Skip to content
Creates Wireguard configuration for hub and peers with ease
Shell Dockerfile
Branch: master
Clone or download
burghardt Merge pull request #6 from burghardt/ipv6
IPv6 support inside tunnels based on @Worty PR #1.
Latest commit 961b96f Sep 16, 2019

README.md

easy-wg-quick

easy-wg-quick - Creates Wireguard configuration for hub and peers with ease

Getting Started

These instructions will get you a copy of the project up and running on your local machine. This machine (called hub) will act as VPN concentrator. All other peers connects to hub (as in a "road warrior" configuration).

Prerequisites

Install Wireguard for your operating system on local machine, router, VPS or container. This will be your hub.

As dependences /bin/sh, wg, wg-quick, awk, grep and ip commands should be available on hub. If ip is not available user is required to set EXT_NET_IF and EXT_NET_IP variables in script to external network interface name and IP address (or edit wghub.conf). Optionally qrencode can be used to generate QR codes for mobile applications.

sudo apt install wireguard mawk grep iproute2 qrencode

Peers also requires Wireguard installed. Android and iOS are supported.

Installing

Just download the script and make it executable with chmod.

wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick
chmod +x easy-wg-quick

Or clone repository.

git clone https://github.com/burghardt/easy-wg-quick.git

Usage

Script do not require any arguments. Just run it and it will create usable Wireguard configuration for hub and one peer. Any sequential invocation creates another peer configuration within same hub.

./easy-wg-quick

Sample output

No seqno.txt... creating one!
No wgpsk.key... creating one!
No wghub.key... creating one!
No wghub.conf... creating one!
Wireguard hub address is 10.60.1.160:51820 on wlp2s0.
Note: customize [Interface] section of wghub.conf if required!
No wgclient10.conf... creating one!
█████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████
████ ▄▄▄▄▄ █▄▄  ▄▀▀█ ▄▀▀ ▀█ ▀▀▀█▄▀█▀██▀  ▄ ▄▄█▄▄▀ ▀▀▄██  █ ▄▄▄▄▄ ████
████ █   █ █  ██▀██▄▀█▄██▀ █▀█▄ ▄▄ ▄▀▄▄█ ██▀ █▄▄▄▄██ ▄ ▄ █ █   █ ████
████ █▄▄▄█ █▄▄▄▄ ███▄ ██▄▀▀  ▀ ▀ ▄▄▄ █▀▀▀▀ ██ ██▄▀█▀██ ▄██ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄▀▄█▄█ █▄▀▄█▄▀▄█▄█▄▀ █▄█ █▄▀▄▀ █ █ █▄▀▄█▄█ █ █▄▄▄▄▄▄▄████
████ ▄▄ ▀█▄▀ █▄ ██ ▀█▄█ ▄ █▀ ▀▄▀   ▄▄█ █ █▀████ ▀  ▀ ▀██▄ ▀█  ▄█ ████
█████▀  ▀ ▄█ ▄   ▀  ▀▀█▀▄████▄▄▀█▀█ █▀█▀▀▄▄▀█▄ ▄▀▄▀ ▄▀▀▄█ ▄▄▄ ▀▀▀████
████ ███▀▄▄▄▄▀▄▀▄██  ▀▀▄███▄▀  ▄▀▀▀▀▀█▀▀▄  ▀█▀▄▀█▄  █▄▀▄█▄▄█▀▄▄██████
█████▄▀▄▄▀▄██▄ ▄  █▄ █▀██▀██▀▀▄▀ ▀▄ ▄ ▄█ ▀ ▀█▀▄██▄▀█▄▄▄▄▄▀  ▄▄ ▀ ████
████▄█ █▀▀▄ ▀▄ ▄▄█▄▄▀▀▄█▄   ▀▄▄█▀ ▄▄▀▄▀ ▄▀▄█▀▀█▀█▄▀ ▀▄ ▀▀▀▀▄█▄▀▄▄████
████ ▄▀▀▀▄▄█ ▄█ ▀█ ██▄▄▄▀ █▀▄▄▄  ▀▄▀▀█▀ ▄█▄▄▀ ▄ █ ▄▀▄▀▀▄ █▄▀ ▄█▄█████
████▄▄▄▀▀▄▄▀█▀█▄    ▀██ ▀▄▄▀▄ █▀▄█▄ ▀▄█▀ ▀█▀██▀█▄▄▄█▀▄▄  ▄  ▄  ▀▀████
████▄▄▄▄ ▄▄▄▄█ ▀▀▄█▄▄▄ ▀▄  ▀▀ █ ██▀▀█▀▀▀▀▀▄▀▀██  █ ▄▄▄▄  ██   ▀▀▄████
████▀▀   █▄ █▄▄ ▄█▄█▄█▄▀▀▄▄█▀▄▄▀█▀▀▄█▄▀ █ █ █▀ █▀██▄█▀▀▄▄▄▄▄█▄▄██████
████ █  ██▄█▀▀████▄▄▄▀▀▄ ▄▀▄█ ██▀▄▀▄▄▄██▀ ▄▀██▄ ▀██▄▀▄▄█▄▀  █▄  ▀████
████ ██▄ ▄▄▄ ▄  ▄▀▀▀▀██ █▀▀▄▀██▀ ▄▄▄  █▄▀▀█  ▀█▀█▄  █  █ ▄▄▄ █▀▀▀████
████ ███ █▄█ ▀█▄▄ ███▀█ ▀▄▀█▄▀ █ █▄█ ▄ ▄█▄▄▀█▀▀ ██▄▄ █▄▀ █▄█ ▀▀▀▄████
████▀█▄▄▄ ▄▄ ▄ ▀ █▄█    ▀ ▀▀▄█▀▀▄▄  ▄  ▀ ███▄ ▀█▄▀▄ ██▀▀▄  ▄▄▄ █▄████
██████▀   ▄▄▄ ▄▀▄▀▀▀▄▄█   ▀▄ ▀▀▄▀██ ████▀ ▄██▀▀█ ▄▀ █ ▄▄▀▄█▄██▄ █████
████▄▄▄▀▄▄▄█▄█ ▄▄▄ █ █▀▀▄▄█ ████▀ ▀ ▀▄███ █▄ ▀▀▀▀█▀█▀█▀▄ █▄▀▄▀▀▀▀████
████    ▀▄▄▀▀▄  ▀ ▄▄█▄▀ ▀██▀ ▄▄▀▀▀ ▄▀▀ █▀██▀▀▄█ █▄▀▄▀▀█ ██▀████ ▀████
████ █▀▀█ ▄▀███   ▄ ▀▄█▄█▀▀ ▄██ ▀███▄▀█▄▄█  ▀▄█▄▄▄█ ▄█▄█▀▄▄▀▀  ▀█████
█████  ██▄▄▀ ▄ ▀ █ ▀█▄▄█▀██▄▄ ▀█▄█▄▀█ █▄▀ █▀█▄ ▀████▄  ▀ █▄ ▀██▀▄████
████▄ █▀▀█▄█▀▀█▄██▀█  ▀██▀ ▀▄▄▀▄ ▄ ▄▀▀ ▀▄  ██ ▀  ▀█  ██  ▀█▀▄ ▀██████
████ ▄█▀█▄▄ ▀▄▄   ▀ ▀ ▄▀▄▄ ▀█▄▄ ▀▀▄ ▄▀█ ▀▀▄ ▀▄█ ▄ ▄ ▀▄█▄ █▀▄▄▀█▄▄████
████▄▄  ▀▄▄ ▄▄▄ █▄████▀▀██▄█ ▀█▄ ██▀▀█▀█▄▄▀ █▄▄█ █ ▄▄ ██▄▀█▄▀▄█▄▄████
████▀▀ ▄ ▄▄▀▄▄▄▄██  ▄▄█▄█ ██▄█   ▄█▀█ ▄ ▄▀▄▀█▄▀█▀▄  ▀ ▀ ▀  ▄▀▀▄▀▀████
████▄▄▄▄██▄█▀▄▀▀▀ ▄▄  ▀▀   █▀ █▄ ▄▄▄ █▀ ▄  ▄▄▄██▄▀█ █ ▄▀ ▄▄▄  ▀ █████
████ ▄▄▄▄▄ ██▀▄▄▀█▄ ▄ ▀ ▀▀▄▄▄▄█  █▄█ ▀▄▀█▀▀▄▀▄▄█▀ ▄ ▀▄▀  █▄█  ██▄████
████ █   █ █▀▄ █▀▄▄▄▄▄  ██ ▄▀█▄█▄ ▄ ▄▀  ▀██▄▄▀▄▀█▄ ▀  ▄█▄▄▄▄▄▀██ ████
████ █▄▄▄█ █ ▄ ██▄▄▄▀▀█▀▀███▀▄█▄ ███▀▄ ▄▄▄█▀ █▄▄ █▄▀▄▀█▀██▀ █▄█▄█████
████▄▄▄▄▄▄▄█▄███▄▄▄▄█████▄█▄▄█▄█▄▄▄▄▄▄█▄▄█▄▄▄▄▄██▄█▄▄▄███▄▄█▄█▄▄▄████
█████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████
Scan QR code with your phone or use "wgclient10.conf" file.
Updating wghub.conf... done!

Important: Deploy updated wghub.conf configuration to wireguard with wg-quick:
  sudo wg-quick down ./wghub.conf # if already configured
  sudo wg-quick up ./wghub.conf
  sudo wg show # to check status

Note: passing argument to script creates symbolic link to created configuration
      to help remembering which config was for which device. If you didn't pass
      any argument you can still create a link manually with command:
  ln -vfs wgclient10.conf link_name.conf

Using generated configuration

On hub configure Wireguard.

sudo wg-quick up ./wghub.conf

On peer scan QR code or copy wgclient10.conf.

Finally on hub check if everything works with sudo wg show.

interface: wghub
  public key: kbaG3HxSDz3xhqiTNXlo1fZkFa+V6oTl+w0cSAQKxwQ=
  private key: (hidden)
  listening port: 51820

peer: th8qYu0R0mgio2wPu1kz6/5OOgi6l8iy7OobK590LHw=
  preshared key: (hidden)
  endpoint: 10.60.1.150:37218
  allowed ips: 10.127.0.10/32
  latest handshake: 50 minutes, 22 seconds ago
  transfer: 32.64 MiB received, 95.24 MiB sent

Fine tunning

Enabling IPv6

If global unicast IPv6 address is detected on server tunnels will be created with inner IPv6 addresses allocated. This allows hub's clients to connect over hub's IPv6 NAT to IPv6 network.

To use outer IPv6 addresses (i.e. connect client to hub over IPv6) just set EXT_NET_IF and EXT_NET_IP variables in script to external network interface name and IPv6 address (or edit wghub.conf).

Redirecting DNS

DNS redirection might be required to integrate with services like Pi-hole or Cloudflare DNS over TLS. This could be achieved by using port 53 UDP/TCP redirection in wghub.conf.

PostUp = iptables -t nat -A PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1:53
PostUp = iptables -t nat -A PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.1:53
PostDown = iptables -t nat -D PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1:53
PostDown = iptables -t nat -D PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.1:53

When using IPv6 similar rules should be set independently with ip6tables.

License

This project is licensed under the GPLv2 License - see the LICENSE file for details.

Acknowledgments

OpenVPN's easy-rsa was an inspiration for writting this script.

You can’t perform that action at this time.