wireguard-management/README.md

# wireguard-management
Wireguard management and monitoring utils.
* [`wg_status`.py](https://git.hmp.today/pavel.muhortov/wireguard-management#wg_status-py)
* [`wg-client-management`.sh](https://git.hmp.today/pavel.muhortov/wireguard-management#wg-client-management-sh)
* [`wg-heavy@wg1`.service](https://git.hmp.today/pavel.muhortov/wireguard-management#wg-heavy-wg1-service)
____
## `wg_status`.py
**Description:**

> Wireguard server status parser.

**Dependencies:**

>
> * privileged rights
> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [requests](https://requests.readthedocs.io/) Python 3 module (tested version 2.31.0)
> * to use peer names instead of their public keys, a directory containing the peers' configuration files or public keys must exist (see `--peers_root`)

| PARAMETERS | DESCRIPTION | DEFAULT |
|--------------|------------------------|---------------|
|**[-p, --peers_root]**|root path to peer configs or public keys|`/etc/wireguard/pki`|
|**[-f, --filter]**|regex filter on client names|`.*`|
|**[-g, --geo]**|look up the geolocation of each client's real IP address (may be slow)|`None`|

Example usage with Zabbix agent:
```bash
# install dependencies
sudo pip install requests
# download
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg_status.py -O /etc/wireguard/wg_status.py
sudo chmod +x /etc/wireguard/wg_status.py
```
```bash
# edit sudoers: the agent may run only this one script as root without a password,
# so the script must stay owned by root and must not be writable by the zabbix user
sudo sh -c "echo '
zabbix ALL=(ALL) NOPASSWD:/etc/wireguard/wg_status.py
' > /etc/sudoers.d/zabbix_agentd"
sudo chmod 0440 /etc/sudoers.d/zabbix_agentd
# check syntax and permission
sudo visudo -c -f /etc/sudoers.d/zabbix_agentd
sudo -u zabbix sudo /etc/wireguard/wg_status.py
```
```bash
# add UserParameter to Zabbix agent
sudo sh -c "echo '
Timeout=30
AllowRoot=0
UserParameter=discovery.wg, sudo /etc/wireguard/wg_status.py
' >> /etc/zabbix/zabbix_agentd.conf"
sudo systemctl restart zabbix-agent
```

Download the [Wireguard_by_Zabbix_agent.yaml](https://git.hmp.today/pavel.muhortov/zabbix/raw/branch/master/templates/applications/vpn/wireguard/6.0/wireguard_by_zabbix_agent.yaml) template and import it into Zabbix:

Zabbix Server -> Configuration -> Templates -> Import template
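
As an added illustration of the job a status parser in the role of `wg_status.py` performs (this is example code, not the project's script), the block below parses the tab-separated output of `wg show <ifname> dump`, maps peer public keys to names the way a `peers_root` directory of `<username>.pub` files would, applies the `--filter` regex and emits the low-level-discovery JSON a Zabbix `UserParameter` is expected to print. The dump text, key strings, `now` timestamp and the `{#PEER}` macro name are constructed assumptions.

```python
import json
import re

# Constructed sample of `wg show wg0 dump` (tab-separated). Line 1 is the interface:
# private-key, public-key, listen-port, fwmark. Each further line is one peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix time,
# 0 = never), transfer-rx, transfer-tx, persistent-keepalive. Keys are placeholders.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff\n"
    "PEER_KEY_ALICE\t(none)\t203.0.113.10:41641\t10.0.0.2/32\t1700000000\t4096\t8192\t25\n"
    "PEER_KEY_BOB\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
)

# Stands in for the peers_root directory of `<username>.pub` files: name -> public key.
SAMPLE_PKI = {"alice": "PEER_KEY_ALICE", "bob": "PEER_KEY_BOB"}


def parse_dump(dump, pki, name_filter=".*", now=1700000600):
    """One dict per peer whose name matches name_filter; peers missing from pki
    keep their public key as the name so unexpected peers remain visible.
    `now` is fixed for reproducibility; real use passes int(time.time())."""
    key_to_name = {pub: name for name, pub in pki.items()}
    pattern = re.compile(name_filter)
    peers = []
    for line in dump.splitlines()[1:]:  # skip the interface line
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = line.split("\t")
        name = key_to_name.get(pub, pub)
        if not pattern.fullmatch(name):
            continue
        handshake = int(handshake)
        peers.append({
            "name": name,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "handshake_age": None if handshake == 0 else now - handshake,
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
        })
    return peers


def zabbix_discovery(peers):
    """Wrap peer names in the low-level-discovery JSON a UserParameter prints."""
    return json.dumps({"data": [{"{#PEER}": p["name"]} for p in peers]})


if __name__ == "__main__":
    print(zabbix_discovery(parse_dump(SAMPLE_DUMP, SAMPLE_PKI)))
```

A peer whose `handshake_age` is `None` has never completed a handshake, which is the case to alert on separately from a stale one.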
____
## `wg-client-management`.sh

**Description:**

> Create or delete a client config for WireGuard and send the config and connection info by email.

**Dependencies:**

>
> * privileged rights
> * [wireguard](https://www.wireguard.com/) (tested version 1.0.2 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [qrencode](https://github.com/fukuchi/libqrencode) (tested version 4.1.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * existing [/usr/local/bin/sendmail.py](https://git.hmp.today/pavel.muhortov/utils#sendmail-py)

| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
|-----------|--------------|------------------------|---------------|
| 1 |**\<ifname\>**|wireguard interface name|**REQUIRED**|
| 2 |**add\|del**|add or delete the client config|**REQUIRED**|
| 3 |**\<username\>**|client username|**REQUIRED**|
| 4 |**\<address\>**|client IP address|**REQUIRED**|
| 5 |**\<additional\>**|client description||
| 6 |**[-f]**,**[--force]**|restart the WireGuard service after the client is added or deleted||

Example usage:

```bash
# create client config template
sudo tee /etc/wireguard/client.conf.default > /dev/null <<'EOF'
[Interface]
Address = clientaddr/32
PrivateKey = clientprivkey
DNS = 1.1.1.1,8.8.8.8 # edit this line!
[Peer]
PublicKey = serverpublkey
AllowedIPs = 10.0.0.0/8,192.168.0.0/16 # edit this line!
Endpoint = server.public.address:51820 # edit this line!
PersistentKeepalive = 5
EOF
```
```bash
# download
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg-client-management.sh -O /etc/wireguard/wg-client-management.sh
sudo chmod +x /etc/wireguard/wg-client-management.sh
# create log directory
sudo mkdir /var/log/wireguard
```
```bash
# edit wg-client-management.conf
sudo tee /etc/wireguard/wg-client-management.conf > /dev/null <<'EOF'
# sendmail configuration
from=user@host.zone
pass=password
dest=user@host.zone
smtp=smtp.host.zone
port=587
# telegram configuration
API_KEY=YOURAPIKEY
CHAT_ID=-100123456789
THRD_ID=123
EOF
# the file holds mail and Telegram credentials: keep it readable by root only
sudo chmod 600 /etc/wireguard/wg-client-management.conf
```
```bash
# create link
ln -s /etc/wireguard/wg-client-management.sh ./wg
```
```bash
# create client
sudo ./wg wg0 add username address
```
```bash
# delete client and restart service
sudo ./wg wg0 del username address -f
```
```bash
# check journal
tail -f /var/log/wireguard/wg.log
```
____
## `wg-heavy@wg1`.service

**Description:**

> Start WireGuard without creating a routing table.

**Dependencies:**

>
> * privileged rights
> * existing /etc/wireguard/wg1.conf

Example usage:
```bash
# download
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg-heavy@wg1.service -O /etc/init.d/wg-heavy@wg1.service
sudo chmod +x /etc/init.d/wg-heavy@wg1.service
```
```bash
# debian update init
sudo update-rc.d wg-heavy@wg1.service defaults
# rhel/alt update init
sudo chkconfig --add wg-heavy@wg1.service
```
```bash
# start service
sudo service wg-heavy@wg1 start
sudo service wg-heavy@wg1 status
```