WireGuard automated installer | Ubuntu, Debian, CentOS, Fedora - Page 2

Comments

  • Nyr Community Contributor, Veteran

    emre said: if you have a dual stack home connection with ipv6 and ipv4 normally browser default is ipv6 and fallback is ipv4

    I'm not up to date on that matter but that choice depends on the VPN client, operating system and web browser, they do all have their preferences. My scripts are neutral about priority of IP protocols inside the tunnel, so you'd need to check elsewhere, possibly configuration within your operating system or web browser.

    Take also into account that IPv6 routes are generally equal or less performant than IPv4 routes, but almost never better. Some software will pick the fastest route automatically.

    bdl said: Is there any way we can all chip in some dollarz to get you one to test?

    Don't worry about it, it's very likely to work with little or no modifications and I don't really need one to test.

    mtsbatalha said: I'll test it in my rasp 4.

    • If using Raspbian (Debian 10), install the raspberrypi-kernel-headers package, then run the script.
    • If using Ubuntu 20.04, it's very possible that everything will just work.

    Bertie said: Does this differ from the Angristan script in some particular ways?

    Very significantly.

    I took a quick look: my work includes an uninstaller, doesn't install unstable software, doesn't install unneeded dependencies, implements proper user management, proper firewall management, proper permissions, automated network setup, more efficient routing, doesn't break on systems with secure boot enabled, doesn't break on kernel upgrades.

    Honestly I don't want to give away more details, because he's incompetent but able to copy and paste. It just boils my blood to see how someone copied my work, claimed it was insecure based on some misconceptions ("your RSA keys are too short!", "this cipher is better!") and presented a "secure" low-effort fork breaking lots of stuff which got popular and is even getting funded on Patreon for it. He has also removed the typical GitHub notice in the header showing that his repository is a fork of mine and just includes a small mention hidden deep in the readme.

    Bertie said: I remember your OVPN setup scripts used vastly different parameters on the basis of security.

    It'd maybe be helpful to clear some misconceptions if some impartial party with the required qualifications could do a quick audit of my work and see if I made reasonable choices compared to him. But that would probably just give him more publicity and he has already had enough.

    mtsbatalha said: DNS_PROBE_FINISHED_NO_INTERNET.

    Using a Raspberry Pi as a server, right?

    Please provide:

    • Server OS and version
    • Server installation log
    • Output of iptables -t nat -L and iptables -L
    • Client connects correctly, right?

    If you have a GitHub account I'd prefer the issue tracker, but if not here is fine too.

    I'll take a look tomorrow, thanks!

    Thanked by 3: mtsbatalha, bdl, sayem314
  • mtsbatalha Member
    edited May 2020

    Nyr said: Using a Raspberry Pi as a server, right?

    No my friend. I'm using Debian 10 (online.net server).

    After running the script, the output says to install the kernel, but the requested kernel is already installed.

    Edit: wireguard-install.sh: line 407: modprobe: command not found
    Warning!
    Installation was finished, but the WireGuard kernel module could not load.
    Upgrade the kernel with "apt-get install linux-image-amd64" and restart

    apt-get install linux-image-amd64

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    linux-image-amd64 is already the newest version (4.19+105+deb10u3).
    0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

  • Bertie Member
    edited May 2020

    Nyr said: Honestly I don't want to give away more details, because he's incompetent but able to copy and paste. It just boils my blood to see how someone copied my work, claimed it was insecure based on some misconceptions ("your RSA keys are too short!", "this cipher is better!") and presented a "secure" low-effort fork breaking lots of stuff which got popular and is even getting funded on Patreon for it. He has also removed the typical GitHub notice in the header showing that his repository is a fork of mine and just includes a small mention hidden deep in the readme.

    Thank you for the overview. I feel that his version attracted a lot more credibility on first glance because he includes a detailed overview of his design and implementation decisions, while your readme appears to be quite bare-bones and focused on minimalism.

    I recognize that you're busy and doing this for free, so no expectation that this will ever be on a roadmap, and we appreciate your efforts nonetheless, but that's probably just why his fork got more traction over time.

    Thanked by 1: vimalware
  • Thanks master for this, respect to you ^:)^

  • Nyr Community Contributor, Veteran
    edited May 2020

    mtsbatalha said: No my friend. I'm using Debian 10 (online.net server).

    Is this a Scaleway machine? A dedicated server from Online.net? A virtualized server provided by a third party?

    Some Scaleway machines have custom kernels, which require custom header packages which can't be managed by the script, but that doesn't seem to be the issue here.

    Please provide the output of uname -r and the full server installation log.

    Also your machine doesn't seem to have modprobe available, which is very weird. Any clean installation should provide it. I've double checked and a Scaleway VPS using the standard kernel works perfectly fine.

    Bertie said: Thank you for the overview. I feel that his version attracted a lot more credibility on first glance because he includes a detailed overview of his design and implementation decisions, while your readme appears to be quite bare-bones and focused on minimalism.

    I recognize that you're busy and doing this for free, so no expectation that this will ever be on a roadmap, and we appreciate your efforts nonetheless, but that's probably just why his fork got more traction over time.

    You are right, communication could certainly be improved from my end. Back when this project started I was very young and didn't even speak reasonably good English to create some professional-looking documentation. That can still be seen nowadays with some of the grammar mistakes I make.

    I should probably try to create a more informative and better looking readme, I'm putting that in my to-do list :)

  • Nyr said: Is this a Scaleway machine? A dedicated server from Online.net? A virtualized server provided by a third party?

    Some Scaleway machines have custom kernels, which require custom header packages which can't be managed by the script, but that doesn't seem to be the issue here.

    Please provide the output of uname -r and the full server installation log.

    Also your machine doesn't seem to have modprobe available, which is very weird. Any clean installation should provide it. I've double checked and a Scaleway VPS using the standard kernel works perfectly fine.

    4.19.0-8-amd64

    I'm using online.net dedicated server.

     
    I need to ask you a few questions before starting setup.                                                   
    You can use the default options and just press enter if you are ok with them.                              
                                                                                                               
    What port do you want WireGuard listening to?                                                              
                                                                                                               
    Tell me a name for the first client.                                                                       
                                                                                                               
    Which DNS do you want to use for this client?                                                              
       1) Current system resolvers                                                                             
       2) 1.1.1.1                                                                                              
       3) Google                                                                                               
       4) OpenDNS                                                                                              
       5) NTT                                                                                                  
       6) AdGuard                                                                                              
                                                                                                               
    We are ready to set up your WireGuard server now.                                                          
                                                                                                               
    Hit:1 http://deb.debian.org/debian buster-backports InRelease                                              
    Hit:2 http://mirrors.online.net/debian buster InRelease                                                    
    Hit:3 http://deb.debian.org/debian unstable InRelease                                                      
    Hit:4 http://security.debian.org/debian-security buster/updates InRelease                                  
    Reading package lists...                                                                                   
    Reading package lists...                                                                                   
    Building dependency tree...                                                                                
    Reading state information...
    linux-headers-4.19.0-8-amd64 is already the newest version (4.19.98-1+deb10u1).
    The following package was automatically installed and is no longer required:
      dkms
    Use 'apt autoremove' to remove it.
    0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
    Reading package lists...
    Building dependency tree...
    Reading state information...
    linux-headers-amd64 is already the newest version (4.19+105+deb10u3).
    The following package was automatically installed and is no longer required:
      dkms
    Use 'apt autoremove' to remove it.
    0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
    Reading package lists...
    Building dependency tree...
    Reading state information...
    iptables is already the newest version (1.8.2-4).
    qrencode is already the newest version (4.0.2-1).
    The following NEW packages will be installed:
      wireguard wireguard-dkms wireguard-tools
    0 upgraded, 3 newly installed, 0 to remove and 15 not upgraded.
    Need to get 0 B/347 kB of archives.
    After this operation, 2,101 kB of additional disk space will be used.
    Selecting previously unselected package wireguard-dkms.
    (Reading database ... 121500 files and directories currently installed.)
    Preparing to unpack .../wireguard-dkms_0.0.20200318-1~bpo10+1_all.deb ...
    Unpacking wireguard-dkms (0.0.20200318-1~bpo10+1) ...
    Selecting previously unselected package wireguard-tools.
    Preparing to unpack .../wireguard-tools_1.0.20200319-1~bpo10+1_amd64.deb ...
    Unpacking wireguard-tools (1.0.20200319-1~bpo10+1) ...
    Selecting previously unselected package wireguard.
    Preparing to unpack .../wireguard_1.0.20200319-1~bpo10+1_all.deb ...
    Unpacking wireguard (1.0.20200319-1~bpo10+1) ...
    Setting up wireguard-dkms (0.0.20200318-1~bpo10+1) ...
    Loading new wireguard-0.0.20200318 DKMS files...
    Building for 4.19.0-8-amd64
    Building initial module for 4.19.0-8-amd64
    Done.
    
    wireguard.ko:
    Running module version sanity check.
     - Original module
       - No original module exists within this kernel
     - Installation
       - Installing to /lib/modules/4.19.0-8-amd64/updates/dkms/
    
    depmod...
    
    DKMS: install completed.
    Setting up wireguard-tools (1.0.20200319-1~bpo10+1) ...
    Setting up wireguard (1.0.20200319-1~bpo10+1) ...
    Processing triggers for man-db (2.8.5-2) ...
    
     That is a QR code containing your client configuration.
    
    Warning!
    Installation was finished, but the WireGuard kernel module could not load.
    Upgrade the kernel with "apt-get install linux-image-amd64" and restart.
    
    Your client configuration is available at: /root/wireguard_ams.conf
    If you want to add more clients, just run this script again.
    
    
  • Nyr Community Contributor, Veteran

    @mtsbatalha

    • I don't think that's the full installation log, at the very least the systemd service setup must be missing
    • Previously modprobe was reporting an error, but in your provided log now it doesn't show anything
    • I requested some other information like the iptables output and client connection status which still weren't provided.

    Let's not spam the topic any further, PM me with the required information and I'll try to help. Or just install the script in a clean system, it'll work.

    Thanked by 1: mtsbatalha
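
The exchange above mixes two different failures: "modprobe: command not found" and a missing WireGuard module for the running kernel. The following triage script is an added example, not part of the thread or of wireguard-install.sh; the function names, the ROOT prefix parameter and the sample tree are assumptions made for illustration, and the sample places modprobe under /sbin as on a stock Debian 10 install.

```shell
#!/bin/sh
# Added example: separates the causes behind
# "the WireGuard kernel module could not load".

# in_path DIR PATHVALUE: succeeds if DIR is one of the colon-separated entries.
in_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
    esac
    return 1
}

# diagnose_wg_module ROOT KERNEL_RELEASE PATHVALUE
# ROOT is "" on a live system; a directory prefix lets the check run against
# a constructed tree. Prints exactly one verdict.
diagnose_wg_module() {
    dwm_root=$1 dwm_krel=$2 dwm_path=$3
    dwm_on_disk=no dwm_reachable=no
    for dwm_dir in /usr/local/sbin /usr/sbin /sbin /usr/bin /bin; do
        if [ -x "$dwm_root$dwm_dir/modprobe" ]; then
            dwm_on_disk=yes
            if in_path "$dwm_dir" "$dwm_path"; then dwm_reachable=yes; fi
        fi
    done
    if [ "$dwm_on_disk" = no ]; then
        echo "modprobe-missing"       # module tools are not installed at all
    elif [ "$dwm_reachable" = no ]; then
        echo "modprobe-not-in-path"   # binary exists, its directory is not in PATH
    elif ! find "$dwm_root/lib/modules/$dwm_krel" -name 'wireguard.ko*' \
            2>/dev/null | grep -q .; then
        echo "module-missing"         # nothing built for the running kernel
    else
        echo "ok"
    fi
}

# Constructed sample tree: modprobe under /sbin and a DKMS-built module in
# the directory the installation log reports for 4.19.0-8-amd64.
make_sample_root() {
    msr_dir=$(mktemp -d) || return 1
    mkdir -p "$msr_dir/sbin" \
             "$msr_dir/lib/modules/4.19.0-8-amd64/updates/dkms"
    printf '#!/bin/sh\n' > "$msr_dir/sbin/modprobe"
    chmod +x "$msr_dir/sbin/modprobe"
    : > "$msr_dir/lib/modules/4.19.0-8-amd64/updates/dkms/wireguard.ko"
    echo "$msr_dir"
}

sample=$(make_sample_root)
echo "PATH without sbin: $(diagnose_wg_module "$sample" 4.19.0-8-amd64 /usr/local/bin:/usr/bin:/bin)"
echo "PATH with sbin:    $(diagnose_wg_module "$sample" 4.19.0-8-amd64 /usr/sbin:/usr/bin:/sbin:/bin)"
echo "other kernel:      $(diagnose_wg_module "$sample" 5.5.0-0-constructed /usr/sbin:/sbin:/bin)"
rm -rf "$sample"

# On a live host: diagnose_wg_module "" "$(uname -r)" "$PATH"
```

A "modprobe-not-in-path" verdict points at the shell environment (for example a root shell whose PATH lacks the sbin directories) rather than at the kernel, so upgrading or reinstalling the kernel would not change it.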
  • Thanks for your great work. Gonna install in all my VPSs.

    Thanked by 1: Nyr
  • Just a few clarifications.
    Is it compatible with a server with direct admin and CSF?
    I was gonna install it but saw that firewalld is going to get installed.
    I'm a bit of a noob, so not sure how they are compatible.
    @Nyr

  • Nyr Community Contributor, Veteran

    @Iroshan464 said:
    Just a few clarifications.
    Is it compatible with a server with direct admin and CSF?
    I was gonna install it but saw that firewalld is going to get installed.
    I'm a bit of a noob, so not sure how they are compatible.
    @Nyr

    Good question:

    CSF uses iptables as a backend, but in CentOS/Fedora which must be your OS, the default firewall frontend is firewalld (which also uses iptables/nftables, but that's not relevant). That's why in your case the script shows a warning about installing firewalld.

    Even if the default CentOS/Fedora firewall management tool is firewalld, it would be a good idea to take care of others, and that's currently not the case, so I suggest you avoid installing WireGuard today. I'll change this tomorrow, the presence of CSF was something which wasn't initially considered.

  • @Nyr,
    Yes it's CentOS.
    I will wait. I tend to use CSF on most of my machines. It would be great that you take the time to look it up.
    I just installed in an Ubuntu and it just works. Thanks a lot.
    Any plans on adding unbound DNS? Can do it by hand, just wondering. :)

  • bdl Member

    @Nyr said:

    Bertie said: Does this differ from the Angristan script in some particular ways?

    Very significantly.

    ...

    Thank you for this comment, I'm going to start using @Nyr's scripts from now on - I had no idea about angristan's behaviour prior to this comment (I've been using angristan's openvpn script prior).

    Thanked by 1: AlwaysSkint
  • AlexJones Member
    edited May 2020

    Been waiting, angristan's script didn't work for me

  • naing Member

    Nyr said: For several reasons, it's going to be more work than one would guess at first glance, but I'm hoping it'll be worth it.

    Could you elaborate what kind of work?

    My 2 cents is to make a static build (CGO_ENABLED=0) of the userspace implementation (i.e., wireguard-go) with the memory tweak. The binary runs everywhere without causing troubles, so use it on older OS that doesn't ship the module in the default repository (i.e., all distros except the latest version of Ubuntu and Fedora).

    Disregard the warning that you should not use the Go program on Linux. It's much safer and easier than playing with out-of-tree kernel modules.

  • Levi Member
    edited May 2020

    Those who have problem to install WG on Debian 9 kernel 4.x, just install kernel 5.x. I had a problem with freakin wireguard-dkms and kernel 5.5 helped me.

    apt-cache search linux-image-

    Locate 5.x version (not cloud version, be aware) and install it.

    As for installer script... It's good to have it, but judging from how it's written - it's a work in progress.

    Few notes: in bash you ALWAYS wrap your vars like ${var}. I will try to pull some contribution on this. Thank you for your time to write this script.

    P.S. requirement to run script as root is excessive and some say it's absolutely unacceptable, sudo should be enough.

  • Nyr Community Contributor, Veteran

    naing said: Could you elaborate what kind of work?

    Not at this time, mostly because I haven't even decided on the final approach, but it's going to involve significantly more work than that, at least that's what I'm planning at the moment. Just give me a few weeks and you'll understand :)

    LTniger said: Those who have problem to install WG on Debian 9 kernel 4.x, just install kernel 5.x. I had a problem with freakin wireguard-dkms and kernel 5.5 helped me.

    Debian 9 is going to be discontinued in a month anyway except for packages maintained by the LTS team. So one should, where possible, upgrade to Debian 10.

    LTniger said: As for installer script... It's good to have it, but judging from how it's written - it's a work in progress.

    Few notes: in bash you ALWAYS wrap your vars like ${var}. I will try to pull some contribution on this. Thank you for your time to write this script.

    Yes, it is a work in progress in the sense that some stuff still needs to be implemented, changed and style needs to be improved a bit, but it's more cosmetic than anything else. I did just take a look at ShellCheck and while some little things were missed, it's not too bad.

    This initial version did take me like two weeks of working part time on and off and while it may sound excessive it really wasn't and it was the absolute minimum to get something reasonable published.

    What I mean is that I do need to manage my time and set priorities. I'm going to do some small but important improvements and then work on container support. After that, I can think about other stuff, but I am busy already for a few weeks with this, because I also have a regular job and there is a limit on my available time.

    LTniger said: P.S. requirement to run script as root is excessive and some say it's absolutely unacceptable, sudo should be enough.

    The script can run perfectly with sudo, I should probably clarify the printed message.

    Thanked by 1: vimalware
  • This is neat, but installing (and setting up) wireguard manually is multitudes easier than openvpn :)

  • boernd Member
    edited May 2020

    @Nyr Do you continue to maintain the OpenVPN Installer? I switched to the one from angristan because yours looked unmaintained but it seems there was recent activity

  • Nyr Community Contributor, Veteran
    edited May 2020

    @boernd said:
    @Nyr Do you continue to maintain the OpenVPN Installer? I switched to the one from angristan because yours looked unmaintained but it seems there was recent activity

    Absolutely.

    There can be a lack of commits for several months sometimes which could cause someone to think that it is abandoned, but that's only because the project is very mature and solid at this stage and rarely needs significant changes.

    I have zero intentions to stop supporting openvpn-install, use it with confidence.

  • bdl Member

    @Nyr said:

    @boernd said:
    @Nyr Do you continue to maintain the OpenVPN Installer? I switched to the one from angristan because yours looked unmaintained but it seems there was recent activity

    Absolutely.

    There can be a lack of commits for several months sometimes which could cause someone to think that it is abandoned, but that's only because the project is very mature and solid at this stage and rarely needs significant changes.

    I have zero intentions to stop supporting openvpn-install, use it with confidence.

    Awesome! If we installed openvpn using the angristan script, can we just switch to yours, or best to uninstall using angristan's and reinstall with yours?

    thanks again for all your great work!

    Thanked by 1: mustafamw3
  • Nyr Community Contributor, Veteran
    edited May 2020

    bdl said: Awesome! If we installed openvpn using the angristan script, can we just switch to yours, or best to uninstall using angristan's and reinstall with yours?

    thanks again for all your great work!

    An uninstall would be required.

    Thanked by 1: bdl
  • Cloudcone Member, Patron Provider

    We use WireGuard as well! Thanks for the script

  • Nyr Community Contributor, Veteran

    Iroshan464 said: I will wait. I tend to use CSF on most of my machines. It would be great that you take the time to look it up.

    This has now been addressed with the latest commit.

    Iroshan464 said: Any plans on adding unbound DNS? Can do it by hand, just wondering.

    I'd have to take a look, but probably not at this moment. Main priority right now is OVZ support and some other stuff.

    Thanked by 1: Iroshan464
  • I already installed the wireguard server with the script before the commit and I'm using CSF without an issue. Should I reinstall?

  • Nyr Community Contributor, Veteran

    AlexJones said: I already installed the wireguard server with the script before the commit and I'm using CSF without an issue. Should I reinstall?

    No.

    Thanked by 1: AlexJones
  • MikePT Moderator, Patron Provider, Veteran

    Seen the script when you released it. You might want to add IPv6 DNS servers to resolv.conf

    Cheers and thanks ❤️

  • default Veteran

    @Nyr - Thank you.

    Coming up next: Shadowsocks?

  • RedSox Member
    edited May 2020

    @default said:
    @Nyr - Thank you.

    Coming up next: Shadowsocks?

    It's already made. Just 3 commands:
    wget --no-check-certificate -O shadowsocks-libev-debian.sh https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-libev-debian.sh

    chmod +x shadowsocks-libev-debian.sh

    ./shadowsocks-libev-debian.sh 2>&1 | tee shadowsocks-libev-debian.log
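
The three commands above download a script with certificate checking switched off and run it as fetched. As an added example (not part of the post or of any project mentioned in this thread), the sketch below keeps TLS verification on and only keeps the file if it matches a SHA-256 pin taken from a copy that was reviewed beforehand; the function names are assumptions, and the pin used in the offline demo is the standard SHA-256 test vector for the string "abc".

```shell
#!/bin/sh
# Added example: fetch an installer over verified TLS and accept it only if
# it matches a pinned digest. URL and pin are supplied by the caller.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_pinned FILE EXPECTED
# 0 = digest matches the pin, 1 = mismatch,
# 2 = unusable input (missing file, or pin is not 64 lowercase hex digits).
verify_pinned() {
    [ -f "$1" ] || return 2
    [ "${#2}" -eq 64 ] || return 2
    case $2 in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_pinned URL EXPECTED DEST
# Refuses non-HTTPS URLs, downloads to a temporary file, and moves it to DEST
# only when the digest matches. DEST is not made executable.
fetch_pinned() {
    case $1 in
        https://*) ;;
        *) echo "refusing $1: not an https URL" >&2; return 2 ;;
    esac
    fp_tmp=$(mktemp) || return 1
    # No --no-check-certificate here: wget validates the certificate chain
    # and host name by default.
    if wget -q -O "$fp_tmp" "$1" && verify_pinned "$fp_tmp" "$2"; then
        mv "$fp_tmp" "$3"
        return 0
    fi
    rm -f "$fp_tmp"
    echo "refusing $1: download failed or digest does not match the pin" >&2
    return 1
}

# Constructed offline demo using the SHA-256 test vector for "abc".
ABC_PIN=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo=$(mktemp)
printf 'abc' > "$demo"
verify_pinned "$demo" "$ABC_PIN" && echo "pinned file accepted"
printf 'abc plus a line changed after review' > "$demo"
verify_pinned "$demo" "$ABC_PIN" || echo "modified file rejected"
rm -f "$demo"

# Real use (placeholders, fill in after reviewing a copy of the script):
#   fetch_pinned "$INSTALLER_URL" "$REVIEWED_SHA256" ./installer.sh
```

A URL that points at a branch such as master can serve different content over time, so a pin mismatch after an upstream change means the new version needs its own review before the pin is updated.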

  • Nyr Community Contributor, Veteran

    MikePT said: You might want to add IPv6 DNS servers to resolv.conf

    I'm not sure about that, IPv4 connections are usually more reliable and I see no benefit in using IPv6 DNS over a dual stack link.

    That said I probably would add it if more people ask about it.

    default said: Coming up next: Shadowsocks?

    No plans for that. Also SS is not very popular in the western world (as we can mostly use full VPNs freely).

    Thanked by 1: MikePT