easy-wg-quick

easy-wg-quick - Creates WireGuard configuration for hub and peers with ease

Getting Started

These instructions will get you a copy of the project up and running on your local machine. This machine (called the hub) will act as the VPN concentrator. All other peers connect to the hub (as in a "road warrior" configuration).

Docker

A Docker container image based on Alpine Linux, WireGuard tools and libqrencode is available from ghcr.io.

curl -4 ifconfig.co/ip > extnetip.txt
docker run --rm -it -v "$PWD:/pwd" ghcr.io/burghardt/easy-wg-quick

Please note that extnetip.txt must be populated with the server IP, either via the cURL command above or manually, if you use the generated configuration on the host (instead of inside the container).

Terraform

Terraform code for deploying easy-wg-quick in the Google Cloud Platform is available from the tf-gcp-easy-wg-quick repository.

Prerequisites

Install WireGuard for your operating system on a local machine, router, VPS or container. This will be your hub.

As dependencies, the /bin/sh, wg, wg-quick, awk, grep and ip commands should be available on the hub. If ip is not available, the user is required to set the EXT_NET_IF and EXT_NET_IP variables in the script to the external network interface name and IP address (or edit wghub.conf). Optionally, qrencode can be used to generate QR codes for mobile applications.

Debian, Ubuntu

sudo apt install wireguard-tools mawk grep iproute2 qrencode

Fedora, RHEL, CentOS

sudo dnf install wireguard-tools gawk grep iproute qrencode

FreeBSD

sudo pkg install net/wireguard-tools graphics/libqrencode

macOS

brew install wireguard-tools qrencode

Installing WireGuard tools (and modules)

The script itself requires only the tools to be installed, but to actually use the generated configuration the WireGuard kernel module (or a user-space implementation) is also required. A detailed install guide for various operating systems is available at wireguard.com/install.

Peers also require WireGuard to be installed. Android and iOS are supported. OpenWRT clients are supported with UCI configuration fragments.

Installing

Just download the script and make it executable with chmod.

wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick
chmod +x easy-wg-quick

Note that you can use a short URL as well.

wget https://git.io/fjb5R -O easy-wg-quick
chmod +x easy-wg-quick

Or clone the repository.

git clone https://github.com/burghardt/easy-wg-quick.git

Usage

The script does not require any arguments. Just run it and it will create a usable WireGuard configuration for the hub and one peer. Each subsequent invocation creates another peer configuration within the same hub.

./easy-wg-quick # 1st run creates hub configuration and one client
./easy-wg-quick # any further run creates an additional client

Passing an argument to the script names the configuration file after it instead of after the sequence number, which helps to remember which config belongs to which device. The following command will create the wgclient_client_name.conf file.

./easy-wg-quick client_name

Sample output

No seqno.txt... creating one!
No wghub.key... creating one!
No wghub.conf... creating one!
WireGuard hub address is 10.13.1.140:51820 on wlp9s0.
Note: customize [Interface] section of wghub.conf if required!

Note: passing argument to script creates client configuration with supplied
      name to help remembering which config was for which device. If you
      didn't pass any argument you can still rename created file manually
      with command:
  mv -vi wgclient_10.conf wgclient_name.conf

No wgclient_10.conf... creating one!
Scan QR code with your phone or use "wgclient_10.conf" file.
Updating wghub.conf... done!

Important: Deploy updated wghub.conf configuration to WireGuard with wg-quick:
  sudo wg-quick down ./wghub.conf # if already configured
  sudo wg-quick up ./wghub.conf
  sudo wg show # to check status

Using generated configuration

On the hub, configure WireGuard.

sudo wg-quick up ./wghub.conf

On the peer, scan the QR code or copy wgclient_10.conf. To display the QR code again, use

qrencode -t ansiutf8 < wgclient_10.conf

Or use the saved QR code

cat wgclient_10.qrcode.txt

To connect the whole network with a single WireGuard client running on an OpenWRT router, append generated UCI client configuration fragment to your router /etc/config/network file.

cat wgclient_10.uci.txt

Finally, on the hub check that everything works with sudo wg show.

interface: wghub
  public key: kbaG3HxSDz3xhqiTNXlo1fZkFa+V6oTl+w0cSAQKxwQ=
  private key: (hidden)
  listening port: 51820

peer: th8qYu0R0mgio2wPu1kz6/5OOgi6l8iy7OobK590LHw=
  preshared key: (hidden)
  endpoint: 10.60.1.150:37218
  allowed ips: 10.127.0.10/32
  latest handshake: 50 minutes, 22 seconds ago
  transfer: 32.64 MiB received, 95.24 MiB sent
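A check over the peer state shown above, added here as an example (not part of easy-wg-quick): it parses the human-readable output of sudo wg show and reports peers that never completed a handshake or whose latest handshake is older than a threshold, which is the quickest way to spot a peer that reaches the hub but never authenticates. The wg show text below is constructed from the README sample plus one extra peer with a placeholder key.

```shell
#!/bin/sh
# Added example, not part of easy-wg-quick: summarise "wg show" output and
# flag peers without a recent handshake. Input text is read from stdin.

# wg_peer_handshakes: print one line per peer, "<pubkey> <age_seconds|never>".
wg_peer_handshakes() {
    awk '
        function flush() {
            if (peer != "") print peer, (age == "" ? "never" : age)
            peer = ""; age = ""
        }
        $1 == "peer:" { flush(); peer = $2; next }
        $1 == "latest" && $2 == "handshake:" {
            # Fields 3.. look like "50 minutes, 22 seconds ago"; add them up.
            secs = 0
            for (i = 3; i < NF; i += 2) {
                n = $i; u = $(i + 1); sub(/,$/, "", u)
                if (u ~ /^day/)         secs += n * 86400
                else if (u ~ /^hour/)   secs += n * 3600
                else if (u ~ /^minute/) secs += n * 60
                else if (u ~ /^second/) secs += n
            }
            age = secs
        }
        END { flush() }
    '
}

# wg_stale_peers [MAX_AGE_SECONDS]: print the public keys of peers with no
# handshake at all or one older than MAX_AGE (default 900 s). Exit status 1
# when at least one such peer exists, so it can drive a monitoring alert.
wg_stale_peers() {
    max_age="${1:-900}"
    wg_peer_handshakes | awk -v max="$max_age" '
        $2 == "never" || $2 + 0 > max { print $1; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: the README's "sudo wg show" output plus a second peer
# (placeholder key, not a real one) that has never completed a handshake.
SAMPLE_WG_SHOW='interface: wghub
  public key: kbaG3HxSDz3xhqiTNXlo1fZkFa+V6oTl+w0cSAQKxwQ=
  private key: (hidden)
  listening port: 51820

peer: th8qYu0R0mgio2wPu1kz6/5OOgi6l8iy7OobK590LHw=
  preshared key: (hidden)
  endpoint: 10.60.1.150:37218
  allowed ips: 10.127.0.10/32
  latest handshake: 50 minutes, 22 seconds ago
  transfer: 32.64 MiB received, 95.24 MiB sent

peer: CONSTRUCTED_SECOND_PEER_KEY_NOT_REAL=
  preshared key: (hidden)
  allowed ips: 10.127.0.11/32'

# Stand-alone run: report peers idle for more than an hour.
printf '%s\n' "$SAMPLE_WG_SHOW" | wg_stale_peers 3600
```

On a live hub, sudo wg show wghub | wg_stale_peers 3600 does the same; wg show wghub dump prints the handshake as a Unix timestamp in tab-separated fields and is the better input for permanent monitoring.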

Fine tuning

Disabling external interface autodetection

By default easy-wg-quick uses the interface that the default route goes over as the external network interface of the VPN hub. If autodetection fails or the configuration is generated outside the hub (e.g. on an air-gapped laptop), the user can set the interface name in the extnetif.txt file with the command:

echo vtnet0 > extnetif.txt

Disabling external IP address autodetection

By default easy-wg-quick uses the IP address of the interface that the default route goes over as the external IP address of the VPN hub. This might not be correct if the hub is behind a firewall or NAT/PAT/masquerading is done. The user can set the preferred IP address in the extnetip.txt file with the command:

echo 192.168.1.2 > extnetip.txt

In the case of NAT/PAT/masquerading one can try to use a service like ifconfig.co for autodetection:

curl -4 ifconfig.co/ip > extnetip.txt

For IPv6 addresses, one can use curl's -6 switch. Brackets around IPv6 addresses are required:

sed -i 's/\(.*\)/[\1]/' extnetip.txt

Disabling random port assignment

By default easy-wg-quick uses a random port number from the range 1025-65535. When a static port number is required for firewall configuration or other reasons, the user can set the preferred port number (80 in this example) in the portno.txt file with the command:

echo 80 > portno.txt

Disabling randomly generated internal network addresses

By default easy-wg-quick uses randomly generated internal network addresses for both IPv4 and IPv6. Custom network addresses can be set with the following commands.

echo "10.1.1."               > intnetaddress.txt   # for IPv4
echo "fd90:d175:8e43:705d::" > intnet6address.txt  # for IPv6

Default masks are /24 for IPv4 and /64 for IPv6.

Setting network masks

To change the default masks, set new masks in the files named intnetmask.txt (IPv4) and intnet6mask.txt (IPv6).

echo 172.16.0. > intnetaddress.txt
echo /16       > intnetmask.txt
echo fd9d:9648:0841:0c6e:3d28:94d9:: > intnet6address.txt
echo /112                            > intnet6mask.txt

Setting interface's maximum transmission unit (MTU) size

To change the interface's default maximum transmission unit (MTU) size of 1280 bytes, write a new value into the file named intnetmtu.txt. The WireGuard MTU should be between 1280 and 1420 bytes.

echo 1380 > intnetmtu.txt

Setting custom DNS

Setting IPv4 resolver address

By default easy-wg-quick uses 1.1.1.1 as its internal DNS. You can use the command below to serve a custom IPv4 DNS resolver to clients.

echo 8.8.8.8 > intnetdns.txt

Setting IPv6 resolver address

By default easy-wg-quick uses 2606:4700:4700::1111 as its internal DNS. You can use the command below to serve a custom IPv6 DNS resolver to clients.

echo 2001:4860:4860::8888 > intnet6dns.txt

Setting custom client's AllowedIPs

By default, the client's AllowedIPs variable is set to 0.0.0.0/0, ::/0, directing all of the client's traffic through the VPN connection. If you want to create a VPN split-tunneling configuration, store the required IP address ranges in the intnetallowedips.txt file:

echo '172.16.1.0/24, 172.16.2.0/24' > intnetallowedips.txt

Choosing firewall type

The firewall type is guessed from the operating system. For Linux, iptables and ip6tables are used. For FreeBSD and macOS, basic pf NAT rules are implemented.

There are other firewall implementations to choose from. The following table compares the features of the alternative implementations.

Firewall type   IPv4 MASQ   IPv6 MASQ   IPv6 NDP   TCP MSS clamp
iptables        yes         yes         yes        yes
nft             yes         yes         yes        yes
ufw             yes         yes         yes        yes
firewalld       yes         yes         _          yes
pf              yes         -           _          _
custom / none   -           -           -          -

The file fwtype.txt contains the name of the firewall type. To override autodetection or disable any rules, run one of the following commands:

echo iptables  > fwtype.txt  # to choose Linux netfilter
echo nft       > fwtype.txt  # to choose Linux nftables
echo firewalld > fwtype.txt  # to choose firewalld
echo ufw       > fwtype.txt  # to choose Uncomplicated Firewall
echo pf        > fwtype.txt  # to choose OpenBSD PF
echo custom    > fwtype.txt  # to include predefined commands from file
echo none      > fwtype.txt  # to skip any setup during wg-quick up/down

If fwtype.txt contains the word custom, the content of commands.txt is included in the wghub.conf file.

The format of commands.txt is:

PostUp = echo "command 1"
PostUp = echo "command 2"
PostUp = ...

PostDown = echo "command 1"
PostDown = echo "command 2"
PostDown = ...

Choosing if PostUp/PostDown should enable/disable IP forwarding

The sysctl command syntax is guessed from the operating system. Linux, FreeBSD (and macOS) are supported. As enabling IP forwarding is required for the hub to forward VPN traffic to the Internet, it is managed by the PostUp/PostDown settings by default.

Some applications (e.g. Docker) might require that IP forwarding is never disabled. In that case, setting none in sysctltype.txt and managing the IP forwarding settings elsewhere might be required.

The file sysctltype.txt contains the name of the sysctl type. To override autodetection or prevent any commands from being run, use one of the following commands:

echo linux   > sysctltype.txt  # to choose Linux sysctl command
echo freebsd > sysctltype.txt  # to choose FreeBSD sysctl command
echo none    > sysctltype.txt  # to skip any setup during wg-quick up/down
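Because the values of these override files land in wghub.conf without further checks, it is worth validating them before the first run. The preflight below is an added example, not part of easy-wg-quick; the file names, accepted values and ranges (port, MTU 1280-1420, fwtype, sysctltype, ipv6mode, bracketed IPv6 in extnetip.txt, trailing dot in intnetaddress.txt) are the ones documented in this README.

```shell
#!/bin/sh
# Added example, not part of easy-wg-quick: sanity-check the optional override
# files before running the script, so a typo does not end up in wghub.conf.

# read_opt FILE: print the first line of FILE without whitespace; empty if absent.
read_opt() {
    if [ -r "$1" ]; then head -n 1 "$1" | tr -d ' \t\r'; fi
    return 0
}

# in_list VALUE WORD...: succeed if VALUE equals one of the WORDs.
in_list() {
    needle="$1"; shift
    for w in "$@"; do [ "$needle" = "$w" ] && return 0; done
    return 1
}

# check_overrides [DIR]: validate every documented override file found in DIR
# (default: current directory). Prints one line per problem to stdout and
# returns 1 if any problem was found, 0 otherwise.
check_overrides() {
    dir="${1:-.}"; bad=0

    port=$(read_opt "$dir/portno.txt")
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9]*) echo "portno.txt: not a number: $port"; bad=1 ;;
            *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
                   { echo "portno.txt: port out of range: $port"; bad=1; } ;;
        esac
    fi

    mtu=$(read_opt "$dir/intnetmtu.txt")
    if [ -n "$mtu" ]; then
        case "$mtu" in
            *[!0-9]*) echo "intnetmtu.txt: not a number: $mtu"; bad=1 ;;
            *) [ "$mtu" -ge 1280 ] && [ "$mtu" -le 1420 ] ||
                   { echo "intnetmtu.txt: MTU must be 1280-1420: $mtu"; bad=1; } ;;
        esac
    fi

    fw=$(read_opt "$dir/fwtype.txt")
    if [ -n "$fw" ] && ! in_list "$fw" iptables nft firewalld ufw pf custom none; then
        echo "fwtype.txt: unknown firewall type: $fw"; bad=1
    fi
    if [ "$fw" = "custom" ] && [ ! -r "$dir/commands.txt" ]; then
        echo "fwtype.txt: custom selected but commands.txt is missing"; bad=1
    fi

    sc=$(read_opt "$dir/sysctltype.txt")
    if [ -n "$sc" ] && ! in_list "$sc" linux freebsd none; then
        echo "sysctltype.txt: unknown sysctl type: $sc"; bad=1
    fi

    mode=$(read_opt "$dir/ipv6mode.txt")
    if [ -n "$mode" ] && [ "$mode" != "proxy_ndp" ]; then
        echo "ipv6mode.txt: unexpected value (documented: proxy_ndp): $mode"; bad=1
    fi

    # An IPv6 external address must be bracketed, as the README requires.
    ext=$(read_opt "$dir/extnetip.txt")
    case "$ext" in
        "") ;;
        \[*\]) ;;
        *:*) echo "extnetip.txt: IPv6 address must be in [brackets]: $ext"; bad=1 ;;
    esac

    # The IPv4 prefix must end with a dot so the peer number can be appended.
    v4=$(read_opt "$dir/intnetaddress.txt")
    case "$v4" in
        "" | *.) ;;
        *) echo "intnetaddress.txt: IPv4 prefix should end with '.': $v4"; bad=1 ;;
    esac

    return "$bad"
}

# Stand-alone run: check the current directory.
check_overrides . && echo "override files look sane"
```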

Enabling IPv6

If a global unicast IPv6 address is detected on the server, tunnels will be created with inner IPv6 addresses allocated. This allows the hub's clients to reach the IPv6 network through the hub's IPv6 NAT.

If a global unicast IPv6 address is not detected, the existence of a file named forceipv6.txt can forcibly enable IPv6 support.

touch forceipv6.txt

To use outer IPv6 addresses (i.e. to connect a client to the hub over IPv6), just set the EXT_NET_IF and EXT_NET_IP variables in the script to the external network interface name and IPv6 address (or edit wghub.conf).

Enabling NDP proxy (instead of default IPv6 masquerading)

By default easy-wg-quick uses IPv6 masquerading to provide IPv6 connectivity to peers. This is easier to set up and requires only a single IPv6 global unicast address to work. On the other hand, network address translation (NAT) has its issues and limitations.

Neighbor Discovery Proxies (ND Proxy, NDP Proxy) allow end-to-end connectivity, but require a /64 network to be assigned to the hub. From this /64 network, a subnetwork (e.g. a /112) has to be carved out and assigned to the WireGuard interface.

To enable proxied NDP, create a file named ipv6mode.txt containing the string proxy_ndp.

echo proxy_ndp > ipv6mode.txt

When the hub has 2001:19f0:6c01:1c0d::/64 assigned, part of it can be assigned to the WireGuard interface (e.g. 2001:19f0:6c01:1c0d:40::/112).

echo 2001:19f0:6c01:1c0d:40:: > intnet6address.txt
echo /112 > intnet6mask.txt

Please note that NDP proxy mode in easy-wg-quick is supported only on Linux.

Redirecting DNS

DNS redirection might be required to integrate with services like Pi-hole or Cloudflare DNS over TLS. This could be achieved by using port 53 UDP/TCP redirection in wghub.conf.

PostUp = iptables -t nat -A PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1:53
PostUp = iptables -t nat -A PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.1:53
PostDown = iptables -t nat -D PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1:53
PostDown = iptables -t nat -D PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.1:53

When using IPv6, similar rules should be set independently with ip6tables.

PostUp = ip6tables -t nat -A PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 2606:4700:4700::1111:53
PostUp = ip6tables -t nat -A PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 2606:4700:4700::1111:53
PostDown = ip6tables -t nat -D PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 2606:4700:4700::1111:53
PostDown = ip6tables -t nat -D PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 2606:4700:4700::1111:53

Traffic control

Clients can benefit from setting traffic control rules in the wghub.conf. For example, setting an SFQ scheduler on the Linux hub is the simplest way to ensure the fairness of the download so that each flow can send data in turn, thus preventing any single client from drowning out the rest. In addition, SFQ will prevent increased latency and latency spikes (aka bufferbloat) during high bandwidth consumption.

PostUp = tc qdisc add dev %i root sfq perturb 10

On Linux clients setting the same should improve the fairness of upload flows.

Persisting configuration with systemd

Systemd can load the configuration for both the hub and clients using wg-quick.service. Note that systemd itself (since version 237) also has native support for setting up WireGuard interfaces.

sudo cp wghub.conf /etc/wireguard/wghub.conf
sudo systemctl enable wg-quick@wghub
sudo systemctl start wg-quick@wghub
systemctl status wg-quick@wghub

License

This project is licensed under the GPLv2 License - see the LICENSE file for details.

Acknowledgments

OpenVPN's easy-rsa was an inspiration for writing this script.

easy-wg-quick's Issues

Named wgclient files and commented named ID in config file

Please, consider changing client filenames schema from wgclientXX.conf to wgclient_NAME.conf.

For example executing ./easy-wg-quick desktop1 will make wgclient_desktop1.conf file.

So instead of this mess:

desktop1.conf     wgclient10.conf  wgclient13.key   wghub.conf
desktop2.conf     wgclient10.key   wgclient14.conf  wghub.key
easy-wg-quick     wgclient11.conf  wgclient14.key   wgpsk.key
iphone.conf       wgclient11.key   wgclient15.conf  xiaomi_1.conf
laptop_air.conf   wgclient12.conf  wgclient15.key   xiaomi_2.conf
laptop_asus.conf  wgclient12.key   wgclient16.conf
seqno.txt         wgclient13.conf  wgclient16.key

will look like:

wgclient_desktop1.conf 
wgclient_desktop1.key
wgclient_desktop2.conf
wgclient_desktop2.key
wgclient_iphone.conf
wgclient_iphone.key
wgclient_laptop_air.conf 
wgclient_laptop_air.key
wgclient_laptop_asus.conf
wgclient_laptop_asus.key
wgclient_xiaomi_1.conf
wgclient_xiaomi_1.key
wgclient_xiaomi_2.conf
wgclient_xiaomi_2.key
wghub.conf
wghub.key
wgpsk.key

Multihomed gateway

Hello. Great toolkit, but I have some problem with routing setup in a multihomed environment.
I've got 3 interfaces
ens160, ens192, wghub on the server
ens160 is internal: 10.40.0.15/24
ens192 is external: 99.x.x.x/29
wghub is 10.87.123.1/24

When I connect to the external IP, I cannot ping the internal IP address subnet, only 10.40.0.15 (the local IP of ens160), but not 10.40.0.11 for example. How can I make routing between 10.40.0.11 <> 10.40.0.15 <> 10.87.123.11 <> 99.x.x.x/29 work?

config for ds-lite isp link

Hi,
This script is really great; plenty of supporting files/scripts are generated automatically.

Unfortunately I cannot get my config running for peers outside of the local LAN, i.e. 'dialing in' from remote.
My ISP link is DS-Lite (dual stack lite), i.e. only the IPv6 address of my WG hub is global/public; its IPv4 is not reachable from outside.

I am not trying to tunnel IPv6 encapsulated in a WG IPv4 link, but just the other way around. The dialing-in peer (iOS) shall call the IPv6 address only of the WG hub and establish a tunnel carrying at least IPv6; carrying/routing IPv4 as well would be of substantial benefit of course.

I think, "wg show" on the hub reveals the problem:
preshared key: (hidden)
endpoint: 192.168.0.36:62927
allowed ips: 10.50.43.15/32, 2a00:xxxx:xxxx:xxxx:xxxx:32ff:fe39:15/128
latest handshake: 15 minutes, 58 seconds ago
transfer: 283.10 KiB received, 1.81 MiB sent
The "endpoint", which is the same as in the client config, is not the global IPv6 of the WG hub, but some local LAN IPv4 address ... ???

Some advice on how to eliminate IPv4 for dialing in from the scripts is very much appreciated. I tried to replace the IPv4 addresses by IPv6, but that broke the script (wg-quick not starting the service and the client refusing to load the QR config).

Best Regards - Donald

Suggestions for improvement

I had planned to use the config script for my wireguard config, but unfortunately this is not possible due to the following points.

  • You can only customize the ipv4 DNS server (INT_NET_DNS), but not the ipv6 DNS server (INT_NET6_DNS)
  • You cannot customize the internal ipv4/ipv6 networks.
  • MASQUERADE for IPv6 is always active, but mostly wireguard is used on a vpc with public ipv6 addresses (/64) so you can use /112 of the public ipv6 addresses for wireguard without problems.
  • "PostDown = sysctl -q -w net.ipv4.ip_forward=0, PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0" can be very dangerous, because after that e.g. Docker containers won't work anymore.
  • A single config file would be easier to maintain than many config files.

No internet access

Hi! I've used this script previously and everything worked well, but this time I ran into an issue and need some help with it. I executed the script, generated the config and applied this config on the client. It successfully connects, but there is no internet access and not even ping. Tcpdump shows packets on the port. Will appreciate any help.

# tcpdump -i ens3 port 30329
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:35:48.795960 IP <client_ip>.14341 > <host>.30329: UDP, length 148
18:35:53.332491 IP <client_ip>.14341 > <host>.30329: UDP, length 148
18:35:58.551266 IP <client_ip>.14341 > <host>.30329: UDP, length 148
18:36:03.582010 IP <client_ip>.14341 > <host>.30329: UDP, length 148
18:36:08.590700 IP <client_ip>.14341 > <host>.30329: UDP, length 148
18:36:13.799693 IP <client_ip>.14341 > <host>.30329: UDP, length 148
18:36:18.892225 IP <client_ip>.14341 > <host>.30329: UDP, length 148
# iptables -vnxL -t filter
Chain INPUT (policy ACCEPT 211492 packets, 162774643 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      85    14960 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:30329
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30329
   24526  1953027 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    2902   121521 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   20073  2273861 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       7      348 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 ctstate NEW,ESTABLISHED
     176    14643 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 ctstate NEW,ESTABLISHED
    1601   123142 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 ctstate NEW,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 ctstate NEW,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 ctstate NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  wghub  *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      wghub   0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 244231 packets, 144644696 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4      251 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 ctstate ESTABLISHED
     145    56943 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:143 ctstate ESTABLISHED
    1709   225542 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:993 ctstate ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:110 ctstate ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:995 ctstate ESTABLISHED
# iptables -vnxL -t nat
Chain PREROUTING (policy ACCEPT 4582 packets, 238090 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2678 packets, 119142 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7597 packets, 463595 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6390 packets, 383443 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      ens3    10.18.96.0/24        0.0.0.0/0
      39     2915 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
       0        0 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
       0        0 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
       0        0 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
       0        0 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
       0        0 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
       0        0 MASQUERADE  all  --  *      ens3    0.0.0.0/0            0.0.0.0/0
# wg show
interface: wghub
  public key: rREdMvDekHjUwXeSieeLgHpA1ARoatNnSH3KcXmExG4=
  private key: (hidden)
  listening port: 30329

peer: tBv/YZaYfM1xRfQ17bKQLcL3jV4pVCH29lqFa6PlHiU=
  preshared key: (hidden)
  allowed ips: 10.219.11.10/32

Something went wrong

$ sudo wg-quick up ./wghub.conf

[#] ip link add wghub type wireguard
[#] wg setconf wghub /dev/fd/63
Line unrecognized: `ens2-jTCPMSS--clamp-mss-to-pmtu'
Configuration parsing error
[#] ip link delete dev wghub

What does that mean? Also, $ sudo wg show shows nothing.

nftables PostDown doesn't work

Hello,

The current way rules are removed doesn't work in nft. Here is an example:

nft delete rule inet filter forward iifname $WG_IF accept
Error: syntax error, unexpected iifname, expecting handle
delete rule inet filter forward iifname accept
                                ^^^^^^^

Unlike iptables, nft seems to require the user to give it a handle for the rule, which can be found with something like nft -a list ruleset.

Are there any plans for a better way to handle this? Thank you.
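One way to make a PostDown line work with nft, added here as an example (not part of easy-wg-quick): look the handle up from the output of nft -a list chain and delete exactly that rule, so no forward rule is left behind after wg-quick down. The chain listing below is constructed for offline testing, and nft_delete_rule assumes a running nft, so only the parser is exercised here.

```shell
#!/bin/sh
# Added example, not part of easy-wg-quick: resolve an nft rule handle from
# "nft -a list chain" output so the rule can be deleted in PostDown.

# nft_rule_handle RULE: read "nft -a list chain FAMILY TABLE CHAIN" output on
# stdin and print the handle of the first rule whose text (without indentation
# and without the trailing "# handle N") equals RULE. Status 1 if none matches.
nft_rule_handle() {
    awk -v rule="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # drop indentation
            if (match(line, / # handle [0-9]+$/)) {
                handle = substr(line, RSTART + 10)   # digits after " # handle "
                body = substr(line, 1, RSTART - 1)
                if (body == rule) { print handle; found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# nft_delete_rule FAMILY TABLE CHAIN RULE: PostDown-friendly wrapper that
# resolves the handle live and deletes that single rule. Needs a running nft;
# not exercised by the offline test.
nft_delete_rule() {
    handle=$(nft -a list chain "$1" "$2" "$3" | nft_rule_handle "$4") || {
        echo "rule not found in $1 $2 $3: $4" >&2; return 1; }
    nft delete rule "$1" "$2" "$3" handle "$handle"
}

# Constructed sample of "nft -a list chain inet filter forward" after the two
# forward rules for interface wghub have been added (handles are made up).
SAMPLE_NFT_CHAIN='table inet filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "wghub" accept # handle 12
        oifname "wghub" ct state related,established accept # handle 13
    }
}'

# Stand-alone run: print the handle of the iifname rule (12).
printf '%s\n' "$SAMPLE_NFT_CHAIN" | nft_rule_handle 'iifname "wghub" accept'
```

In wghub.conf this becomes a line such as PostDown = nft delete rule inet filter forward handle $(nft -a list chain inet filter forward | ...), with the lookup wrapped in a small script as above.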

Can't connect to internet

Hi there. When I try to access a website or one of my local services while connected to my VPN, it just doesn't work.
Here's my wghub.conf file:

# Hub configuration created on wireguard-vm on Thu 10 Nov 18:13:00 UTC 2022
[Interface]
Address = 10.65.194.1/24
ListenPort = 62669
PrivateKey = ******
SaveConfig = false
MTU = 1280
PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens160 -j TCPMSS --clamp-mss-to-pmtu
PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens160 -j TCPMSS --clamp-mss-to-pmtu
PostUp = iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostUp = iptables -I DOCKER-USER -i %i -j ACCEPT || iptables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -I DOCKER-USER -i %i -j ACCEPT || ip6tables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -I DOCKER-USER -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = ip6tables -I DOCKER-USER -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || ip6tables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D DOCKER-USER -i %i -j ACCEPT || iptables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D DOCKER-USER -i %i -j ACCEPT || iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D DOCKER-USER -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = ip6tables -D DOCKER-USER -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || ip6tables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens160 -j TCPMSS --clamp-mss-to-pmtu
PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens160 -j TCPMSS --clamp-mss-to-pmtu
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
PostUp = iptables -A FORWARD -i wghub -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i wghub -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE

# 10: 10 > wgclient_10.conf
[Peer]
PublicKey = ******
PresharedKey = ******
AllowedIPs = 10.65.194.10/32

Any help is appreciated!

EDIT: I'm running behind a NAT and have the port forwarded. The handshake succeeds, and I'm trying to connect from my phone on cellular data.

IP address generation does not work correctly above 255

Hey team, thanks for the handy script.

There's one issue I've run into. When setting the subnet to 16 and trying to create more than 255 addresses, the incrementing doesn't properly cascade into the third quadrant, it just keeps incrementing the fourth quadrant, like so: 10.0.0.256, creating invalid IP addresses.
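A correct carry across octets for the allocation this issue describes, added here as an example (not the script's own code): the prefix format follows intnetaddress.txt ("10.1.1." or "172.16.") and the mask intnetmask.txt ("/16") from the README; the peer number is added to the full 32-bit address, and numbers that would leave the configured network are rejected instead of producing an address outside the tunnel subnet.

```shell
#!/bin/sh
# Added example, not part of easy-wg-quick: derive a peer's IPv4 address from
# the intnetaddress.txt prefix, the intnetmask.txt mask and the sequence
# number, carrying into the higher octets (10.0.0. + 256 -> 10.0.1.0).

# ipv4_to_int A.B.C.D: print the address as a 32-bit integer.
ipv4_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ipv4 N: print the 32-bit integer N in dotted-quad form.
int_to_ipv4() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                            $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# pad_prefix PREFIX: complete a dotted prefix such as "172.16." or "10.1.1."
# (the intnetaddress.txt format) to a full network address, e.g. "172.16.0.0".
pad_prefix() {
    full="${1%.}"
    dots=$(printf '%s' "$full" | tr -cd '.' | wc -c | tr -d ' ')
    while [ "$dots" -lt 3 ]; do
        full="$full.0"; dots=$((dots + 1))
    done
    echo "$full"
}

# peer_address PREFIX MASK SEQNO: print the SEQNO-th host address inside the
# network PREFIX/MASK (MASK as written to intnetmask.txt, e.g. /16). Fails with
# status 1 when SEQNO is not a usable host number in that network, so a caller
# stops allocating instead of handing out an address outside the VPN subnet.
peer_address() {
    base=$(ipv4_to_int "$(pad_prefix "$1")")
    bits=${2#/}
    size=$(( 1 << (32 - bits) ))
    # Host numbers run from 1 to size-2; 0 is the network, size-1 the broadcast.
    if [ "$3" -lt 1 ] || [ "$3" -gt $(( size - 2 )) ]; then
        echo "seqno $3 is not a host number in $1/$bits" >&2
        return 1
    fi
    int_to_ipv4 $(( base + $3 ))
}

# Stand-alone run: the 256th peer of 172.16.0.0/16 is 172.16.1.0, not 172.16.0.256.
peer_address 172.16.0. /16 256
```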

Incorrect rules in case if nftables is already present and activated

Hello!

Thanks a lot for your script, but it took me a few hours to find out why nothing works as it should on a computer with nftables already activated. In this case these rules ARE incorrect, or at least the config is not complete:

PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept

You should check for the presence of the "main" forwarding chain and add rules to it, like:

nft list ruleset | grep forward 

or something similar. If something is found, then the CORRECT rules are:

PostUp = nft add chain inet filter forward "{ type filter hook forward priority 0; }"
PostUp = nft add rule inet filter forward iifname %i accept
PostUp = nft add rule inet filter forward oifname %i ct state related,established accept

You can leave your commands as they are, but then you should add to the main forward chain something like
jump %i-forward. I didn't check it out; it's the common nftables idea to extend the standard filters by jumping to custom filters.

about /48 ipv6 addr.

Neighbor Discovery Proxies (ND Proxy, NDP Proxy) allows end-to-end connectivity, but requires /64 network to be assigned to hub. From this /64 network, a subnetwork has to be divided (i.e. /112) and assigned to Wireguard interface.
Dear friend, I see you mentioned NDP requires a /64. If I got a /48 IPv6 prefix, can I use it for a sub network? What I want is to set up wg on the top-level router (whole company), assign a /48 to the VPN, and then divide it into /64s on the second-level routers (each department), for SLAAC IPv6 in the VPN. Is it feasible? A /112 will not be usable for SLAAC.

Unable to locate package

I am using DigitalOcean's VPS, Ubuntu 20.04

root@ubuntu-s-1vcpu-1gb-nyc1-01:~# sudo apt install wireguard-tools mawk grep iproute2 qrencode
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package wireguard-tools
E: Unable to locate package qrencode

NDP Proxy - how to verify its working?

I appreciate the work in putting together a quick script that can turn a VPS into an easy dual-stack wireguard gateway. I'm trying to get IPv6 from my VPS to be reachable from the internet through the wireguard tunnel.

The script seems to set this up correctly, but I am not sure how to validate that my client is receiving the NDP packets. The VPS is Debian 10 and the client is Windows 10 using the official WireGuard client.

root@straw:~# sysctl net.ipv6.conf.all.proxy_ndp
net.ipv6.conf.all.proxy_ndp = 1
root@straw:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
root@straw:~# ping 2607:f1c0:1801:195:40::10
PING 2607:f1c0:1801:195:40::10(2607:f1c0:1801:195:40::10) 56 data bytes
64 bytes from 2607:f1c0:1801:195:40::10: icmp_seq=1 ttl=128 time=87.3 ms
64 bytes from 2607:f1c0:1801:195:40::10: icmp_seq=2 ttl=128 time=93.0 ms
64 bytes from 2607:f1c0:1801:195:40::10: icmp_seq=3 ttl=128 time=84.8 ms

The VPS itself can ping the client through the tunnel, but when I try to reach the IPv6 unicast address from anywhere else, like https://tools.keycdn.com/ipv6-ping, it fails. Other websites that should be working indicate that I don't have an IPv6 address: http://test-ipv6.com/ and https://ipv6-test.com/

I carried out a simple install on a dummy VPS with throwaway IPv6 addresses just to test and learn. Here are the exact steps done after WireGuard was installed.

wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick
chmod +x easy-wg-quick
echo proxy_ndp > ipv6mode.txt
ip a
echo 2607:f1c0:1801:195:40:: > intnet6address.txt
echo /112 > intnet6mask.txt

The Windows NDP table shows "Probe" for it but never changes.

Interface 38: ionos

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
::                                                               Permanent
2001:478:65::53                                                  Stale
2001:4860:4860::8888                                             Stale
2600:1407:21:281::2c1a                                           Stale
2600:1407:21:298::2c1a                                           Unreachable
2606:4700::6812:1ad3                                             Stale
2606:4700::6812:1bd3                                             Unreachable
2606:4700:4700::1111                                             Unreachable
2607:f1c0:1801:195:40::1                                         Probe
...
ff02::2                                                          Permanent
ff02::16                                                         Permanent
ff02::fb                                                         Permanent
ff02::1:3                                                        Permanent
ff02::1:ff00:10                                                  Permanent
ff02::1:ff2f:9883                                                Permanent

Any pointers on what I may have missed or what else to check to make this work?

About SaveConfig = true

In man wg-quick:

For use on a server, the following is a more complicated example involving multiple peers:

       [Interface]
       Address = 10.192.122.1/24
       Address = 10.10.0.1/16
       SaveConfig = true
       PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
       ListenPort = 51820

       [Peer]
       PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
       AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

       [Peer]
       PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
       AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

       [Peer]
       PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
       AllowedIPs = 10.10.10.230/32

   Notice the two `Address' lines at the top, and that `SaveConfig' is set to `true', indicating that the configuration
   file should be saved on shutdown using the current status of the interface.

But your setting is false. Why?

Renaming wghub.conf --> wg0.conf

Thanks for the script. It works as expected. Please use the standard naming for the network device, wg0, to make it conform to the WireGuard standard. systemd also expects these names.

Strongly recommend using 0.0.0.0/1 128.0.0.0/1 instead of 0.0.0.0/0 in AllowedIPs

After research, I recommend using 0.0.0.0/1 128.0.0.0/1 instead of 0.0.0.0/0, because 0.0.0.0/0 will replace the original default gateway, resulting in being offline when WireGuard is turned off.

https://unix.stackexchange.com/questions/110716/how-to-understand-the-routing-table-on-an-openvpn-client

After reading [this](https://unix.stackexchange.com/questions/110716/understand-the-route-table), I found some more information. The lines below make a lot of sense to me now:

0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0

So, the 1st line is defining 0.0.0.0/128.0.0.0 and second one is defining 128.0.0.0/128.0.0.0. Essentially:

0.0.0.0/128.0.0.0 = 0.0.0.0/1 = 0.0.0.0 TO 127.255.255.255
128.0.0.0/128.0.0.0 = 128.0.0.0/1 = 128.0.0.0 TO 255.255.255.255

So, above 2 routes are covering the entire IPv4 Address range [0.0.0.0 TO 255.255.255.255]. It is a clever way of OpenVPN to add a default route without replacing the original default route and this default route will be routed via tun0.

I see someone uses the routing table rather than ip6tables. Is that suitable for this?

I see someone uses the routing table rather than ip6tables. Is that suitable for this? What is the difference between the two methods, ip6tables and ip route? In my view, ip6tables can use fd00:: addresses via NAT, while routing is used when we can get a /64 publicly routable IPv6 prefix. Is that right?

E.g. I use the HE tunnel broker to get a /64 routable prefix; can I use it in the VPN?

Add firewalld support for CentOS / Arch based systems

It would be nice if there were firewalld support using the firewall-cmd command.

These are my firewall rules.

PostUp = firewall-cmd --zone=public --add-port 62156/udp && firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 62156/udp && firewall-cmd --zone=public --remove-masquerade

You could make a variable for the port that corresponds to the randomly generated port number in the script.

There is already a fwtype.txt and if I could change it to firewall-cmd it would be great for me.

SSH tunnels not working

Thanks for your work at first! 👍

I have set up everything according to your instructions and it works kind of as expected, at least for standard web traffic. Ping and traceroutes are running fine through the tunnel. But I cannot establish SSH connections through the WireGuard VPN: not to other clients in the VPN, not to the peer, not to public servers.

Any idea what could be wrong?

debug1: Authenticating to xxx as 'rico'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

Right there the SSH connection attempt stalls.

I appreciate any tips. Thanks!

Discussion: about NDP proxy

Dear friend, I took a look at your script and I see you take a subnet from the /64 for the client. In this situation the system will add a route for wghub, e.g. eth0 takes aa:bb:cc:dd:ee:ff:gg:hh:ii/64 and the wghub client is set to aa:bb:cc:dd:ee:ff/112; the routes look like this:

4: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
inet6 2001:470:aa:bb::2/64 scope global
valid_lft forever preferred_lft forever

5: wghub: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
inet6 2001:470:aa:bb:2::1/112 scope global
valid_lft forever preferred_lft forever
inet6 2001:470:aa:bb:1::1/112 scope global
valid_lft forever preferred_lft forever
root@racknerd-4afe10:~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2001:470:aa:bb::1 dev he-ipv6 metric 1024 pref medium
2001:470:aa:bb:1::/112 dev wghub proto kernel metric 256 pref medium
2001:470:aa:bb:2::/112 dev wghub proto kernel metric 256 pref medium
2001:470:aa:bb::/64 dev he-ipv6 proto kernel metric 256 pref medium

Is there a need to add NDP on the upper (outer) interface, he-ipv6 here? I think not: packets for the /112 client coming from the upper internet natively route to 2001:470:aa:bb::/64, so the packet arrives at the he-ipv6 interface and is then routed to the 2001:470:aa:bb:2::/112 subnet, and vice versa.
In this situation I deleted NDP and everything is OK. Is this a special situation, because of the point-to-point link between 2001:470:aa:bb::1 (carrier) and 2001:470:aa:bb::2 (local gateway computer)? And if there were a 2001:470:aa:bb::3/64 computer, would it be possible to route the
2001:470:aa:bb:1::/112 subnet without NDP?

I know that if both the upper and lower interfaces are in the same /64 prefix, we must add NDP on the upper interface, and the system will add a route to the specific IPv6 (/128) on each side (OpenWrt's NDP did this). In this subnet situation, do we need NDP, and will the system add a route to the specific IPv6 (/128) on each side? Thanks!

How to remove peers

First of all, I have modified the [easy-wg-quick] for my needs and also after a new peer is created, the wgclient_clientname.conf is also copied to /root/nginx/www where I have a nginx server password protected in order to be able to download the file on a phone and then to configure wireguard client based on the conf file.

I have created a very simple bash script useful for deleting a peer: it deletes the peer from wghub.conf, deletes the 4 files associated with the client, also deletes the conf file from the nginx location, adjusts seqno.txt and restarts the WireGuard server.
Normally, if you delete a peer from wghub.conf, no adjustment to seqno is necessary, but if the last peer was deleted it will be.

Run the script: ./del.sh clientname

#!/bin/bash

if [ $# -ne 1 ]; then
    echo "Usage: $0 <clientname>"
    exit 1
fi

filename="wghub.conf"
search_string="$1"

# Check if file exists
if [ ! -f "$filename" ]; then
    echo "File '$filename' does not exist."
    exit 1
fi

# Check if the client's peer header ("# <seqno>: <clientname>") exists.
# Match the whole header line rather than any substring, so a client named
# e.g. "10" cannot match another peer's seqno or an AllowedIPs line.
if grep -q "^# [0-9]*: $search_string\$" "$filename"; then
    echo "Client '$search_string' is present in '$filename'."
else
    echo "Client '$search_string' not present in '$filename'."
    exit 1
fi

# Create a temporary file
temp_file=$(mktemp) || exit 1

# Read the file line by line
while IFS= read -r line; do
    # Check if the line is the peer header for this client
    if [[ "$line" == "# "*": $search_string" ]]; then
        # Skip the header and the 5 lines that make up the rest of the block
        # ([Peer], PublicKey, PresharedKey, AllowedIPs and the blank separator)
        for (( i = 0; i < 5; i++ )); do
            read -r _ || break
        done
    else
        # Write the line to the temporary file
        echo "$line" >> "$temp_file"
    fi
done < "$filename"

# Overwrite the original file with the temporary file
mv "$temp_file" "$filename"

echo "The peer block for '$search_string' has been removed from '$filename'."

# Delete all 4 files associated with the client
rm -f "wgclient_$search_string".*

# Restart wireguard and delete client conf from nginx folder
sleep 5
wg-quick down /root/easy-wg-quick/wghub.conf
sleep 2
rm -f "/root/nginx/www/wgclient_$search_string.conf"
sleep 5
wg-quick up /root/easy-wg-quick/wghub.conf
echo "done"

# Check and adjust seqno: the next seqno is the last remaining peer's number + 1.
# Only peer headers ("# <seqno>: <name>") are considered, not other comments.
aidi=$(grep "^# [0-9]*:" "$filename" | tail -1 | awk '{print $2}' | cut -d ":" -f 1)
if [ -z "$aidi" ]; then
    echo "No peers left in '$filename'; seqno.txt left unchanged."
    exit 0
fi
aidi=$((aidi + 1))
echo "$aidi"

seq=$(cat seqno.txt)
if [[ "$aidi" != "$seq" ]]; then
  echo "$aidi" > seqno.txt
  echo "seqno.txt updated!"
fi

You may integrate it into the project. This is NOT a bug report; I wrote it here since I can't find a Discussions section.

Thank you.

LE: One more thing: I think it is more useful to also generate a PNG QR code file, to be able to put it into, for example, a PHP web page which reads from wghub.conf:
qrencode -t png -o "wgclient_$1.qrcode.png" -r "wgclient_$1.conf"

The client config used by OpenWrt has something wrong

root@racknerd-4afe10:~/wg# cat wgclient_wghub.uci.txt 
# 10: wghub > wgclient_wghub.uci.txt
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '28894' //this port should be in peer section! the server side's port
        list addresses '10.x.x.x/24'
        list addresses '2001:470:x:x:1::10/112'
        list dns '1.1.1.1'
        list dns '2606:4700:4700::1111'
        option private_key ''
config wireguard_wg0
        option allowed_ips '0.0.0.0/0' //this should be list allow_ips........
        option route_allowed_ips '1'
        option endpoint_host 'x.x.x.x'
        option endpoint_port '28894' //this is correct
        option persistent_keepalive '25'
        option public_key ''
        option preshared_key ''

Consider DOCKER-USER chain if docker is installed

I'm using this script on 3 different servers, and had the same problem on two of them. I could connect to the WireGuard server and also ping the IP of the server itself, but had no internet connection. After a few hours of troubleshooting, I realised that I had Docker running a few containers on both of the problematic hosts. Docker fiddles with the default iptables behaviour, so I had to add the following iptables rule for WireGuard's NAT to work:

iptables -I DOCKER-USER -o wghub -j ACCEPT

I just added it as a PostUp/PostDown rule in wghub.conf. Maybe it would be a good idea to detect Docker in easy-wg-quick and add this rule to the configuration? Or maybe just mention in the documentation that one needs to add that rule if Docker is running on the host?

Please add CentOS 8 support

[centos@srv1 wg]$ sudo yum install wireguard mawk grep iproute2 qrencode
Last metadata expiration check: 0:43:12 ago on Sun 08 Dec 2019 03:33:11 PM CET.
No match for argument: wireguard
No match for argument: mawk
Package grep-3.1-6.el8.x86_64 is already installed.
No match for argument: iproute2
Error: Unable to find a match
