echo "no udp2raw"
+ PostDown = iptables -D POSTROUTING -t mangle -p tcp --tcp-flags SYN,RST SYN -o %i -j TCPMSS --clamp-mss-to-pmtu
+ PostDown = iptables -t mangle -D OUTPUT -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostDown = iptables -t mangle -D PREROUTING -m set --match-set gfwlist dst -j MARK --set-mark 2222
+ PostDown = sysctl net.ipv4.ip_forward=0
+
+ [Peer]
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = 127.0.0.1:$(cat /etc/wireguard/udp2raw_port)
+ PublicKey = $(wg | grep 'public key:' | awk '{print $3}')
+
+ EOF
+
+ wg set wg0 peer $(cat client_pub) allowed-ips $ip/32,$lan_ip/24
+
+ echo "$peer_name $(cat client_priv) $ip" >> /etc/wireguard/peers
+ echo $ip > /etc/wireguard/lastip
+
+ wg-quick save wg0
+
+ mkdir -p /etc/wireguard/clients/$peer_name/
+ cp client.conf /etc/wireguard/clients/$peer_name/
+
+ show_client_conf
+ rm client.conf
+ rm client_*
+ wg-quick down wg0
+ wg-quick up wg0
+}
+
+
+add_peer()
+{
+ read -p "请输入要增加的用户名(英文+数字): " peer_name
+
+ if [ -d /etc/wireguard/clients/$peer_name ]; then
+ echo "用户已经存在"
+ return;
+ fi
+
+ subnet=$(cat /etc/wireguard/subnet)
+
+ ip=$subnet.$(expr $(cat /etc/wireguard/lastip | tr "." " " | awk '{print $4}') + 1)
+
+ wg genkey | tee client_priv | wg pubkey > client_pub
+
+ cat > client.conf <<-EOF
+ [Interface]
+ PrivateKey = $(cat client_priv)
+ Address = $ip/32
+ MTU = 1200
+ DNS = 8.8.8.8
+
+ [Peer]
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = $(get_public_ip):$(cat /etc/wireguard/wg0.conf | grep ListenPort | awk '{ print $3}')
+ PublicKey = $(wg | grep 'public key:' | awk '{print $3}')
+
+ EOF
+
+ wg set wg0 peer $(cat client_pub) allowed-ips $ip/32
+
+ echo "$peer_name $(cat client_priv) $ip" >> /etc/wireguard/peers
+ echo $ip > /etc/wireguard/lastip
+
+ wg-quick save wg0
+
+ mkdir -p /etc/wireguard/clients/$peer_name/
+ cp client.conf /etc/wireguard/clients/$peer_name/
+
+ show_client_conf
+ rm client.conf
+ rm client_*
+}
+
+
+delete_peer()
+{
+ read -p "请输入要删除的用户名: " peer_name
+
+ [ -d /etc/wireguard/clients/$peer_name ] || ( echo "用户不存在" ; return ;)
+
+ cat /etc/wireguard/clients/$peer_name/client.conf | grep "PrivateKey" | awk '{print $3}' > client_priv
+
+ wg set wg0 peer $(cat /etc/wireguard/clients/$peer_name/client.conf | grep "PrivateKey" | awk '{print $3}' | wg pubkey) remove
+ wg-quick save wg0
+
+ rm -rf /etc/wireguard/clients/$peer_name
+ echo "用户删除成功"
+}
+
+list_peer()
+{
+ cd /etc/wireguard/clients >/dev/null 2>/dev/null && ls && cd - 2>/dev/null 1>/dev/null
+}
+
+start_menu(){
+ echo "========================="
+ echo " 作者:基于atrandys版本修改"
+ echo "========================="
+ echo "1. 重新安装配置Wireguard"
+ echo "2. 增加用户"
+ echo "3. 增加用户(udp2raw配置)"
+ echo "4. 删除用户"
+
+ echo "5. 用户列表"
+
+ echo "6. 退出脚本"
+ read -p "请输入数字:" num
+ case "$num" in
+ 1)
+ configure_wireguard
+ ;;
+ 2)
+ add_peer
+ ;;
+
+ 3)
+ add_peer_udp2raw
+ ;;
+
+ 4)
+ delete_peer
+ ;;
+ 5)
+ list_peer
+ ;;
+ 6)
+ exit 1
+ ;;
+ *)
+ clear
+ echo "请输入正确数字"
+ sleep 2s
+ start_menu
+ ;;
+ esac
+}
+
+start_menu
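Review bot: delete_peer does not stop when the user is missing: in `[ -d /etc/wireguard/clients/$peer_name ] || ( echo "用户不存在" ; return ;)` the `return` runs inside a `( … )` subshell, so the function carries on to `wg set … remove` and `rm -rf /etc/wireguard/clients/$peer_name`. Because `peer_name` is unquoted and unvalidated, an empty answer or one containing `/` or `..` makes that `rm -rf`, run as root, act on a directory other than a single client's. I would validate first with `case "$peer_name" in ''|*[!A-Za-z0-9]*) echo "用户名无效"; return 1 ;; esac` and change the guard to `[ -d "/etc/wireguard/clients/$peer_name" ] || { echo "用户不存在"; return 1; }`. The same validation and quoting apply to add_peer and add_peer_udp2raw, and delete_peer also writes the client's private key to `client_priv` in the working directory, where nothing reads or removes it.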