hwdsl2 / wireguard-install
WireGuard VPN server installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS, Fedora, openSUSE and Raspberry Pi OS
License: MIT License
Checklist
Describe the issue
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Error: This system is running inside a container, which is not supported by this installer.
Expected behavior
A clear and concise description of what you expected to happen.
Logs
Add error logs to help explain the problem, if applicable.
Server (please complete the following information)
Client (please complete the following information)
Additional context
Add any other context about the problem here.
I'm trying to set up a WireGuard VPN on an Ubuntu server.
uname -a
Linux suricata 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
I installed the VPN server using the default options, except for the DNS: I used my current DNS resolvers.
The wg0.conf on my server:
# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT 163.114.159.100
[Interface]
Address = 10.7.0.1/24
PrivateKey = *****
ListenPort = 51820
# BEGIN_PEER wg0
[Peer]
PublicKey = *****
PresharedKey = *****
AllowedIPs = 10.7.0.2/32
# END_PEER wg0
sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.7.0.0/24 0.0.0.0/0
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
127 7304 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 SNAT all -- * * 10.7.0.0/24 !10.7.0.0/24 to:163.114.159.100
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
The internet is working and the interface is up. When I move the client conf to the client machine, I don't have any internet access, and I can't access the VPN server IP. I tried to ping it back; it doesn't work. Nothing is working.
cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.7.0.2/24
DNS = 163.114.159.11, 163.114.159.12
PrivateKey = *****
[Peer]
PublicKey = *****
PresharedKey = *****
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 163.114.159.100:51820
PersistentKeepalive = 25
root@test-VirtualBox:~# sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
And even when I try to enable and start the service using systemctl, it fails:
× wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2023-06-05 03:33:07 CEST; 42s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 14796 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
Main PID: 14796 (code=exited, status=1/FAILURE)
CPU: 15ms
juin 05 03:33:07 test-VirtualBox systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
juin 05 03:33:07 test-VirtualBox wg-quick[14796]: wg-quick: `wg0' already exists
juin 05 03:33:07 test-VirtualBox systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/>
juin 05 03:33:07 test-VirtualBox systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
juin 05 03:33:07 test-VirtualBox systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
From the server I try to ping my client:
ubuntu@suricata:~/wireguard-install$ ping 10.7.0.2
PING 10.7.0.2 (10.7.0.2) 56(84) bytes of data.
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.7.0.2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3072ms
And from the client, it times out and fails.
It feels like the bandwidth drops by half; I don't know whether it's a Clash problem or a problem on this end.
Checklist
Describe the enhancement request
The script should add Arch Linux support
Is your enhancement request related to a problem? Please describe.
No
Additional context
Well, most of the wireguard-install scripts either don't support Arch Linux or barely support it. So it would be great for this script to support it.
Because my protocol only supports TCP, he blocked UDP.
Sorry, this question isn't really related to the script, but how can I stop WireGuard from using IPv6? I want it to only use IPv4. Thank you.
Checklist
Describe the enhancement request
When running sudo bash wireguard.sh
after having set up the server and clients, the following options are available:
It would be quite helpful to add a 6th option, regenerate QR code for existing client. This would be most useful when people update their phones and reinstall everything and in the instances where people want to access with their PC as well as their phone (one person, 2 devices).
Is your enhancement request related to a problem? Please describe.
No, everything works reliably.
Additional context
Hello, I encountered an issue when the subnet is being filled to the limit.
Does the script only work in one subnet? Is it possible to make the script continue creating client certs in additional subnets?
Checklist
Describe the enhancement request
I suggest that after the script finishes installing, it modify /etc/sysctl.conf and add the following:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Is your enhancement request related to a problem? Please describe.
After installing with the script, I found that when connecting to the VPN over WiFi I could not get past the firewall, while when connecting over mobile data I could. After adding these to sysctl.conf, WiFi works too. I don't actually understand what this configuration means; the developer can evaluate it.
Checklist
Describe the enhancement request
A clear and concise description of your enhancement request.
Is your enhancement request related to a problem? Please describe.
A clear and concise description of what the problem is, if applicable.
Additional context
Add any other context about the enhancement request here.
Checklist
Describe the issue
A clear and concise description of what the bug is.
After the successful automatic installation on an Amazon EC2 Ubuntu server, I connected to it on Android and also tried to connect to it on a laptop, but to no avail. No internet connection.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Logs
Add error logs to help explain the problem, if applicable.
Server (please complete the following information)
Client (please complete the following information)
Additional context
Add any other context about the problem here.
Checklist
Describe the issue
Installing WireGuard, please wait...
To Reproduce
Expected behavior
A clear and concise description of what you expected to happen.
Logs
Add error logs to help explain the problem, if applicable.
Server (please complete the following information)
Client (please complete the following information)
Additional context
Add any other context about the problem here.
Since the IP range is fixed, is there no way to change it?
Google CentOS 9, why list failed? Thanks
How can I change the IP address range? I have two servers connecting to one device, and since both use your script, they conflict.
Checklist
Describe the enhancement request
A clear and concise description of an implementation with no logs
System: lightweight cloud CentOS 7.6
Problem: the installation went fine, but after the server reboots, WireGuard does not start automatically at boot.
How do I start it manually, or add it to start at boot?
Please add an uninstall script, thanks.
Do you want to continue? [Y/n] y
Installing WireGuard, please wait...
Checklist
Describe the enhancement request
It would be nice to see some information about clients, such as the time of last connection and the traffic used, in the list of clients. I don't suggest implementing the ability to log, just some general information that would make it possible to know about traffic usage and time of use.
Is your enhancement request related to a problem? Please describe.
Additional context
Checklist
This bug is about the VPN installation script, not the WireGuard VPN itself
I have read the README
I have configured the VPN client according to the instructions
I have searched the existing issues
Describe the issue
I installed WireGuard with the install script without problems, and added the WireGuard configuration on iOS by scanning the QR code.
Connecting to the VPN with this configuration succeeds.
But I can only ping 10.7.0.1 (that is, the peer's IP); I can't get online.
To Reproduce
I guessed that my VPS might have a problem, so I tested on three different VPS platforms; all are in the same state.
Of these, the first VPS mentioned above is a fresh install of Ubuntu 20.04; the other two already have v2ray or similar software running (that software connects normally).
Expected behavior
My own guess is that there may be a routing problem, but I don't know how to troubleshoot it. Could you check whether some setting could be made during installation? Or could it be an iOS problem?
(I have an M1 MacBook; the situation is the same.)
Logs
No logs; the VPN connects normally.
Server (please complete the following information)
Client (please complete the following information)
Additional context
No.
Understood. As for the moment when the error described above occurs: everything works fine until the first reboot of the server. After a reboot, the problem recurs. That is, the handshake goes well, but there is no Internet access.
Please tell me what information to provide so that you can possibly help me.
WireGuard is not working. The handshake goes well, the server can be pinged, but there is no internet access. Tried on Windows, phone, router; the result is the same.
Hello author, I'd like to ask about split tunneling, and also: is WireGuard data transmission secure?
Describe the issue
I followed the instructions and used the qr code to setup the peer on my android which displays 2 public keys:
SzZkNHW... and
bC4Dsw8...
My wg0.conf file on the server:
[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = 8D...
ListenPort = 51820
[Peer]
PublicKey = SzZkNHWC...
PresharedKey = vE...
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
So far seems to be OK until I run wg show on the server:
interface: wg0
public key: 7TyDV3k/7I5pR4ARYaPhtfoRRWvcWvAMNLcmcwoLiiI=
private key: (hidden)
listening port: 51820
Running wg syncconf or wg setconf both return this error:
scott@scottlounge:~$ sudo wg setconf wg0 /etc/wireguard/wg0.conf
Line unrecognized: Address=10.7.0.1/24,fddd:2c4:2c4:2c4::1/64
Configuration parsing error
I believe the public key, 7TyDV3k/7I5pR4ARYaPhtfoRRWvcWvAMNLcmcwoLiiI= was a key created by an earlier key generation attempt by me.
Expected behavior
That the wg0.conf file that did not exist prior to running the install script contains the server key that the script generated.
Logs
Add error logs to help explain the problem, if applicable.
Server (please complete the following information)
Client (please complete the following information)
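The parsing error in this report is what happens when a wg-quick(8) configuration is handed to wg(8) directly: `wg setconf` and `wg syncconf` only accept the keys wg(8) itself defines (PrivateKey, ListenPort, FwMark under [Interface]; PublicKey, PresharedKey, AllowedIPs, Endpoint, PersistentKeepalive under [Peer]), so Address, DNS and the other wg-quick extensions are reported as unrecognized lines. The stock way to get a wg(8)-compatible view is `wg-quick strip wg0`. The script below is an added example, not code from wireguard-install or from WireGuard, that does the same filtering on a constructed config with placeholder keys and adds a check of whether a running interface's public key is the one derived from the config file (the function names and the sample config are mine):

```shell
#!/bin/sh
# Added example, not wireguard-install's own code: separate the wg-quick(8)
# keys in a wg0.conf from the keys wg(8) accepts, which is the distinction
# behind the "Line unrecognized: Address=..." error above. The sample
# config is constructed; keys are placeholders.

# [Interface] keys wg(8) setconf/syncconf reject: they are wg-quick extensions.
WG_QUICK_ONLY_KEYS='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig'

# wg_quick_only_lines FILE: print the lines wg setconf would reject.
wg_quick_only_lines() {
    grep -E "^[[:space:]]*(${WG_QUICK_ONLY_KEYS})[[:space:]]*=" "$1" || true
}

# wg_strip_quick_keys FILE: print FILE without those lines, i.e. something
# wg setconf/syncconf can read (what `wg-quick strip wg0` does for you).
wg_strip_quick_keys() {
    grep -Ev "^[[:space:]]*(${WG_QUICK_ONLY_KEYS})[[:space:]]*=" "$1"
}

# wg_key_matches FILE IFACE: succeed if the public key of the running
# interface is the one derived from FILE's PrivateKey. Needs wg(8). An
# interface left over from an earlier attempt keeps its old key until
# setconf/syncconf replaces it, which is what the mismatch above looks like.
wg_key_matches() {
    conf_pub=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$1" | head -n1 | wg pubkey)
    run_pub=$(wg show "$2" public-key)
    [ "$conf_pub" = "$run_pub" ]
}

# Stand-alone demo on a constructed config (placeholder keys).
wg_demo() {
    demo_conf=$(mktemp)
    printf '%s\n' \
        '[Interface]' \
        'Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64' \
        'PrivateKey = PLACEHOLDER_PRIVATE_KEY' \
        'ListenPort = 51820' \
        '[Peer]' \
        'PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY' \
        'PresharedKey = PLACEHOLDER_PSK' \
        'AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128' > "$demo_conf"
    echo "== lines wg setconf rejects =="
    wg_quick_only_lines "$demo_conf"
    echo "== wg(8)-only view of the config =="
    wg_strip_quick_keys "$demo_conf"
    rm -f "$demo_conf"
}

wg_demo
```

On a real host, `wg_key_matches /etc/wireguard/wg0.conf wg0` failing while the interface exists is the situation the report describes: `wg-quick down wg0` followed by `wg-quick up wg0` (or `wg syncconf wg0 <(wg-quick strip wg0)`) loads the key from the file.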
Checklist
Describe the issue
To Reproduce
Steps to reproduce the behavior:
sudo bash wireguard.sh
Welcome to this WireGuard server installer!
GitHub: https://github.com/hwdsl2/wireguard-install
I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are OK with them.
Which IPv6 address should be used?
1) 111xxx
2) 222xxx
IPv6 address [1]: 1
What port should WireGuard listen to?
Port [51820]:
Enter a name for the first client:
Name [client]:
Select a DNS server for the client:
1) Current system resolvers
2) Google Public DNS
3) Cloudflare DNS
4) OpenDNS
5) Quad9
6) AdGuard DNS
7) Custom
DNS server [2]: 3
WireGuard installation is ready to begin.
Do you want to continue? [Y/n]
Installing WireGuard, please wait...
+ apt-get -yqq update
+ apt-get -yqq install wireguard qrencode
Error: 'apt-get install' failed.
Expected behavior
Normal installation
Checklist
Describe the enhancement request
A clear and concise description of your enhancement request.
Currently this script can't run inside LXC or Docker.
Is your enhancement request related to a problem? Please describe.
A clear and concise description of what the problem is, if applicable.
WireGuard itself can run inside Docker or LXC, as long as it is given the permissions, plus mapping the tun device.
Additional context
Add any other context about the enhancement request here.
Checklist
Describe the enhancement request
UFW is the default firewall configuration tool for Ubuntu. As such it is widely used on many Ubuntu-based servers for firewalling. Currently wireguard-install completely bypasses UFW by adding rules through the wg-iptables service.
As per the Ubuntu manpages, UFW supports the forwarding and filtering functionality required by the WireGuard VPN. Some of it can be accomplished through the ufw command, while the rest has to be performed through direct modification of /etc/ufw/before.rules.
On a host with UFW installed and enabled, instead of creating the wireguard-iptables service, wireguard-install should append the post-routing rules to /etc/ufw/before.rules:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j MASQUERADE
COMMIT
and run the following commands:
ufw allow from any to any port $port proto udp
ufw route allow from 10.7.0.0/24
ufw reload
I think that the last rule in wireguard-iptables can be omitted, as /etc/ufw/before.rules already has the following:
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
but that would require verification.
Is your enhancement request related to a problem? Please describe.
UFW clashing with wireguard-iptables.
Additional context
N/A
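The procedure proposed in this request, worked through as an added example (not wireguard-install's own code, which sets up its own iptables service instead): a POSIX shell script that inserts the nat table block into /etc/ufw/before.rules exactly once, no matter how often it is run, and prints the three ufw commands unless APPLY=1 is set. The function names are mine; the subnet, port and rule text are the ones from the request; the before.rules fragment the demo runs against is constructed so the script can be tried without touching a real firewall. Placing the nat block ahead of the *filter table is a layout choice: before.rules is an iptables-restore file made of self-contained table blocks, so the nat block only has to be complete in itself.

```shell
#!/bin/sh
# Added example, not wireguard-install's own code: the UFW-based variant of
# the installer's firewall setup proposed above. Assumes the Ubuntu layout
# (/etc/ufw/before.rules) and the report's values; nothing on the host is
# touched unless APPLY=1 is set and a real before.rules path is passed.

WG_SUBNET="${WG_SUBNET:-10.7.0.0/24}"
WG_PORT="${WG_PORT:-51820}"

# ufw_nat_block SUBNET: the nat table fragment from the request. before.rules
# is an iptables-restore file, so this is a complete, self-contained table.
ufw_nat_block() {
    printf '%s\n' \
        '# WireGuard NAT for VPN clients' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $1 ! -d $1 -j MASQUERADE" \
        'COMMIT'
}

# ufw_nat_present FILE SUBNET: succeeds if the MASQUERADE rule is already in FILE.
ufw_nat_present() {
    grep -qF -- "-A POSTROUTING -s $2 ! -d $2 -j MASQUERADE" "$1"
}

# ufw_insert_nat FILE SUBNET: insert the nat block once, ahead of the first
# '*filter' line (or at the end if there is none). Re-running is a no-op.
ufw_insert_nat() {
    ufw_file=$1
    ufw_subnet=$2
    if ufw_nat_present "$ufw_file" "$ufw_subnet"; then
        return 0
    fi
    ufw_tmp=$(mktemp) || return 1
    inserted=
    {
        while IFS= read -r line; do
            case $line in
                '*filter'*)
                    if [ -z "$inserted" ]; then
                        ufw_nat_block "$ufw_subnet"
                        echo
                        inserted=1
                    fi ;;
            esac
            printf '%s\n' "$line"
        done < "$ufw_file"
        if [ -z "$inserted" ]; then
            echo
            ufw_nat_block "$ufw_subnet"
        fi
    } > "$ufw_tmp"
    cat "$ufw_tmp" > "$ufw_file"   # keeps the original file's ownership and mode
    rm -f "$ufw_tmp"
}

# ufw_wg_rules PORT SUBNET: the three ufw commands from the request. Printed
# by default; executed only when APPLY=1.
ufw_wg_rules() {
    for cmd in \
        "ufw allow from any to any port $1 proto udp" \
        "ufw route allow from $2" \
        "ufw reload"
    do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# ufw_demo: run the whole thing against a constructed before.rules fragment
# (no ufw needed), showing that a second run changes nothing.
ufw_demo() {
    demo_file=$(mktemp)
    printf '%s\n' \
        '*filter' \
        ':ufw-before-forward - [0:0]' \
        '-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        'COMMIT' > "$demo_file"
    ufw_insert_nat "$demo_file" "$WG_SUBNET"
    ufw_insert_nat "$demo_file" "$WG_SUBNET"
    cat "$demo_file"
    ufw_wg_rules "$WG_PORT" "$WG_SUBNET"
    rm -f "$demo_file"
}

ufw_demo
```

Two things to keep in mind when applying this for real: forwarding must be enabled as well (UFW applies its own /etc/ufw/sysctl.conf, where net/ipv4/ip_forward is commented out by default, and the sysctl report earlier on this page shows what happens when it is missing), and the MASQUERADE rule as written matches every outgoing interface; adding `-o <wan-interface>` to it narrows NAT to the uplink, which is the least-privilege form.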
Hi, thank you so much for this script.
Can you please give me advice on how I can configure the VPN to work only with specific sites?
Thank you again
At first I used hwdsl2's one-click OpenVPN; then one day it suddenly couldn't connect.
I switched to WireGuard instead; it can connect, but ping doesn't get through.
I don't know what's going on. At home I have a China Telecom public IP. I don't know how to troubleshoot this; is it possible the IP has been blocked?
Devices at home can be accessed normally through an Alibaba Cloud domain name.
Checklist
Describe the enhancement request
Add support for openSUSE Linux system.
Is your enhancement request related to a problem? Please describe.
Currently, openSUSE is not supported by the installation script.
Additional context
None