
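#!/usr/bin/env bash
# Install WireGuard as the VPN server on an EL7 host.
#
# Steps: enable the jdoss COPR repo, install the kernel module and tools,
# open UDP/51820 in firewalld (plus masquerading), and generate the server
# key pair under /etc/wireguard. An example wg0.conf is at the bottom.
#
# Usage: wireguard.sh        (sudo is required; yum may prompt to confirm)
#
# Fixes versus the first version of this script:
#   - the shebang was '#/bin/bash' (a plain comment), so the script ran under
#     whatever shell invoked it;
#   - the firewalld service file and the key files were written through
#     shell redirections as the unprivileged user, and with '>>' the XML was
#     duplicated on every rerun;
#   - the literal placeholder '<hostname>' in the key paths was parsed by the
#     shell as a redirection rather than as part of a filename;
#   - the private key was created with the default umask (world-readable).
set -euo pipefail

readonly REPO_URL='https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo'
readonly REPO_FILE='/etc/yum.repos.d/wireguard.repo'
readonly FW_SERVICE_FILE='/etc/firewalld/services/wireguard.xml'
readonly WG_DIR='/etc/wireguard'
readonly WG_PORT='51820'

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Enable the COPR repo and install the WireGuard packages.
# Globals:   REPO_URL, REPO_FILE (read)
# Returns:   non-zero if the download or an install fails (set -e)
#######################################
install_packages() {
  # -f: an HTTP error must fail the download instead of saving the error
  # body as a .repo file that yum would then try to parse.
  sudo curl -fLo "$REPO_FILE" "$REPO_URL"
  sudo yum install epel-release
  sudo yum install wireguard-dkms wireguard-tools
}

#######################################
# Define a firewalld service for WireGuard, allow it, and enable masquerading.
# Globals:   FW_SERVICE_FILE, WG_PORT (read)
# Outputs:   writes FW_SERVICE_FILE (overwritten, never appended)
#######################################
configure_firewall() {
  # sudo tee, not a redirection: the redirection would run as the calling
  # user, which cannot write under /etc/firewalld. Overwrite so reruns keep
  # the XML well-formed.
  sudo tee "$FW_SERVICE_FILE" >/dev/null <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>wireguard</short>
  <description>wireguard vpn</description>
  <port protocol="udp" port="${WG_PORT}"/>
</service>
EOF
  # Kept from the original; presumably gives firewalld time to notice the
  # new service file before it is referenced below — TODO confirm.
  sleep 5
  sudo firewall-cmd --add-service wireguard --permanent
  # NOTE(review): no --zone is given, so this masquerades forwarded traffic
  # for the default zone as a whole, not only VPN peers — confirm that is
  # intended. The PostUp iptables MASQUERADE rule in the example config
  # below covers the same need.
  sudo firewall-cmd --add-masquerade --permanent
  sudo firewall-cmd --reload
}

#######################################
# Generate the server key pair as <hostname>.wg0.key / <hostname>.wg0.pub.
# Globals:   WG_DIR (read)
# Outputs:   creates WG_DIR (0700) and the two key files; the private key
#            is 0600 from the moment it is created
# Returns:   exits via die() if a private key already exists, so a rerun
#            cannot silently replace a key that peers are already configured
#            with
#######################################
generate_keys() {
  local host key pub
  host=$(hostname)
  key="${WG_DIR}/${host}.wg0.key"
  pub="${WG_DIR}/${host}.wg0.pub"

  sudo mkdir -p "$WG_DIR"
  sudo chmod 700 "$WG_DIR"
  # WG_DIR is root-only, so the existence test has to run as root too.
  if sudo test -e "$key"; then
    die "refusing to overwrite existing private key: $key"
  fi

  # The private key is only ever passed through the pipe (never as an
  # argument, so it does not show up in ps or sudo logs). umask 077 applies
  # to the file sudo tee creates; chmod afterwards makes the mode explicit.
  (
    umask 077
    wg genkey | sudo tee "$key" | wg pubkey | sudo tee "$pub" >/dev/null
  )
  sudo chmod 600 "$key"
}

main() {
  install_packages
  configure_firewall
  generate_keys
}

main "$@"

# Example of /etc/wireguard/wg0.conf. It contains the private key, so keep
# it root-owned and mode 0600. %i is the interface name (wg0); <INTERFACE>
# is the host's uplink interface used for NAT.
#
# [Interface]
# Address = 10.12.0.1/29
# PrivateKey = <Private Key>
# ListenPort = 51820
# PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <INTERFACE> -j MASQUERADE
# PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <INTERFACE> -j MASQUERADE
#
# Each peer gets a single /32 in AllowedIPs, so a peer can only source
# traffic from its own assigned address.
#
# # iPhone
# [Peer]
# PublicKey = <Public Key>
# AllowedIPs = 10.12.0.2/32
#
# # GauntLaptop
# [Peer]
# PublicKey = <Public Key>
# AllowedIPs = 10.12.0.3/32
#
# # GauntMTA
# [Peer]
# PublicKey = <Public Key>
# AllowedIPs = 10.12.0.4/32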