
Setup VPN server on CentOS 8

Submitted by Alan Mels on Thu, 06/18/2020 - 06:00

WireGuard VPN setup script, to be run as root on a fresh CentOS 8 installation.

How to add and remove clients:
Create a client for the VPN with a single command (run as root on the server, e.g. over ssh):
/etc/wireguard/add-client.sh CLIENT_ID_HERE

This generates a QR code and a .conf file in /etc/wireguard/clients/CLIENT_ID_HERE and, if the
client id is an e-mail address, mails them to it. Note that both the .conf file and the QR code
contain the client's private key, so only rely on the mail option when that transport is acceptable.

/etc/wireguard/rm-client.sh CLIENT_ID_HERE
Removes the peer from the running interface and deletes the client's key and conf files.


0) Update the server:

# Bring the base system fully up to date before enabling third-party repos.
dnf -y update

1) Install Wireguard VPN

# Enable the two extra repositories first, then pull the kernel module
# package and the userspace tools (wg, wg-quick) from them.
dnf -y install elrepo-release epel-release
dnf -y install kmod-wireguard wireguard-tools

2) Create the WireGuard directory with restrictive permissions and generate the server key pair

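# /etc/wireguard will hold the server private key and, later, every client
# private key written by add-client.sh, so the directory itself is root-only.
# 'mkdir -p' keeps a re-run from failing when the package already created it.
mkdir -p /etc/wireguard
chmod 700 /etc/wireguard
cd /etc/wireguard/ || exit 1
# Generate the server key pair only once: regenerating it on a re-run would
# silently invalidate every client config that embeds the old public key.
if [ ! -s privatekey ]; then
    ( umask 077; wg genkey | tee privatekey | wg pubkey > publickey )
fi
server_public_key=$(cat publickey)
server_private_key=$(cat privatekey)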

3) Create Wireguard conf file

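FILE=/etc/wireguard/wg0.conf
# Outbound interface used for MASQUERADE. eth0 is the original hard-coded
# value; override with WAN_IF=... if 'ip route get 1.1.1.1' shows another name.
WAN_IF="${WAN_IF:-eth0}"
if [ -f "$FILE" ]; then
    echo "$FILE already exists."
else
    # Create the file with mode 600 *before* the private key goes into it.
    # The original "sh -c 'umask 077; touch $FILE'" never expanded $FILE
    # (single quotes, variable not exported), so the key was actually written
    # by >> under the default umask and stayed world-readable until step 4.
    ( umask 077; : > "$FILE" )
    # SaveConfig = true: 'wg-quick down' rewrites this file from the running
    # state; add-client.sh and rm-client.sh rely on that to persist peers.
    # NOTE(review): the second Address is the IPv4-mapped form of 10.0.0.1
    # (::ffff:10.0.0.1); the client template only hands out IPv4 addresses,
    # so confirm this is intended before relying on IPv6 inside the tunnel.
    cat >> "$FILE" <<EOF
[Interface]
Address = 10.0.0.1/24,::ffff:a00:1/64
SaveConfig = true
ListenPort = 53759
PrivateKey = $server_private_key
PostUp = iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
fi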

4) Restrict file permissions so that only root can read the private key and the config

# Belt and braces: both files should already have been created under
# umask 077, but make sure neither is readable by anyone other than root.
chmod 600 /etc/wireguard/privatekey /etc/wireguard/wg0.conf

5) Launch WireGuard and enable it at boot

# Register the systemd unit so wg0 comes back after a reboot, and bring the
# interface up right now (the unit runs the same wg-quick command on boot).
systemctl enable wg-quick@wg0
wg-quick up wg0

6) Enable IP forwarding (required for the NAT rules in PostUp to route client traffic)

# Persist IPv4/IPv6 forwarding; without it the server accepts tunnel traffic
# but never forwards it out through the MASQUERADE interface.
NATCONFFILE=/etc/sysctl.d/wg.conf
if [ -f "$NATCONFFILE" ]; then
    echo "$NATCONFFILE already exists."
else
    printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' >> "$NATCONFFILE"
fi
# Apply immediately instead of waiting for the next boot.
sysctl -p "$NATCONFFILE"

7) Create script to add clients

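# qrencode renders the client config as a QR code; mailx + sendmail deliver
# it when the client id is an e-mail address. Enable sendmail persistently:
# 'service sendmail start' only ran it until the next reboot, after which
# add-client.sh's mail step would silently fail to deliver.
# Be aware that the mailed files carry the client's PrivateKey in cleartext.
dnf -y install qrencode mailx sendmail
systemctl enable --now sendmail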
 
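# Written with a quoted heredoc so the generated script needs none of the
# '\'' escaping and nothing is expanded at install time.
cat > /etc/wireguard/add-client.sh <<'EOF'
#!/bin/bash
# add-client.sh CLIENT_ID
#
# Generates a WireGuard key pair and config under
# /etc/wireguard/clients/CLIENT_ID, registers the peer on wg0 and, when
# CLIENT_ID contains '@', mails the config and QR code to that address.
#
# SECURITY NOTE: the .conf and the QR PNG both embed the client PrivateKey
# in cleartext, so the mail path discloses the key to every hop in between.
set -euo pipefail

base_dir=/etc/wireguard
client_id="${1:-}"

if [ "$(id -u)" -ne 0 ]; then
	echo "add-client.sh must run as root (it writes to $base_dir and reconfigures wg0)" >&2
	exit 1
fi
if [ -z "$client_id" ]; then
	echo "must pass a client name as an arg: add-client.sh new-client" >&2
	exit 1
fi
# The id becomes a directory name under $base_dir and a mail(1) recipient:
# allow-list it so values like "../x" or "-s" cannot escape the clients
# directory or be parsed as options.
if ! [[ "$client_id" =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]] || [[ "$client_id" == *..* ]]; then
	echo "client id may only contain letters, digits, '.', '_', '@' and '-'" >&2
	exit 1
fi
client_dir="$base_dir/clients/$client_id"
if [ -d "$client_dir" ]; then
	echo "A client exists, please pick another id or remove existing first." >&2
	exit 1
fi

echo "Creating client config for: $client_id"
# Everything created below is secret material (private key, config with the
# key inside it, QR code of that config): 700 directories, 600 files.
umask 077
mkdir -p "$client_dir"
wg genkey | tee "$client_dir/$client_id.priv" | wg pubkey > "$client_dir/$client_id.pub"
key=$(cat "$client_dir/$client_id.priv")
# Next address is last-ip.txt + 1 inside 10.0.0.0/24; refuse to run past
# .254 instead of handing out an address outside the subnet.
last_octet=$(cut -d. -f4 "$base_dir/last-ip.txt")
next_octet=$((last_octet + 1))
if [ "$next_octet" -gt 254 ]; then
	echo "address pool 10.0.0.0/24 exhausted (last assigned 10.0.0.$last_octet)" >&2
	rm -rf -- "${client_dir:?}"
	exit 1
fi
ip="10.0.0.$next_octet"
FQDN=$(hostname -f)
SERVER_PUB_KEY=$(cat "$base_dir/publickey")
# Keys are base64 and may contain '/' and '+', so '|' is the sed delimiter.
sed -e "s|:CLIENT_IP:|$ip|" \
    -e "s|:CLIENT_KEY:|$key|" \
    -e "s|:SERVER_PUB_KEY:|$SERVER_PUB_KEY|" \
    -e "s|:SERVER_ADDRESS:|$FQDN|" \
    "$base_dir/wg0-client.example.conf" > "$client_dir/AltaGradeVPN.conf"
echo "$ip" > "$base_dir/last-ip.txt"
cp "$base_dir/SETUP.txt" "$client_dir/SETUP.txt"
echo "Created config!"
echo "Adding peer"
# wg0.conf has SaveConfig = true, so the down/up cycle persists the new peer.
wg set wg0 peer "$(cat "$client_dir/$client_id.pub")" allowed-ips "$ip/32"
wg-quick down wg0
wg-quick up wg0
wg show
qrencode -t ansiutf8 < "$client_dir/AltaGradeVPN.conf"
qrencode -o "$client_dir/AltaGradeVPN-QR.png" < "$client_dir/AltaGradeVPN.conf"
# Check if the clientid is an email address
if [[ "$client_id" == *"@"* ]]; then
	echo "An e-mail with configuration files is sent"
	echo "Please use provided conf file or the QR code to setup your Wireguard client. For more information please see: https://www.wireguard.com/install/" \
		| mail -s "AltaGrade VPN configuration files" -a "$client_dir/AltaGradeVPN.conf" -a "$client_dir/AltaGradeVPN-QR.png" "$client_id"
else
	echo "Provided userid is not a valid e-mail address, no mail was sent"
fi
EOF
chmod +x /etc/wireguard/add-client.sh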

8) Skeleton file for client conf

# Template consumed by add-client.sh; each :PLACEHOLDER: is substituted by
# sed there. The Endpoint port must match ListenPort in wg0.conf (53759), and
# AllowedIPs 0.0.0.0/0, ::/0 makes this a full-tunnel client.
cat > /etc/wireguard/wg0-client.example.conf <<'EOF'
[Interface]
Address = :CLIENT_IP:/24
DNS = 1.1.1.1
PrivateKey = :CLIENT_KEY:
 
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
PublicKey = :SERVER_PUB_KEY:
Endpoint = :SERVER_ADDRESS::53759
PersistentKeepalive = 25
EOF

9) A file containing last IP to incrementally assign to new clients

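# Seed the address counter read by add-client.sh (first client gets 10.0.0.2).
# Use the absolute path rather than relying on the earlier 'cd', and never
# reset a counter that already exists: a re-run would otherwise hand out
# addresses that are still assigned to live peers.
if [ ! -s /etc/wireguard/last-ip.txt ]; then
    echo "10.0.0.1" > /etc/wireguard/last-ip.txt
fi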

10) Remove client script

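cat > /etc/wireguard/rm-client.sh <<'EOF'
#!/bin/bash
# rm-client.sh CLIENT_ID
#
# Removes the peer from wg0 (persisted through SaveConfig by the down/up
# cycle) and deletes the client's key/config directory. The address is not
# returned to the pool: last-ip.txt only ever counts upward.
set -euo pipefail

base_dir=/etc/wireguard
client_id="${1:-}"

if [ "$(id -u)" -ne 0 ]; then
	echo "rm-client.sh must run as root (it writes to $base_dir and reconfigures wg0)" >&2
	exit 1
fi
if [ -z "$client_id" ]; then
	echo "must have peer id as arg: remove-client.sh <client id>" >&2
	exit 1
fi
# Same allow-list as add-client.sh: the id becomes a path under $base_dir
# that ends up in 'rm -rf', so a traversal such as "../.." must be rejected.
if ! [[ "$client_id" =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]] || [[ "$client_id" == *..* ]]; then
	echo "invalid client id" >&2
	exit 1
fi
client_dir="$base_dir/clients/$client_id"
if [ ! -d "$client_dir" ]; then
	echo "No such client has been registered" >&2
	exit 1
fi
key=$(cat "$client_dir/$client_id.pub")
wg set wg0 peer "$key" remove
wg-quick down wg0
wg-quick up wg0
wg show
rm -rf -- "${client_dir:?}"
EOF
chmod +x /etc/wireguard/rm-client.sh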

11) Create SETUP.txt for clients

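# Plain-text instructions copied into every client directory by add-client.sh.
# Only write it once: the original '>>' appended a duplicate copy on each re-run.
if [ ! -f /etc/wireguard/SETUP.txt ]; then
    cat > /etc/wireguard/SETUP.txt <<'EOF'
# Install instructions for AltaGrade clients created by add-client.sh
 
Wireguard install guides:
https://www.wireguard.com/install/
EOF
fi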

12) Set up SSH, the altagrade user, banner, prompt and aliases
BUG: this part has to be run manually, because the 56th node inside 65 is not being embedded here.

65