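#! /usr/bin/env bash
# new-wg.sh - add a WireGuard client: pick a free address, generate a key
# pair, write the client config (shown as a QR code) and register the peer
# on the server. Needs root: it reads and writes /etc/wireguard and talks to
# the kernel through wg / wg-quick.
#
# Everything created below /etc/wireguard/clients contains a private key, so
# make sure nothing this script creates is readable by group or others.
umask 077
if (( EUID != 0 )); then
  echo "[!!] This program must be run as root" >&2
  # "exit -1" is not a valid status (bash reports it as 255); use a real one.
  exit 1
fi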
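function usage()
{
  # Print the command-line help on stdout (-h is a successful invocation,
  # the option-error path reuses this text after its own message).
  # $0 is quoted: an unquoted $0 would be word-split if the script path
  # contained spaces.
  cat << EOF
usage: $(basename "$0") [-h] [-i interface] [-d nameserver] [-a address]
 -h show this help message
 -i interface the targeted wireguard interface
 -d nameserver the DNS server to put in the client configuration
 -a address your server public address (IP or DNS)
EOF
}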
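function checks()
{
  # Validate and complete the global parameters before anything touches the
  # system.
  # Reads/writes the globals $interface, $nameserver and $serv_addr.
  # Exits 2 when the interface name is unusable or its config is missing.
  #
  # $interface is spliced into a path below /etc/wireguard, so restrict it
  # to the character set and length (1-15) wg-quick itself accepts for an
  # interface name; this keeps "-i ../something" from pointing the script at
  # an arbitrary file.
  if [[ ! "$interface" =~ ^[A-Za-z0-9_.=+-]{1,15}$ ]]; then
    echo "[!!] Invalid interface name '$interface', quitting" >&2
    exit 2
  fi
  if [[ ! -f "/etc/wireguard/$interface.conf" ]]; then
    echo "[!!] Given interface $interface does not exist, quitting" >&2
    exit 2
  fi
  # No -d given: fall back to the first IPv4 nameserver of resolv.conf.
  # An empty result is not fatal (wg-quick accepts an empty DNS line) but
  # the admin should know the client will get no resolver.
  if [[ -z "$nameserver" ]]; then
    nameserver="$(first_nameserver)"
    if [[ -z "$nameserver" ]]; then
      echo "[!!] No IPv4 nameserver found in /etc/resolv.conf, client DNS will be empty" >&2
    fi
  fi
  # No -a given: use the server's fully qualified host name.
  if [[ -z "$serv_addr" ]]; then
    serv_addr="$(hostname -f)"
  fi
}
# Print the first IPv4 nameserver of a resolv.conf-style file, or nothing.
#   $1 (optional): file to read, default /etc/resolv.conf.
# Only "nameserver" lines starting the line are considered (commented-out
# entries are ignored); IPv6 resolvers are skipped, as in the original.
# GNU sed has no \d (it is a decimal escape there), hence the explicit
# digit class.
function first_nameserver()
{
  local file="${1:-/etc/resolv.conf}"
  sed -n -r 's|^[[:space:]]*nameserver[[:space:]]+([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*|\1|p' "$file" | head -n 1
}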
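function getIP()
{
  # Pick the next client address for the server config.
  #   $1 (optional): path of the server config; defaults to
  #                  /etc/wireguard/$interface.conf, the only form the
  #                  script itself uses.
  # Writes the globals $lastip ("a b c d" of the highest address currently
  # handed out) and $newip (dotted quad, one above $lastip).
  # Exits 3 when no address can be derived or the next one would end in .255.
  local conf="${1:-/etc/wireguard/$interface.conf}"
  # GNU sed has no \d (it is a decimal escape there), so spell the digits out.
  local octet='([0-9]{1,3})'
  local quad="$octet\\.$octet\\.$octet\\.$octet"
  local a b c d packed best=-1
  lastip=""
  # Highest AllowedIPs address among the peers, compared as a packed 32-bit
  # integer instead of the original hex round trip. 10#$x keeps octets such
  # as "08" from being read as (invalid) octal.
  while read -r a b c d; do
    packed=$(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
    if (( packed > best )); then
      best=$packed
      lastip="$a $b $c $d"
    fi
  done < <(sed -n -r "s|AllowedIPs[[:space:]]*=[[:space:]]*$quad.*|\\1 \\2 \\3 \\4|p" "$conf")
  # No peer yet: start from the server's own Address line (wg-quick requires
  # one), so the first client gets server + 1 instead of 0.0.0.1.
  if [[ -z "$lastip" ]]; then
    read -r a b c d <<< "$(sed -n -r "s|Address[[:space:]]*=[[:space:]]*$quad.*|\\1 \\2 \\3 \\4|p" "$conf" | head -n 1)"
    if [[ -n "$d" ]]; then
      best=$(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
      lastip="$a $b $c $d"
    fi
  fi
  if [[ -z "$lastip" ]]; then
    echo "[!!] No AllowedIPs or Address found in $conf, cannot choose a client address" >&2
    exit 3
  fi
  packed=$(( best + 1 ))
  # Refuse a .255 address (broadcast of a /24); this is the only sanity check
  # the original performed, kept as is.
  if (( (packed & 0xff) == 255 )); then
    echo "[!!] No new IP is available, next would be .255" >&2
    echo "[!!] Last used IP was $lastip" >&2
    exit 3
  fi
  newip="$(( (packed >> 24) & 0xff )).$(( (packed >> 16) & 0xff )).$(( (packed >> 8) & 0xff )).$(( packed & 0xff ))"
}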
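# ---------------------------------------------------------------------------
# Main: parse options, pick an address, generate a key pair, write the client
# config (and show it as a QR code), then register the peer on the server.
# ---------------------------------------------------------------------------
# Defaults; each can be overridden with -i / -d / -a.
interface="wg0"
nameserver=""
serv_addr=""
opts=":i:d:a:h"
while getopts "$opts" arg; do
  case "$arg" in
    h)
      usage
      exit 0;;
    d) nameserver="$OPTARG";;
    i) interface="$OPTARG";;
    a) serv_addr="$OPTARG";;
    :)
      echo "[!!] Option -$OPTARG requires an argument" >&2
      usage
      exit 1
      ;;
    ?)
      echo "[!!] Invalid option: -$OPTARG" >&2
      usage
      exit 1
      ;;
  esac
done
shift $((OPTIND - 1))
# Validate the parameters (may exit). Every later step uses $interface:
# the original hard-coded wg0 for the server config, the public key and the
# final "wg addconf", so "-i wg1" read wg1's addresses but registered the
# peer on wg0.
checks
server_conf="/etc/wireguard/$interface.conf"
# Bring the interface up only if it is not already; unlike a blanket
# "2> /dev/null" this surfaces a genuine failure instead of hiding it.
if ! wg show "$interface" > /dev/null 2>&1; then
  if ! wg-quick up "$interface"; then
    echo "[!!] Could not bring up $interface, quitting" >&2
    exit 4
  fi
fi
# Gather everything the client config needs before creating any file, so a
# failure here leaves nothing behind.
getIP
echo "[++] New client address = $newip"
listen_port="$(sed -n -r 's|^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*([0-9]+).*|\1|p' "$server_conf" | head -n 1)"
if [[ -z "$listen_port" ]]; then
  echo "[!!] No ListenPort in $server_conf, cannot build the client Endpoint" >&2
  exit 4
fi
serv_pubkey="$(wg show "$interface" public-key)"
# Client configs hold private keys: directory and file are root-only.
client_confs="/etc/wireguard/clients"
mkdir -p -m 0700 "$client_confs"
chmod 0700 "$client_confs"
clientpath="$(mktemp "$client_confs/client.confXXXXXX")" || exit 1
chmod 0600 "$clientpath"
# Generate the client key pair. The private key only travels through shell
# variables, a pipe and the 0600 file - never through a command line.
client_privkey="$(wg genkey)"
client_pubkey="$(wg pubkey <<< "$client_privkey")"
echo "[++] Client pubkey = $client_pubkey"
cat << EOF > "$clientpath"
[Interface]
Address = $newip/32
PrivateKey = $client_privkey
DNS = $nameserver
[Peer]
PublicKey = $serv_pubkey
Endpoint = $serv_addr:$listen_port
AllowedIPs = 0.0.0.0/0
EOF
echo "[++] New client config written in $clientpath"
# QR code for mobile clients. The config is fed on stdin: passing it as an
# argument (the original did) exposes the private key to every local user
# through the process list.
if command -v qrencode > /dev/null 2>&1; then
  qrencode -t ansiutf8 < "$clientpath"
else
  echo "[!!] qrencode not installed, skipping the QR code" >&2
fi
# Register the peer in the server config of the interface actually in use.
cat << EOF >> "$server_conf"
# Added with a script
[Peer]
PublicKey = $client_pubkey
AllowedIPs = $newip/32
EOF
echo "[++] Added client to the server"
# Load the updated peer list into the running interface without a restart.
wg addconf "$interface" <(wg-quick strip "$interface")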