diff --git a/wireguard-install.sh b/wireguard-install.sh index 272e445..063ea41 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -6,7 +6,7 @@ # Discard stdin. Needed when running from an one-liner which includes a newline -read -N 999999999 -t 0.001 +read -N 999999 -t 0.001 # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then @@ -14,11 +14,6 @@ if readlink /proc/$$/exe | grep -q "dash"; then exit fi -if [[ "$EUID" -ne 0 ]]; then - echo "This installer needs to be run with superuser privileges." - exit -fi - # Detect OpenVZ 6 if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then echo "The system is running an old kernel, which is incompatible with this installer." @@ -30,19 +25,15 @@ fi if grep -qs "ubuntu" /etc/os-release; then os="ubuntu" os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.') - group_name="nogroup" elif [[ -e /etc/debian_version ]]; then os="debian" os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1) - group_name="nogroup" elif [[ -e /etc/centos-release ]]; then os="centos" os_version=$(grep -oE '[0-9]+' /etc/centos-release | head -1) - group_name="nobody" elif [[ -e /etc/fedora-release ]]; then os="fedora" os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1) - group_name="nobody" else echo "This installer seems to be running on an unsupported distribution. Supported distributions are Ubuntu, Debian, CentOS, and Fedora." @@ -68,7 +59,7 @@ This version of CentOS is too old and unsupported." fi # Detect environments where $PATH does not include the sbin directories -if ! grep -q sbin <<< $PATH; then +if ! grep -q sbin <<< "$PATH"; then echo '$PATH does not include sbin. Try using "su -" instead of "su".' exit fi @@ -82,6 +73,11 @@ Upgrade the kernel using "dnf upgrade kernel" and restart.' exit fi +if [[ "$EUID" -ne 0 ]]; then + echo "This installer needs to be run with superuser privileges." + exit +fi + if [[ "$is_container" -eq 0 ]]; then if [ "$(uname -m)" != "x86_64" ]; then echo "In containerized systems, this installer supports only the x86_64 architecture. @@ -145,12 +141,12 @@ new_client_setup () { # available octet. Important to start looking at 2, because 1 is our gateway. octet=2 while grep AllowedIPs /etc/wireguard/wg0.conf | cut -d "." -f 4 | cut -d "/" -f 1 | grep -q "$octet"; do - (( octet++ )) + (( octet++ )) done # Don't break the WireGuard configuration in case the address space is full if [[ "$octet" -eq 255 ]]; then - echo "253 clients are already configured. The WireGuard internal subnet is full!" - exit + echo "253 clients are already configured. The WireGuard internal subnet is full!" + exit fi key=$(wg genkey) psk=$(wg genpsk) @@ -206,8 +202,8 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip # If the checkip service is unavailable and user didn't provide input, ask again - until [[ -n "$get_public_ip" || -n $public_ip ]]; do - echo "Invalid input." + until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do + echo "Invalid input." read -p "Public IPv4 address / hostname: " public_ip done [[ -z "$public_ip" ]] && public_ip="$get_public_ip" @@ -238,13 +234,21 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then read -p "Port [51820]: " port done [[ -z "$port" ]] && port="51820" + echo + echo "Enter a name for the first client:" + read -p "Name [client]: " unsanitized_client + # Allow a limited set of characters to avoid conflicts + client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") + [[ -z "$client" ]] && client="client" + echo + new_client_dns # Set up automatic updates for BoringTun if the user is fine with that if [[ "$is_container" -eq 0 ]]; then - echo - echo "BoringTun will be installed to set up WireGuard in the system." - read -p "Should automatic updates be enabled for it? [Y/n]: " boringtun_updates - until [[ "$boringtun_updates" =~ ^[yYnN]*$ ]]; do - echo "$remove: invalid selection." + echo + echo "BoringTun will be installed to set up WireGuard in the system." + read -p "Should automatic updates be enabled for it? [Y/n]: " boringtun_updates + until [[ "$boringtun_updates" =~ ^[yYnN]*$ ]]; do + echo "$remove: invalid selection." read -p "Should automatic updates be enabled for it? [Y/n]: " boringtun_updates done if [[ "$boringtun_updates" =~ ^[yY]*$ ]]; then @@ -256,15 +260,7 @@ if [[ ! -e /etc/wireguard/wg0.conf ]]; then fi fi echo - echo "Enter a name for the first client:" - read -p "Name [client]: " unsanitized_client - # Allow a limited set of characters to avoid conflicts - client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") - [[ -z "$client" ]] && client="client" - echo - new_client_dns - echo - echo "WireGuard installation is ready to begin now." + echo "WireGuard installation is ready to begin." # Install a firewall in the rare case where one is not already available if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then if [[ "$os" == "centos" || "$os" == "fedora" ]]; then @@ -312,7 +308,7 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ== if [[ "$os" == "ubuntu" && "$os_version" -ge 2004 ]]; then # Ubuntu 20.04 or higer apt-get update - apt-get install -y wireguard qrencode $firewall + apt-get install -y wireguard qrencode "$firewall" elif [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then # Ubuntu 18.04 # Repo is added manually so we don't depend on add-apt-repository. @@ -326,21 +322,21 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ== apt-get update # Try to install kernel headers for the running kernel and avoid a reboot. This # can fail, so it's important to run separately from the other apt-get command. - apt-get install -y linux-headers-$(uname -r) + apt-get install -y linux-headers-"$(uname -r)" # linux-headers-generic points to the latest headers. We install it because if # the system has an outdated kernel, there is no guarantee that old headers were # still downloadable and to provide suitable headers for future kernel updates. apt-get install -y linux-headers-generic - apt-get install -y wireguard qrencode $firewall + apt-get install -y wireguard qrencode "$firewall" elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then # Debian 10 if ! grep -qs '^deb .* buster-backports main' /etc/apt/sources.list /etc/apt/sources.list.d/*.list; then - echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list + echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list fi apt-get update # Try to install kernel headers for the running kernel and avoid a reboot. This # can fail, so it's important to run separately from the other apt-get command. - apt-get install -y linux-headers-$(uname -r) + apt-get install -y linux-headers-"$(uname -r)" # There are cleaner ways to find out the $architecture, but we require an # specific format for the package name and this approach provides what we need. architecture=$(dpkg --get-selections 'linux-image-*-*' | cut -f 1 | grep -oE '[^-]*$' -m 1) @@ -349,21 +345,21 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ== # headers were still downloadable and to provide suitable headers for future # kernel updates. apt-get install -y linux-headers-"$architecture" - apt-get install -y wireguard qrencode $firewall + apt-get install -y wireguard qrencode "$firewall" elif [[ "$os" == "centos" && "$os_version" -eq 8 ]]; then # CentOS 8 dnf install -y epel-release elrepo-release - dnf install -y kmod-wireguard wireguard-tools qrencode $firewall + dnf install -y kmod-wireguard wireguard-tools qrencode "$firewall" mkdir -p /etc/wireguard/ elif [[ "$os" == "centos" && "$os_version" -eq 7 ]]; then # CentOS 7 yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm yum install -y yum-plugin-elrepo - yum install -y kmod-wireguard wireguard-tools qrencode $firewall + yum install -y kmod-wireguard wireguard-tools qrencode "$firewall" mkdir -p /etc/wireguard/ elif [[ "$os" == "fedora" ]]; then # Fedora - dnf install -y wireguard-tools qrencode $firewall + dnf install -y wireguard-tools qrencode "$firewall" mkdir -p /etc/wireguard/ fi # Else, we are inside a container and BoringTun needs to be used @@ -372,7 +368,7 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ== if [[ "$os" == "ubuntu" && "$os_version" -ge 2004 ]]; then # Ubuntu 20.04 or higer apt-get update - apt-get install -y wireguard-tools qrencode ca-certificates $cron $firewall + apt-get install -y wireguard-tools qrencode ca-certificates "$cron" "$firewall" elif [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then # Ubuntu 18.04 # Repo is added manually so we don't depend on add-apt-repository. @@ -384,29 +380,29 @@ fiJGS5WoFr1yr8b7oQxTrZlCeHk3r3FJIhv2dQ== apt-key add - <<< "$ppa_key" echo "deb http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" > /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list apt-get update - apt-get install -y qrencode ca-certificates $cron $firewall - apt-get install -y wireguard-tools --no-install-recommends + apt-get install -y qrencode ca-certificates "$cron" "$firewall" + apt-get install -y wireguard-tools --no-install-recommends elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then # Debian 10 if ! grep -qs '^deb .* buster-backports main' /etc/apt/sources.list /etc/apt/sources.list.d/*.list; then - echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list + echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list fi apt-get update - apt-get install -y qrencode ca-certificates $cron $firewall - apt-get install -y wireguard-tools --no-install-recommends + apt-get install -y qrencode ca-certificates "$cron" "$firewall" + apt-get install -y wireguard-tools --no-install-recommends elif [[ "$os" == "centos" && "$os_version" -eq 8 ]]; then # CentOS 8 dnf install -y epel-release - dnf install -y wireguard-tools qrencode ca-certificates tar $cron $firewall + dnf install -y wireguard-tools qrencode ca-certificates tar "$cron" "$firewall" mkdir -p /etc/wireguard/ elif [[ "$os" == "centos" && "$os_version" -eq 7 ]]; then # CentOS 7 yum install -y epel-release - yum install -y wireguard-tools qrencode ca-certificates tar $cron $firewall + yum install -y wireguard-tools qrencode ca-certificates tar "$cron" "$firewall" mkdir -p /etc/wireguard/ elif [[ "$os" == "fedora" ]]; then # Fedora - dnf install -y wireguard-tools qrencode ca-certificates tar $cron $firewall + dnf install -y wireguard-tools qrencode ca-certificates tar "$cron" "$firewall" mkdir -p /etc/wireguard/ fi # Grab the BoringTun binary using wget or curl and extract into the right place. @@ -470,7 +466,7 @@ EOF ip6tables_path=$(command -v ip6tables) # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy # if we are in OVZ, with a nf_tables backend and iptables-legacy is available. - if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f $(command -v iptables) | grep -q "nft" && hash iptables-legacy 2>/dev/null; then + if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f "$(command -v iptables)" | grep -q "nft" && hash iptables-legacy 2>/dev/null; then iptables_path=$(command -v iptables-legacy) ip6tables_path=$(command -v ip6tables-legacy) fi @@ -544,17 +540,17 @@ EOF # If the kernel module didn't load, system probably had an outdated kernel # We'll try to help, but will not will not force a kernel upgrade upon the user if [[ ! "$is_container" -eq 0 ]] && ! modprobe -nq wireguard; then - echo "Warning!" - echo "Installation was finished, but the WireGuard kernel module could not load." - if [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then - echo 'Upgrade the kernel and headers with "apt-get install linux-generic" and restart.' - elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then - echo "Upgrade the kernel with \"apt-get install linux-image-$architecture\" and restart." - elif [[ "$os" == "centos" && "$os_version" -le 8 ]]; then + echo "Warning!" + echo "Installation was finished, but the WireGuard kernel module could not load." + if [[ "$os" == "ubuntu" && "$os_version" -eq 1804 ]]; then + echo 'Upgrade the kernel and headers with "apt-get install linux-generic" and restart.' + elif [[ "$os" == "debian" && "$os_version" -eq 10 ]]; then + echo "Upgrade the kernel with \"apt-get install linux-image-$architecture\" and restart." + elif [[ "$os" == "centos" && "$os_version" -le 8 ]]; then echo "Reboot the system to load the most recent kernel." - fi + fi else - echo "Finished!" + echo "Finished!" fi echo echo "The client configuration is available in:" ~/"$client.conf" @@ -564,8 +560,8 @@ else echo "WireGuard is already installed." echo echo "Select an option:" - echo " 1) Add a new user" - echo " 2) Remove an existing user" + echo " 1) Add a new client" + echo " 2) Remove an existing client" echo " 3) Remove WireGuard" echo " 4) Exit" read -p "Option: " option @@ -580,7 +576,7 @@ else read -p "Name: " unsanitized_client # Allow a limited set of characters to avoid conflicts client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") - while [[ -z "$client" || -n $(grep "^# BEGIN_PEER $client$" /etc/wireguard/wg0.conf) ]]; do + while [[ -z "$client" ]] || grep -q "^# BEGIN_PEER $client$" /etc/wireguard/wg0.conf; do echo "$client: invalid name." read -p "Name: " unsanitized_client client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") @@ -624,7 +620,7 @@ else if [[ "$remove" =~ ^[yY]$ ]]; then # The following is the right way to avoid disrupting other active connections: # Remove from the live interface - wg set wg0 peer $(sed -n "/^# BEGIN_PEER $client$/,\$p" /etc/wireguard/wg0.conf | grep -m 1 PublicKey | cut -d " " -f 3) remove + wg set wg0 peer "$(sed -n "/^# BEGIN_PEER $client$/,\$p" /etc/wireguard/wg0.conf | grep -m 1 PublicKey | cut -d " " -f 3)" remove # Remove from the configuration file sed -i "/^# BEGIN_PEER $client/,/^# END_PEER $client/d" /etc/wireguard/wg0.conf echo @@ -725,7 +721,7 @@ else rm -rf /etc/wireguard/ dnf remove -y wireguard-tools fi - rm -f /usr/local/sbin/boringtun /usr/local/sbin/boringtun-upgrade + rm -f /usr/local/sbin/boringtun /usr/local/sbin/boringtun-upgrade fi echo echo "WireGuard removed!"