WireGuard automated installer | Ubuntu, Debian, CentOS, Fedora
Lightweight WireGuard installer, written entirely in bash.
GitHub:
https://github.com/Nyr/wireguard-install
One-liner:
wget https://git.io/wireguard -O wireguard-install.sh && bash wireguard-install.sh
Supported distros:
- Ubuntu 20.04 and 18.04
- Debian 10
- Centos 8 and 7
- Fedora 32 and 31
FAQ:
Will it work in my Raspberry Pi?
Probably, I don't have one to test. Install the raspberrypi-kernel-headers package and hope for the best. But you should consider using a distribution with built-in kernel support when it becomes available.
OpenVZ support?
News on this soon. I have something in mind, but I want to do it right and it's a decent ammount of work. That's why I wanted to release the current version of wireguard-install, which is fully compatible with everything else first.
Can you add x feature?
Maybe, if it's worth it. But I'll keep the installer simple and functional, so keep that in mind. Niche features are unlikely to be implemented.
I like the project, how can I help?
Tell other people about it! wireguard-install is new and many people do not yet know about it. Some other low-quality tools based on my openvpn-install work exist, with credits and copyright notices removed. It's a sad sight to me after nearly a decade maintaining openvpn-install.
LowEndBox & LowEndTalk.
Comments
This is what I like to see.
ExtraVM - AMD Ryzen VPS starting @ $3.50
USA (TX, VA, FL), CA, FR, UK, SGP, AU, RU
I was waiting for this, thanks!
Thank you Master. You made life easier for thousands of people ^:)^
P.S. I wish someone showed up here with a script that installs and configures a mailbox (Exim+Dovecot+Roundcube) in just 5 minutes...
Awesome! Thanks
https://www.iredmail.org/
DomainPeon
<333333
PREM
BillingServ - Easy, simple, and hassle-free online invoicing solution. Contact us today.
BaseServ Certified to ISO/IEC 27001:2013
mailcow
Is it possible to use same config for multiple users at the same time?
You can add up to 253 users per server, but each one has a statically assigned address, so two clients can't use the same credentials (and they shouldn't anyway).
Thank you Nyr!
Thanks @Nyr.
Is compatible to Debian 9?
Official support for Debian 9 ends in one month and there are no WireGuard packages for it anyway, so that would be a lot of trouble for little benefit.
Thanks @Nyr
I'm having a few probs, I know I need to install iptables for one. Would it be possible for you to take a look please?
We are ready to set up your WireGuard server now.Press any key to continue...E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation Get:1 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease [15.9 kB] Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease Err:1 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AE33835F504A1A25 Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease Reading package lists... Done W: GPG error: http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AE33835F504A1A25 E: The repository 'http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. Reading package lists... Done Building dependency tree Reading state information... Done linux-headers-4.15.0-99-generic is already the newest version (4.15.0-99.100). 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Reading package lists... Done Building dependency tree Reading state information... Done linux-headers-generic is already the newest version (4.15.0.99.89). 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to locate package wireguard wireguard-install.sh: line 323: wg: command not found wireguard-install.sh: line 323: /etc/wireguard/wg0.conf: No such file or directory chmod: cannot access '/etc/wireguard/wg0.conf': No such file or directory Job for wg-iptables.service failed because the control process exited with error code. See "systemctl status wg-iptables.service" and "journalctl -xe" for details. grep: /etc/wireguard/wg0.conf: No such file or directory wireguard-install.sh: line 129: wg: command not found wireguard-install.sh: line 130: wg: command not found wireguard-install.sh: line 132: wg: command not found grep: /etc/wireguard/wg0.conf: No such file or directory wireguard-install.sh: line 132: /etc/wireguard/wg0.conf: No such file or directory grep: /etc/wireguard/wg0.conf: No such file or directory wireguard-install.sh: line 141: wg: command not found grep: /etc/wireguard/wg0.conf: No such file or directory grep: /etc/wireguard/wg0.conf: No such file or directory grep: /etc/wireguard/wg0.conf: No such file or directory Failed to enable unit: Unit file [email protected] does not exist.This is Ubuntu 18.04 KVM, Inception Hosting
We're not on topic, but:
https://yunohost.org/
That's way more than just mailbox, but it doesn't include wireguard!
I'll address this in an hour or so.
Your system image has probably been customized from the distribution defaults by the provider and lacks a dependency which is required. iptables is installed for Ubuntu, in your case it was a problem related to the first one.
Thanks a lot for the report.
Fixed in the latest commit.
Thanks.. this is what i need... already used your installer openvpn in 3y now. Very stable for access my porn linux iso collection
Awesome. Thank you @Nyr
Great work. thank you
Nyr for President!
Long live LowEndInfo.com
Thanks @Nyr!
And for OpenVZ support (wireguard-go?) that would be really awesome, time to use those cheap idling NAT VPS
Yes, I know that a lot of people want that and I'll try to get it done as soon as possible.
For several reasons, it's going to be more work than one would guess at first glance, but I'm hoping it'll be worth it.
@Nyr if you have a dual stack home connection with ipv6 and ipv4 normally browser default is ipv6 and fallback is ipv4
but with your wireguard (and updated openvpn) installations, browser default is ipv4 and fallback is ipv6.
is there any particular reason for this?
I want ipv6 to be the default for everything if possible
this ss is from ipleak.net with vpn I just installed.
KUDOS for this beautiful wireguard script on the other hand.
between installling a vultr instance and connecting to vpn only takes 2 mins!
Is there anyway we can all chip in some dollarz to get you one to test?
I'll test it in my rasp 4.
At the bottom of his github page
Does this differ from the Angristan script in some particular ways? I remember your OVPN setup scripts used vastly different parameters on the basis of security.
@Nyr DNS_PROBE_FINISHED_NO_INTERNET.
I can't browser. Shoult I missing any thing?
I'm not up to date on that matter but that choice depends on the VPN client, operating system and web browser, they do all have their preferences. My scripts are neutral about priority of IP protocols inside the tunnel, so you'd need to check elsewhere, possibly configuration within your operating system or web browser.
Take also into account that IPv6 routes are generally equal or less performant than IPv4 routes, but almost never better. Some software will pick the fastest route automatically.
Don't worry about it, it's very likely to work with little or no modifications and I don't really need one to test.
raspberrypi-kernel-headerspackage, then run the script.Very significantly.
I took a quick look: my work includes an uninstaller, doesn't install unstable software, doesn't install unneeded dependencies, implements proper user management, proper firewall management, proper permissions, automated network setup, more efficient routing, doesn't break on systems with secure boot enabled, doesn't break on kernel upgrades.
Honestly I don't want to give away more details, because he's incompetent but able to copy and paste. It just boils my blood to see how someone copied my work, claimed it was insecure based on some misconceptions ("your RSA keys are too short!", "this cipher is better!") and presented a "secure" low-effort fork breaking lots of stuff which got popular and is even getting funded on Patreon for it. He has also removed the typical GitHub notice in the header showing that his repository is a fork of mine and just includes a small mention hidden deep in the readme.
I'd maybe be helpful to clear some misconceptions if some impartial party with the required qualifications could do a quick audit of my work and see if I made reasonable choices compared to him. But that would probably just give him more publicity and he has already had enough.
Using a Raspberry Pî as a server, right?
Please provide:
iptables -t nat -Landiptables -LIf you have a GitHub account I'd prefer the issue tracker, but if not here is fine too.
I'll take a look tomorrow, thanks!
No my friend. I'm using Debian 10 (online.net server).
After run script the ouput says for install kernel, but the kernel requested is already installed.
Edit: wireguard-install.sh: line 407: modprobe: command not found
Warning!
Installation was finished, but the WireGuard kernel module could not load.
Upgrade the kernel with "apt-get install linux-image-amd64" and restart
apt-get install linux-image-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-image-amd64 is already the newest version (4.19+105+deb10u3).
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
Thank you for the overview. I feel that his version attracted a lot more credibility on first glance because he includes a detailed overview of his design and implementation decisions, while your readme appears to be quite bare-bones and focused on minimalism.
I recognize that you're busy and doing this for free, so no expectation that this will ever be on a roadmap, and we appreciate your efforts nonetheless, but that's probably just why his fork got more traction overtime.
Thanks master for this,respect to you ^:)^
Is this a Scaleway machine? A dedicated server from Online.net? A virtualized server provided by a third party?
Some Scaleway machines have custom kernels, which require custom header packages which can't be managed by the script, but that doesn't seem to be the issue here.
Please provide the output of
uname -rand the full server installation log.Also your machine doesn't seem to have modprobe available, which is very weird. Any clean installation should provide it. I've double checked and a Scaleway VPS using the standard kernel works perfectly fine.
You are right, communication could certainly be improved from my end. Back when this project started I was very young and didn't even spoke reasonably good English to create some professional-looking documentation. That can still be seen nowadays with some of the grammar mistakes I make.
I should probably try to create a more informative and better looking readme, I'm putting that in my to-do list
4.19.0-8-amd64
I'm using online.net dedicated server.
I need to ask you a few questions before starting setup. You can use the default options and just press enter if you are ok with them. What port do you want WireGuard listening to? Tell me a name for the first client. Which DNS do you want to use for this client? 1) Current system resolvers 2) 1.1.1.1 3) Google 4) OpenDNS 5) NTT 6) AdGuard We are ready to set up your WireGuard server now. Hit:1 http://deb.debian.org/debian buster-backports InRelease Hit:2 http://mirrors.online.net/debian buster InRelease Hit:3 http://deb.debian.org/debian unstable InRelease Hit:4 http://security.debian.org/debian-security buster/updates InRelease Reading package lists... Reading package lists... Building dependency tree... Reading state information... linux-headers-4.19.0-8-amd64 is already the newest version (4.19.98-1+deb10u1). The following package was automatically installed and is no longer required: dkms Use 'apt autoremove' to remove it. 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded. Reading package lists... Building dependency tree... Reading state information... linux-headers-amd64 is already the newest version (4.19+105+deb10u3). The following package was automatically installed and is no longer required: dkms Use 'apt autoremove' to remove it. 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded. Reading package lists... Building dependency tree... Reading state information... iptables is already the newest version (1.8.2-4). qrencode is already the newest version (4.0.2-1). The following NEW packages will be installed: wireguard wireguard-dkms wireguard-tools 0 upgraded, 3 newly installed, 0 to remove and 15 not upgraded. Need to get 0 B/347 kB of archives. After this operation, 2,101 kB of additional disk space will be used. Selecting previously unselected package wireguard-dkms. (Reading database ... 121500 files and directories currently installed.) Preparing to unpack .../wireguard-dkms_0.0.20200318-1~bpo10+1_all.deb ... Unpacking wireguard-dkms (0.0.20200318-1~bpo10+1) ... Selecting previously unselected package wireguard-tools. Preparing to unpack .../wireguard-tools_1.0.20200319-1~bpo10+1_amd64.deb ... Unpacking wireguard-tools (1.0.20200319-1~bpo10+1) ... Selecting previously unselected package wireguard. Preparing to unpack .../wireguard_1.0.20200319-1~bpo10+1_all.deb ... Unpacking wireguard (1.0.20200319-1~bpo10+1) ... Setting up wireguard-dkms (0.0.20200318-1~bpo10+1) ... Loading new wireguard-0.0.20200318 DKMS files... Building for 4.19.0-8-amd64 Building initial module for 4.19.0-8-amd64 Done. wireguard.ko: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4.19.0-8-amd64/updates/dkms/ depmod... DKMS: install completed. Setting up wireguard-tools (1.0.20200319-1~bpo10+1) ... Setting up wireguard (1.0.20200319-1~bpo10+1) ... Processing triggers for man-db (2.8.5-2) ... That is a QR code containing your client configuration. Warning! Installation was finished, but the WireGuard kernel module could not load. Upgrade the kernel with "apt-get install linux-image-amd64" and restart. Your client configuration is available at: /root/wireguard_ams.conf If you want to add more clients, just run this script again.@mtsbatalha
Let's not spam the topic any further, PM me with the required information and I'll try to help. Or just install the script in a clean system, it'll work.
Thanks for your great work. Gonna install in all my VPSs.
Just a few clarifications.
Is it compatible with a server wit direct admin and CSF?
I was gonna install it but saw that firewalld is going to get installed.
I'm a bit of a noob, so not sure how they are compatible.
@Nyr
Good question:
CSF uses iptables as a backend, but in CentOS/Fedora which must be your OS, the default firewall frontend is firewalld (which also uses iptables/nftables, but that's not relevant). That's why in your case the script shows a warning about installing firewalld.
Even if the default CentOS/Fedora firewall management tool is firewalld, it would be a good idea to take care of others, and that's currently not the case, so I suggest you to avoid installing WireGuard today. I'll change this tomorrow, the presence of CSF was something which wasn't initially considered.
@Nyr,
Yes it's Centos.
I will wait. I tend to use CSF on most of my machines. I would be great that you take the time to look it up.
I just installed in a Ubuntu and it's just works. thanks a lot.
Any plans on adding unbound DNS? Can do it by hand, just wondering.
Thankyou for this comment, I'm going to start using @Nyr's scripts from now on - I had no idea about angristan's behaviour prior to this comment (I've been using angristan's openvpn script prior).
Been waiting, angristans script didn't work for me
Could you elaborate what kind of work?
My 2 cents is to make a static build (
CGO_ENABLED=0) of the userspace implementation (i.e., wireguard-go) with the memory tweak. The binary runs everywhere without causing troubles, so use it on older OS that doesn't ship the module in the default repository (i.e., all distros except the latest version of Ubuntu and Fedora).Disregard the warning that you should not use the Go program on Linux. It's much safer and easier than playing with out-of-tree kernel modules.
Those who have problem to install WG on Debian 9 kernel 4.x, just install kernel 5.x. I had a problem with freakin wireguard-dkms and kernel 5.5 helped me.
apt-cache search linux-image-
Locate 5.x version (not cloud version, be aware) and install it.
As for installer script... It's good to have it, but judging from how it's written - it's a work in progress.
Few notes: in bash you ALWAYS wrap your vars like ${var}. I will try to pull some contribution on this. Thank you for your time to write this script.
P.S. requirement to run script as root is excessive and some say it's absolutely unacceptable, sudo should be enough.
Wordpress Hosting - To make developers life more enjoyable!
Not at this time, mostly because I haven't even decided on the final approach, but it's going to involve significantly more work than that, at least that's what I'm planning at the moment. Just give me a few weeks and you'll understand
Debin 9 is going to be discontinued in a month anyway except for packages maintained by the LTS team. So one should, where possible, upgrade to Debian 10.
Yes, it is a work in progress in the sense that some stuff still needs to be implemented, changed and style needs to be improved a bit, but it's more cosmetic than anything else. I did just take a look at ShellCheck and while some little things were missed, it's not too bad.
This initial version did take me like two weeks of working part time on an off and while it may sound excessive it really wasn't and it was the absolute minimum to get something reasonable published.
What I mean is that I do need to manage my time and set priorities. I'm going to do some small but important improvements and then work on container support. After that, I can think about other stuff, but I am busy already for a few weeks with this, because I also have a regular job and there is a limit on my available time.
The script can run perfectly with sudo, I should probably clarify the printed message.
This is neat, but installing (and setting up) wireguard manually is multitudes easier than openvpn
@Nyr Do you continue to maintain the OpenVPN Installer? I switchted to the one from angristan because yours looked unmaintained but it seems there was recent activitiy
Absolutely.
There can be a lack of commits for several months sometimes which could cause someone to think that it is abandoned, but that's only because the project is very mature and solid at this stage and rarely needs significant changes.
I have zero intentions to stop supporting openvpn-install, use it with confidence.