# wireguard-management

WireGuard management and monitoring utilities.

* [`wg_status.py`](https://git.hmp.today/pavel.muhortov/wireguard-management#wg_status-py)
* [`wg-client-management.sh`](https://git.hmp.today/pavel.muhortov/wireguard-management#wg-client-management-sh)
* [`wg-connect-handling.sh`](https://git.hmp.today/pavel.muhortov/wireguard-management#wg-connect-handling-sh)
* [`wg-heavy@wg1.service`](https://git.hmp.today/pavel.muhortov/wireguard-management#wg-heavy-wg1-service)

____
## `wg_status.py`

**Description:**

> WireGuard server status parser.

**Dependencies:**
>
> * root privileges
> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [requests](https://requests.readthedocs.io/) Python 3 module (tested version 2.31.0)
> * to report peer names instead of their public keys, a directory holding the peers' configurations or public keys must exist

| PARAMETERS | DESCRIPTION | DEFAULT |
|--------------|------------------------|---------------|
|**[-p, --peers_root]**|root path to the peers' configs or public keys|`/etc/wireguard/pki`|
|**[-f, --filter]**|regex filter on client names|`.*`|
|**[-g, --geo]**|look up the geolocation of the client's real IP address (may be slow)|`None`|
Example usage with Zabbix agent:

```bash
# install dependencies
sudo pip install requests
# download
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg_status.py -O /etc/wireguard/wg_status.py
sudo chmod +x /etc/wireguard/wg_status.py
```

```bash
# edit sudoers: the zabbix user may run only this one script as root, so the
# script must stay owned by root and must not be writable by zabbix
sudo sh -c "echo '
zabbix ALL=(ALL) NOPASSWD:/etc/wireguard/wg_status.py
' > /etc/sudoers.d/zabbix_agentd"
# validate the new sudoers fragment before relying on it
sudo visudo -c -f /etc/sudoers.d/zabbix_agentd
# check permission
sudo -u zabbix sudo /etc/wireguard/wg_status.py
```

```bash
# add UserParameter to Zabbix agent
sudo sh -c "echo '
Timeout=30
AllowRoot=0
UserParameter=discovery.wg, sudo /etc/wireguard/wg_status.py
' >> /etc/zabbix/zabbix_agentd.conf"
sudo systemctl restart zabbix-agent
```

Download the [Wireguard_by_Zabbix_agent.yaml](https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/Wireguard_by_Zabbix_agent.yaml) template and import it:
Zabbix Server -> Configuration -> Templates -> Import template
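As an added example (not the repository's `wg_status.py`), the following script parses the `wg show all dump` format that such a status parser reads, maps peer public keys to names the way the `-p` option describes, filters them by the `-f` regex, and emits Zabbix low-level discovery JSON for the `discovery.wg` key. The `<name>.pub` layout under the peers root and the sample dump are assumptions made here.

```python
import json
import re
import time
from pathlib import Path

# Constructed sample of `wg show all dump` (tab-separated). An interface line
# has 5 fields (iface, privkey, pubkey, port, fwmark); a peer line has 9:
# iface, pubkey, psk, endpoint, allowed_ips, latest_handshake, rx, tx, keepalive.
SAMPLE_DUMP = "\n".join([
    "wg1\tSERVER_PRIV_CONSTRUCTED=\tSERVER_PUB_CONSTRUCTED=\t51820\toff",
    "wg1\tALICE_PUB_CONSTRUCTED=\t(none)\t203.0.113.5:41641\t10.0.0.2/32"
    "\t1700000000\t1024\t2048\t5",
    "wg1\tBOB_PUB_CONSTRUCTED=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\t5",
])

def load_peer_names(peers_root):
    """Map public key -> peer name. Assumed layout (not necessarily the
    project's): <peers_root>/<name>.pub holding the peer's base64 public key."""
    return {p.read_text().strip(): p.stem for p in Path(peers_root).glob("*.pub")}

def parse_wg_dump(dump, names, name_filter=".*", now=None):
    """One dict per peer whose name matches name_filter (the -f option).
    Peers without a name file are reported under their public key."""
    now = time.time() if now is None else now
    peers = []
    for line in dump.splitlines():
        fields = line.split("\t")
        if len(fields) != 9:  # interface line: nothing to report
            continue
        iface, pubkey, _psk, endpoint, allowed, hs, rx, tx, _ka = fields
        name = names.get(pubkey, pubkey)
        if not re.fullmatch(name_filter, name):
            continue
        hs = int(hs)
        peers.append({
            "iface": iface, "name": name, "allowed_ips": allowed,
            "endpoint": "" if endpoint == "(none)" else endpoint,
            # seconds since the last handshake; -1 means the peer never connected
            "handshake_age": int(now - hs) if hs else -1,
            "rx": int(rx), "tx": int(tx),
        })
    return peers

def zabbix_lld(peers):
    """Zabbix low-level discovery JSON: one {#MACRO} row per peer."""
    rows = [{"{#IFACE}": p["iface"], "{#PEER}": p["name"],
             "{#ALLOWED_IPS}": p["allowed_ips"]} for p in peers]
    return json.dumps({"data": rows})
```

A stale `handshake_age` (well over the 5 second `PersistentKeepalive` used in the client template, plus the protocol's own handshake interval) is the signal to alert on for a peer that should be online.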
____

## `wg-client-management.sh`

**Description:**

> Creates or deletes a WireGuard client config and sends the config and connection info by email.

**Dependencies:**
>
> * root privileges
> * [wireguard](https://www.wireguard.com/) (tested version 1.0.2 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [qrencode](https://github.com/fukuchi/libqrencode) (tested version 4.1.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * existing [/usr/local/bin/sendmail.py](https://git.hmp.today/pavel.muhortov/utils#sendmail-py)

| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
|-----------|--------------|------------------------|---------------|
| 1 |**add\|del**|add or delete a client config|**REQUIRED**|
| 2 |**\<username\>**|client username|**REQUIRED**|
| 3 |**\<address\>**|client IP address|**REQUIRED**|
| 4 |**[-f]**, **[--force]**|restart the service after adding or deleting the client||
Example usage:

```bash
# create client config template
sudo tee /etc/wireguard/client.conf.default > /dev/null <<'EOF'
[Interface]
Address = clientaddr/32
PrivateKey = clientprivkey
DNS = 1.1.1.1,8.8.8.8 # edit this line!
[Peer]
PublicKey = serverpublkey
AllowedIPs = 10.0.0.0/8,192.168.0.0/16 # edit this line!
Endpoint = server.public.address:51820 # edit this line!
PersistentKeepalive = 5
EOF
```

```bash
# download
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg-client-management.sh -O /etc/wireguard/wg-client-management.sh
sudo chmod +x /etc/wireguard/wg-client-management.sh
# create log directory
sudo mkdir /var/log/wireguard
```

```bash
# create a convenience link in the current directory
ln -s /etc/wireguard/wg-client-management.sh ./wg
```

```bash
# create client
sudo ./wg add username address
```

```bash
# delete client and restart service
sudo ./wg del username address -f
```

```bash
# check journal
tail -f /var/log/wireguard/wg.log
```
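As an added example (not the repository's `wg-client-management.sh`), this renders the `client.conf.default` template above for one client and produces the matching server-side `[Peer]` stanza, with the two input checks the `add` action needs: a username that is safe to use as a file name, and an address that lies inside the VPN subnet (the check the script delegates to grepcidr). The key pair is assumed to come from `wg genkey` / `wg pubkey`, and the `10.0.0.0/24` subnet used in the checks is a constructed value.

```python
import ipaddress
import re

# Copy of the client.conf.default template from this README (comments dropped).
CLIENT_TEMPLATE = """[Interface]
Address = clientaddr/32
PrivateKey = clientprivkey
DNS = 1.1.1.1,8.8.8.8
[Peer]
PublicKey = serverpublkey
AllowedIPs = 10.0.0.0/8,192.168.0.0/16
Endpoint = server.public.address:51820
PersistentKeepalive = 5
"""

# The username becomes part of file names (config, QR image, log entries),
# so it must not carry path separators or shell metacharacters.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")

def render_client_config(template, username, address, client_keys,
                         server_pubkey, vpn_net):
    """Return (client_conf, server_peer_stanza) for one new client.

    client_keys is the (private, public) pair from `wg genkey` / `wg pubkey`
    (assumed to be generated by the caller); vpn_net is the server's VPN
    subnet, used like the script's grepcidr check to reject foreign addresses."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("unsafe username: %r" % username)
    ip = ipaddress.ip_address(address)          # raises ValueError if not an IP
    net = ipaddress.ip_network(vpn_net)
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        raise ValueError("%s is not a usable host address in %s" % (ip, net))
    privkey, pubkey = client_keys
    client_conf = (template.replace("clientaddr", str(ip))
                   .replace("clientprivkey", privkey)
                   .replace("serverpublkey", server_pubkey))
    # stanza to append to the server config; AllowedIPs pins the peer to its address
    server_peer = ("\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n"
                   % (username, pubkey, ip))
    return client_conf, server_peer
```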
____

## `wg-connect-handling.sh`

**Description:**

> Handles client connections and prepares statistics for monitoring.

**Dependencies:**
>
> * root privileges
> * [jq](https://github.com/stedolan/jq) (tested version 1.6 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
> * existing [/usr/local/bin/sendmail.py](https://git.hmp.today/pavel.muhortov/utils#sendmail-py)
> * [bash](https://www.gnu.org/software/bash/) (tested versions: 5.1.4 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/), 5.0.17 on [Ubuntu 20](https://wiki.ubuntu.com/FocalFossa/ReleaseNotes), 4.2.46 on [CentOS 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.2009))

| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
|-----------|--------------|------------------------|---------------|
| 1 |**\</path/to/dir\>**|root path for the counter, names and log files|**REQUIRED**|
| 2 |**[mail]**|send an email notification||
| 3 |**[geo]**|look up the client address geolocation||

Example usage:
```bash
# download
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg-connect-handling.sh -O /etc/wireguard/wg-connect-handling.sh
sudo chmod +x /etc/wireguard/wg-connect-handling.sh
```

```bash
# create root path for counter, names, log (owned by root, readable by others)
sudo mkdir -p /var/log/wireguard
sudo chown -R root:root /var/log/wireguard
sudo chmod -R 755 /var/log/wireguard
```

```bash
# sudo crontab -e
* * * * * bash /etc/wireguard/wg-connect-handling.sh /var/log/wireguard mail geo
```

```bash
# check counter and names
watch cat /var/log/wireguard/wg-counts.log
# check journal
tail -f /var/log/wireguard/wg-connect-handling.log
```
____
|
|
|
|
## `wg-heavy@wg1`.service
|
|
|
|
**Description:**
|
|
> Launch Wireguard without creating route table.
|
|
|
|
**Dependencies:**
|
|
>
|
|
> * privileged rights
|
|
> * existing /etc/wireguard/wg1.conf
|
|
|
|
Example usage:
|
|
|
|
```bash
|
|
# download
|
|
sudo wget https://git.hmp.today/pavel.muhortov/wireguard-management/raw/branch/master/wg-heavy@wg1.service -O /etc/init.d/wg-heavy@wg1.service
|
|
sudo chmod +x /etc/init.d/wg-heavy@wg1.service
|
|
```
|
|
|
|
```bash
|
|
# debian update init
|
|
sudo update-rc.d wg-heavy@wg1.service defaults
|
|
# rhel/alt update init
|
|
sudo chkconfig --add wg-heavy@wg1.service
|
|
```
|
|
|
|
```bash
|
|
# start service
|
|
sudo service wg-heavy@wg1 start
|
|
sudo service wg-heavy@wg1 status
|
|
```
|