This is a part of project:
https://github.com/adrianmihalko/raspberrypiwireguard
Be sure to read this first.
##############################################################################
This is a simple wireguard VPN user management script using on VPN server. Client config file and qrcode are generated.
- wireguard
- qrencode
The wireguard default config directory is /etc/wireguard.
The script config file is wg.def, create and edit it according to wg.def.sample.
You can generate the public key and private key with command wg genkey | tee > prikey | wg pubkey > pubkey.
Running as root.
./init.sh./user.sh -a aliceThis will generate a client conf and qrcode in current directory which name is alice and add alice to the wg config.
./user.sh -d aliceThis will delete the alice directory and delete alice from the wg config.
./user.sh -v aliceThis will show generated QR codes.
./config.sh -d./config.sh -rBy default, data from wireguard peers cannot access the LAN. To allow peers to access the LAN, uncomment the following line in /etc/sysctl.conf
net.ipv4.ip_forward=1A restart is required after this has been enabled.
The default iptable rules for wireguard will allow all traffic from the peers to the LAN. If you wish to limit access to certain addresses, add the LAN range to the server.conf.blacklist. IP addresses added to server.conf.whitelist will be forward from the peers.
The following will only allow 192.168.1.100 and 192.168.1.48 and prevent any other access to the LAN
192.168.1.48/32
192.168.1.100/32192.168.1.0/24By default all ports are open to be routed through wireguard. If you wish to restrict access to certain ports, add the ports to server.conf.ports.whitelist. This will block every TCP and UDP ports except those specifed in the whitelist. If there is no ports specified in the whitelist, then all ports will be available to the client.
The following will only allow SMB access from a wireguard client
139
445When these files are changed, a reload of the wireguard interface is required.
./config.sh -r