diff --git a/Readme.md b/Readme.md index e6428cd..a26b806 100644 --- a/Readme.md +++ b/Readme.md @@ -1,14 +1,18 @@ # WireGuard Ops -A group of Interactive bash scripts for [WireGuard](https://github.com/WireGuard/wireguard-go) over [udp2raw-tunnel](https://github.com/wangyu-/udp2raw-tunnel), with optional [UDPSpeeder](https://github.com/wangyu-/UDPspeeder) support. +[wg-quick](https://man7.org/linux/man-pages/man8/wg-quick.8.html) compatiable config generator with additional features supported. ## Basic Usage -1. Run `install.sh`. (May prompt sudo) +1. Clone this repo with `git clone https://github.com/Kiritow/wg-ops` -2. Write a valid WireGuard config file, with supported extension tags. +2. Run `install.sh`. (May prompt sudo) -3. Run `python3 generate.py` to convert extension tags into config lines. +3. Write a valid WireGuard `wg-quick` config file, with supported extension tags. (see below) + +4. Run `python3 generate.py` to convert extension tags into config lines. + +5. Bring it up with `wg-quick up` Start as service: `systemctl start wg-quick@wg0` 
@@ -16,37 +20,118 @@ Start service on system start-up: `systemctl enable wg-quick@wg0` See [wg-quick(8)](https://man7.org/linux/man-pages/man8/wg-quick.8.html) for more information. -Run `python3 generate.py -h` for more help about the generator. +## Options + +python3 **generate.py** [-h] [-k] [-o *filename*] *source_filename* + +**-h** Display this help and quit. + +**-k** Output generated config to standard output + +**-o** *filename* Output generated config to `filename`. Default write to *source_filename*.gen + +## Generic Tags + +**enable-bbr** + +Enable [TCP BBR](https://en.wikipedia.org/wiki/TCP_congestion_control#TCP_BBR). Most of the time it's useful on VPS. + +**enable-forward** + +Set `net.ipv4.ip_forward` to 1. Enable ip packet forward. + +**iptables-forward** + +Add iptables rules to accept forward from this wireguard interface. Example: `iptables -A FORWARD -i wg0 -J ACCEPT` + +**podman-user** *username* + +Run podman container as `username`. Default to `root`. + +## Tunnel Tags + +**udp2raw-server** *name* *port* *password* + +Setup a [udp2raw](https://github.com/wangyu-/udp2raw-tunnel) server. Raw mode set to `fake-tcp`. Expose & listen on port `port`. + +**udp2raw-client** *name* *port* *remote* *password* + +Setup a udp2raw client. Listen on port `port`. + +**udp2raw-client-mux** *name* *mux_size* *port* *remote* *password* + +Setup multiple (up to `mux_size`) udp2raw clients. Listen on ports from `port` to `port + mux_size` + +**gost-server** *name* *port* + +Setup a [gost](https://github.com/ginuerzh/gost) server. Forward mode set to `relay+tls`. Expose & listen on port `port`. + +**gost-client** *name* *port* *remote* + +Setup a gost client. Listen on port `port`. + +**gost-client-mux** *name* *mux_size* *port* *remote* + +Setup multiple (up to `mux_size`) gost clients. 
Listen on ports from `port` to `port + mux_size` + +**trojan-server** *name* *port* *password* *cert_path* *key_path* + +Setup a [trojan-go](https://github.com/p4gefau1t/trojan-go) server. Expose & listen on port `port`. + +Requires a ssl certificate signed by trusted CA. + +[acme.sh](https://github.com/acmesh-official/acme.sh) is recommended for acquiring ssl certs. Make sure use `fullchain.cer` as `cert_path` + +**trojan-client** *name* *port* *password* *remote_host* *target_port* + +Setup a trojan-go client. Listen on port `port`. + +**trojan-client-mux** *name* *mux_size* *port* *password* *remote_host* *target_port* + +Setup multiple (up to `mux_size`) trojan-go clients. Listen on ports from `port` to `port + mux_size` + +## Peer Tags + +**use-tunnel** *name* + +Use tunnel `name` for this peer. wg-ops may add `Endpoint=` or use `wg set peer` to fullfill this requirement. + +## Route Tags + +**route-to** *ip_route_table* + +Used in chained WireGuard settings. Accept any traffic from `ip_route_table`. + +Interface marked with `route-to` should have only **one** peer. + +**route-from** *ip_route_table* + +Used in chained WireGuard settings. Route traffic from all peers or a marked peer with `ip_route_table`. + +Example: The following config means all traffic from `10.44.0.2` will be forward to `10.33.0.1` + +wg0.conf (Should have only one peer) ``` -wg-ops: WireGuard configuration extended generator -OPTIONS - -h Display this help and quit. - -k Output generated config to standard output - -o Output generated config to file. 
Default is {source_filename}.gen -TAGS - #enable-bbr - #enable-forward - #iptables-forward - #route-to table - #route-from table - #udp2raw-server name port password - #udp2raw-client name port remote password - #udp2raw-client-mux name mux port remote password - #gost-server name port - #gost-client name port remote - #gost-client-mux name mux port remote - #use-tunnel name +[Interface] +Address=10.33.0.2 +#route-to TABLE + +[Peer] +AllowedIPs=10.33.0.1 +``` + +wg1.conf + +``` +[Interface] +Address=10.44.0.1 + +[Peer] +AllowedIPs=10.44.0.2 +#route-from TABLE ``` ## Notice -Make sure to setup firewall. UFW is recommended. - -For a forwarding server, the following commands might be needed: - -``` -ufw route allow in on wg0 out on wg0 -``` - -Reload script only reload wireguard configs. Changes made to tunnels will not work without restart. +Make sure to setup firewall for better security. [ufw](http://manpages.ubuntu.com/manpages/bionic/man8/ufw.8.html) is recommended for Ubuntu.
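Review bot: in the first hunk, the new description line spells `compatiable`; it should be `compatible`. The new step 1 clones the repo but there is no step changing into the cloned directory before `install.sh` is run in step 2, and step 5's `wg-quick up` is missing its argument; `wg-quick` requires a config file or interface name, so write it as `wg-quick up wg0` to match the `wg-quick@wg0` service examples that follow.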
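Review bot: the `iptables-forward` example in the second hunk, `iptables -A FORWARD -i wg0 -J ACCEPT`, uses `-J`; the iptables jump option is lowercase `-j`, so the documented command fails as written and should read `iptables -A FORWARD -i wg0 -j ACCEPT`. The three `*-client-mux` tags say "up to `mux_size`" clients but "ports from `port` to `port + mux_size`", which is `mux_size + 1` ports if read inclusively; state the range unambiguously (for example `port` to `port + mux_size - 1`). Because the `udp2raw-*` and `trojan-*` tags now place shared passwords in the same file as `PrivateKey`, the Basic Usage or Notice section should say that both the source `.conf` and the generated `.gen` file must remain readable only by root (mode 600). The removed Notice lines (`ufw route allow in on wg0 out on wg0` and the warning that the reload script does not restart tunnels) were the only operational caveats in the file; keep them or replace them rather than dropping them, and `podman-user` defaulting to `root` deserves a sentence on why root is needed or how to pick an unprivileged user. Typos: `fullfill` should be `fulfill`, `a ssl certificate` should be `an SSL certificate`, `will be forward to` should be `will be forwarded to`, and `Setup` used as a verb should be `Set up`.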