Script Internals

This section provides a deeper look into the script's logic and internal workings for users who wish to understand or modify its behavior.

Script Execution Flow

The script operates based on a clear, sequential flow:

  1. Initial Checks (initialCheck): Before doing anything, the script validates the environment:

    • isRoot(): Confirms the script is being run with root privileges.
    • checkOS(): Identifies the Linux distribution and version to ensure compatibility. If the OS is not supported, the script exits.
    • checkVirt(): Checks for unsupported virtualization technologies like OpenVZ and LXC, which have kernel limitations that interfere with WireGuard.
  2. Installation vs. Management: The script checks for the existence of /etc/wireguard/params.

    • If the file does not exist, it proceeds with the installWireGuard function.
    • If the file exists, it displays the manageMenu for post-installation tasks.
  3. Installation (installWireGuard):

    • Runs installQuestions to gather configuration parameters from the user.
    • Installs necessary packages (wireguard-tools, qrencode, iptables) using the appropriate package manager for the detected OS.
    • Generates the server's private and public keys using wg genkey and wg pubkey.
    • Saves all user-provided and generated parameters to /etc/wireguard/params.
    • Constructs the server configuration file at /etc/wireguard/wg0.conf, including the [Interface] block and the correct PostUp/PostDown firewall rules.
    • Creates /etc/sysctl.d/wg.conf to enable IP forwarding.
    • Starts and enables the wg-quick@<interface> systemd service.
    • Finally, calls newClient to create the first user.
  4. Client Creation (newClient):

    • Prompts for a client name.
    • Automatically determines the next available IP address in the 10.66.66.0/24 subnet by searching the existing wg0.conf file.
    • Generates a private key, public key, and a pre-shared key for the client.
    • Creates the client .conf file and saves it to the appropriate home directory.
    • Appends a new [Peer] block for the client to the server's wg0.conf.
    • Reloads the server configuration using wg syncconf to apply the changes without downtime.
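As an added illustration, not code from the script itself, the following POSIX shell snippet reproduces the address-selection and uniqueness checks that newClient performs before appending a peer, run against a constructed wg0.conf. The `### Client <name>` marker lines, the placeholder keys and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the install script's own code): find the next free host
# address in 10.66.66.0/24 by scanning the AllowedIPs already present in wg0.conf.
# Constructed sample config: .1 is the server, .2 and .3 are taken, .4 is free.
SAMPLE_CONF='[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

### Client alice
[Peer]
PublicKey = ALICE_PUBLIC_KEY_PLACEHOLDER
PresharedKey = ALICE_PSK_PLACEHOLDER
AllowedIPs = 10.66.66.2/32

### Client bob
[Peer]
PublicKey = BOB_PUBLIC_KEY_PLACEHOLDER
PresharedKey = BOB_PSK_PLACEHOLDER
AllowedIPs = 10.66.66.3/32
'

# Print the lowest unused host address (.2 to .254) under prefix $2 (e.g. 10.66.66)
# found in the config text $1; return 1 when every host address is already assigned.
next_free_ip() {
    conf="$1"; prefix="$2"; last=2
    while [ "$last" -le 254 ]; do
        # Fixed-string match including the trailing "/" so .2 does not match .20
        if ! printf '%s\n' "$conf" | grep -qF "AllowedIPs = ${prefix}.${last}/"; then
            echo "${prefix}.${last}"
            return 0
        fi
        last=$((last + 1))
    done
    return 1
}

# Exit 0 when a peer marked "### Client <name>" (assumed marker) already exists.
client_exists() {
    printf '%s\n' "$2" | grep -qxF "### Client $1"
}

# Render the [Peer] block that would be appended to wg0.conf for a new client.
peer_block() {
    printf '\n### Client %s\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
        "$1" "$2" "$3" "$4"
}
```

Refusing a duplicate name and a duplicate address before writing the file is what keeps two peers from sharing an AllowedIPs entry, which WireGuard would otherwise resolve by routing the address to only one of them.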

Firewall Rules Explained

The script automatically configures firewall rules to allow WireGuard to function. It detects whether the system uses iptables or firewalld.

iptables

  • iptables -I INPUT -p udp --dport ${SERVER_PORT} -j ACCEPT
    • Allows incoming UDP packets on the WireGuard port.
  • iptables -I FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT
    • Allows packets to be forwarded from the public interface to the WireGuard interface.
  • iptables -I FORWARD -i ${SERVER_WG_NIC} -j ACCEPT
    • Allows packets from WireGuard clients to be forwarded anywhere.
  • iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE
    • Applies Network Address Translation (NAT) to outgoing packets from the VPN clients, making their traffic appear to come from the server's public IP. This is the key rule for providing internet access.

firewalld

For firewalld, the script achieves the same result with firewall-cmd, using a rich rule for the masquerading step:

  • firewall-cmd --zone=public --add-interface=${SERVER_WG_NIC}
    • Assigns the WireGuard interface to the public zone.
  • firewall-cmd --add-port ${SERVER_PORT}/udp
    • Opens the WireGuard port.
  • firewall-cmd --add-rich-rule='rule family=ipv4 source address=... masquerade'
    • Enables NAT for the WireGuard subnet.