From 819700cbbe4dd317e9219f9e590a4694d9101727 Mon Sep 17 00:00:00 2001
From: Pavel Muhortov
Date: Thu, 20 Apr 2023 15:43:09 +0300
Subject: [PATCH] add wg-client-management.sh

---
 README.md | 54 +++++++-
 wg-client-management.sh | 284 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 336 insertions(+), 2 deletions(-)
 create mode 100644 wg-client-management.sh

diff --git a/README.md b/README.md
index b1d65b4..251bb2d 100644
--- a/README.md
+++ b/README.md
@@ -282,7 +282,7 @@ ____
 >
 > * executing by [openvpn](https://openvpn.net/) server (tested version 2.5.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * [jq](https://github.com/stedolan/jq) (tested version 1.6 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
 > * [bash](https://www.gnu.org/software/bash/) (tested versions: 5.1.4 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/), 5.0.17 on [Ubuntu 20](https://wiki.ubuntu.com/FocalFossa/ReleaseNotes), 4.2.46 on [CentOS 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.2009))
@@ -321,6 +321,56 @@ tail -f /var/log/openvpn/ovpn-connect-handling.log
 ____
+## `wg-client-management`.sh
+
+**Description:**
+> Creating or deleting client config for wireguard and sending config and info to email.
+
+**Dependencies:**
+>
+> * [wireguard](https://www.wireguard.com/) (tested version 1.0.2 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+> * [qrencode](https://github.com/fukuchi/libqrencode) (tested version 4.1.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+> * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
+
+| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
+|-----------|--------------|------------------------|---------------|
+| 1 |**add\|del**|add or delete client config|**REQUIRED**|
+| 2 |**\**|client username|**REQUIRED**|
+| 3 |**\**|client ip address|**REQUIRED**|
+| 4 |**[-f]**,**[--force]**|service will restart after add\|del username||
+
+Example usage:
+
+```bash
+# download
+sudo wget https://git.hmp.today/pavel.muhortov/utils/src/branch/master/wg-client-management.sh -O /etc/wireguard/wg-client-management.sh
+sudo chmod +x /etc/wireguard/wg-client-management.sh
+```
+
+```bash
+# create link
+ln -s /etc/wireguard/wg-client-management.sh ./wg
+```
+
+```bash
+# create client
+sudo ./wg add username address
+```
+
+```bash
+# delete client and restart service
+sudo ./wg del username address -f
+```
+
+```bash
+# check journal
+tail -f /var/log/wireguard/wg.log
+```
+
+____
+
 ## `wg-connect-handling`.sh
 **Description:**
@@ -330,7 +380,7 @@ ____
 >
 > * privileged rights
 > * [jq](https://github.com/stedolan/jq) (tested version 1.6 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
 > * [bash](https://www.gnu.org/software/bash/) (tested versions: 5.1.4 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/), 5.0.17 on [Ubuntu 20](https://wiki.ubuntu.com/FocalFossa/ReleaseNotes), 4.2.46 on [CentOS 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.2009))
diff --git a/wg-client-management.sh b/wg-client-management.sh
new file mode 100644
index 0000000..276e14c
--- /dev/null
+++ b/wg-client-management.sh
@@ -0,0 +1,284 @@
+#! /bin/bash
+
+# DESCRIPTION:
+# creating or deleting client config for wireguard
+# and
+# sending config and info to email
+#
+# DEPENDENCIES:
+# - privileged rights
+# - wireguard
+# - qrencode
+# - grepcidr
+# - Python 3
+# - existing /usr/local/bin/sendmail.py
+#
+# PARAMETERS:
+# 1: "add|del" - add or delete client config
+# 2: username - client username
+# 3: address - client ip address
+# -f|--force - service will restart after username add|del
+#
+# FUNCTIONS:
+#
+
+#######################################
+# Print message and add to log.
+# Globals:
+# logs
+# Arguments:
+# 1: message to print and logging
+#######################################
+addtologs() {
+ echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
+}
+
+#######################################
+# Exit procedure.
+# Globals:
+# show
+# Arguments:
+# None
+#######################################
+execquite() {
+ addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
+ exit
+}
+
+#######################################
+# Error exit procedure
+# Globals:
+# None
+# Arguments:
+# 1: message to print and logging
+#######################################
+execerror() {
+ addtologs "error: $1"
+ execquite
+}
+
+#######################################
+# Checking user rights.
+# Globals:
+# None
+# Arguments:
+# None
+# return:
+# 0 - if privileged rights, 1 - if not privileged rights
+#######################################
+checkroot() {
+ if [ "${EUID}" -ne 0 ]; then
+ return 1 # false
+ else
+ return 0 # true
+ fi
+}
+
+#######################################
+# Send email notification about client connect
+# Globals:
+# clientname
+# faqprofile
+# Arguments:
+# None
+#######################################
+startsendmail() {
+ subj="[WG Settings] $(cat /etc/hostname): ${clientname} client profile"
+ (
+ python3 /usr/local/bin/sendmail.py \
+ -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
+ -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
+ -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
+ --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
+ --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
+ --stls "True" \
+ --subj "${subj}" \
+ --text "${faqprofile}" \
+ --file "/etc/wireguard/${clientname}.png,/etc/wireguard/${clientname}.conf" \
+ >> /dev/null 2>&1 &
+ )
+ addtologs "sent mail with subject '${subj}'"
+}
+
+#######################################
+# Create wireguard client certificates
+# Globals:
+# clientname
+# clientaddr
+# servercfgname
+# Arguments:
+# None
+#######################################
+createcert() {
+ wg genkey | tee "/etc/wireguard/pki/${clientname}-private.key" | wg pubkey > "/etc/wireguard/pki/${clientname}-public.key"
+ clientpublkey=$(cat "/etc/wireguard/pki/${clientname}-public.key")
+ clientprivkey=$(cat "/etc/wireguard/pki/${clientname}-private.key")
+ wg set wg0 peer "${clientpublkey}" allowed-ips "${clientaddr}/32"
+ {
+ echo -e "[Peer]"
+ echo -e " PublicKey = ${clientpublkey}"
+ echo -e " AllowedIPs = ${clientaddr}/32"
+ } >> ${servercfgname}
+ ip -4 route add "${clientaddr}/32" dev wg0
+}
+
+#######################################
+# Create wireguard client configuration
+# Globals:
+# 
clientname
+# clientaddr
+# clientconfdef
+# clientprivkey
+# serverpublkey
+# Arguments:
+# None
+#######################################
+createconf() {
+ clientconf=$(cat "${clientconfdef}")
+ clientconf=${clientconf//clientaddr/${clientaddr}}
+ clientconf=${clientconf//clientprivkey/${clientprivkey}}
+ clientconf=${clientconf//serverpublkey/${serverpublkey}}
+ clientconf=${clientconf//clientaddrs/${clientaddr}}
+ printf "%s\n" "${clientconf}" > "/etc/wireguard/${clientname}.conf"
+}
+
+#######################################
+# Create wireguard client info, qr-code
+# Globals:
+# clientname
+# Arguments:
+# None
+#######################################
+createinfo() {
+faqprofile=$(cat < /dev/null || \
+ ! command -v /usr/local/bin/sendmail.py &> /dev/null || \
+ ! command -v python3 &> /dev/null; then
+ execerror "Not found dependencies"
+fi
+
+#
+# MAIN:
+#
+
+if checkroot; then
+ serverpublkey=$(cat /etc/wireguard/pki/server-public.key)
+ servercfgname="/etc/wireguard/wg0.conf"
+ clientpublkey=''
+ clientprivkey=''
+ clientconfdef="/etc/wireguard/client.conf.default"
+ logs=/var/log/wireguard/$(basename -s .sh "$0").log
+
+ if [ "${clienttodo}" == "add" ] && \
+ [ -n "${clientname}" ] && \
+ grepcidr "0.0.0.0/0" <(echo "${clientaddr}") >/dev/null; then
+ if [ -f "/etc/wireguard/${clientname}.conf" ] || \
+ grep -q -w "${clientaddr}/32" ${servercfgname}; then
+ execerror "wireguard config exist or address used, exit"
+ else
+ createcert && addtologs "created certificate for ${clientname}"
+ createconf && addtologs "created wg config file for ${clientname}"
+ createinfo && addtologs "created info file for ${clientname}"
+ startsendmail
+ fi
+ if [ "${resetforce}" -eq 1 ];then
+ addtologs "restarting wg-quick@wg0..."
+ systemctl restart wg-quick@wg0
+ fi
+ elif [ "${clienttodo}" == "del" ] && \
+ [ -n "${clientname}" ] && \
+ grepcidr "0.0.0.0/0" <(echo "${clientaddr}") >/dev/null; then
+ if [ -f "/etc/wireguard/${clientname}.conf" ]; then
+ deleteconf && addtologs "deleted wg config file for ${clientname}"
+ fi
+ if [ -f "/etc/wireguard/${clientname}.png" ]; then
+ deleteinfo && addtologs "deleted info file for ${clientname}"
+ fi
+ if grep -q -w "${clientaddr}/32" ${servercfgname}; then
+ deletecert && addtologs "deleted certificate for ${clientname}"
+ fi
+ if [ "${resetforce}" -eq 1 ];then
+ addtologs "restarting wg-quick@wg0..."
+ systemctl restart wg-quick@wg0
+ fi
+ else
+ printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'address(ww.xx.yy.zz) -f'"
+ printf "%s\n" "Usage example: $0 'del' 'username(surname)' 'address(ww.xx.yy.zz)'"
+ fi
+else
+ execerror "Restart this as root!"
+fi
+execquite
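Review bot: In createcert, `wg genkey | tee "/etc/wireguard/pki/${clientname}-private.key"` and, in createconf, `printf "%s\n" "${clientconf}" > "/etc/wireguard/${clientname}.conf"` create files holding the client's private key with whatever umask the invoking root shell has, so a default 022 umask leaves them world-readable; add `umask 077` once at the top of the script (after the shebang) so every key, config and QR file is created owner-only. createconf also has an ordering defect: `${clientconf//clientaddr/${clientaddr}}` runs before `${clientconf//clientaddrs/${clientaddr}}`, and because the first pattern is a prefix of the second, any `clientaddrs` placeholder in the template has already been rewritten to `<address>s` when the second substitution runs, so swap the two lines if the template uses that placeholder. In startsendmail the SMTP password is handed to python3 on argv via `-p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)"`, where the process list exposes it to every local user while the send runs; if sendmail.py can read it from a file or stdin that is the safer path, and in any case `grep '^pass='` with `cut -d= -f2-` avoids matching other keys that end in `pass=` and truncating a value that contains `=`. clientname is only checked with `[ -n "${clientname}" ]` before being spliced into `/etc/wireguard/${clientname}.conf` and the pki paths, so restricting it to a safe character set in MAIN, e.g. `[[ "${clientname}" =~ ^[A-Za-z0-9_-]+$ ]] || execerror "invalid username"`, keeps every generated file under /etc/wireguard. The stretch from createinfo's heredoc (`faqprofile=$(cat <`) through the dependency check, which would hold deleteconf, deleteinfo, deletecert and the argument parsing that sets clienttodo, resetforce and time, is garbled in this rendering and could not be reviewed.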