WireGuard VPN installer on Ubuntu (OpenVZ environment)

his script is being developed and tested for this environment and requirements:

  • Ubuntu 20.04 LTS
  • OpenVZ container

The following bash script installs a userspace WireGuard implementation and a web GUI allowing you to manage the VPN. The software is used every time a customer purchase a Dedicated VPN instance.

bash 复制代码
#!/bin/sh
#!/bin/bash

#Variables
IP=$(hostname -I | awk '{print $2}')
SslKeyPath='/etc/nginx/ssl/priv.key'
SslCertPath='/etc/nginx/ssl/ssl.crt'
UiScreen=$(screen -ls | grep Detached | awk '{print $1}')
PasswordGenerator=$(</dev/urandom tr -dc '[:alnum:]' | head -c15; echo "")
now=$(date +'%Y-%m-%dT%H:%M:%S.%NZ')
PresharedKeyGen=$(openssl rand -base64 32)
export DEBIAN_FRONTEND=noninteractive

#Set proper mirrors
mv /etc/apt/sources.list /etc/apt/sources.list_backup
tee /etc/apt/sources.list <<EOF
deb https://mirrors.neterra.net/ubuntu/ focal main restricted universe
deb https://mirrors.neterra.net/ubuntu/ focal-updates main restricted universe
deb https://mirrors.neterra.net/ubuntu/ focal-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu focal partner
EOF

#Update software and install curl. 
apt-get -yq --allow-releaseinfo-change update
apt-get -y install curl nginx

#Install Go
cd /tmp 
wget https://dl.google.com/go/go1.13.4.linux-amd64.tar.gz 
tar zvxf go*
mv go /opt/go*
ln -s /opt/go*/bin/go /usr/bin/go 

#Install WireGuard
apt-get install -y --no-install-recommends wireguard-tools 
wget -P /usr/local/src http://files.vps.bg/vpn/wireguard/wireguard-go-0.0.20191012.tar.xz
tar -xvf /usr/local/src/wireguard-go-* --directory /usr/local/src/
cd /usr/local/src/wireguard-go-*
make
cp /usr/local/src/wireguard-go-*/wireguard-go /usr/local/bin 

#Install GUI
wget -P /usr/local/src/ui http://files.vps.bg/vpn/wireguard/wireguard-ui-v0.3.6-linux-amd64.tar.gz
tar xvf /usr/local/src/ui/wireguard-ui-* --directory /usr/local/src/ui

#Cleaning after the installation 
apt-get clean
rm -rf /usr/local/src/ui/*.tar.gz 
rm -rf /usr/local/src/*.tar.xz
rm -rf /tmp/*.tar.gz 

#Setting up services for the GUI
tee /etc/systemd/system/wgui.service <<EOF
[Unit]
Description=Restart WireGuard
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/systemctl restart wg-quick@wg0.service

[Install]
RequiredBy=wgui.path
EOF

tee /etc/systemd/system/wgui.path <<EOF
[Unit]
Description=Watch /etc/wireguard/wg0.conf for changes

[Path]
PathModified=/etc/wireguard/wg0.conf

[Install]
WantedBy=multi-user.target
EOF

#Generate SSL key and cert. 
mkdir /etc/nginx/ssl
openssl genrsa -out /etc/nginx/ssl/priv.key 2048
printf '\n\n\n\n\n\n\n\n' | openssl req -key /etc/nginx/ssl/priv.key -new -x509 -days 365 -out /etc/nginx/ssl/ssl.crt

#Configure proxy-pass for nginx to the UI
tee /etc/nginx/sites-available/ui.conf <<EOF
server {

    listen              7654 ssl;
    listen              [::]:7654 ssl;
    error_page 497 https://$IP:7654;
    server_name         $IP;
    root                /var/www/html/;
    error_log   /dev/null   crit;
    access_log  /dev/null;

    # SSL
    ssl_certificate     $SslCertPath;
    ssl_certificate_key $SslKeyPath;

    # reverse proxy
    location / {
        proxy_pass http://127.0.0.1:5000;

    }

}
EOF

ln -s /etc/nginx/sites-available/ui.conf /etc/nginx/sites-enabled/ui.conf
rm -rf /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default

#Start GUI for first time so that the files can be generated. 
tee -a /etc/systemd/system/wireguard-ui.service <<EOF
{
[Unit]
Description=wireguard-ui

[Service]
User=root
WorkingDirectory=/usr/local/src/ui
ExecStart=/usr/local/src/ui/wireguard-ui
Restart=always

[Install]
WantedBy=multi-user.target
}
EOF

systemctl start wireguard-ui.service
while ! netstat -tulpn | grep -q '5000'; do
  sleep 2
done
systemctl stop wireguard-ui.service

#Generate Client keys
wg genkey | tee /etc/wireguard/dedicatedvpn_private_key | wg pubkey > /etc/wireguard/dedicatedvpn_public_key

ClientPrivateKey=$(cat /etc/wireguard/dedicatedvpn_private_key)
ClientPubkey=$(cat /etc/wireguard/dedicatedvpn_public_key)

#Append initial config to the UI
tee /usr/local/src/ui/db/server/global_settings.json <<EOF
{
        "endpoint_address": "$IP",
         "dns_servers": [
                "9.9.9.9",
                "149.112.112.112"
        ],
        "mtu": "1450",
        "persistent_keepalive": "15",
        "config_file_path": "/etc/wireguard/wg0.conf",
        "updated_at": "$now"
}
EOF

tee /usr/local/src/ui/db/server/interfaces.json <<EOF
{
        "addresses": [
                "10.0.3.1/24"
        ],
        "listen_port": "51820",
		"updated_at": "$now",
        "post_up": "iptables -t nat -A POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE;  iptables -A INPUT -i venet0 -p tcp --destination-port 5000 -j DROP",
        "post_down": "iptables -t nat -D POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE; iptables -D INPUT -i venet0 -p tcp --destination-port 5000 -j DROP"
}
EOF

tee /usr/local/src/ui/db/server/users.json <<EOF
{
        "username": "dedicatedvpn",
        "password": "$PasswordGenerator"
}
EOF

tee /usr/local/src/ui/db/clients/c8lk2jip7fiao760lhq0.json <<EOF
{
        "id": "c8lk2jip7fiao760lhq0",
        "private_key": "$ClientPrivateKey",
        "public_key": "$ClientPubkey",
        "preshared_key": "$PresharedKeyGen",
        "name": "dedicatedvpn",
        "email": "noreply@vpn.vpn",
        "allocated_ips": [
                "10.0.3.2/32"
        ],
        "allowed_ips": [
                "0.0.0.0/0"
        ],
        "extra_allowed_ips": [],
        "use_server_dns": true,
        "enabled": true,
        "created_at": "$now",
        "updated_at": "$now"
}
EOF

#Create a default wg0 conf for initial config
WireguardPrivateKey=$(cat /usr/local/src/ui/db/server/keypair.json | grep private | awk '{print $2}' | cut -d '"' -f2)

tee /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.0.3.1/24
ListenPort = 51820
PrivateKey = $WireguardPrivateKey
MTU = 1450
PostUp = iptables -t nat -A POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE;  iptables -A INPUT -i venet0 -p tcp --destination-port 5000 -j DROP;
PostDown = iptables -t nat -D POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE; iptables -D INPUT -i venet0 -p tcp --destination-port 5000 -j DROP;


[Peer]
PublicKey = $ClientPubkey
PresharedKey = $PresharedKeyGen
AllowedIPs = 10.0.3.2/32
EOF

#Start all of the needed services
systemctl start wg-quick@wg0 
systemctl start wgui.service
systemctl start wgui.path
systemctl start wireguard-ui.service
systemctl restart nginx

systemctl enable wireguard-ui.service
systemctl enable wg-quick@wg0 
systemctl enable wgui.path
systemctl enable wgui.service


#Configure SSH.
sed -i "s/#Port 22/Port 22000/g" /etc/ssh/sshd_config
systemctl restart sshd


#Remove bloatware & update
apt-get purge libpython* exim* apache2* python* pwgen tcpdump telnet -y 
apt-get clean
reboot
相关推荐
耶啵奶膘29 分钟前
uniapp-是否删除
linux·前端·uni-app
_.Switch1 小时前
高级Python自动化运维:容器安全与网络策略的深度解析
运维·网络·python·安全·自动化·devops
2401_850410831 小时前
文件系统和日志管理
linux·运维·服务器
JokerSZ.1 小时前
【基于LSM的ELF文件安全模块设计】参考
运维·网络·安全
XMYX-02 小时前
使用 SSH 蜜罐提升安全性和记录攻击活动
linux·ssh
芯盾时代2 小时前
数字身份发展趋势前瞻:身份韧性与安全
运维·安全·网络安全·密码学·信息与通信
心灵彼岸-诗和远方3 小时前
DevOps业务价值流:架构设计最佳实践
运维·产品经理·devops
一只哒布刘3 小时前
NFS服务器
运维·服务器
苹果醋34 小时前
Java8->Java19的初步探索
java·运维·spring boot·mysql·nginx
不是笨小孩i4 小时前
开源AI图片处理工具HivisionIDPhotos安装与证件照制作指南
ubuntu